Merge pull request kubernetes#112 from ncdc/kcp-scope-cluster-auth-tr…

…ust-ctrl UPSTREAM: <carry>: scope cluster_authentication_trust_controller properly
ezrasilvera · Nov 9, 2022 · 309ae77 · 309ae77
2 parents 38c7316 + 5569ee5
commit 309ae77
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 16 deletions.
diff --git a/...rolplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go b/...rolplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go
@@ -89,28 +89,25 @@ type ClusterAuthenticationInfo struct {
 
 // NewClusterAuthenticationTrustController returns a controller that will maintain the kube-system configmap/extension-apiserver-authentication
 // that holds information about how to aggregated apiservers are recommended (but not required) to configure themselves.
-func NewClusterAuthenticationTrustController(requiredAuthenticationData ClusterAuthenticationInfo, kubeClient kubernetes.Interface) *Controller {
-	// we construct our own informer because we need such a small subset of the information available.  Just one namespace.
-	kubeSystemConfigMapInformer := corev1informers.NewConfigMapInformer(kubeClient, configMapNamespace, 12*time.Hour, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
-
+func NewClusterAuthenticationTrustController(requiredAuthenticationData ClusterAuthenticationInfo, kubeClient kubernetes.Interface, rootConfigMapInformer corev1informers.ConfigMapInformer) *Controller {
 	c := &Controller{
 		requiredAuthenticationData:  requiredAuthenticationData,
-		configMapLister:             corev1listers.NewConfigMapLister(kubeSystemConfigMapInformer.GetIndexer()),
+		configMapLister:             rootConfigMapInformer.Lister(),
 		configMapClient:             kubeClient.CoreV1(),
 		namespaceClient:             kubeClient.CoreV1(),
 		queue:                       workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "cluster_authentication_trust_controller"),
-		preRunCaches:                []cache.InformerSynced{kubeSystemConfigMapInformer.HasSynced},
-		kubeSystemConfigMapInformer: kubeSystemConfigMapInformer,
+		preRunCaches:                []cache.InformerSynced{rootConfigMapInformer.Informer().HasSynced},
+		kubeSystemConfigMapInformer: rootConfigMapInformer.Informer(),
 	}
 
-	kubeSystemConfigMapInformer.AddEventHandler(cache.FilteringResourceEventHandler{
+	rootConfigMapInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
 		FilterFunc: func(obj interface{}) bool {
 			if cast, ok := obj.(*corev1.ConfigMap); ok {
-				return cast.Name == configMapName
+				return cast.Namespace == configMapNamespace && cast.Name == configMapName
 			}
 			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
 				if cast, ok := tombstone.Obj.(*corev1.ConfigMap); ok {
-					return cast.Name == configMapName
+					return cast.Namespace == configMapNamespace && cast.Name == configMapName
 				}
 			}
 			return true // always return true just in case.  The checks are fairly cheap

diff --git a/pkg/controlplane/instance.go b/pkg/controlplane/instance.go
@@ -430,12 +430,16 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 		return nil, err
 	}
 
+	configMapsInformer := c.ExtraConfig.VersionedInformers.Core().V1().ConfigMaps()
+	// Make sure it gets started
+	_ = configMapsInformer.Informer()
+
 	m.GenericAPIServer.AddPostStartHookOrDie("start-cluster-authentication-info-controller", func(hookContext genericapiserver.PostStartHookContext) error {
 		kubeClient, err := kubernetes.NewForConfig(hookContext.LoopbackClientConfig)
 		if err != nil {
 			return err
 		}
-		controller := clusterauthenticationtrust.NewClusterAuthenticationTrustController(m.ClusterAuthenticationInfo, kubeClient)
+		controller := clusterauthenticationtrust.NewClusterAuthenticationTrustController(m.ClusterAuthenticationInfo, kubeClient, configMapsInformer)
 
 		// generate a context  from stopCh. This is to avoid modifying files which are relying on apiserver
 		// TODO: See if we can pass ctx to the current method

diff --git a/pkg/genericcontrolplane/apis/apis.go b/pkg/genericcontrolplane/apis/apis.go
@@ -22,8 +22,8 @@ import (
 	"net/http"
 	"time"
 
-	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 	kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
+	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 	"github.com/kcp-dev/logicalcluster/v2"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	apiserverinternalv1alpha1 "k8s.io/api/apiserverinternal/v1alpha1"
@@ -148,7 +148,8 @@ func (c *Config) Complete() CompletedConfig {
 // New returns a new instance of GenericControlPlane from the given config.
 // Certain config fields will be set to a default value if unset.
 // Certain config fields must be specified, including:
-//   KubeletClientConfig
+//
+//	KubeletClientConfig
 func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) (*GenericControlPlane, error) {
 	s, err := c.GenericConfig.New("kube-control-plane", delegationTarget)
 	if err != nil {
@@ -190,12 +191,20 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 		return nil, err
 	}
 
+	rootCluster := logicalcluster.New("root")
+
+	// Have to create this outside the post-start hook to ensure the informer is started correctly
+	rootConfigMapsInformer := c.ExtraConfig.VersionedInformers.Core().V1().ConfigMaps().Cluster(rootCluster)
+	// Register the informer for starting when the factory is started in a different post-start hook
+	_ = rootConfigMapsInformer.Informer()
+
 	m.GenericAPIServer.AddPostStartHookOrDie("start-cluster-authentication-info-controller", func(hookContext genericapiserver.PostStartHookContext) error {
 		kubeClient, err := kcpkubernetesclientset.NewForConfig(hookContext.LoopbackClientConfig)
 		if err != nil {
 			return err
 		}
-		controller := clusterauthenticationtrust.NewClusterAuthenticationTrustController(m.ClusterAuthenticationInfo, kubeClient.Cluster(logicalcluster.New("root")))
+
+		controller := clusterauthenticationtrust.NewClusterAuthenticationTrustController(m.ClusterAuthenticationInfo, kubeClient.Cluster(rootCluster), rootConfigMapsInformer)
 
 		// generate a context  from stopCh. This is to avoid modifying files which are relying on apiserver
 		// TODO: See if we can pass ctx to the current method
@@ -242,7 +251,7 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 			}
 			controller := lease.NewController(
 				clock.RealClock{},
-				kubeClient.Cluster(logicalcluster.New("root")),
+				kubeClient.Cluster(rootCluster),
 				m.GenericAPIServer.APIServerID,
 				int32(c.ExtraConfig.IdentityLeaseDurationSeconds),
 				nil,
@@ -258,7 +267,7 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 				return err
 			}
 			go apiserverleasegc.NewAPIServerLeaseGC(
-				kubeClient.Cluster(logicalcluster.New("root")),
+				kubeClient.Cluster(rootCluster),
 				time.Duration(c.ExtraConfig.IdentityLeaseDurationSeconds)*time.Second,
 				metav1.NamespaceSystem,
 				KubeAPIServerIdentityLeaseLabelSelector,