gateway-api: improve secret sync resiliency #29017
/test

Force-pushed from e71ac5f to 6ed8e0a.

/test

/test

Force-pushed from 6ed8e0a to f066116.
This commit removes the predicate option when watching Secrets in the secret-syncer. Without this change we fail to reconcile when:
* the synced secret (in NS cilium-secrets) gets deleted or updated
* the source secret gets deleted and might no longer be referenced by a Gateway resource

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

This commit restricts the Gateway API's secret sync `For` watch to the source secrets that are outside of the target secrets namespace. This way, already synced secrets aren't re-synced (endless reconciliation).

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
updated the test-fixtures

Force-pushed from f066116 to 6b9a46b.

/test after rebasing to
LGTM just one small thing for readability but giving you a green tick anyway :D
Currently, Gateway API secret sync reconciliation isn't triggered when a synced k8s Secret in the secrets namespace (defaults to `cilium-secrets`) gets deleted or updated. Therefore, this commit introduces an additional watcher that watches for updated & deleted secrets and triggers a reconciliation of the owning Secret by using the labels `io.cilium.gateway/owning-secret-namespace` & `io.cilium.gateway/owning-secret-name` on the synced Secret.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

This commit moves the controller-check (whether a Gateway is managed by Cilium Operator) from the Predicate into the EventHandler.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

This commit unexports the fields `client`, `scheme` & `secretsNamespace` from the type `secretSyncer`.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

This commit refactors the Gateway API Secret Sync to handle deleted source secrets. Whenever a Secret gets deleted, the corresponding synced secret gets deleted too.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

This commit refactors the Gateway API Secret Sync reconciler to take the referencing Gateway TLS secret references into account. Meaning that a Secret only gets synced once it's referenced by a Gateway resource that is managed by Cilium. In addition, the synced secret gets deleted once the last reference is deleted.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

This commit introduces a unit test for the secret-sync reconciliation.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Force-pushed from 6b9a46b to b90c021.

Addressed @meyskens' input - Thanks for the review!

/test
Thanks ✔️
This PR improves the resiliency of the Gateway API secret sync.
Main changes:
Please review the individual commits.
This is a preparation to re-use the secret synchronization for Cilium Ingress (#28911)
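The reconcile decisions the commits above describe (the restricted `For` watch on source secrets, the owning-secret labels that map a synced Secret back to its source, and deleting the synced copy once the source is gone or its last Cilium-managed Gateway reference is removed), as an added example that is not code from the PR or from Cilium: the `Ref`, `Secret` and `Gateway` types are constructed stand-ins for the Kubernetes and controller-runtime types, and `isSourceSecret`, `ownerOfSyncedSecret` and `desiredAction` are hypothetical names.

```go
package main

// Labels the secret-syncer stamps on every synced Secret (taken from the PR).
const (
	owningSecretNamespaceLabel = "io.cilium.gateway/owning-secret-namespace"
	owningSecretNameLabel      = "io.cilium.gateway/owning-secret-name"
)

// Ref identifies a Secret by namespace and name (stand-in for a reconcile request);
// Secret and Gateway are minimal stand-ins for the k8s types, constructed here.
type Ref struct{ Namespace, Name string }
type Secret struct {
	Ref
	Labels map[string]string
}
type Gateway struct {
	ManagedByCilium bool  // managed by Cilium Operator (the controller-check)
	TLSSecretRefs   []Ref // certificateRefs of the Gateway's TLS listeners
}

// isSourceSecret is the restricted `For` watch: only Secrets outside the secrets
// namespace (default cilium-secrets) are candidates, so synced copies never
// re-trigger their own reconciliation.
func isSourceSecret(s Secret, secretsNamespace string) bool {
	return s.Namespace != secretsNamespace
}

// ownerOfSyncedSecret maps an updated or deleted synced Secret back to its source
// via the owning-secret labels; false means the syncer did not create it.
func ownerOfSyncedSecret(s Secret) (Ref, bool) {
	ns, name := s.Labels[owningSecretNamespaceLabel], s.Labels[owningSecretNameLabel]
	if ns == "" || name == "" {
		return Ref{}, false
	}
	return Ref{ns, name}, true
}

// desiredAction decides the reconcile outcome for one source Secret: "sync" while
// it exists and a Cilium-managed Gateway references it, otherwise "delete" the
// synced copy (source deleted, or its last managed reference removed).
func desiredAction(source Ref, sourceExists bool, gws []Gateway) string {
	for _, gw := range gws {
		for _, r := range gw.TLSSecretRefs {
			if sourceExists && gw.ManagedByCilium && r == source {
				return "sync"
			}
		}
	}
	return "delete"
}
```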