feat(provider/kuberentes): restrict caching by kind (#2398)

spinnaker · Feb 27, 2018 · a9eeb90 · a9eeb90
1 parent 11e9cba
commit a9eeb90
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 0 deletions.
diff --git a/.../netflix/spinnaker/clouddriver/kubernetes/config/KubernetesConfigurationProperties.groovy b/.../netflix/spinnaker/clouddriver/kubernetes/config/KubernetesConfigurationProperties.groovy
@@ -46,6 +46,8 @@ class KubernetesConfigurationProperties {
     String namingStrategy = "kubernetesAnnotations"
     Boolean debug = false
     List<CustomKubernetesResource> customResources;
+    List<String> kinds
+    List<String> omitKinds
   }
 
   List<ManagedAccount> accounts = []

diff --git a/.../netflix/spinnaker/clouddriver/kubernetes/security/KubernetesNamedAccountCredentials.java b/.../netflix/spinnaker/clouddriver/kubernetes/security/KubernetesNamedAccountCredentials.java
@@ -186,6 +186,8 @@ static class Builder<C extends KubernetesCredentials> {
     KubectlJobExecutor jobExecutor;
     Namer namer;
     List<CustomKubernetesResource> customResources;
+    List<String> kinds;
+    List<String> omitKinds;
     boolean debug;
 
     Builder name(String name) {
@@ -326,6 +328,16 @@ Builder customResources(List<CustomKubernetesResource> customResources) {
       return this;
     }
 
+    Builder kinds(List<String> kinds) {
+      this.kinds = kinds;
+      return this;
+    }
+
+    Builder omitKinds(List<String> omitKinds) {
+      this.omitKinds = omitKinds;
+      return this;
+    }
+
     private C buildCredentials() {
       switch (providerVersion) {
         case v1:
@@ -361,6 +373,8 @@ private C buildCredentials() {
               .omitNamespaces(omitNamespaces)
               .registry(spectatorRegistry)
               .customResources(customResources)
+              .kinds(kinds)
+              .omitKinds(omitKinds)
               .debug(debug)
               .jobExecutor(jobExecutor)
               .build();
@@ -378,6 +392,10 @@ KubernetesNamedAccountCredentials build() {
         throw new IllegalArgumentException("At most one of 'namespaces' and 'omitNamespaces' can be specified");
       }
 
+      if ((omitKinds != null && !omitKinds.isEmpty()) && (kinds != null && !kinds.isEmpty())) {
+        throw new IllegalArgumentException("At most one of 'kinds' and 'omitKinds' can be specified");
+      }
+
       if (cacheThreads == 0) {
         cacheThreads = 1;
       }

diff --git a/...naker/clouddriver/kubernetes/security/KubernetesNamedAccountCredentialsInitializer.groovy b/...naker/clouddriver/kubernetes/security/KubernetesNamedAccountCredentialsInitializer.groovy
@@ -100,6 +100,8 @@ class KubernetesNamedAccountCredentialsInitializer implements CredentialsInitial
           .jobExecutor(jobExecutor)
           .namer(namerRegistry.getNamingStrategy(managedAccount.namingStrategy))
           .customResources(managedAccount.customResources)
+          .kinds(managedAccount.kinds)
+          .omitKinds(managedAccount.omitKinds)
           .debug(managedAccount.debug)
           .build()
 

diff --git a/...spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesV2CachingAgentDispatcher.java b/...spinnaker/clouddriver/kubernetes/v2/caching/agent/KubernetesV2CachingAgentDispatcher.java
@@ -24,6 +24,7 @@
 import com.netflix.spinnaker.clouddriver.kubernetes.security.KubernetesNamedAccountCredentials;
 import com.netflix.spinnaker.clouddriver.kubernetes.v2.description.KubernetesResourceProperties;
 import com.netflix.spinnaker.clouddriver.kubernetes.v2.description.KubernetesResourcePropertyRegistry;
+import com.netflix.spinnaker.clouddriver.kubernetes.v2.security.KubernetesV2Credentials;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@@ -47,13 +48,15 @@ public class KubernetesV2CachingAgentDispatcher implements KubernetesCachingAgen
 
   @Override
   public List<KubernetesCachingAgent> buildAllCachingAgents(KubernetesNamedAccountCredentials credentials) {
+    KubernetesV2Credentials v2Credentials = (KubernetesV2Credentials) credentials.getCredentials();
     List<KubernetesCachingAgent> result = new ArrayList<>();
     IntStream.range(0, credentials.getCacheThreads())
         .boxed()
         .forEach(i -> propertyRegistry.values()
             .stream()
             .map(KubernetesResourceProperties::getHandler)
             .filter(Objects::nonNull)
+            .filter(h -> v2Credentials.isValidKind(h.kind()))
             .map(h -> h.buildCachingAgent(credentials, objectMapper, registry, i, credentials.getCacheThreads()))
             .filter(Objects::nonNull)
             .forEach(c -> result.add((KubernetesCachingAgent) c))

diff --git a/.../com/netflix/spinnaker/clouddriver/kubernetes/v2/description/manifest/KubernetesKind.java b/.../com/netflix/spinnaker/clouddriver/kubernetes/v2/description/manifest/KubernetesKind.java
@@ -24,6 +24,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 public class KubernetesKind {
   public static KubernetesKind CONFIG_MAP = new KubernetesKind("configMap", "cm");
@@ -77,4 +78,10 @@ public static KubernetesKind fromString(String name) {
     // separate from the above chain to avoid concurrent modification of the values list
     return kindOptional.orElseGet(() -> new KubernetesKind(name));
   }
+
+  public static List<KubernetesKind> fromStringList(List<String> names) {
+    return names.stream()
+        .map(KubernetesKind::fromString)
+        .collect(Collectors.toList());
+  }
 }
diff --git a/...ovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java b/...ovy/com/netflix/spinnaker/clouddriver/kubernetes/v2/security/KubernetesV2Credentials.java
@@ -61,6 +61,8 @@ public class KubernetesV2Credentials implements KubernetesCredentials {
   private final ObjectMapper mapper = new ObjectMapper();
   private final List<String> namespaces;
   private final List<String> omitNamespaces;
+  private final List<KubernetesKind> kinds;
+  private final List<KubernetesKind> omitKinds;
 
   // TODO(lwander) make configurable
   private final static int namespaceExpirySeconds = 30;
@@ -95,6 +97,16 @@ public class KubernetesV2Credentials implements KubernetesCredentials {
 
   private final Path serviceAccountNamespacePath = Paths.get("/var/run/secrets/kubernetes.io/serviceaccount/namespace");
 
+  public boolean isValidKind(KubernetesKind kind) {
+    if (!this.kinds.isEmpty()) {
+      return kinds.contains(kind);
+    } else if (!this.omitKinds.isEmpty()) {
+      return !omitKinds.contains(kind);
+    } else {
+      return true;
+    }
+  }
+
   public String getDefaultNamespace() {
     if (StringUtils.isEmpty(cachedDefaultNamespace)) {
       cachedDefaultNamespace = lookupDefaultNamespace();
@@ -137,6 +149,8 @@ public static class Builder {
     Registry registry;
     KubectlJobExecutor jobExecutor;
     List<CustomKubernetesResource> customResources;
+    List<String> kinds;
+    List<String> omitKinds;
     boolean debug;
 
     public Builder accountName(String accountName) {
@@ -204,6 +218,16 @@ public Builder oAuthScopes(List<String> oAuthScopes) {
       return this;
     }
 
+    public Builder kinds(List<String> kinds) {
+      this.kinds = kinds;
+      return this;
+    }
+
+    public Builder omitKinds(List<String> omitKinds) {
+      this.omitKinds = omitKinds;
+      return this;
+    }
+
     public KubernetesV2Credentials build() {
       KubeConfig kubeconfig;
       try {
@@ -223,6 +247,8 @@ public KubernetesV2Credentials build() {
       namespaces = namespaces == null ? new ArrayList<>() : namespaces;
       omitNamespaces = omitNamespaces == null ? new ArrayList<>() : omitNamespaces;
       customResources = customResources == null ? new ArrayList<>() : customResources;
+      kinds = kinds == null ? new ArrayList<>() : kinds;
+      omitKinds = omitKinds == null ? new ArrayList<>() : omitKinds;
 
       return new KubernetesV2Credentials(
           accountName,
@@ -236,6 +262,8 @@ public KubernetesV2Credentials build() {
           oAuthServiceAccount,
           oAuthScopes,
           customResources,
+          KubernetesKind.fromStringList(kinds),
+          KubernetesKind.fromStringList(omitKinds),
           debug
       );
     }
@@ -252,6 +280,8 @@ private KubernetesV2Credentials(@NotNull String accountName,
       String oAuthServiceAccount,
       List<String> oAuthScopes,
       @NotNull List<CustomKubernetesResource> customResources,
+      @NotNull List<KubernetesKind> kinds,
+      @NotNull List<KubernetesKind> omitKinds,
       boolean debug) {
     this.registry = registry;
     this.clock = registry.clock();
@@ -266,6 +296,8 @@ private KubernetesV2Credentials(@NotNull String accountName,
     this.oAuthServiceAccount = oAuthServiceAccount;
     this.oAuthScopes = oAuthScopes;
     this.customResources = customResources;
+    this.kinds = kinds;
+    this.omitKinds = omitKinds;
 
     this.liveNamespaceSupplier = Suppliers.memoizeWithExpiration(() -> jobExecutor.list(this, KubernetesKind.NAMESPACE, "")
         .stream()