refactor: effective tls policies reconciler #927
Conversation
| if policy.DeletionTimestamp != nil { | ||
| logger.V(1).Info("policy is marked for deletion, nothing to do", "name", policy.Name, "namespace", policy.Namespace, "uid", policy.GetUID()) | ||
| continue | ||
| } |
There was a problem hiding this comment.
No need for finalizer since associated Certificate's will also be deleted by owner ref
| logger := controller.LoggerFromContext(ctx).WithName("EffectiveTLSPoliciesReconciler").WithName("Reconcile") | ||
|
|
||
| // Get all TLS Policies | ||
| policies := lo.Filter(topology.Policies().Items(), func(item machinery.Policy, index int) bool { |
There was a problem hiding this comment.
So are we reconciling every policy on the cluster with every change to the subscribed kinds? Not quite understanding how this is working
There was a problem hiding this comment.
If so do we intend to have a way to not need to do this? Like if a certificate changes, there is a link between that certificate and the TLSPolicy that ownes it so we shouldn't need to reconcile all TLSPolicies because a certificate changed right. Or am I misunderstanding?
There was a problem hiding this comment.
That's fair. There's is a way to do reconcile only affected tls policies instead by using the events received. I've pushed a commit for this so this should be addressed now cd35907
KevFan
force-pushed
the
effective-tls-reconciler
branch
5 times, most recently
from
af8c44c
to
cd35907
Compare
Signed-off-by: KevFan <chfan@redhat.com>
Signed-off-by: KevFan <chfan@redhat.com>
Signed-off-by: KevFan <chfan@redhat.com>
Signed-off-by: KevFan <chfan@redhat.com>
Signed-off-by: KevFan <chfan@redhat.com>
…get ref Signed-off-by: KevFan <chfan@redhat.com>
…rts" This reverts commit 552d9f3. Signed-off-by: KevFan <chfan@redhat.com>
Signed-off-by: KevFan <chfan@redhat.com>
Signed-off-by: KevFan <chfan@redhat.com>
Signed-off-by: KevFan <chfan@redhat.com>
| g := machinery.Gateway{Gateway: ob.(*gwapiv1.Gateway)} | ||
|
|
||
| affectedPolicies = append(affectedPolicies, lo.Filter(policies, func(item machinery.Policy, index int) bool { | ||
| for _, tg := range item.GetTargetRefs() { | ||
| if g.GetLocator() == tg.GetLocator() { |
There was a problem hiding this comment.
Have you considered using g.Policies()?
There was a problem hiding this comment.
Hmm, dont think i'm able to since g is a new machinery.Gateway instance, so the policies will be nil unless you're saying to get the machinery.Gateway instance elsewhere? 🤔
| affectedPolicies = append(affectedPolicies, lo.Filter(policies, func(item machinery.Policy, index int) bool { | ||
| return item.GetName() == ob.GetName() && item.GetNamespace() == ob.GetNamespace() | ||
| })...) |
There was a problem hiding this comment.
I understand this will filter out all TLSPolicies that have been deleted. Unless that's what indeed you want, could we simply cast ob maybe?
| affectedPolicies = append(affectedPolicies, lo.Filter(policies, func(item machinery.Policy, index int) bool { | |
| return item.GetName() == ob.GetName() && item.GetNamespace() == ob.GetNamespace() | |
| })...) | |
| p, _ := ob.(*TLSPolicy) | |
| affectedPolicies = append(affectedPolicies, p) |
There was a problem hiding this comment.
Hmm, I didn't intend to do this, but that is simpler indeed. Why it's working as is due to there's no work to be done on tlspolicies marked for deletion 🤔
| affectedPolicies = append(affectedPolicies, lo.Filter(policies, func(item machinery.Policy, index int) bool { | ||
| p := item.(*kuadrantv1alpha1.TLSPolicy) | ||
| return utils.IsOwnedBy(ob, p) | ||
| })...) |
There was a problem hiding this comment.
I believe you could leverage the topology links here too:
| affectedPolicies = append(affectedPolicies, lo.Filter(policies, func(item machinery.Policy, index int) bool { | |
| p := item.(*kuadrantv1alpha1.TLSPolicy) | |
| return utils.IsOwnedBy(ob, p) | |
| })...) | |
| c, _ := ob.(*controller.RuntimeObject).Object.(*certmanagerv1.Certificate) | |
| listeners := topology.Targetables().Parents(machinery.LocatorFromObject(c)) | |
| affectedPolicies = append(affectedPolicies, lo.FlatMap(listeners, func(l machinery.Targetable) ([]machinery.Policy, bool) { | |
| return l.(*machinery.Listener).Gateway.Policies() | |
| })...) |
In this particular case, not sure if it's better or worse. I'm just thinking about avoiding filtering the same list of policies so many times.
There was a problem hiding this comment.
Hmm, that's true. If you feel strongly on this I can update, but using the owner refernence looks a lot more readable unless filtering the list of policies should be avoided in general? 🤔
controllers/tls_workflow.go
Outdated
| } | ||
|
|
||
| // Return only unique policies as there can be duplicates from multiple events | ||
| return lo.Uniq(affectedPolicies) |
There was a problem hiding this comment.
Hmm. Maybe specify a uniqueness key and thus avoid possible problems with pointer comparison:
| return lo.Uniq(affectedPolicies) | |
| return lo.UniqBy(affectedPolicies, func(p machinery.Policy) string { return p.GetLocator() } ) |
| // TODO: Update when targeting by section name is allowed, the listener will contain the policy rather than the gateway | ||
| listeners := lo.FilterMap(topology.Targetables().Items(), func(t machinery.Targetable, index int) (*machinery.Listener, bool) { | ||
| l, ok := t.(*machinery.Listener) | ||
| return l, ok && lo.Contains(l.Gateway.Policies(), p) |
There was a problem hiding this comment.
I'm actually surprised equality (==) between two policy works.
There was a problem hiding this comment.
Yeah, I think it compares the pointers between the two policies
Signed-off-by: KevFan <chfan@redhat.com>
KevFan
force-pushed
the
effective-tls-reconciler
branch
from
cd35907
to
2c1093b
Compare
Description
Part of #819 #824
Verification