From 8d2dcf72fb5968ac1fbaab1f6cdd2465d723ea74 Mon Sep 17 00:00:00 2001
From: Angelos Kolaitis
Date: Thu, 11 Apr 2024 04:09:22 +0300
Subject: [PATCH 1/2] do not list and iterate secrets
---
 controllers/microk8sconfig_controller.go | 44 +++++++++++++-----------
 1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/controllers/microk8sconfig_controller.go b/controllers/microk8sconfig_controller.go
index c0b80a6..547cb62 100644
--- a/controllers/microk8sconfig_controller.go
+++ b/controllers/microk8sconfig_controller.go
@@ -626,17 +626,19 @@ func (r *MicroK8sConfigReconciler) storeBootstrapData(ctx context.Context, scope
 func (r *MicroK8sConfigReconciler) getJoinToken(ctx context.Context, scope *Scope) (string, error) {
 // See if the token exists. If not create it.
- secrets := &corev1.SecretList{}
- err := r.Client.List(ctx, secrets)
- if err != nil {
- return "", err
- }
+ secret := &corev1.Secret{}
- found := false
- for _, s := range secrets.Items {
- if s.Name == scope.Cluster.Name+"-jointoken" {
- found = true
- }
+ var found bool
+ err := r.Client.Get(ctx, types.NamespacedName{
+ Namespace: scope.Cluster.Namespace,
+ Name: fmt.Sprintf("%s-jointoken", scope.Cluster.Name),
+ }, secret)
+ switch {
+ case err == nil:
+ found = true
+ case apierrors.IsNotFound(err):
+ default:
+ return "", err
 }
 if !found {
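Review bot: The new Get builds the Secret name as `fmt.Sprintf("%s-jointoken", scope.Cluster.Name)` while the creation path further down the same function (outside this hunk, visible as context in the second patch) spells it as `scope.Cluster.Name + "-jointoken"`, so the lookup and the Create can silently drift apart if either is edited. Compute it once, `name := scope.Cluster.Name + "-jointoken"`, and use `name` for both the NamespacedName and the ObjectMeta. The same applies to the getCA hunk below with the `-ca` suffix. getJoinToken continues past the end of this hunk.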
@@ -678,17 +680,19 @@ func (r *MicroK8sConfigReconciler) getJoinToken(ctx context.Context, scope *Scop
 func (r *MicroK8sConfigReconciler) getCA(ctx context.Context, scope *Scope) (cert *string, key *string, err error) {
 // See if the CA cert exists. If not create it.
- secrets := &corev1.SecretList{}
- err = r.Client.List(ctx, secrets)
- if err != nil {
- return nil, nil, err
- }
+ caSecret := &corev1.Secret{}
- found := false
- for _, s := range secrets.Items {
- if s.Name == scope.Cluster.Name+"-ca" {
- found = true
- }
+ var found bool
+ err = r.Client.Get(ctx, types.NamespacedName{
+ Namespace: scope.Cluster.Namespace,
+ Name: fmt.Sprintf("%s-ca", scope.Cluster.Name),
+ }, caSecret)
+ switch {
+ case err == nil:
+ found = true
+ case apierrors.IsNotFound(err):
+ default:
+ return nil, nil, err
 }
 if !found {
From 18e470f9cb02a32e90be99a1a4c9b28ffc984e35 Mon Sep 17 00:00:00 2001
From: Angelos Kolaitis
Date: Thu, 11 Apr 2024 10:22:44 +0300
Subject: [PATCH 2/2] reduce unnecessary apiserver interaction
---
 controllers/microk8sconfig_controller.go | 105 ++++++++--------------
 1 file changed, 36 insertions(+), 69 deletions(-)
diff --git a/controllers/microk8sconfig_controller.go b/controllers/microk8sconfig_controller.go
index 547cb62..6aa10e6 100644
--- a/controllers/microk8sconfig_controller.go
+++ b/controllers/microk8sconfig_controller.go
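Review bot: In getCA the named result `err` still holds the NotFound error after `case apierrors.IsNotFound(err):` falls out of the switch, so any later `return nil, nil, err` or naked return reached before `err` is reassigned would report a not-found failure from the path that is meant to create the CA. This is masked today only because the creation code below reassigns `err` before returning, which is fragile. Clear it in that case, `case apierrors.IsNotFound(err): err = nil // fall through and create the CA`, or drop the named results and return explicit values. getCA's creation path lies outside this hunk.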
@@ -627,115 +627,82 @@ func (r *MicroK8sConfigReconciler) storeBootstrapData(ctx context.Context, scope
 func (r *MicroK8sConfigReconciler) getJoinToken(ctx context.Context, scope *Scope) (string, error) {
 // See if the token exists. If not create it.
 secret := &corev1.Secret{}
-
- var found bool
 err := r.Client.Get(ctx, types.NamespacedName{
 Namespace: scope.Cluster.Namespace,
 Name: fmt.Sprintf("%s-jointoken", scope.Cluster.Name),
 }, secret)
 switch {
 case err == nil:
- found = true
+ return string(secret.Data["value"]), nil
 case apierrors.IsNotFound(err):
 default:
 return "", err
 }
- if !found {
- const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
- b := make([]byte, 32)
- for i := range b {
- b[i] = letters[mrand.Intn(len(letters))]
- }
- token := string(b)
- tokenSecret := &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: scope.Cluster.Namespace,
- Name: scope.Cluster.Name + "-jointoken",
- },
- Data: map[string][]byte{
- "value": []byte(token),
- },
- }
- err = r.Client.Create(ctx, tokenSecret)
- if err != nil {
- return "", err
- }
+ const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ b := make([]byte, 32)
+ for i := range b {
+ b[i] = letters[mrand.Intn(len(letters))]
 }
-
- readTokenSecret := &corev1.Secret{}
- err = r.Client.Get(ctx,
- types.NamespacedName{
+ token := string(b)
+ tokenSecret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
 Namespace: scope.Cluster.Namespace,
 Name: scope.Cluster.Name + "-jointoken",
 },
- readTokenSecret,
- )
- if err != nil {
+ Data: map[string][]byte{
+ "value": []byte(token),
+ },
+ }
+ if err := r.Client.Create(ctx, tokenSecret); err != nil {
 return "", err
 }
- return string(readTokenSecret.Data["value"]), nil
+ return token, nil
 }
 func (r *MicroK8sConfigReconciler) getCA(ctx context.Context, scope *Scope) (cert *string, key *string, err error) {
 // See if the CA cert exists. If not create it.
- caSecret := &corev1.Secret{}
+ secret := &corev1.Secret{}
- var found bool
 err = r.Client.Get(ctx, types.NamespacedName{
 Namespace: scope.Cluster.Namespace,
 Name: fmt.Sprintf("%s-ca", scope.Cluster.Name),
- }, caSecret)
+ }, secret)
 switch {
 case err == nil:
- found = true
+ cert := string(secret.Data["crt"])
+ key := string(secret.Data["key"])
+ return &cert, &key, nil
 case apierrors.IsNotFound(err):
 default:
 return nil, nil, err
 }
- if !found {
- newcrt, newkey, err := r.generateCA()
- if err != nil {
- return nil, nil, err
- }
- caSecret := &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: scope.Cluster.Namespace,
- Name: scope.Cluster.Name + "-ca",
- },
- Data: map[string][]byte{
- // these are the expected names for the certificate and key
- "tls.crt": []byte(*newcrt),
- "tls.key": []byte(*newkey),
-
- // these are here for backwards-compatibility with older versions of the providers
- "crt": []byte(*newcrt),
- "key": []byte(*newkey),
- },
- }
- err = r.Client.Create(ctx, caSecret)
- if err != nil {
- return nil, nil, err
- }
+ newcrt, newkey, err := r.generateCA()
+ if err != nil {
+ return nil, nil, err
 }
-
- readCASecret := &corev1.Secret{}
- err = r.Client.Get(ctx,
- types.NamespacedName{
+ caSecret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
 Namespace: scope.Cluster.Namespace,
 Name: scope.Cluster.Name + "-ca",
 },
- readCASecret,
- )
- if err != nil {
+ Data: map[string][]byte{
+ // these are the expected names for the certificate and key
+ "tls.crt": []byte(*newcrt),
+ "tls.key": []byte(*newkey),
+
+ // these are here for backwards-compatibility with older versions of the providers
+ "crt": []byte(*newcrt),
+ "key": []byte(*newkey),
+ },
+ }
+ if err := r.Client.Create(ctx, caSecret); err != nil {
 return nil, nil, err
 }
- certstr := string(readCASecret.Data["crt"])
- keystr := string(readCASecret.Data["key"])
- return &certstr, &keystr, nil
+ return newcrt, newkey, nil
 }
 func (r *MicroK8sConfigReconciler) generateCA() (cert *string,
key *string, err error) {
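Review bot: The join token in getJoinToken is still drawn from `mrand.Intn`, i.e. math/rand, on the re-added `b[i] = letters[mrand.Intn(len(letters))]` line; since the value is stored in a Secret and presented by joining nodes as a cluster-membership credential, it should come from crypto/rand (the `mrand` alias suggests crypto/rand may already be imported as `rand` — verify, and add `math/big` if not already imported). The rewrite below keeps the 32-character, letters-only format and the unchanged Secret layout. Separately, the found path now returns `string(secret.Data["value"])` without checking the key exists, so a malformed pre-existing Secret yields an empty token with a nil error; `v, ok := secret.Data["value"]; if !ok || len(v) == 0 { return "", fmt.Errorf("join token secret has no value") }` would surface that instead. In getCA, the new `cert := ...` and `key := ...` inside `case err == nil` shadow the named results of the same names, which `go vet` shadow analysis will flag; assigning with `=` to the named results or using different local names avoids it.
```go
	const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	b := make([]byte, 32)
	for i := range b {
		// crypto/rand rather than math/rand: the token is a credential, not a sample.
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
		if err != nil {
			return "", fmt.Errorf("generating join token: %w", err)
		}
		b[i] = letters[idx.Int64()]
	}
	token := string(b)
	// … unchanged: tokenSecret construction and Create …
```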