introduce accesses caching (#46)

* introduce accesses caching Signed-off-by: Francesco Ilario <[email protected]> * add serviceaccount support Signed-off-by: Francesco Ilario <[email protected]> * rename files, add tests Signed-off-by: Francesco Ilario <[email protected]> * disable performance cluster deletion Signed-off-by: Francesco Ilario <[email protected]> * making ginkgo tests parallel Signed-off-by: Francesco Ilario <[email protected]> --------- Signed-off-by: Francesco Ilario <[email protected]>
konflux-ci · Jan 31, 2025 · 3a25aa9 · 3a25aa9
1 parent df42cd7
commit 3a25aa9
Show file tree

Hide file tree

Showing 28 changed files with 993 additions and 61 deletions.
diff --git a/Makefile b/Makefile
@@ -52,7 +52,7 @@ fmt: ## Run go fmt against code.
 
 .PHONY: test
 test: ## Run go test against code.
-	$(GINKGO) --label-filter='!perf'
+	$(GINKGO) --label-filter='!perf' ./pkg/... ./
 
 .PHONY: test-perf
 test-perf: ## Run performance tests
@@ -61,6 +61,7 @@ test-perf: ## Run performance tests
 		--name namespace-lister-perf-test $(PERF_CLUSTER_PROVIDER_FLAGS)
 	KUBECONFIG=$(PERF_CLUSTER_KUBECONFIG) $(GINKGO) --label-filter='perf' \
 		--keep-going --procs=1 --flake-attempts 2 --output-dir=$(PERF_OUT_DIR)
+	# -$(PERF_CLUSTER_PROVIDER) delete cluster --name namespace-lister-perf-test
 
 .PHONY: image-build
 image-build:

diff --git a/acceptance/config/patches/with_cache_resyncperiod.yaml b/acceptance/config/patches/with_cache_resyncperiod.yaml
@@ -0,0 +1,5 @@
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: CACHE_RESYNC_PERIOD
+    value: '20s'
diff --git a/acceptance/pkg/suite/steps.go b/acceptance/pkg/suite/steps.go
@@ -3,21 +3,24 @@ package suite
 import (
 	"context"
 	"fmt"
+	"log"
 	"slices"
+	"time"
 
 	"github.com/cucumber/godog"
 
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
 
 	tcontext "github.com/konflux-ci/namespace-lister/acceptance/pkg/context"
 	arest "github.com/konflux-ci/namespace-lister/acceptance/pkg/rest"
 )
 
 func InjectSteps(ctx *godog.ScenarioContext) {
-	//read
+	// read
 	ctx.Step(`^ServiceAccount has access to a namespace$`,
 		func(ctx context.Context) (context.Context, error) { return UserInfoHasAccessToNNamespaces(ctx, 1) })
 	ctx.Step(`^User has access to a namespace$`,
@@ -92,49 +95,56 @@ func TheUserCanRetrieveOnlyTheNamespacesTheyHaveAccessTo(ctx context.Context) (c
 		return ctx, err
 	}
 
-	ann := corev1.NamespaceList{}
-	if err := cli.List(ctx, &ann); err != nil {
-		return ctx, err
-	}
-
-	enn := tcontext.Namespaces(ctx)
-	if expected, actual := len(enn), len(ann.Items); expected != actual {
-		return ctx, fmt.Errorf("expected %d namespaces, actual %d", expected, actual)
-	}
+	return ctx, wait.PollUntilContextTimeout(ctx, 2*time.Second, 1*time.Minute, true, func(ctx context.Context) (done bool, err error) {
+		ann := corev1.NamespaceList{}
+		if err := cli.List(ctx, &ann); err != nil {
+			log.Printf("error listing namespaces: %v", err)
+			return false, nil
+		}
 
-	for _, en := range enn {
-		if !slices.ContainsFunc(ann.Items, func(an corev1.Namespace) bool {
-			return en.Name == an.Name
-		}) {
-			return ctx, fmt.Errorf("expected namespace %s not found in actual namespace list: %v", en.Name, ann.Items)
+		enn := tcontext.Namespaces(ctx)
+		if expected, actual := len(enn), len(ann.Items); expected != actual {
+			log.Printf("expected %d namespaces, actual %d", expected, actual)
+			return false, nil
 		}
-	}
 
-	return ctx, nil
+		for _, en := range enn {
+			if !slices.ContainsFunc(ann.Items, func(an corev1.Namespace) bool {
+				return en.Name == an.Name
+			}) {
+				log.Printf("expected namespace %s not found in actual namespace list: %v", en.Name, ann.Items)
+				return false, nil
+			}
+		}
+		return true, nil
+	})
 }
 
 func TheUserCanRetrieveTheNamespace(ctx context.Context) (context.Context, error) {
 	run := tcontext.RunId(ctx)
-
 	cli, err := tcontext.InvokeBuildUserClientFunc(ctx)
 	if err != nil {
 		return ctx, err
 	}
 
-	n := corev1.Namespace{}
-	k := types.NamespacedName{Name: fmt.Sprintf("run-%s-0", run)}
-	if err := cli.Get(ctx, k, &n); err != nil {
-		return ctx, err
-	}
-
-	enn := tcontext.Namespaces(ctx)
-	if expected, actual := 1, len(enn); expected != actual {
-		return ctx, fmt.Errorf("expected %d namespaces, actual %d: %v", expected, actual, enn)
-	}
+	return ctx, wait.PollUntilContextTimeout(ctx, 2*time.Second, 1*time.Minute, true, func(ctx context.Context) (done bool, err error) {
+		n := corev1.Namespace{}
+		k := types.NamespacedName{Name: fmt.Sprintf("run-%s-0", run)}
+		if err := cli.Get(ctx, k, &n); err != nil {
+			log.Printf("error getting namespace %v: %v", k, err)
+			return false, nil
+		}
 
-	if expected, actual := n.Name, enn[0].Name; actual != expected {
-		return ctx, fmt.Errorf("expected namespace %s, actual %s", expected, actual)
-	}
+		enn := tcontext.Namespaces(ctx)
+		if expected, actual := 1, len(enn); expected != actual {
+			log.Printf("expected %d namespaces, actual %d: %v", expected, actual, enn)
+			return false, nil
+		}
 
-	return ctx, nil
+		if expected, actual := n.Name, enn[0].Name; actual != expected {
+			log.Printf("expected namespace %s, actual %s", expected, actual)
+			return false, nil
+		}
+		return true, nil
+	})
 }
diff --git a/acceptance/test/dumb-proxy/Makefile b/acceptance/test/dumb-proxy/Makefile
@@ -35,6 +35,20 @@ deploy-namespace-lister: $(OUT_DIR)
 				--kind "Deployment" \
 				--name "namespace-lister" \
 				--version "v1" && \
+			cp "$(ROOT_DIR)/../config/patches/with_log_debug.yaml" . && \
+			kustomize edit add patch \
+				--path "with_log_debug.yaml" \
+				--group "apps" \
+				--kind "Deployment" \
+				--name "namespace-lister" \
+				--version "v1" && \
+			cp "$(ROOT_DIR)/config/patches/with_cache_resyncperiod.yaml" . && \
+			kustomize edit add patch \
+				--path "with_cache_resyncperiod.yaml" \
+				--group "apps" \
+				--kind "Deployment" \
+				--name "namespace-lister" \
+				--version "v1" && \
 			kustomize build | $(KUBECTL) apply -f - ; \
 	)
 

diff --git a/acceptance/test/smart-proxy/Makefile b/acceptance/test/smart-proxy/Makefile
@@ -26,6 +26,8 @@ deploy-namespace-lister: $(OUT_DIR)
 		cd $(OUT_DIR)/config && \
 			kustomize init && \
 			kustomize edit add base "../../../../../config" && \
+			kustomize edit set namespace namespace-lister && \
+			kustomize edit set image "namespace-lister:latest=$(IMG)" && \
 			cp "$(ROOT_DIR)/../config/patches/with_header_auth.yaml" . && \
 			kustomize edit add patch \
 				--path "with_header_auth.yaml" \
@@ -40,8 +42,20 @@ deploy-namespace-lister: $(OUT_DIR)
 				--kind "Deployment" \
 				--name "namespace-lister" \
 				--version "v1" && \
-			kustomize edit set namespace namespace-lister && \
-			kustomize edit set image "namespace-lister:latest=$(IMG)" && \
+			cp "$(ROOT_DIR)/../config/patches/with_log_debug.yaml" . && \
+			kustomize edit add patch \
+				--path "with_log_debug.yaml" \
+				--group "apps" \
+				--kind "Deployment" \
+				--name "namespace-lister" \
+				--version "v1" && \
+			cp "$(ROOT_DIR)/config/patches/with_cache_resyncperiod.yaml" . && \
+			kustomize edit add patch \
+				--path "with_cache_resyncperiod.yaml" \
+				--group "apps" \
+				--kind "Deployment" \
+				--name "namespace-lister" \
+				--version "v1" && \
 			kustomize build | $(KUBECTL) apply -f - ; \
 	)
 

diff --git a/access_cache_startup.go b/access_cache_startup.go
@@ -0,0 +1,72 @@
+package main
+
+import (
+	"context"
+	"os"
+	"time"
+
+	authcache "github.com/konflux-ci/namespace-lister/pkg/auth/cache"
+
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	toolscache "k8s.io/client-go/tools/cache"
+	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
+	crcache "sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func buildAndStartAccessCache(ctx context.Context, resourceCache crcache.Cache) (*authcache.SynchronizedAccessCache, error) {
+	aur := &CRAuthRetriever{resourceCache, ctx, getLoggerFromContext(ctx)}
+	sae := rbac.NewSubjectAccessEvaluator(aur, aur, aur, aur, "")
+	synchCache := authcache.NewSynchronizedAccessCache(
+		sae,
+		resourceCache, authcache.CacheSynchronizerOptions{
+			Logger:       getLoggerFromContext(ctx),
+			ResyncPeriod: getResyncPeriodFromEnvOrZero(ctx),
+		},
+	)
+
+	// register event handlers on resource cache
+	oo := []client.Object{
+		&corev1.Namespace{},
+		&rbacv1.RoleBinding{},
+		&rbacv1.ClusterRole{},
+		&rbacv1.ClusterRoleBinding{},
+		&rbacv1.Role{},
+	}
+	for _, o := range oo {
+		i, err := resourceCache.GetInformer(ctx, o)
+		if err != nil {
+			return nil, err
+		}
+
+		if _, err := i.AddEventHandler(
+			toolscache.ResourceEventHandlerFuncs{
+				AddFunc:    func(obj interface{}) { synchCache.Request() },
+				UpdateFunc: func(oldObj, newObj interface{}) { synchCache.Request() },
+				DeleteFunc: func(obj interface{}) { synchCache.Request() },
+			}); err != nil {
+			return nil, err
+		}
+	}
+	synchCache.Start(ctx)
+
+	if err := synchCache.Synch(ctx); err != nil {
+		return nil, err
+	}
+	return synchCache, nil
+}
+
+func getResyncPeriodFromEnvOrZero(ctx context.Context) time.Duration {
+	var zero time.Duration
+	rps, ok := os.LookupEnv(EnvCacheResyncPeriod)
+	if !ok {
+		return zero
+	}
+	rp, err := time.ParseDuration(rps)
+	if err != nil {
+		getLoggerFromContext(ctx).Warn("can not parse duration from environment variable", "error", err)
+		return zero
+	}
+	return rp
+}
diff --git a/config/patches/with_cache_resyncperiod.yaml b/config/patches/with_cache_resyncperiod.yaml
@@ -0,0 +1,5 @@
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: CACHE_RESYNC_PERIOD
+    value: '10m'
diff --git a/config/patches/with_log_debug.yaml b/config/patches/with_log_debug.yaml
@@ -0,0 +1,5 @@
+- op: replace
+  path: /spec/template/spec/containers/0/env/0
+  value:
+    name: LOG_LEVEL
+    value: "-4"
diff --git a/const.go b/const.go
@@ -1,9 +1,10 @@
 package main
 
 const (
-	EnvLogLevel       string = "LOG_LEVEL"
-	EnvUsernameHeader string = "AUTH_USERNAME_HEADER"
-	EnvAddress        string = "ADDRESS"
+	EnvLogLevel          string = "LOG_LEVEL"
+	EnvUsernameHeader    string = "AUTH_USERNAME_HEADER"
+	EnvAddress           string = "ADDRESS"
+	EnvCacheResyncPeriod string = "CACHE_RESYNC_PERIOD"
 
 	DefaultAddr           string = ":8080"
 	DefaultHeaderUsername string = "X-Email"

diff --git a/interfaces_test.go b/interfaces_test.go
@@ -2,9 +2,16 @@ package main_test
 
 import (
 	"k8s.io/client-go/rest"
+
+	namespacelister "github.com/konflux-ci/namespace-lister"
 )
 
 //go:generate mockgen -source=interfaces_test.go -destination=mocks/rest_interface.go -package=mocks
+
 type FakeInterface interface {
 	rest.Interface
 }
+
+type FakeSubjectNamespacesLister interface {
+	namespacelister.SubjectNamespacesLister
+}
diff --git a/main.go b/main.go
@@ -11,7 +11,6 @@ import (
 	"syscall"
 
 	"github.com/go-logr/logr"
-
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -69,20 +68,26 @@ func run(l *slog.Logger) error {
 
 	ctx = setLoggerIntoContext(ctx, l)
 
-	// create cache
-	l.Info("creating cache")
-	cacheCfg, err := NewCacheConfigFromEnv(cfg)
+	// create resource cache
+	l.Info("creating resource cache")
+	cacheCfg, err := NewResourceCacheConfigFromEnv(cfg)
 	if err != nil {
 		return err
 	}
-	cache, err := BuildAndStartCache(ctx, cacheCfg)
+	resourceCache, err := BuildAndStartResourceCache(ctx, cacheCfg)
+	if err != nil {
+		return err
+	}
+
+	// create access cache
+	l.Info("creating access cache")
+	accessCache, err := buildAndStartAccessCache(ctx, resourceCache)
 	if err != nil {
 		return err
 	}
 
-	// create the authorizer and the namespace lister
-	auth := NewAuthorizer(ctx, cache)
-	nsl := NewNamespaceLister(cache, auth)
+	// create the namespace lister
+	nsl := NewNamespaceListerForSubject(accessCache)
 
 	// build http server
 	l.Info("building server")

diff --git a/mocks/rest_interface.go b/mocks/rest_interface.go