Add support for restricting the secrets watch list in cainjector

Aurélien Baumann · Aurélien Baumann · commit d9c01a9330e8 · 2022-11-16T16:26:16.000-05:00
The --secrets-field-selector flag is introduced and accepts a field selector expression

The following example makes cainjector ignore all secrets whose type is "helm.sh/release.v1".

```
--secrets-field-selector type!=helm.sh/release.v1
```

Signed-off-by: Aurélien Baumann &lt;aur.baumann@gmail.com&gt;
diff --git a/cmd/cainjector/app/start.go b/cmd/cainjector/app/start.go
@@ -44,6 +44,7 @@ import (
 // InjectorControllerOptions is a struct having injector controller options values
 type InjectorControllerOptions struct {
 	Namespace               string
+	SecretsFieldSelector    string
 	LeaderElect             bool
 	LeaderElectionNamespace string
 	LeaseDuration           time.Duration
@@ -69,6 +70,9 @@ func (o *InjectorControllerOptions) AddFlags(fs *pflag.FlagSet) {
 		"If set, this limits the scope of cainjector to a single namespace. "+
 		"If set, cainjector will not update resources with certificates outside of the "+
 		"configured namespace.")
+	fs.StringVar(&o.SecretsFieldSelector, "secrets-field-selector", "", ""+
+		"If set, this restricts the secrets watch list to the objects that match the given field expression. "+
+		"Example value is type!=helm.sh/release.v1.")
 	fs.BoolVar(&o.LeaderElect, "leader-elect", cmdutil.DefaultLeaderElect, ""+
 		"If true, cainjector will perform leader election between instances to ensure no more "+
 		"than one instance of cainjector operates at a time")
@@ -215,7 +219,7 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
 	// Never retry if the controller exits cleanly.
 	g.Go(func() (err error) {
 		for {
-			err = cainjector.RegisterCertificateBased(gctx, mgr)
+			err = cainjector.RegisterCertificateBased(gctx, mgr, o.SecretsFieldSelector)
 			if err == nil {
 				return
 			}
@@ -234,7 +238,7 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
 	// We do not retry this controller because it only interacts with core APIs
 	// which should always be in a working state.
 	g.Go(func() (err error) {
-		if err = cainjector.RegisterSecretBased(gctx, mgr); err != nil {
+		if err = cainjector.RegisterSecretBased(gctx, mgr, o.SecretsFieldSelector); err != nil {
 			return fmt.Errorf("error registering secret controller: %v", err)
 		}
 		return
diff --git a/pkg/controller/cainjector/setup.go b/pkg/controller/cainjector/setup.go
@@ -21,12 +21,13 @@ import (
 	"fmt"
 	"os"
 
-	logf "github.com/cert-manager/cert-manager/pkg/logs"
 	"github.com/go-logr/logr"
 	"golang.org/x/sync/errgroup"
 	admissionreg "k8s.io/api/admissionregistration/v1"
+	corev1 "k8s.io/api/core/v1"
 	apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	apireg "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -37,6 +38,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
+
+	logf "github.com/cert-manager/cert-manager/pkg/logs"
 )
 
 // injectorSet describes a particular setup of the injector controller
@@ -180,8 +183,8 @@ func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
 // indices.
 // The registered controllers require the cert-manager API to be available
 // in order to run.
-func RegisterCertificateBased(ctx context.Context, mgr ctrl.Manager) error {
-	cache, client, err := newIndependentCacheAndDelegatingClient(mgr)
+func RegisterCertificateBased(ctx context.Context, mgr ctrl.Manager, secretsFieldSelector string) error {
+	cache, client, err := newIndependentCacheAndDelegatingClient(mgr, secretsFieldSelector)
 	if err != nil {
 		return err
 	}
@@ -202,8 +205,8 @@ func RegisterCertificateBased(ctx context.Context, mgr ctrl.Manager) error {
 // indices.
 // The registered controllers only require the corev1 APi to be available in
 // order to run.
-func RegisterSecretBased(ctx context.Context, mgr ctrl.Manager) error {
-	cache, client, err := newIndependentCacheAndDelegatingClient(mgr)
+func RegisterSecretBased(ctx context.Context, mgr ctrl.Manager, secretsFieldSelector string) error {
+	cache, client, err := newIndependentCacheAndDelegatingClient(mgr, secretsFieldSelector)
 	if err != nil {
 		return err
 	}
@@ -226,10 +229,15 @@ func RegisterSecretBased(ctx context.Context, mgr ctrl.Manager) error {
 // cert-manager Certificates CRDs have been installed and before the CA bundles
 // have been injected into the cert-manager CRDs, by the secrets based injector,
 // which is running in a separate goroutine.
-func newIndependentCacheAndDelegatingClient(mgr ctrl.Manager) (cache.Cache, client.Client, error) {
+func newIndependentCacheAndDelegatingClient(mgr ctrl.Manager, secretsFieldSelector string) (cache.Cache, client.Client, error) {
+	selector, err := selectorFromFieldSelectorExpressions(secretsFieldSelector)
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid field selector expression %s: %w", secretsFieldSelector, err)
+	}
 	cacheOptions := cache.Options{
-		Scheme: mgr.GetScheme(),
-		Mapper: mgr.GetRESTMapper(),
+		Scheme:            mgr.GetScheme(),
+		Mapper:            mgr.GetRESTMapper(),
+		SelectorsByObject: selector,
 	}
 	ca, err := cache.New(mgr.GetConfig(), cacheOptions)
 	if err != nil {
@@ -247,3 +255,14 @@ func newIndependentCacheAndDelegatingClient(mgr ctrl.Manager) (cache.Cache, clie
 	}
 	return ca, client, nil
 }
+
+func selectorFromFieldSelectorExpressions(expression string) (cache.SelectorsByObject, error) {
+	if expression == "" {
+		return nil, nil
+	}
+	selector, err := fields.ParseSelector(expression)
+	if err != nil {
+		return nil, fmt.Errorf("invalid field selector expression %s: %w", expression, err)
+	}
+	return map[client.Object]cache.ObjectSelector{&corev1.Secret{}: {Field: selector}}, nil
+}
