Fix initial secret not being written to Kubernetes

Updates to the secret that occurred before the controller was done syncing were not being written to Kubernetes. Subsequent updates to the secret would eventually get it written, but Rancher requires that the cert be written immediately. This was probably an unnecessary optimization anyway, so back it out in favor of just checking to see if the secrets controller is available. Also fixed improper handling of multiple goroutines attempting to create the Kubernetes secret at the same time; this was also handled eventually but caused an unnecessary round of extra writes to the secret. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2025-06-24 05:47:03 +00:00 · 2022-05-11 02:28:39 -07:00 · 2022-05-11 02:28:39 -07:00 · 9b92d13bcb
commit 9b92d13bcb
parent b1d65efb6f
1 changed files with 16 additions and 10 deletions
--- a/storage/kubernetes/controller.go
+++ b/storage/kubernetes/controller.go
@ -69,6 +69,8 @@ type storage struct {
 }

 func (s *storage) SetFactory(tls dynamiclistener.TLSFactory) {
+	s.Lock()
+	defer s.Unlock()
 	s.tls = tls
 }

@ -109,7 +111,9 @@ func (s *storage) init(secrets v1controller.SecretController) {
 		// local storage was empty, try to populate it
 		secret, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
 		if err != nil {
-			logrus.Warnf("Failed to init Kubernetes secret: %v", err)
+			if !errors.IsNotFound(err) {
+				logrus.Warnf("Failed to init Kubernetes secret: %v", err)
+			}
 			return
 		}

@ -144,7 +148,7 @@ func (s *storage) targetSecret() (*v1.Secret, error) {
 }

 func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
-	if !s.controllerHasSynced() {
+	if !s.initComplete() {
 		return secret, nil
 	}

@ -206,9 +210,14 @@ func (s *storage) Update(secret *v1.Secret) error {
 	return nil
 }

+func isConflictOrAlreadyExists(err error) bool {
+	return errors.IsConflict(err) || errors.IsAlreadyExists(err)
+}
+
 func (s *storage) update(secret *v1.Secret) (err error) {
-	err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		secret, err = s.saveInK8s(secret)
+	var newSecret *v1.Secret
+	err = retry.OnError(retry.DefaultRetry, isConflictOrAlreadyExists, func() error {
+		newSecret, err = s.saveInK8s(secret)
 		return err
 	})

@ -219,14 +228,11 @@ func (s *storage) update(secret *v1.Secret) (err error) {
 	// Only hold the lock while updating underlying storage
 	s.Lock()
 	defer s.Unlock()
-	return s.storage.Update(secret)
+	return s.storage.Update(newSecret)
 }

-func (s *storage) controllerHasSynced() bool {
+func (s *storage) initComplete() bool {
 	s.RLock()
 	defer s.RUnlock()
-	if s.secrets == nil {
-		return false
-	}
-	return s.secrets.Informer().HasSynced()
+	return s.secrets != nil
 }