Merge pull request #989 from mac-chaffee/no-cache-secrets

Disable caching of secrets and configmaps
fluxcd · Jan 27, 2023 · 5984c81 · 5984c81
2 parents 9dc4271 + f84afcb
commit 5984c81
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 [![report](https://goreportcard.com/badge/github.com/fluxcd/source-controller)](https://goreportcard.com/report/github.com/fluxcd/source-controller)
 [![license](https://img.shields.io/github/license/fluxcd/source-controller.svg)](https://github.com/fluxcd/source-controller/blob/main/LICENSE)
 [![release](https://img.shields.io/github/release/fluxcd/source-controller/all.svg)](https://github.com/fluxcd/source-controller/releases)
- 
+
 The source-controller is a Kubernetes operator, specialised in artifacts acquisition
 from external sources such as Git, Helm repositories and S3 buckets.
 The source-controller implements the
@@ -25,3 +25,5 @@ Features:
 * makes the artifacts available in-cluster to interested 3rd parties
 * notifies interested 3rd parties of source changes and availability (status conditions, events, hooks)
 * reacts to Git push and Helm chart upload events (via [notification-controller](https://github.com/fluxcd/notification-controller))
+
+See [the docs folder](docs/spec/README.md) for more information.
diff --git a/internal/features/features.go b/internal/features/features.go
@@ -29,15 +29,23 @@ const (
 	// the last revision is still the same at the target repository,
 	// and if that is so, skips the reconciliation.
 	OptimizedGitClones = "OptimizedGitClones"
+	// CacheSecretsAndConfigMaps controls whether secrets and configmaps should be cached.
+	//
+	// When enabled, it will cache both object types, resulting in increased memory usage
+	// and cluster-wide RBAC permissions (list and watch).
+	CacheSecretsAndConfigMaps = "CacheSecretsAndConfigMaps"
 )
 
 var features = map[string]bool{
 	// OptimizedGitClones
 	// opt-out from v0.25
 	OptimizedGitClones: true,
+	// CacheSecretsAndConfigMaps
+	// opt-in from v0.34
+	CacheSecretsAndConfigMaps: false,
 }
 
-// DefaultFeatureGates contains a list of all supported feature gates and
+// FeatureGates contains a list of all supported feature gates and
 // their default values.
 func FeatureGates() map[string]bool {
 	return features

diff --git a/main.go b/main.go
@@ -27,11 +27,13 @@ import (
 	"github.com/go-logr/logr"
 	flag "github.com/spf13/pflag"
 	"helm.sh/helm/v3/pkg/getter"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	ctrl "sigs.k8s.io/controller-runtime"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/runtime/client"
@@ -167,6 +169,16 @@ func main() {
 		watchNamespace = os.Getenv("RUNTIME_NAMESPACE")
 	}
 
+	disableCacheFor := []ctrlclient.Object{}
+	shouldCache, err := features.Enabled(features.CacheSecretsAndConfigMaps)
+	if err != nil {
+		setupLog.Error(err, "unable to check feature gate "+features.CacheSecretsAndConfigMaps)
+		os.Exit(1)
+	}
+	if !shouldCache {
+		disableCacheFor = append(disableCacheFor, &corev1.Secret{}, &corev1.ConfigMap{})
+	}
+
 	restConfig := client.GetConfigOrDie(clientOptions)
 	mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
 		Scheme:                        scheme,
@@ -181,6 +193,7 @@ func main() {
 		LeaderElectionID:              fmt.Sprintf("%s-leader-election", controllerName),
 		Namespace:                     watchNamespace,
 		Logger:                        ctrl.Log,
+		ClientDisableCacheFor:         disableCacheFor,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")