fix(cert-manager): exclude CRDs from cache to avoid excessive memory …

…usage Signed-off-by: Florian Bacher <[email protected]>
keptn · Oct 10, 2023 · bc24a3f · bc24a3f
1 parent a05a915
commit bc24a3f
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 4 deletions.
diff --git a/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go b/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
@@ -90,21 +90,38 @@ func (r *KeptnWebhookCertificateReconciler) Reconcile(ctx context.Context, reque
 	r.Log.Info("reconciling webhook certificates",
 		"namespace", request.Namespace, "name", request.Name)
 
+	r.Log.Info("Retrieving MutatingWebhooks")
 	mutatingWebhookConfigurations, err := r.ResourceRetriever.GetMutatingWebhooks(ctx)
 	if err != nil {
 		r.Log.Error(err, "could not find mutating webhook configuration")
 	}
+	r.Log.Info(
+		"Found MutatingWebhooks to inject certificates",
+		"numberOfItems", len(mutatingWebhookConfigurations.Items),
+		"byteSize", mutatingWebhookConfigurations.Size(),
+	)
 
+	r.Log.Info("Retrieving ValidatingWebhooks")
 	validatingWebhookConfigurations, err := r.ResourceRetriever.GetValidatingWebhooks(ctx)
 	if err != nil {
 		r.Log.Error(err, "could not find validating webhook configuration")
 	}
+	r.Log.Info(
+		"Found ValidatingWebhooks to inject certificates",
+		"numberOfItems", len(validatingWebhookConfigurations.Items),
+		"byteSize", validatingWebhookConfigurations.Size(),
+	)
 
+	r.Log.Info("Retrieving CRDs")
 	crds, err := r.ResourceRetriever.GetCRDs(ctx)
 	if err != nil {
 		r.Log.Error(err, "could not find CRDs")
 	}
-
+	r.Log.Info(
+		"Found CRDs to inject certificates",
+		"numberOfItems", len(crds.Items),
+		"byteSize", crds.Size(),
+	)
 	certSecret := newCertificateSecret(r.Client)
 
 	if err := r.setCertificates(ctx, certSecret); err != nil {
@@ -240,6 +257,11 @@ func (r *KeptnWebhookCertificateReconciler) updateCRDConfiguration(ctx context.C
 		return nil
 	}
 
+	r.Log.Info(
+		"Found conversion webhook in CRD, updating client certificate",
+		"crd", crdName,
+	)
+
 	// update crd
 	crd.Spec.Conversion.Webhook.ClientConfig.CABundle = bundle
 	if err := r.Client.Update(ctx, &crd); err != nil {

diff --git a/klt-cert-manager/main.go b/klt-cert-manager/main.go
@@ -2,9 +2,6 @@ package main
 
 import (
 	"flag"
-	"log"
-	"os"
-
 	"github.com/kelseyhightower/envconfig"
 	"github.com/keptn/lifecycle-toolkit/klt-cert-manager/controllers/keptnwebhookcontroller"
 	corev1 "k8s.io/api/core/v1"
@@ -13,8 +10,11 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"log"
+	"os"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -89,6 +89,11 @@ func main() {
 		// if you are doing or is intended to do any operation such as perform cleanups
 		// after the manager stops then its usage might be unsafe.
 		// LeaderElectionReleaseOnCancel: true,
+		Client: ctrlclient.Options{
+			Cache: &ctrlclient.CacheOptions{
+				DisableFor: []ctrlclient.Object{&apiv1.CustomResourceDefinition{}},
+			},
+		},
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")