From 02ba77d7c6b65602769fefc4c9af2b39679f621c Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Mon, 9 Jun 2025 11:15:22 +0100 Subject: [PATCH 1/4] secretannotator: Only pass clients to Reconciler Signed-off-by: Stephen Finucane --- pkg/operator/secretannotator/aws/reconciler.go | 10 +++++----- pkg/operator/secretannotator/azure/reconciler.go | 8 ++++---- pkg/operator/secretannotator/gcp/reconciler.go | 8 ++++---- .../secretannotator/openstack/reconciler.go | 10 +++++----- .../secretannotator/secretannotator_controller.go | 13 +++++++------ pkg/operator/secretannotator/vsphere/reconciler.go | 6 +++--- 6 files changed, 28 insertions(+), 27 deletions(-) diff --git a/pkg/operator/secretannotator/aws/reconciler.go b/pkg/operator/secretannotator/aws/reconciler.go index a136a6cb23..5e1bbf8d57 100644 --- a/pkg/operator/secretannotator/aws/reconciler.go +++ b/pkg/operator/secretannotator/aws/reconciler.go @@ -38,16 +38,16 @@ const ( AwsSecretAccessKeyName = "aws_secret_access_key" ) -func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler { +func NewReconciler(client, rootCredClient, liveClient client.Client) reconcile.Reconciler { r := &ReconcileCloudCredSecret{ - Client: c, - RootCredClient: mgr.GetClient(), - LiveClient: utils.LiveClient(mgr), + Client: client, + RootCredClient: rootCredClient, + LiveClient: liveClient, Logger: log.WithField("controller", constants.SecretAnnotatorControllerName), AWSClientBuilder: awsutils.ClientBuilder, } - s := status.NewSecretStatusHandler(c) + s := status.NewSecretStatusHandler(client) statuscontroller.AddHandler(constants.SecretAnnotatorControllerName, s) return r diff --git a/pkg/operator/secretannotator/azure/reconciler.go b/pkg/operator/secretannotator/azure/reconciler.go index e607170376..2d98ee2968 100644 --- a/pkg/operator/secretannotator/azure/reconciler.go +++ b/pkg/operator/secretannotator/azure/reconciler.go 
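Review bot: The first parameter of `NewReconciler` is now named `client`, which shadows the imported `client` package for the whole function body, and every parameter has the type `client.Client`, so a call site that passes them in the wrong order still compiles. Judging by its name, one of these clients is the one used to read the root credential, so I would keep the old short name and document the order: `func NewReconciler(c, rootCredClient, liveClient client.Client) reconcile.Reconciler {` preceded by `// NewReconciler takes the operator client, the root-credential client and the uncached client, in that order.` The same shadowing is introduced in the azure, gcp, openstack and vsphere `NewReconciler` hunks of this patch.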
@@ -38,14 +38,14 @@ type ReconcileCloudCredSecret struct { Logger log.FieldLogger } -func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler { +func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler { r := &ReconcileCloudCredSecret{ - Client: c, - RootCredClient: mgr.GetClient(), + Client: client, + RootCredClient: rootCredClient, Logger: log.WithField("controller", constants.SecretAnnotatorControllerName), } - s := status.NewSecretStatusHandler(c) + s := status.NewSecretStatusHandler(client) statuscontroller.AddHandler(constants.SecretAnnotatorControllerName, s) return r diff --git a/pkg/operator/secretannotator/gcp/reconciler.go b/pkg/operator/secretannotator/gcp/reconciler.go index cdebdd7d8e..80ba10b285 100644 --- a/pkg/operator/secretannotator/gcp/reconciler.go +++ b/pkg/operator/secretannotator/gcp/reconciler.go @@ -40,16 +40,16 @@ const ( GCPAuthJSONKey = "service_account.json" ) -func NewReconciler(c client.Client, mgr manager.Manager, projectName string) reconcile.Reconciler { +func NewReconciler(client, rootCredClient client.Client, projectName string) reconcile.Reconciler { r := &ReconcileCloudCredSecret{ - Client: c, - RootCredClient: mgr.GetClient(), + Client: client, + RootCredClient: rootCredClient, Logger: log.WithField("controller", constants.SecretAnnotatorControllerName), GCPClientBuilder: ccgcp.NewClientFromJSON, ProjectName: projectName, } - s := status.NewSecretStatusHandler(c) + s := status.NewSecretStatusHandler(client) statuscontroller.AddHandler(controllerName, s) return r diff --git a/pkg/operator/secretannotator/openstack/reconciler.go b/pkg/operator/secretannotator/openstack/reconciler.go index fed4db31a6..66c6ca6226 100644 --- a/pkg/operator/secretannotator/openstack/reconciler.go +++ b/pkg/operator/secretannotator/openstack/reconciler.go 
@@ -49,15 +49,15 @@ import ( "github.com/openshift/cloud-credential-operator/pkg/operator/utils" ) -func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler { +func NewReconciler(client, rootCredClient, liveClient client.Client) reconcile.Reconciler { r := &ReconcileCloudCredSecret{ - Client: c, - RootCredClient: mgr.GetClient(), - LiveClient: utils.LiveClient(mgr), + Client: client, + RootCredClient: rootCredClient, + LiveClient: liveClient, Logger: log.WithField("controller", constants.SecretAnnotatorControllerName), } - s := status.NewSecretStatusHandler(c) + s := status.NewSecretStatusHandler(client) statuscontroller.AddHandler(constants.SecretAnnotatorControllerName, s) return r diff --git a/pkg/operator/secretannotator/secretannotator_controller.go b/pkg/operator/secretannotator/secretannotator_controller.go index e045e76b94..458c3e6300 100644 --- a/pkg/operator/secretannotator/secretannotator_controller.go +++ b/pkg/operator/secretannotator/secretannotator_controller.go @@ -26,6 +26,7 @@ import ( "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/gcp" "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/openstack" "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/vsphere" + "github.com/openshift/cloud-credential-operator/pkg/operator/utils" log "github.com/sirupsen/logrus" ) 
@@ -40,19 +41,19 @@ func Add(mgr, rootCredentialManager manager.Manager, kubeconfig string) error { switch platformType { case configv1.AzurePlatformType: - return azure.Add(mgr, rootCredentialManager, azure.NewReconciler(mgr.GetClient(), rootCredentialManager)) + return azure.Add(mgr, rootCredentialManager, azure.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient())) case configv1.AWSPlatformType: - return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager)) + return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient(), utils.LiveClient(mgr))) case configv1.GCPPlatformType: if infraStatus.PlatformStatus == nil || infraStatus.PlatformStatus.GCP == nil { log.Fatalf("Missing GCP configuration in infrastructure platform status") } - return gcp.Add(mgr, rootCredentialManager, gcp.NewReconciler(mgr.GetClient(), rootCredentialManager, infraStatus.PlatformStatus.GCP.ProjectID)) + return gcp.Add(mgr, rootCredentialManager, gcp.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient(), infraStatus.PlatformStatus.GCP.ProjectID)) case configv1.VSpherePlatformType: - return vsphere.Add(mgr, rootCredentialManager, vsphere.NewReconciler(mgr.GetClient(), rootCredentialManager)) + return vsphere.Add(mgr, rootCredentialManager, vsphere.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient())) case configv1.OpenStackPlatformType: - return openstack.Add(mgr, rootCredentialManager, openstack.NewReconciler(mgr.GetClient(), rootCredentialManager)) + return openstack.Add(mgr, rootCredentialManager, openstack.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient(), utils.LiveClient(mgr))) default: // returning the AWS implementation for default to avoid changing any behavior - return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager)) + return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), 
rootCredentialManager.GetClient(), utils.LiveClient(mgr))) } } diff --git a/pkg/operator/secretannotator/vsphere/reconciler.go b/pkg/operator/secretannotator/vsphere/reconciler.go index e220165d9b..5445cefa3e 100644 --- a/pkg/operator/secretannotator/vsphere/reconciler.go +++ b/pkg/operator/secretannotator/vsphere/reconciler.go @@ -58,10 +58,10 @@ type ReconcileCloudCredSecret struct { } // NewReconciler will return a reconciler for handling vSphere cloud cred secrets. -func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler { +func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler { return &ReconcileCloudCredSecret{ - Client: c, - RootCredClient: mgr.GetClient(), + Client: client, + RootCredClient: rootCredClient, Logger: log.WithField("controller", constants.SecretAnnotatorControllerName), } } From 910b9f2bedd783dd388f4d571b28d7213ab03845 Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Mon, 9 Jun 2025 11:34:23 +0100 Subject: [PATCH 2/4] Only cache cloud config CMs This will allow us to use this caching client shortly. Signed-off-by: Stephen Finucane --- pkg/cmd/operator/cmd.go | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/pkg/cmd/operator/cmd.go b/pkg/cmd/operator/cmd.go index accdde65e5..665667ea84 100644 --- a/pkg/cmd/operator/cmd.go +++ b/pkg/cmd/operator/cmd.go @@ -202,6 +202,9 @@ func NewOperator() *cobra.Command { &corev1.Secret{}: { Field: selectorForRootCredential(platformType), }, + &corev1.ConfigMap{}: { + Field: selectorForCloudConfig(platformType), + }, }, }, }) 
@@ -359,6 +362,26 @@ func selectorForRootCredential(platformType configv1.PlatformType) fields.Select return selector } +func selectorForCloudConfig(platformType configv1.PlatformType) fields.Selector { + var name, namespace string + switch platformType { + case configv1.AWSPlatformType: + namespace = "openshift-config-managed" + name = "kube-cloud-config" + case configv1.OpenStackPlatformType: + namespace = "openshift-config" + name = "cloud-provider-config" + default: + return fields.Nothing() + } + selector := fields.SelectorFromSet(fields.Set{ + "metadata.namespace": namespace, + "metadata.name": name, + }) + log.WithField("selector", selector.String()).Info("setting up field selector for cloud config ConfigMap") + return selector +} + func initializeGlog(flags *pflag.FlagSet) { golog.SetOutput(glogWriter{}) // Redirect all regular go log output to glog golog.SetFlags(0) From 337d50725b7705cbee9a0e8571521edbb99bbdda Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Mon, 9 Jun 2025 11:40:51 +0100 Subject: [PATCH 3/4] Remove use of non-caching client This was first introduced in commit 48d6ccc6437 as a resolution to OCPBUGS-16313 [1][2], which was itself introduced by the removal of configmaps read access from the cluster role used by CCO. However, non-caching clients are expensive and with the change introduced in the previous commit, which restricted caching to specific config maps, plus the existing role allowing access to these config maps, their use should no longer be necessary. [1] https://github.com/openshift/cloud-credential-operator/pull/575 [2] https://issues.redhat.com/browse/OCPBUGS-16313 
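Review bot: `selectorForCloudConfig` has no doc comment, and its `default` branch returning `fields.Nothing()` is easy to misread. On every platform other than AWS and OpenStack the ConfigMap cache will match no objects, so a ConfigMap read through that cache would presumably come back as not found rather than reach the API server. That matters because the secretannotator `Add` switch elsewhere in this series falls back to the AWS reconciler in its own `default` case. I would add `// selectorForCloudConfig limits the ConfigMap cache to the single cloud config object for the platform; other platforms cache no ConfigMaps.` and lift the namespace and name literals into shared constants, since `"openshift-config"` and `"cloud-provider-config"` are repeated as literals in the OpenStack reconciler's `Get` call.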
Signed-off-by: Stephen Finucane --- pkg/aws/actuator/actuator.go | 12 +++---- pkg/operator/controller.go | 3 +- .../secretannotator/aws/reconciler.go | 6 ++-- .../secretannotator/openstack/reconciler.go | 6 ++-- .../openstack/reconciler_test.go | 4 --- .../secretannotator_controller.go | 7 ++-- pkg/operator/utils/client.go | 32 ------------------- 7 files changed, 13 insertions(+), 57 deletions(-) delete mode 100644 pkg/operator/utils/client.go diff --git a/pkg/aws/actuator/actuator.go b/pkg/aws/actuator/actuator.go index f3462130bd..42f92ce13d 100644 --- a/pkg/aws/actuator/actuator.go +++ b/pkg/aws/actuator/actuator.go @@ -71,16 +71,14 @@ var _ actuatoriface.Actuator = (*AWSActuator)(nil) type AWSActuator struct { Client client.Client RootCredClient client.Client - LiveClient client.Client AWSClientBuilder func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error) Scheme *runtime.Scheme } // NewAWSActuator creates a new AWSActuator. -func NewAWSActuator(client, rootCredClient, liveClient client.Client, scheme *runtime.Scheme) (*AWSActuator, error) { +func NewAWSActuator(client, rootCredClient client.Client, scheme *runtime.Scheme) (*AWSActuator, error) { return &AWSActuator{ Client: client, - LiveClient: liveClient, RootCredClient: rootCredClient, AWSClientBuilder: awsutils.ClientBuilder, Scheme: scheme, @@ -158,7 +156,7 @@ func (a *AWSActuator) needsUpdate(ctx context.Context, cr *minterv1.CredentialsR // Various checks for the kinds of reasons that would trigger a needed update _, existingAccessKey, existingSecretKey, existingCredentialsKey := a.loadExistingSecret(cr) - awsClient, err := a.AWSClientBuilder([]byte(existingAccessKey), []byte(existingSecretKey), a.LiveClient) + awsClient, err := a.AWSClientBuilder([]byte(existingAccessKey), []byte(existingSecretKey), a.RootCredClient) if err != nil { return true, err } 
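Review bot: `AWSClientBuilder` is now handed `a.RootCredClient` instead of `a.LiveClient`, which is more than a cached-versus-live swap. Per the controller.go hunk, the live client was built from `m` (`utils.LiveClient(m)`) while `RootCredClient` comes from `rootM.GetClient()`, so anything the builder reads through this argument is now served by the root-credential manager, whose cache PATCH 2/4 restricts by field selector. The builder's body is not part of this diff, so it is worth confirming that it reads nothing outside that selection and recording the contract on the struct field, e.g. `// RootCredClient is also passed to AWSClientBuilder; its cache only holds the selected root credential Secret and cloud config ConfigMap.` The same substitution is made in `syncPassthrough`, `buildRootAWSClient`, `buildReadAWSClient` and the AWS secretannotator's `validateCloudCredsSecret`. `needsUpdate` starts and ends outside this hunk.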
@@ -471,7 +469,7 @@ func (a *AWSActuator) syncPassthrough(ctx context.Context, cr *minterv1.Credenti } // build client with root secret and verify that the creds are good enough to pass through - awsClient, err := a.AWSClientBuilder([]byte(accessKeyID), []byte(secretAccessKey), a.LiveClient) + awsClient, err := a.AWSClientBuilder([]byte(accessKeyID), []byte(secretAccessKey), a.RootCredClient) if err != nil { msg := "error building AWS client" logger.WithError(err).Error(msg) @@ -957,7 +955,7 @@ func (a *AWSActuator) buildRootAWSClient(cr *minterv1.CredentialsRequest) (minte } logger.Debug("creating root AWS client") - return a.AWSClientBuilder(accessKeyID, secretAccessKey, a.LiveClient) + return a.AWSClientBuilder(accessKeyID, secretAccessKey, a.RootCredClient) } // buildReadAWSClient will return an AWS client using the the scaled down read only AWS creds @@ -987,7 +985,7 @@ func (a *AWSActuator) buildReadAWSClient(cr *minterv1.CredentialsRequest) (minte } logger.Debug("creating read AWS client") - client, err := a.AWSClientBuilder(accessKeyID, secretAccessKey, a.LiveClient) + client, err := a.AWSClientBuilder(accessKeyID, secretAccessKey, a.RootCredClient) if err != nil { return nil, err } diff --git a/pkg/operator/controller.go b/pkg/operator/controller.go index 52089d7eaf..63bc4817bf 100644 --- a/pkg/operator/controller.go +++ b/pkg/operator/controller.go @@ -32,7 +32,6 @@ import ( "github.com/openshift/cloud-credential-operator/pkg/operator/podidentity" "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator" "github.com/openshift/cloud-credential-operator/pkg/operator/status" - "github.com/openshift/cloud-credential-operator/pkg/operator/utils" "github.com/openshift/cloud-credential-operator/pkg/ovirt" "github.com/openshift/cloud-credential-operator/pkg/util" vsphereactuator "github.com/openshift/cloud-credential-operator/pkg/vsphere/actuator" 
@@ -86,7 +85,7 @@ func AddToManager(m, rootM manager.Manager, explicitKubeconfig string, coreClien switch platformType { case configv1.AWSPlatformType: log.Info("initializing AWS actuator") - a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), utils.LiveClient(m), m.GetScheme()) + a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), m.GetScheme()) if err != nil { return err } diff --git a/pkg/operator/secretannotator/aws/reconciler.go b/pkg/operator/secretannotator/aws/reconciler.go index 5e1bbf8d57..706268f4bb 100644 --- a/pkg/operator/secretannotator/aws/reconciler.go +++ b/pkg/operator/secretannotator/aws/reconciler.go @@ -38,11 +38,10 @@ const ( AwsSecretAccessKeyName = "aws_secret_access_key" ) -func NewReconciler(client, rootCredClient, liveClient client.Client) reconcile.Reconciler { +func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler { r := &ReconcileCloudCredSecret{ Client: client, RootCredClient: rootCredClient, - LiveClient: liveClient, Logger: log.WithField("controller", constants.SecretAnnotatorControllerName), AWSClientBuilder: awsutils.ClientBuilder, } @@ -97,7 +96,6 @@ var _ reconcile.Reconciler = &ReconcileCloudCredSecret{} type ReconcileCloudCredSecret struct { Client client.Client RootCredClient client.Client - LiveClient client.Client Logger log.FieldLogger AWSClientBuilder func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error) } @@ -185,7 +183,7 @@ func (r *ReconcileCloudCredSecret) validateCloudCredsSecret(secret *corev1.Secre return r.updateSecretAnnotations(secret, constants.InsufficientAnnotation) } - awsClient, err := r.AWSClientBuilder(accessKey, secretKey, r.LiveClient) + awsClient, err := r.AWSClientBuilder(accessKey, secretKey, r.RootCredClient) if err != nil { return fmt.Errorf("error creating aws client: %v", err) } 
diff --git a/pkg/operator/secretannotator/openstack/reconciler.go b/pkg/operator/secretannotator/openstack/reconciler.go index 66c6ca6226..b8ad662ce1 100644 --- a/pkg/operator/secretannotator/openstack/reconciler.go +++ b/pkg/operator/secretannotator/openstack/reconciler.go @@ -49,11 +49,10 @@ import ( "github.com/openshift/cloud-credential-operator/pkg/operator/utils" ) -func NewReconciler(client, rootCredClient, liveClient client.Client) reconcile.Reconciler { +func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler { r := &ReconcileCloudCredSecret{ Client: client, RootCredClient: rootCredClient, - LiveClient: liveClient, Logger: log.WithField("controller", constants.SecretAnnotatorControllerName), } @@ -107,7 +106,6 @@ var _ reconcile.Reconciler = &ReconcileCloudCredSecret{} type ReconcileCloudCredSecret struct { Client client.Client RootCredClient client.Client - LiveClient client.Client Logger log.FieldLogger } @@ -172,7 +170,7 @@ func (r *ReconcileCloudCredSecret) Reconcile(ctx context.Context, request reconc // TODO(stephenfin): Remove this syncer in a future release once CCM no longer // relies on the legacy place during bootstrapping. config := &corev1.ConfigMap{} - err = r.LiveClient.Get(context.Background(), types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config) + err = r.RootCredClient.Get(context.Background(), types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config) if err != nil { r.Logger.Debugf("cloud provider config not found: %v", err) return reconcile.Result{}, err diff --git a/pkg/operator/secretannotator/openstack/reconciler_test.go b/pkg/operator/secretannotator/openstack/reconciler_test.go index 6d8f24083c..32aab010c0 100644 --- a/pkg/operator/secretannotator/openstack/reconciler_test.go +++ b/pkg/operator/secretannotator/openstack/reconciler_test.go 
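Review bot: The `Get` for `openshift-config/cloud-provider-config` now goes through `r.RootCredClient`; if that is the manager's default cache-backed client, the read depends on an informer that needs `list` and `watch` on the ConfigMap, yet PATCH 4/4 of this series removes exactly those verbs from `manifests/01-config-role.yaml` and leaves only `get`. If that role is the one granting this access, the cache may never sync, and the failure would surface here only as the debug-level message "cloud provider config not found". Please confirm the two patches are compatible, since the role's binding is not visible in the diff. While touching this line, the call should also use the context passed to `Reconcile` rather than a fresh one: `err = r.RootCredClient.Get(ctx, types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config)`. `Reconcile` begins and ends outside the hunk.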
@@ -190,12 +190,10 @@ func TestReconcileCloudCredSecret_Reconcile(t *testing.T) { existing := append(tc.existing, infra, testOperatorConfig(tc.mode)) fakeClient := fake.NewClientBuilder().WithRuntimeObjects(existing...).Build() fakeRootCredClient := fake.NewClientBuilder().WithRuntimeObjects(secret, ccmConfig).Build() - fakeLiveClient := fake.NewClientBuilder().WithRuntimeObjects(ccmConfig).Build() r := &ReconcileCloudCredSecret{ Client: fakeClient, RootCredClient: fakeRootCredClient, - LiveClient: fakeLiveClient, Logger: log.WithField("controller", "testController"), } _, err := r.Reconcile(context.TODO(), reconcile.Request{NamespacedName: types.NamespacedName{ @@ -281,13 +279,11 @@ func TestReconcileCloudCredSecret_Reconcile(t *testing.T) { secret := testSecret(tc.cloudsYAML) fakeClient := fake.NewClientBuilder().WithRuntimeObjects(infra, passthrough).Build() fakeRootCredClient := fake.NewClientBuilder().WithRuntimeObjects(secret, ccmConfig).Build() - fakeLiveClient := fake.NewClientBuilder().WithRuntimeObjects(ccmConfig).Build() t.Logf("clouds.yaml: %s", tc.cloudsYAML) r := &ReconcileCloudCredSecret{ Client: fakeClient, RootCredClient: fakeRootCredClient, - LiveClient: fakeLiveClient, Logger: log.WithField("controller", "testController"), } diff --git a/pkg/operator/secretannotator/secretannotator_controller.go b/pkg/operator/secretannotator/secretannotator_controller.go index 458c3e6300..bc4c878e79 100644 --- a/pkg/operator/secretannotator/secretannotator_controller.go +++ b/pkg/operator/secretannotator/secretannotator_controller.go @@ -26,7 +26,6 @@ import ( "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/gcp" "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/openstack" "github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator/vsphere" - "github.com/openshift/cloud-credential-operator/pkg/operator/utils" log "github.com/sirupsen/logrus" ) 
@@ -43,7 +42,7 @@ func Add(mgr, rootCredentialManager manager.Manager, kubeconfig string) error { case configv1.AzurePlatformType: return azure.Add(mgr, rootCredentialManager, azure.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient())) case configv1.AWSPlatformType: - return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient(), utils.LiveClient(mgr))) + return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient())) case configv1.GCPPlatformType: if infraStatus.PlatformStatus == nil || infraStatus.PlatformStatus.GCP == nil { log.Fatalf("Missing GCP configuration in infrastructure platform status") @@ -52,8 +51,8 @@ func Add(mgr, rootCredentialManager manager.Manager, kubeconfig string) error { case configv1.VSpherePlatformType: return vsphere.Add(mgr, rootCredentialManager, vsphere.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient())) case configv1.OpenStackPlatformType: - return openstack.Add(mgr, rootCredentialManager, openstack.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient(), utils.LiveClient(mgr))) + return openstack.Add(mgr, rootCredentialManager, openstack.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient())) default: // returning the AWS implementation for default to avoid changing any behavior - return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient(), utils.LiveClient(mgr))) + return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient())) } } diff --git a/pkg/operator/utils/client.go b/pkg/operator/utils/client.go deleted file mode 100644 index f7886fa515..0000000000 --- a/pkg/operator/utils/client.go +++ /dev/null 
@@ -1,32 +0,0 @@ -package utils - -import ( - "context" - - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/manager" -) - -type delegatingClient struct { - reader client.Reader - client.Client -} - -func (d *delegatingClient) Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error { - return d.reader.Get(ctx, key, obj, opts...) -} - -func (d *delegatingClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error { - return d.reader.List(ctx, list, opts...) -} - -var _ client.Client = (*delegatingClient)(nil) - -// LiveClient returns a client.Client that never uses the cache by virtue of using the APIReader() for -// all read operations. -func LiveClient(mgr manager.Manager) client.Client { - return &delegatingClient{ - reader: mgr.GetAPIReader(), - Client: mgr.GetClient(), - } -} From 737fd1800e0b288b91fdbba30dc0f772341b317d Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Mon, 9 Jun 2025 11:36:49 +0100 Subject: [PATCH 4/4] manifests: Narrow allowed verbs This should have been cleaned up after debugging. Signed-off-by: Stephen Finucane --- manifests/01-config-role.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/manifests/01-config-role.yaml b/manifests/01-config-role.yaml index a914914416..75f8070f0a 100644 --- a/manifests/01-config-role.yaml +++ b/manifests/01-config-role.yaml @@ -16,5 +16,3 @@ rules: - cloud-provider-config verbs: - get - - list - - watch