Update secrets on resource version change only #2047

Merged
merged 1 commit into from
May 30, 2024

Conversation

ciarams87
Member

Proposed changes

Problem: Controller-runtime forces a reconciliation after a certain amount of time, even if the resources have not changed (default is 10 hours). For many resources, we have a generation changed predicate, meaning we do not process any changes unless there is a change in the spec. Secrets, however, do not have a generation ID and so cannot have such a predicate.

Solution: Secrets do have a resource version, and the controller-runtime provides a ResourceVersionChangedPredicate we can use similarly to the GenerationChangedPredicate we use elsewhere.

Testing: Left running overnight and confirmed the behaviour (reconciliation of the secrets) no longer occurred.

Please focus on (optional): Please note that this approach does not introspect the cert and key for changes, and a reconciliation will still occur where the cert and key remain the same but a different property (e.g. an annotation) changes, meaning the resource version will have changed.

Closes #1112

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

NONE

@ciarams87 ciarams87 requested a review from a team as a code owner May 29, 2024 08:43
@github-actions github-actions bot added the bug Something isn't working label May 29, 2024
@kate-osborn
Contributor

LGTM

Do you think we should file another issue to optimize secret processing further and only reload NGINX when the secret's content changes?

Contributor

@salonichf5 salonichf5 left a comment

lgtm

@ciarams87
Member Author

Do you think we should file another issue to optimize secret processing further and only reload NGINX when the secret's content changes?

@kate-osborn I added an additional task to #1664 - I would be hopeful that we could find a solution that handles all cases where we reload NGINX unnecessarily
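Added example (not part of the PR or the project's code): a standard-library Go model of the two filters discussed in this thread, the resource-version check described in the PR and a content-based check of the kind raised in the follow-up question. The `Secret` struct is a simplified stand-in for the Kubernetes type, and `dataDigest` and `ContentChanged` are hypothetical helpers; the sample Secrets are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Secret is a simplified stand-in for corev1.Secret (assumption for this example).
type Secret struct {
	ResourceVersion string
	Annotations     map[string]string
	Data            map[string][]byte
}

// ResourceVersionChanged applies the same update rule as controller-runtime's
// ResourceVersionChangedPredicate: pass the event only if the version differs.
func ResourceVersionChanged(oldS, newS *Secret) bool {
	return oldS != nil && newS != nil && oldS.ResourceVersion != newS.ResourceVersion
}

// dataDigest (hypothetical helper) hashes only Data, in sorted key order, with
// length prefixes so key/value boundaries cannot be confused.
func dataDigest(s *Secret) [32]byte {
	keys := make([]string, 0, len(s.Data))
	for k := range s.Data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var buf bytes.Buffer
	for _, k := range keys {
		fmt.Fprintf(&buf, "%d:%s,%d:", len(k), k, len(s.Data[k]))
		buf.Write(s.Data[k])
	}
	return sha256.Sum256(buf.Bytes())
}

// ContentChanged reports whether the cert/key material itself differs.
func ContentChanged(oldS, newS *Secret) bool { return dataDigest(oldS) != dataDigest(newS) }

func main() {
	mk := func(rv, note, crt string) *Secret { // constructed sample Secrets
		return &Secret{rv, map[string]string{"note": note}, map[string][]byte{"tls.crt": []byte(crt), "tls.key": []byte("KEY-A")}}
	}
	old := mk("100", "v1", "CERT-A")
	for _, ev := range []*Secret{mk("100", "v1", "CERT-A"), mk("101", "v2", "CERT-A"), mk("102", "v2", "CERT-B")} {
		fmt.Printf("rv=%s versionChanged=%v contentChanged=%v\n", ev.ResourceVersion, ResourceVersionChanged(old, ev), ContentChanged(old, ev))
	}
}
```

The three events model a periodic resync, an annotation-only edit, and a certificate rotation; only the content check separates the last two.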

@ciarams87 ciarams87 force-pushed the fix/only-update-secret-on-change branch from 3a14fdc to 0ec717b Compare May 30, 2024 11:15
@ciarams87 ciarams87 enabled auto-merge (squash) May 30, 2024 11:16
@ciarams87 ciarams87 merged commit 16f0835 into nginxinc:main May 30, 2024
40 checks passed
@pleshakov pleshakov mentioned this pull request Jun 10, 2024
Labels
bug Something isn't working
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

NGF unnecessary reloads NGINX when it reconciles Secrets
4 participants