profile handling

Author: ajssmith

internal/kube/adaptor/config_init.go

@@ -48,13 +48,20 @@ func InitialiseConfig(cli internalclient.Clients, namespace string, path string,
 		if routerConfiguration == nil {
 			return fmt.Errorf("empty router configuration in ConfigMap %q", routerConfigMap)
 		}
-		delta := secretsSync.Expect(routerConfiguration.SslProfiles)
+		delta := secretsSync.ExpectSslProfiles(routerConfiguration.SslProfiles)
 		if len(delta.Missing) > 0 {
 			slog.Info("Waiting for Secrets to be created for SslProfiles", slog.Any("sslProfiles", delta.Missing))
 		}
 		for name, diff := range delta.PendingOrdinals {
 			slog.Info("Secret has outdated ordinal", slog.String("secret", diff.SecretName), slog.Uint64("ordinal", diff.Current), slog.String("profile", name), slog.Uint64("expected", diff.Expect))
 		}
+		deltaProxy := secretsSync.ExpectProxyProfiles(namespace+"/"+routerConfigMap, routerConfiguration.ProxyProfiles)
+		if len(deltaProxy.Missing) > 0 {
+			slog.Info("Waiting for Secrets to be created for ProxyProfiles", slog.Any("proxProfiles", deltaProxy.Missing))
+		}
+		for _, err := range deltaProxy.Errors {
+			delta.Errors = append(delta.Errors, err)
+		}
 		return delta.Error()
 	}, backoff.NewExponentialBackOff(backoff.WithMaxElapsedTime(time.Second*60)))
 	if retryErr != nil {

internal/kube/adaptor/config_sync.go

@@ -1,11 +1,15 @@
 package adaptor
 
 import (
+	"context"
 	"fmt"
 	"log/slog"
 	"os"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/util/retry"
 
 	internalclient "github.com/skupperproject/skupper/internal/kube/client"
 	"github.com/skupperproject/skupper/internal/kube/secrets"
@@ -14,8 +18,10 @@ import (
 )
 
 // Syncs the live router config with the configmap (bridge configuration,
-// secrets for services with TLS enabled, and secrets and connectors for links)
+// secrets for services with TLS enabled, and secrets and connectors for links
+// as well as proxy profiles)
 type ConfigSync struct {
+	cli             internalclient.Clients
 	agentPool       *qdr.AgentPool
 	controller      *watchers.EventProcessor
 	namespace       string
@@ -37,6 +43,7 @@ func sslSecretsWatcher(namespace string, eventProcessor *watchers.EventProcessor
 func NewConfigSync(cli internalclient.Clients, namespace string, path string, routerConfigMap string, metrics watchers.MetricsProvider) *ConfigSync {
 	controller := watchers.NewEventProcessor("config-sync", cli, watchers.WithMetricsProvider(metrics))
 	configSync := &ConfigSync{
+		cli:             cli,
 		agentPool:       qdr.NewAgentPool("amqp://localhost:5672", nil),
 		controller:      controller,
 		namespace:       namespace,
@@ -88,6 +95,26 @@ func (c *ConfigSync) key(name string) string {
 	return fmt.Sprintf("%s/%s", c.namespace, name)
 }
 
+func UpdateRouterConfig(client kubernetes.Interface, ctxt context.Context, update *qdr.RouterConfig, configmap *corev1.ConfigMap) error {
+	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		return updateRouterConfig(client, ctxt, update, configmap)
+	})
+}
+
+func updateRouterConfig(client kubernetes.Interface, ctxt context.Context, update *qdr.RouterConfig, configmap *corev1.ConfigMap) error {
+
+	err := update.WriteToConfigMap(configmap)
+	if err != nil {
+		return err
+	}
+
+	_, err = client.CoreV1().ConfigMaps(configmap.Namespace).Update(ctxt, configmap, metav1.UpdateOptions{})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (c *ConfigSync) configEvent(key string, configmap *corev1.ConfigMap) error {
 	if configmap == nil {
 		return nil
@@ -102,6 +129,18 @@ func (c *ConfigSync) configEvent(key string, configmap *corev1.ConfigMap) error
 	if err := c.syncSslProfilesToRouter(desired.SslProfiles); err != nil {
 		return err
 	}
+	// Note: change to a proxy secret is one case where a non-skupper resource
+	// requires update to the router config and config map
+	proxyUpdates, err := c.syncProxyProfileCredentialsToDisk(key, desired.ProxyProfiles)
+	if err != nil {
+		return err
+	} else {
+		for _, update := range proxyUpdates {
+			if _, ok := desired.ProxyProfiles[update.Name]; ok {
+				desired.ProxyProfiles[update.Name] = update
+			}
+		}
+	}
 	if err := c.syncProxyProfilesToRouter(desired.ProxyProfiles); err != nil {
 		return err
 	}
@@ -113,6 +152,13 @@ func (c *ConfigSync) configEvent(key string, configmap *corev1.ConfigMap) error
 		c.logger.Error("sync failed", slog.Any("error", err))
 		return err
 	}
+	if len(proxyUpdates) > 0 {
+		err := UpdateRouterConfig(c.cli.GetKubeClient(), context.TODO(), desired, configmap)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
@@ -222,6 +268,7 @@ func (c *ConfigSync) syncSslProfilesToRouter(desired map[string]qdr.SslProfile)
 			if err := agent.CreateSslProfile(profile); err != nil {
 				return err
 			}
+			continue
 		}
 		if current != profile {
 			if err := agent.UpdateSslProfile(profile); err != nil {
@@ -240,7 +287,7 @@ func (c *ConfigSync) syncSslProfilesToRouter(desired map[string]qdr.SslProfile)
 }
 
 func (c *ConfigSync) syncSslProfileCredentialsToDisk(profiles map[string]qdr.SslProfile) error {
-	delta := c.profileSyncer.Expect(profiles)
+	delta := c.profileSyncer.ExpectSslProfiles(profiles)
 	return delta.Error()
 }
 
@@ -261,6 +308,7 @@ func (c *ConfigSync) syncProxyProfilesToRouter(desired map[string]qdr.ProxyProfi
 			if err := agent.CreateProxyProfile(profile); err != nil {
 				return err
 			}
+			continue
 		}
 		if current != profile {
 			if err := agent.UpdateProxyProfile(profile); err != nil {
@@ -278,6 +326,11 @@ func (c *ConfigSync) syncProxyProfilesToRouter(desired map[string]qdr.ProxyProfi
 	return nil
 }
 
+func (c *ConfigSync) syncProxyProfileCredentialsToDisk(key string, profiles map[string]qdr.ProxyProfile) (map[string]qdr.ProxyProfile, error) {
+	delta := c.profileSyncer.ExpectProxyProfiles(key, profiles)
+	return delta.ProxyUpdates, delta.Error()
+}
+
 func (c *ConfigSync) recoverTracking() error {
 	configmap, err := c.config.Get(c.key(c.routerConfigMap))
 	if err != nil {

internal/kube/secrets/manager.go

@@ -36,7 +36,7 @@ type profileWatcherContext struct {
 
 type ProfilesWatcher struct {
 	logger     *slog.Logger
-	cache      SecretsCache
+	Cache      SecretsCache
 	client     typedv1.SecretInterface
 	update     UpdateRouterConfigFn
 	pvProvider PriorValidityProvider
@@ -58,7 +58,7 @@ func NewProfilesWatcher(factory SecretsCacheFactory, client kubernetes.Interface
 		state:      make(map[string]*profileWatcherContext),
 		cleanup:    sync.OnceFunc(func() { close(stopCh) }),
 	}
-	w.cache = factory(stopCh, w.handleSecret)
+	w.Cache = factory(stopCh, w.handleSecret)
 	return w
 }
 
@@ -160,7 +160,7 @@ func (w *ProfilesWatcher) UseProfiles(profiles map[string]qdr.SslProfile) {
 		}
 		for _, secretName := range profileSecrets(profileName) {
 			key := w.keyfunc(secretName)
-			secret, err := w.cache.Get(key)
+			secret, err := w.Cache.Get(key)
 			if err != nil || secret == nil {
 				continue
 			}
@@ -171,7 +171,7 @@ func (w *ProfilesWatcher) UseProfiles(profiles map[string]qdr.SslProfile) {
 		state := w.state[profileName]
 		delete(w.state, profileName)
 		if state != nil && state.SecretKey != "" {
-			secret, err := w.cache.Get(state.SecretKey)
+			secret, err := w.Cache.Get(state.SecretKey)
 			if err != nil || secret == nil {
 				continue
 			}