Reconcile not called if the CR is Cluster scoped and the owns children are namespaced
#293
Comments
praveenperera
changed the title
owns does not trigger_owners if the CR is Cluster scoped and the children are namespaceowns does not trigger_owners if the CR is Cluster scoped and the children are namespace objects
praveenperera
changed the title
owns does not trigger_owners if the CR is Cluster scoped and the children are namespace objects
praveenperera
changed the title
owns children are namespaced
|
if you've hooked up: let certs = Api<CertIssuer>::all();
let secrets = Api<Secret>::all();
Controller::new(certs, lp).owns(secrets, lp)then reconcile should get triggered on all secrets (maybe you wanna scope secret listparams to some selector - to limit the amount of secret events this will yield). |
|
Hey I think I could have explained this better. This is exactly how I have it set up. However, even this way, the reconcile is never triggered if I change any of the secrets. let certs = Api<CertIssuer>::all();
let secrets = Api<Secret>::all();
Controller::new(certs, lp).owns(secrets, lp)I think I know the reason why. My CertIssuer is a apiVersion: certmaster.kuberails.com/v1
kind: CertIssuer
metadata:
name: com-ok-kuberails
spec:
domainName: praveenperera.com
namespaces:
- default
- praveen
dnsProvider:
provider: cloudflare
key: thisIsMyKey
secretKey: thisIsMySecretKeyHowever all secrets are namespaced. https://github.com/clux/kube-rs/blob/master/kube-runtime/src/controller.rs#L85-L92 Here it looks like it uses the namespace of the owner to find the children? But the namespace of the owner is always |
|
Oh, right. Own requires you to put owner references on the secret object, otherwise the controller had no way to connect it to the right crd. Sounds like you are missing that? |
|
I actually do setup the owner references following the example. I made the repo I was working on public. You can see it in the https://github.com/kuberails/certmaster/blob/setup-watches/controller/src/main.rs#L155-L173 And here is where I setup the controller: https://github.com/kuberails/certmaster/blob/setup-watches/controller/src/main.rs#L109-L123 |
|
Oh right, I see the problem now. |
Fixes kube-rs#293. This is a bit magical, but it's fairly common in K8s to allow reference fields (such as `OwnerReferences`) to refer to either cluster-scoped objects or namespaced resources in the same namespace. Code that converts those events into `ObjectRef`s generally won't know which of these cases is applicable, so this is the best we can do.
clux
added
bug
|
Does this work better for you @praveenperera ? If there's a need for it, I can probably push a patch for this tomorrow. |
|
Yes I think this will be perfect. Thanks guys. I am going to try it out tomorrow. I'll use master, no rush to release a new version from my side. Edit Just tried it out, and it works perfectly now. Thanks! |
Example: My custom resource
CertIssueris not scoped to a namespace. The CRD for isscope: Cluster.I want my controller to be able to manage certificates across the cluster. Across many different namespaces.
Its children are
Secrets. But Secrets have to be scoped to a namespace.In this case the children (Secrets) would never trigger the reconcile function. Right?
Maybe a solution is if the
selectorfield was public. I could make my own version ofownsusingtrigger_with.Or for a situation like this should I just be using
watchersdirectly instead of usingcontroller?The text was updated successfully, but these errors were encountered: