Enable/disable np controller based on configmap (#8)

kishorj · web-flow · commit 9252ce9138f7 · 2023-06-29T17:39:28.000-07:00
* enable/disable controller based on configmap

Use the common configmap kube-system/amazon-vpc-cni to check feature
enablement. The controller will be enabled only if the configmap exists
and contains the key enable-network-policy-controller in the data and the
value is set to "true".

* pass context from main
diff --git a/cmd/main.go b/cmd/main.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"os"
 
 	"github.com/go-logr/logr"
@@ -29,6 +30,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/kubernetes"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
@@ -39,6 +41,7 @@ import (
 	"github.com/aws/amazon-network-policy-controller-k8s/pkg/config"
 	"github.com/aws/amazon-network-policy-controller-k8s/pkg/k8s"
 	"github.com/aws/amazon-network-policy-controller-k8s/pkg/policyendpoints"
+	"github.com/aws/amazon-network-policy-controller-k8s/pkg/utils/configmap"
 	"github.com/aws/amazon-network-policy-controller-k8s/version"
 	//+kubebuilder:scaffold:imports
 )
@@ -82,17 +85,36 @@ func main() {
 		setupLog.Error(err, "unable to create controller manager")
 		os.Exit(1)
 	}
+	clientSet, err := kubernetes.NewForConfig(mgr.GetConfig())
+	if err != nil {
+		setupLog.Error(err, "unable to obtain clientSet")
+		os.Exit(1)
+	}
+
 	ctx := ctrl.SetupSignalHandler()
-	enablePolicyController := true
+	enableNetworkPolicyController := true
+	if controllerCFG.EnableConfigMapCheck {
+		var cancelFn context.CancelFunc
+		ctx, cancelFn = context.WithCancel(ctx)
+		setupLog.Info("Enable network policy controller based on configuration", "configmap", configmap.GetControllerConfigMapId())
+		configMapManager := config.NewConfigmapManager(configmap.GetControllerConfigMapId(),
+			clientSet, cancelFn, configmap.GetConfigmapCheckFn(), ctrl.Log.WithName("configmap-manager"))
+		if err := configMapManager.MonitorConfigMap(ctx); err != nil {
+			setupLog.Error(err, "Unable to monitor configmap for checking if controller is enabled")
+			os.Exit(1)
+		}
+		enableNetworkPolicyController = configMapManager.IsControllerEnabled()
+	}
+
 	policyEndpointsManager := policyendpoints.NewPolicyEndpointsManager(mgr.GetClient(),
 		controllerCFG.EndpointChunkSize, ctrl.Log.WithName("endpoints-manager"))
 	finalizerManager := k8s.NewDefaultFinalizerManager(mgr.GetClient(), ctrl.Log.WithName("finalizer-manager"))
 	policyController := controllers.NewPolicyReconciler(mgr.GetClient(), policyEndpointsManager,
 		controllerCFG, finalizerManager, ctrl.Log.WithName("controllers").WithName("policy"))
-	if enablePolicyController {
+	if enableNetworkPolicyController {
 		setupLog.Info("Network Policy controller is enabled, starting watches")
 		if err := policyController.SetupWithManager(ctx, mgr); err != nil {
-			setupLog.Error(err, "unable to create controller", "controller", "policy")
+			setupLog.Error(err, "Unable to setup network policy controller")
 			os.Exit(1)
 		}
 	}
diff --git a/pkg/config/configmap_manager.go b/pkg/config/configmap_manager.go
@@ -0,0 +1,141 @@
+package config
+
+import (
+	"context"
+	"errors"
+
+	"github.com/aws/amazon-network-policy-controller-k8s/pkg/k8s"
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
+)
+
+// +kubebuilder:rbac:groups="",resources=configmaps,namespace="system",resourceNames=amazon-vpc-cni,verbs=get;list;watch
+
+type ConfigmapManager interface {
+	MonitorConfigMap(ctx context.Context) error
+	IsControllerEnabled() bool
+}
+
+var _ ConfigmapManager = (*defaultConfigmapManager)(nil)
+
+type defaultConfigmapManager struct {
+	initialState           bool
+	resourceRef            types.NamespacedName
+	store                  cache.Store
+	rt                     *cache.Reflector
+	clientSet              *kubernetes.Clientset
+	logger                 logr.Logger
+	cancelFn               context.CancelFunc
+	monitorStopChan        chan struct{}
+	storeNotifyChan        chan struct{}
+	configMapCheckFunction func(*corev1.ConfigMap) bool
+}
+
+func NewConfigmapManager(resourceRef types.NamespacedName, clientSet *kubernetes.Clientset,
+	cancelFn context.CancelFunc, configmapCheckFunction func(configMap *corev1.ConfigMap) bool, logger logr.Logger) *defaultConfigmapManager {
+	storeNotifyChan := make(chan struct{})
+	cmStore := k8s.NewConfigMapStore(storeNotifyChan)
+	return &defaultConfigmapManager{
+		clientSet:              clientSet,
+		resourceRef:            resourceRef,
+		store:                  cmStore,
+		logger:                 logger,
+		cancelFn:               cancelFn,
+		monitorStopChan:        make(chan struct{}),
+		storeNotifyChan:        storeNotifyChan,
+		configMapCheckFunction: configmapCheckFunction,
+	}
+}
+
+// IsControllerEnabled returns the initial state of the policy controller.
+func (m *defaultConfigmapManager) IsControllerEnabled() bool {
+	m.logger.V(1).Info("IsControllerEnabled() returning", "value", m.initialState)
+	return m.initialState
+}
+
+// MonitorConfigMap starts cache reflector and watches for configmap updates.
+func (m *defaultConfigmapManager) MonitorConfigMap(ctx context.Context) error {
+	fieldSelector := fields.Set{"metadata.name": m.resourceRef.Name}.AsSelector().String()
+	listFunc := func(options metav1.ListOptions) (runtime.Object, error) {
+		options.FieldSelector = fieldSelector
+		return m.clientSet.CoreV1().ConfigMaps(m.resourceRef.Namespace).List(ctx, options)
+	}
+	watchFunc := func(options metav1.ListOptions) (watch.Interface, error) {
+		options.FieldSelector = fieldSelector
+		return m.clientSet.CoreV1().ConfigMaps(m.resourceRef.Namespace).Watch(ctx, options)
+	}
+	m.rt = cache.NewReflector(&cache.ListWatch{ListFunc: listFunc, WatchFunc: watchFunc},
+		&corev1.ConfigMap{},
+		m.store,
+		0,
+	)
+	go m.rt.Run(m.monitorStopChan)
+	go m.listenForConfigMapUpdates()
+
+	if _, err := m.setInitialControllerState(); err != nil {
+		m.logger.Info("Failed to set initial state", "err", err)
+		return err
+	}
+	return nil
+}
+
+// listen for the messages in the storeNotifyChan in a loop and update the state of the policy controller accordingly.
+func (m *defaultConfigmapManager) listenForConfigMapUpdates() {
+	defer func() {
+		m.logger.Info("Controller detected changes to the configmap, cancelling manager context")
+		close(m.monitorStopChan)
+		m.cancelFn()
+	}()
+
+	for {
+		select {
+		case <-m.storeNotifyChan:
+			enabled, err := m.getCurrentEnabledConfig()
+			if err != nil {
+				m.logger.Error(err, "Failed to get controller state from configmap")
+				return
+			}
+			m.logger.V(1).Info("Received configmap notification", "initial", m.initialState,
+				"new", enabled)
+			if m.initialState != enabled {
+				m.logger.Info("Controller state changed", "initial", m.initialState,
+					"new", enabled)
+				return
+			}
+		}
+	}
+}
+
+// getCurrentEnabledConfig gets the current state of the policy controller from the configmap
+func (m *defaultConfigmapManager) getCurrentEnabledConfig() (bool, error) {
+	cm, exists, err := m.store.GetByKey(m.resourceRef.String())
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+	return m.configMapCheckFunction(cm.(*corev1.ConfigMap)), nil
+}
+
+// setInitialControllerState sets the initial state of the policy controller based on the configmap
+func (m *defaultConfigmapManager) setInitialControllerState() (retVal bool, err error) {
+	defer func() {
+		m.logger.V(1).Info("setInitialControllerState", "retVal", retVal, "err", err)
+		m.initialState = retVal
+	}()
+	// Wait for cache sync
+	if !cache.WaitForCacheSync(m.monitorStopChan, func() bool {
+		return m.rt.LastSyncResourceVersion() != ""
+	}) {
+		return false, errors.New("failed to sync configmap cache")
+	}
+	return m.getCurrentEnabledConfig()
+}
diff --git a/pkg/k8s/configmap_store.go b/pkg/k8s/configmap_store.go
@@ -0,0 +1,77 @@
+package k8s
+
+import (
+	"k8s.io/client-go/tools/cache"
+)
+
+// NewConfigMapStore constructs new conversionStore
+func NewConfigMapStore(notifyChan chan<- struct{}) *ConfigMapStore {
+	return &ConfigMapStore{
+		store:         cache.NewStore(cache.MetaNamespaceKeyFunc),
+		notifyChannel: notifyChan,
+	}
+}
+
+var _ cache.Store = &ConfigMapStore{}
+
+type ConfigMapStore struct {
+	store         cache.Store
+	notifyChannel chan<- struct{}
+}
+
+// Add adds the given object to the accumulator associated with the given object's key
+func (s *ConfigMapStore) Add(obj interface{}) error {
+	if err := s.store.Add(obj); err != nil {
+		return err
+	}
+	s.notifyChannel <- struct{}{}
+	return nil
+}
+
+// Update updates the given object in the accumulator associated with the given object's key
+func (s *ConfigMapStore) Update(obj interface{}) error {
+	if err := s.store.Update(obj); err != nil {
+		return err
+	}
+	s.notifyChannel <- struct{}{}
+	return nil
+}
+
+// Delete deletes the given object from the accumulator associated with the given object's key
+func (s *ConfigMapStore) Delete(obj interface{}) error {
+	if err := s.store.Delete(obj); err != nil {
+		return err
+	}
+	s.notifyChannel <- struct{}{}
+	return nil
+}
+
+// List returns a list of all the objects
+func (s *ConfigMapStore) List() []interface{} {
+	return s.store.List()
+}
+
+// ListKeys returns a list of all the keys
+func (s *ConfigMapStore) ListKeys() []string {
+	return s.store.ListKeys()
+}
+
+// Get returns the object with the given key
+func (s *ConfigMapStore) Get(obj interface{}) (item interface{}, exists bool, err error) {
+	return s.store.Get(obj)
+}
+
+// GetByKey returns the object with the given key
+func (s *ConfigMapStore) GetByKey(key string) (item interface{}, exists bool, err error) {
+	return s.store.GetByKey(key)
+}
+
+// Replace will delete the contents of the store, using instead the given list.
+func (s *ConfigMapStore) Replace(list []interface{}, resourceVersion string) error {
+	return s.store.Replace(list, resourceVersion)
+}
+
+// Resync invokes the cache.store Resync method
+func (s *ConfigMapStore) Resync() error {
+	return s.store.Resync()
+}
diff --git a/pkg/utils/configmap/configmap.go b/pkg/utils/configmap/configmap.go
@@ -0,0 +1,26 @@
+package configmap
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+const (
+	controllerConfigMapKey       = "enable-network-policy-controller"
+	controllerConfigEnabledValue = "true"
+)
+
+// GetControllerConfigMapId returns the id for the configmap resource containing the controller config
+func GetControllerConfigMapId() types.NamespacedName {
+	return types.NamespacedName{
+		Namespace: "kube-system",
+		Name:      "amazon-vpc-cni",
+	}
+}
+
+// GetConfigmapCheckFn returns a function that checks if controller is enabled in the configmap
+func GetConfigmapCheckFn() func(configMap *corev1.ConfigMap) bool {
+	return func(configMap *corev1.ConfigMap) bool {
+		return configMap.Data[controllerConfigMapKey] == controllerConfigEnabledValue
+	}
+}
