Merge pull request rancher#35518 from ibuildthecloud/fixes3-26

[Forward Port] Performance fixes rancher#35401

Author: ibuildthecloud

pkg/auth/providerrefresh/refresher.go

@@ -206,6 +206,10 @@ func (r *refresher) refreshAttributes(attribs *v3.UserAttribute) (*v3.UserAttrib
 			secret := ""
 			if providers.ProvidersWithSecrets[providerName] {
 				secret, err = r.tokenMGR.GetSecret(user.Name, providerName, loginTokens[providerName])
+				if apierrors.IsNotFound(err) {
+					// There is no secret so we can't refresh, just continue to the next attribute
+					return attribs, nil
+				}
 				if err != nil {
 					return nil, err
 				}

pkg/controllers/management/auth/manager.go

@@ -10,6 +10,7 @@ import (
 	"github.com/rancher/norman/objectclient"
 	"github.com/rancher/norman/types/slice"
 	"github.com/rancher/rancher/pkg/clustermanager"
+	"github.com/rancher/rancher/pkg/controllers/managementuser/rbac"
 	v13 "github.com/rancher/rancher/pkg/generated/norman/core/v1"
 	v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
 	typesrbacv1 "github.com/rancher/rancher/pkg/generated/norman/rbac.authorization.k8s.io/v1"
@@ -668,6 +669,9 @@ func (m *manager) gatherAndDedupeRoles(roleTemplateName string) (map[string]*v3.
 	for _, role := range allRoles {
 		roles[role.Name] = role
 	}
+
+	//toLower
+	rbac.ToLowerRoleTemplates(roles)
 	return roles, nil
 }
 
@@ -753,10 +757,12 @@ func (m *manager) reconcileManagementPlaneRole(namespace string, resourceToVerbs
 		for resource, newVerbs := range resourceToVerbs {
 			currentVerbs := map[string]string{}
 			for _, rule := range role.Rules {
-				if slice.ContainsString(rule.Resources, resource) {
+				if slice.ContainsString(rule.Resources, resource) || slice.ContainsString(rule.Resources, "*") {
 					for _, v := range rule.Verbs {
 						if rule.APIGroups[0] == newVerbs[v] {
 							currentVerbs[v] = rule.APIGroups[0]
+						} else if rule.APIGroups[0] == "*" || newVerbs[v] == "*" {
+							currentVerbs[v] = newVerbs[v]
 						}
 					}
 				}
@@ -767,7 +773,7 @@ func (m *manager) reconcileManagementPlaneRole(namespace string, resourceToVerbs
 				role = role.DeepCopy()
 				added := false
 				for i, rule := range newRole.Rules {
-					if slice.ContainsString(rule.Resources, resource) {
+					if slice.ContainsString(rule.Resources, resource) || slice.ContainsString(rule.Resources, "*") {
 						newRole.Rules[i] = buildRule(resource, newVerbs)
 						added = true
 					}

pkg/controllers/managementuser/rbac/handler_base.go

@@ -313,12 +313,7 @@ func (m *manager) compareAndUpdateNamespacedRole(role *rbacv1.Role, rt *v3.RoleT
 	return err
 }
 
-func (m *manager) gatherRoles(rt *v3.RoleTemplate, roleTemplates map[string]*v3.RoleTemplate) error {
-	err := m.gatherRolesRecurse(rt, roleTemplates)
-	if err != nil {
-		return err
-	}
-
+func ToLowerRoleTemplates(roleTemplates map[string]*v3.RoleTemplate) {
 	// clean the roles for kubeneretes: lowercase resources and verbs
 	for key, rt := range roleTemplates {
 		if rt.External {
@@ -346,7 +341,14 @@ func (m *manager) gatherRoles(rt *v3.RoleTemplate, roleTemplates map[string]*v3.
 		rt.Rules = toLowerRules
 		roleTemplates[key] = rt
 	}
+}
 
+func (m *manager) gatherRoles(rt *v3.RoleTemplate, roleTemplates map[string]*v3.RoleTemplate) error {
+	err := m.gatherRolesRecurse(rt, roleTemplates)
+	if err != nil {
+		return err
+	}
+	ToLowerRoleTemplates(roleTemplates)
 	return nil
 }
 
@@ -476,9 +478,14 @@ func (m *manager) ensureBindings(ns string, roles map[string]*v3.RoleTemplate, b
 	for key, rb := range desiredRBs {
 		switch roleBinding := rb.(type) {
 		case *rbacv1.RoleBinding:
-			logrus.Infof("Creating roleBinding %v", key)
-			_, err := m.workload.RBAC.RoleBindings(ns).Create(roleBinding)
-			if err != nil && !apierrors.IsAlreadyExists(err) {
+			_, err := m.workload.RBAC.RoleBindings("").Controller().Lister().Get(ns, roleBinding.Name)
+			if apierrors.IsNotFound(err) {
+				logrus.Infof("Creating roleBinding %v in %s", key, ns)
+				_, err := m.workload.RBAC.RoleBindings(ns).Create(roleBinding)
+				if err != nil && !apierrors.IsAlreadyExists(err) {
+					return err
+				}
+			} else if err != nil {
 				return err
 			}
 		case *rbacv1.ClusterRoleBinding:

pkg/controllers/managementuser/rbac/prtb_handler.go

@@ -101,6 +101,9 @@ func (p *prtbLifecycle) syncPRTB(binding *v3.ProjectRoleTemplateBinding) error {
 
 	for _, n := range namespaces {
 		ns := n.(*v1.Namespace)
+		if !ns.DeletionTimestamp.IsZero() {
+			continue
+		}
 		if err := p.m.ensureProjectRoleBindings(ns.Name, roles, binding); err != nil {
 			return errors.Wrapf(err, "couldn't ensure binding %v in %v", binding.Name, ns.Name)
 		}

pkg/controllers/managementuser/rbac/roletemplate_handler.go

@@ -114,6 +114,9 @@ func (c *rtSync) syncRT(template *v3.RoleTemplate, usedInProjects bool, prtbs []
 
 		for _, n := range namespaces {
 			ns := n.(*v1.Namespace)
+			if !ns.DeletionTimestamp.IsZero() {
+				continue
+			}
 			if err := c.m.ensureProjectRoleBindings(ns.Name, roles, prtb); err != nil {
 				return errors.Wrapf(err, "couldn't ensure binding %v in %v", prtb.Name, ns.Name)
 			}

pkg/controllers/managementuser/secret/secret.go

@@ -3,6 +3,7 @@ package secret
 import (
 	"context"
 	"fmt"
+	"reflect"
 	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -35,6 +36,7 @@ const (
 
 type Controller struct {
 	secrets                   v1.SecretInterface
+	secretLister              v1.SecretLister
 	clusterNamespaceLister    v1.NamespaceLister
 	managementNamespaceLister v1.NamespaceLister
 	projectLister             v3.ProjectLister
@@ -73,6 +75,7 @@ func registerDeferred(ctx context.Context, cluster *config.UserContext) {
 	clusterSecretsClient := cluster.Core.Secrets("")
 	s := &Controller{
 		secrets:                   clusterSecretsClient,
+		secretLister:              clusterSecretsClient.Controller().Lister(),
 		clusterNamespaceLister:    cluster.Core.Namespaces("").Controller().Lister(),
 		managementNamespaceLister: cluster.Management.Core.Namespaces("").Controller().Lister(),
 		projectLister:             cluster.Management.Management.Projects(cluster.ClusterName).Controller().Lister(),
@@ -81,6 +84,7 @@ func registerDeferred(ctx context.Context, cluster *config.UserContext) {
 
 	n := &NamespaceController{
 		clusterSecretsClient: clusterSecretsClient,
+		clusterSecretsLister: clusterSecretsClient.Controller().Lister(),
 		managementSecrets:    cluster.Management.Core.Secrets("").Controller().Lister(),
 	}
 	cluster.Core.Namespaces("").AddHandler(ctx, "secretsController", n.sync)
@@ -116,6 +120,7 @@ func registerDeferred(ctx context.Context, cluster *config.UserContext) {
 
 type NamespaceController struct {
 	clusterSecretsClient v1.SecretInterface
+	clusterSecretsLister v1.SecretLister
 	managementSecrets    v1.SecretLister
 }
 
@@ -146,6 +151,9 @@ func (n *NamespaceController) sync(key string, obj *corev1.Namespace) (runtime.O
 					continue
 				}
 				namespacedSecret := getNamespacedSecret(secret, obj.Name)
+				if _, err := n.clusterSecretsLister.Get(namespacedSecret.Namespace, namespacedSecret.Name); err == nil {
+					continue
+				}
 				logrus.Infof("Creating secret [%s] into namespace [%s]", namespacedSecret.Name, obj.Name)
 				_, err := n.clusterSecretsClient.Create(namespacedSecret)
 				if err != nil && !errors.IsAlreadyExists(err) {
@@ -241,16 +249,26 @@ func (s *Controller) createOrUpdate(obj *corev1.Secret, action string) error {
 		return err
 	}
 	for _, namespace := range clusterNamespaces {
+		if !namespace.DeletionTimestamp.IsZero() {
+			continue
+		}
 		// copy the secret into namespace
 		namespacedSecret := getNamespacedSecret(obj, namespace.Name)
 		switch action {
 		case create:
+			if _, err := s.secretLister.Get(namespacedSecret.Namespace, namespacedSecret.Name); err == nil {
+				continue
+			}
 			logrus.Infof("Copying secret [%s] into namespace [%s]", namespacedSecret.Name, namespace.Name)
 			_, err := s.secrets.Create(namespacedSecret)
 			if err != nil && !errors.IsAlreadyExists(err) {
 				return err
 			}
 		case update:
+			if existing, err := s.secretLister.Get(namespacedSecret.Namespace, namespacedSecret.Name); err == nil &&
+				reflect.DeepEqual(existing.Data, namespacedSecret.Data) {
+				continue
+			}
 			logrus.Infof("Updating secret [%s] into namespace [%s]", namespacedSecret.Name, namespace.Name)
 			_, err := s.secrets.Update(namespacedSecret)
 			if err != nil && !errors.IsNotFound(err) {

pkg/controllers/managementuserlegacy/alert/deployer/upgradeimpl.go

@@ -397,12 +397,13 @@ func (l *AlertService) removeFinalizerFromLegacyAlerting() error {
 	}
 
 	for _, v := range oldProjectAlert {
+		if len(v.Finalizers) == 0 {
+			continue
+		}
 		newObj := v.DeepCopy()
 		newObj.SetFinalizers([]string{})
-		if !reflect.DeepEqual(newObj, v) {
-			if _, err = l.oldProjectAlerts.Update(newObj); err != nil {
-				return errors.Wrapf(err, "remove finalizer from legacy projectAlert %s:%s failed", newObj.Namespace, newObj.Name)
-			}
+		if _, err = l.oldProjectAlerts.Update(newObj); err != nil {
+			return errors.Wrapf(err, "remove finalizer from legacy projectAlert %s:%s failed", newObj.Namespace, newObj.Name)
 		}
 	}
 

pkg/wrangler/context.go

@@ -154,13 +154,14 @@ func (w *Context) StartWithTransaction(ctx context.Context, f func(context.Conte
 		return err
 	}
 
-	if err = w.Start(ctx); err != nil {
+	if err := w.ControllerFactory.SharedCacheFactory().Start(ctx); err != nil {
+		transaction.Rollback()
 		return err
 	}
 
-	w.SharedControllerFactory.SharedCacheFactory().WaitForCacheSync(ctx)
+	w.ControllerFactory.SharedCacheFactory().WaitForCacheSync(ctx)
 	transaction.Commit()
-	return nil
+	return w.Start(ctx)
 }
 
 func (w *Context) Start(ctx context.Context) error {