configmap injection seems to be generating a large number of events

[raffaelespazzoli]

investigate why configmap injection controller seems to be receiving an unlimited number of events. when adding logs to the event filter:

    isAnnotatedConfigMap := predicate.Funcs{
        UpdateFunc: func(e event.UpdateEvent) bool {
            oldSecret, _ := e.MetaOld.GetAnnotations()[certAnnotationSecret]
            newSecret, _ := e.MetaNew.GetAnnotations()[certAnnotationSecret]
            log.V(1).Info("update func", "config map", e.MetaNew.GetName(), "annotation old", oldSecret, "annotation new", newSecret)
            return oldSecret != newSecret
        },
        CreateFunc: func(e event.CreateEvent) bool {
            _, ok1 := e.Meta.GetAnnotations()[certAnnotationSecret]
            log.V(1).Info("create func", "config map", e.Meta.GetName(), "has annotation", ok1)
            return ok1
        },
    }

the operator seems to be entering an infinite loop in which all it does is printing those statements and discard the event.

[mathianasj]

@raffaelespazzoli do you have any steps to replicate the issue? I was unable to witness that behavior.

Steps to try to reproduce

1. create secret

   kind: Secret
   apiVersion: v1
   metadata:
   name: test-inject-ca
   namespace: cert-utils-testing
   data:
   ca.crt: >-
   entry here
   tls.crt: >-
   entry here
   tls.key: >-
   entry here
   type: kubernetes.io/tls

2. create configmap with annotation to reference secret

   kind: ConfigMap
   apiVersion: v1
   metadata:
   name: test-inject-ca-cm
   namespace: cert-utils-testing
   annotations:
   cert-utils-operator.redhat-cop.io/injectca-from-secret: cert-utils-testing/test-inject-ca

[raffaelespazzoli]

@mathianasj I didn't even have to create the secret. Did you add those debug statement? Do you see them in the logs? After opening this issue, I thought that perhaps there are some configmap in OCP 4.x that are constantly getting renewed and that could have explained the behavior I was seeing.

[mathianasj]

I am able to see the log message when running locally I did have to change one thing on my 4.3.13 cluster to get it to start. The only time I get the log entry is when I change a configmap

I had to change https://github.com/redhat-cop/cert-utils-operator/blob/a68715b246f0a7eb26f98384fbbc02b16c66158d/cmd/manager/main.go#L24

crd "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" to crd "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

[mathianasj]

Let me try one more check

[mathianasj]

@raffaelespazzoli I see what you mean now, that looks like normal behavior because the ones that are flowing ar things like the configmap locks for operators. Not sure if we can exclude certain configmaps from the watch?

[raffaelespazzoli]

@mathianasj can you upgrade the CRD to v1? @mathianasj we can't exclude configmaps by namespace. not sure if there is pattern to see the configmaps used as leader election locks by operators. Any idea?

[mathianasj]

Since this is normal behavior due to increased logging I think we can close this. Even if we add an exclude in the updatefunc to look for the annotation that defines the configmap as a lock it will still fire.