Major refactoring, improvements and arm64 support (#9)

Major refactoring and improvements

Restructured monitors to broadcast events for resource changes
Refactored heavy reflectors into event handlers for resource changes
Added health checks for monitors
Refactored watchers to work on single consumer queues
Split project into modules
Code cleanup
Added arm64 support

Author: winromulus

ES.Kubernetes.Reflector.CertManager/CertManagerModule.cs

@@ -0,0 +1,13 @@
+using Autofac;
+
+namespace ES.Kubernetes.Reflector.CertManager
+{
+    public class CertManagerModule : Module
+    {
+        protected override void Load(ContainerBuilder builder)
+        {
+            builder.RegisterType<CertificateSecretAnnotator>().AsImplementedInterfaces();
+            builder.RegisterType<CertificatesMonitor>().AsImplementedInterfaces().SingleInstance();
+        }
+    }
+}

ES.Kubernetes.Reflector.CertManager/CertificateSecretAnnotator.cs

@@ -0,0 +1,147 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Threading;
+using System.Threading.Tasks;
+using ES.Kubernetes.Reflector.CertManager.Constants;
+using ES.Kubernetes.Reflector.CertManager.Events;
+using ES.Kubernetes.Reflector.CertManager.Resources;
+using ES.Kubernetes.Reflector.Core.Constants;
+using k8s;
+using k8s.Models;
+using MediatR;
+using Microsoft.AspNetCore.JsonPatch;
+using Microsoft.Extensions.Logging;
+using Microsoft.Rest;
+using Newtonsoft.Json.Linq;
+
+namespace ES.Kubernetes.Reflector.CertManager
+{
+    public class CertificateSecretAnnotator :
+        INotificationHandler<InternalCertificateWatcherEvent>,
+        INotificationHandler<InternalSecretWatcherEvent>
+    {
+        private readonly IKubernetes _client;
+        private readonly ILogger<CertificateSecretAnnotator> _logger;
+
+        public CertificateSecretAnnotator(ILogger<CertificateSecretAnnotator> logger, IKubernetes client)
+        {
+            _logger = logger;
+            _client = client;
+        }
+
+
+        public async Task Handle(InternalCertificateWatcherEvent notification, CancellationToken cancellationToken)
+        {
+            if (notification.Type != WatchEventType.Added && notification.Type != WatchEventType.Modified) return;
+            if (notification.Item.Metadata == null) return;
+            if (notification.Item.Spec == null) return;
+
+            var certificate = notification.Item;
+
+            _logger.LogDebug("Certificate {certNs}/{certName} has secret {secretNs}/{secretName}",
+                certificate.Metadata.NamespaceProperty, certificate.Metadata.Name,
+                certificate.Metadata.NamespaceProperty, certificate.Spec.SecretName);
+            V1Secret secret = null;
+            try
+            {
+                secret = await _client.ReadNamespacedSecretAsync(certificate.Spec.SecretName,
+                    certificate.Metadata.NamespaceProperty, cancellationToken: cancellationToken);
+            }
+            catch (HttpOperationException ex) when (ex.Response.StatusCode == HttpStatusCode.NotFound)
+            {
+                _logger.LogDebug("Could not find matching secret {secretNs}/{secretName}",
+                    certificate.Metadata.NamespaceProperty, certificate.Spec.SecretName);
+            }
+
+            if (secret != null) await Annotate(secret, certificate);
+        }
+
+        public async Task Handle(InternalSecretWatcherEvent notification, CancellationToken cancellationToken)
+        {
+            if (notification.Type != WatchEventType.Added && notification.Type != WatchEventType.Modified) return;
+
+            var secret = notification.Item;
+            var metadata = secret.Metadata;
+            if (metadata.Labels == null) return;
+
+            if (metadata.Labels.TryGetValue(CertManagerConstants.CertificateNameLabel, out var certificateName))
+            {
+                _logger.LogDebug("Secret {secretNs}/{secretName} belongs to certificate {certNs}/{certName}",
+                    metadata.NamespaceProperty, metadata.Name,
+                    metadata.NamespaceProperty, certificateName);
+
+                Certificate certificate = null;
+                try
+                {
+                    var certificateJObject = await _client.GetNamespacedCustomObjectAsync(CertManagerConstants.CrdGroup,
+                        notification.CertificateResourceDefinitionVersion, metadata.NamespaceProperty,
+                        CertManagerConstants.CertificatePlural,
+                        certificateName, cancellationToken);
+                    certificate = ((JObject) certificateJObject).ToObject<Certificate>();
+                }
+                catch (HttpOperationException exception) when (exception.Response.StatusCode == HttpStatusCode.NotFound)
+                {
+                    _logger.LogDebug("Could not find certificate {certNs}/{certName}",
+                        metadata.NamespaceProperty, certificateName);
+                }
+
+                if (certificate != null) await Annotate(secret, certificate);
+            }
+        }
+
+
+        private async Task Annotate(V1Secret secret, Certificate certificate)
+        {
+            var secretAnnotations =
+                new Dictionary<string, string>(secret.Metadata.Annotations ?? new Dictionary<string, string>());
+            var original = secretAnnotations.ToDictionary(s => s.Key, s => s.Value);
+
+            var certAnnotations =
+                new Dictionary<string, string>(certificate.Metadata.Annotations ?? new Dictionary<string, string>());
+
+            void MatchAnnotations(Dictionary<string, string> pairs)
+            {
+                foreach (var pair in pairs)
+                    if (certAnnotations.TryGetValue(pair.Key, out var value))
+                        secretAnnotations[pair.Value] = value;
+                    else
+                        secretAnnotations.Remove(pair.Value);
+            }
+
+            MatchAnnotations(new Dictionary<string, string>
+            {
+                {
+                    Annotations.CertManagerCertificate.SecretReflectionAllowed,
+                    Annotations.Reflection.Allowed
+                },
+                {
+                    Annotations.CertManagerCertificate.SecretReflectionAllowedNamespaces,
+                    Annotations.Reflection.AllowedNamespaces
+                }
+            });
+
+
+            if (secretAnnotations.Count == original.Count &&
+                secretAnnotations.Keys.All(s => original.ContainsKey(s)) &&
+                secretAnnotations.All(s => original[s.Key] == s.Value))
+            {
+                _logger.LogDebug(
+                    "Secret {secretNs}/{secretName} matches certificate {certNs}/{certName} reflection annotations",
+                    secret.Metadata.NamespaceProperty, secret.Metadata.Name,
+                    certificate.Metadata.NamespaceProperty, certificate.Metadata.Name);
+                return;
+            }
+
+            _logger.LogInformation(
+                "Annotating secret {secretNamespace}/{secretName} to match certificate {certificateNamespace}/{certificateName} reflection annotations",
+                secret.Metadata.NamespaceProperty, secret.Metadata.Name,
+                certificate.Metadata.NamespaceProperty, certificate.Metadata.Name);
+
+            var patch = new JsonPatchDocument<V1Secret>();
+            patch.Replace(e => e.Metadata.Annotations, secretAnnotations);
+            await _client.PatchNamespacedSecretWithHttpMessagesAsync(new V1Patch(patch),
+                secret.Metadata.Name, secret.Metadata.NamespaceProperty);
+        }
+    }
+}

ES.Kubernetes.Reflector.CertManager/CertificatesMonitor.cs

@@ -0,0 +1,133 @@
+using System.Threading;
+using System.Threading.Tasks;
+using ES.Kubernetes.Reflector.CertManager.Constants;
+using ES.Kubernetes.Reflector.CertManager.Events;
+using ES.Kubernetes.Reflector.CertManager.Resources;
+using ES.Kubernetes.Reflector.Core.Events;
+using ES.Kubernetes.Reflector.Core.Monitoring;
+using k8s;
+using k8s.Models;
+using MediatR;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+
+namespace ES.Kubernetes.Reflector.CertManager
+{
+    public class CertificatesMonitor : IHostedService,
+        INotificationHandler<WatcherEvent<V1beta1CustomResourceDefinition>>,
+        IRequestHandler<HealthCheckRequest<CertificatesMonitor>, bool>
+    {
+        private readonly BroadcastWatcher<Certificate, InternalCertificateWatcherEvent> _certificatesWatcher;
+        private readonly IKubernetes _client;
+        private readonly ILogger<CertificatesMonitor> _logger;
+        private readonly BroadcastWatcher<V1Secret, InternalSecretWatcherEvent> _secretsWatcher;
+        private string _certificateResourceDefinitionVersion;
+
+        public CertificatesMonitor(ILogger<CertificatesMonitor> logger,
+            BroadcastWatcher<Certificate, InternalCertificateWatcherEvent> certificatesWatcher,
+            BroadcastWatcher<V1Secret, InternalSecretWatcherEvent> secretsWatcher,
+            IKubernetes client)
+        {
+            _logger = logger;
+            _certificatesWatcher = certificatesWatcher;
+            _secretsWatcher = secretsWatcher;
+            _client = client;
+
+
+            _secretsWatcher.OnBeforePublish = e =>
+                e.CertificateResourceDefinitionVersion = _certificateResourceDefinitionVersion;
+            _secretsWatcher.OnStateChanged = async (sender, update) =>
+            {
+                switch (update.State)
+                {
+                    case BroadcastWatcherState.Closed:
+                        _logger.LogDebug("Secrets watcher {state}", update.State);
+                        await sender.Start();
+                        break;
+                    case BroadcastWatcherState.Faulted:
+                        _logger.LogError(update.Exception, "Secrets watcher {state}", update.State);
+                        break;
+                    default:
+                        _logger.LogDebug("Secrets watcher {state}", update.State);
+                        break;
+                }
+            };
+
+            _certificatesWatcher.OnBeforePublish = e =>
+                e.CertificateResourceDefinitionVersion = _certificateResourceDefinitionVersion;
+            _certificatesWatcher.OnStateChanged = async (sender, update) =>
+            {
+                switch (update.State)
+                {
+                    case BroadcastWatcherState.Closed:
+                        _logger.LogDebug("Certificates watcher {state}", update.State);
+                        await _secretsWatcher.Stop();
+                        await sender.Start();
+                        await _secretsWatcher.Start();
+                        break;
+                    case BroadcastWatcherState.Faulted:
+                        _logger.LogError(update.Exception, "Certificates watcher {state}", update.State);
+                        break;
+                    default:
+                        _logger.LogDebug("Certificates watcher {state}", update.State);
+                        break;
+                }
+            };
+        }
+
+        public Task StartAsync(CancellationToken cancellationToken)
+        {
+            _logger.LogDebug("Starting");
+
+            _secretsWatcher.RequestFactory = async client =>
+                await client.ListSecretForAllNamespacesWithHttpMessagesAsync(watch: true);
+
+
+            _logger.LogInformation("Started");
+            return Task.CompletedTask;
+        }
+
+        public async Task StopAsync(CancellationToken cancellationToken)
+        {
+            _logger.LogDebug("Stopping");
+            await _certificatesWatcher.Stop();
+            await _secretsWatcher.Stop();
+            _logger.LogInformation("Stopped");
+        }
+
+
+        public async Task Handle(WatcherEvent<V1beta1CustomResourceDefinition> request,
+            CancellationToken cancellationToken)
+        {
+            if (request.Type != WatchEventType.Added && request.Type != WatchEventType.Modified) return;
+            if (request.Item.Spec?.Names == null) return;
+            if (request.Item.Spec.Group != CertManagerConstants.CrdGroup ||
+                request.Item.Spec.Names.Kind != CertManagerConstants.CertificateKind) return;
+
+            var resourceDefinition = request.Item;
+
+            _certificateResourceDefinitionVersion = request.Item.Spec.Version;
+            _logger.LogInformation("Updating watchers for {kind} version {version}",
+                CertManagerConstants.CertificateKind, request.Item.Spec.Version);
+
+            await _certificatesWatcher.Stop();
+            await _secretsWatcher.Stop();
+
+            _certificatesWatcher.RequestFactory = async client =>
+                await client.ListClusterCustomObjectWithHttpMessagesAsync(request.Item.Spec.Group,
+                    request.Item.Spec.Version, request.Item.Spec.Names.Plural, watch: true);
+
+            await _certificatesWatcher.Start();
+            await _secretsWatcher.Start();
+
+            _logger.LogInformation("Watchers updated for {kind} version {version}",
+                CertManagerConstants.CertificateKind, request.Item.Spec.Version);
+        }
+
+        public Task<bool> Handle(HealthCheckRequest<CertificatesMonitor> request,
+            CancellationToken cancellationToken)
+        {
+            return Task.FromResult(!_secretsWatcher.IsFaulted && !_certificatesWatcher.IsFaulted);
+        }
+    }
+}

ES.Kubernetes.Reflector/Constants/CertManagerConstants.cs renamed to ES.Kubernetes.Reflector.CertManager/Constants/CertManagerConstants.cs

@@ -1,4 +1,4 @@
-namespace ES.Kubernetes.Reflector.Constants
+namespace ES.Kubernetes.Reflector.CertManager.Constants
 {
     public static class CertManagerConstants
     {

ES.Kubernetes.Reflector.CertManager/CoreHealthCheck.cs

@@ -0,0 +1,43 @@
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using ES.Kubernetes.Reflector.Core.Events;
+using MediatR;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+
+namespace ES.Kubernetes.Reflector.CertManager
+{
+    public class CertManagerHealthCheck : IHealthCheck
+    {
+        private readonly IMediator _mediator;
+
+        public CertManagerHealthCheck(IMediator mediator)
+        {
+            _mediator = mediator;
+        }
+
+        public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context,
+            CancellationToken cancellationToken = default)
+        {
+            var checkMessages = new List<IRequest<bool>>
+            {
+                new HealthCheckRequest<CertificatesMonitor>()
+            };
+
+            var healthy = true;
+            foreach (var checkMessage in checkMessages)
+            {
+                var result = await _mediator.Send(checkMessage, cancellationToken);
+                if (!result)
+                {
+                    healthy = false;
+                    break;
+                }
+            }
+
+            return healthy
+                ? HealthCheckResult.Healthy("CertManager extension is healthy")
+                : HealthCheckResult.Unhealthy("CertManager extension is unhealthy");
+        }
+    }
+}

ES.Kubernetes.Reflector.CertManager/ES.Kubernetes.Reflector.CertManager.csproj

@@ -0,0 +1,11 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\ES.Kubernetes.Reflector.Core\ES.Kubernetes.Reflector.Core.csproj" />
+  </ItemGroup>
+
+</Project>

ES.Kubernetes.Reflector.CertManager/Events/InternalCertificateWatcherEvent.cs

@@ -0,0 +1,10 @@
+using ES.Kubernetes.Reflector.CertManager.Resources;
+using ES.Kubernetes.Reflector.Core.Events;
+
+namespace ES.Kubernetes.Reflector.CertManager.Events
+{
+    public class InternalCertificateWatcherEvent : WatcherEvent<Certificate>
+    {
+        public string CertificateResourceDefinitionVersion { get; set; }
+    }
+}

ES.Kubernetes.Reflector.CertManager/Events/InternalSecretWatcherEvent.cs

@@ -0,0 +1,10 @@
+using ES.Kubernetes.Reflector.Core.Events;
+using k8s.Models;
+
+namespace ES.Kubernetes.Reflector.CertManager.Events
+{
+    public class InternalSecretWatcherEvent : WatcherEvent<V1Secret>
+    {
+        public string CertificateResourceDefinitionVersion { get; set; }
+    }
+}