@@ -27,6 +27,7 @@ import (
2727 "time"
2828
2929 corev1 "k8s.io/api/core/v1"
30+ "k8s.io/apimachinery/pkg/fields"
3031 "k8s.io/apimachinery/pkg/labels"
3132 "k8s.io/apimachinery/pkg/runtime"
3233 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -253,38 +254,51 @@ func main() {
253254 })
254255 }
255256
257+ // Scope the ConfigMap informer to only kagenti-relevant ConfigMaps.
258+ // Without this, the controller would cache ALL ConfigMaps cluster-wide.
259+ //
260+ // Three types of ConfigMaps are relevant:
261+ // 1. Cluster-level defaults in kagenti-system:
262+ // - kagenti-platform-config (platform-wide sidecar config)
263+ // - kagenti-feature-gates (which AuthBridge components are enabled)
264+ // Both are deployed by the kagenti-operator Helm chart and share the
265+ // label app.kubernetes.io/name=kagenti-operator-chart.
266+ //
267+ // 2. Namespace-level defaults in agent namespaces:
268+ // ConfigMaps labeled kagenti.io/defaults=true, deployed by platform
269+ // engineers via Helm/Kustomize to override cluster defaults per namespace.
270+ //
271+ // 3. SPIRE trust bundle (when signature verification is enabled):
272+ // The trust bundle ConfigMap (e.g. spire-bundle) in its configured namespace,
273+ // selected by metadata.name via a field selector.
274+ cmCacheNamespaces := map [string ]cache.Config {
275+ controller .ClusterDefaultsNamespace : {
276+ LabelSelector : labels .SelectorFromSet (map [string ]string {
277+ "app.kubernetes.io/name" : "kagenti-operator-chart" ,
278+ }),
279+ },
280+ cache .AllNamespaces : {
281+ LabelSelector : labels .SelectorFromSet (map [string ]string {
282+ controller .LabelNamespaceDefaults : "true" ,
283+ }),
284+ },
285+ }
286+ if requireA2ASignature && spireTrustBundleConfigMapNS != "" {
287+ cmCacheNamespaces [spireTrustBundleConfigMapNS ] = cache.Config {
288+ FieldSelector : fields .SelectorFromSet (fields.Set {
289+ "metadata.name" : spireTrustBundleConfigMapName ,
290+ }),
291+ }
292+ }
293+
256294 mgr , err := ctrl .NewManager (ctrl .GetConfigOrDie (), ctrl.Options {
257295 Scheme : scheme ,
258296 Metrics : metricsServerOptions ,
259297 Cache : cache.Options {
260298 DefaultNamespaces : getNamespacesToWatch (),
261- // Scope the ConfigMap informer to only kagenti-relevant ConfigMaps.
262- // Without this, the controller would cache ALL ConfigMaps cluster-wide.
263- //
264- // Two types of ConfigMaps are relevant:
265- // 1. Cluster-level defaults in kagenti-system:
266- // - kagenti-platform-config (platform-wide sidecar config)
267- // - kagenti-feature-gates (which AuthBridge components are enabled)
268- // Both are deployed by the kagenti-operator Helm chart and share the
269- // label app.kubernetes.io/name=kagenti-operator-chart.
270- //
271- // 2. Namespace-level defaults in agent namespaces:
272- // ConfigMaps labeled kagenti.io/defaults=true, deployed by platform
273- // engineers via Helm/Kustomize to override cluster defaults per namespace.
274299 ByObject : map [client.Object ]cache.ByObject {
275300 & corev1.ConfigMap {}: {
276- Namespaces : map [string ]cache.Config {
277- controller .ClusterDefaultsNamespace : {
278- LabelSelector : labels .SelectorFromSet (map [string ]string {
279- "app.kubernetes.io/name" : "kagenti-operator-chart" ,
280- }),
281- },
282- cache .AllNamespaces : {
283- LabelSelector : labels .SelectorFromSet (map [string ]string {
284- controller .LabelNamespaceDefaults : "true" ,
285- }),
286- },
287- },
301+ Namespaces : cmCacheNamespaces ,
288302 },
289303 },
290304 },
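Review bot: The assignment `cmCacheNamespaces[spireTrustBundleConfigMapNS] = cache.Config{...}` on new lines 287-291 silently overwrites any entry already keyed by that namespace, so if the trust bundle is configured to live in `controller.ClusterDefaultsNamespace` the label selector that caches kagenti-platform-config and kagenti-feature-gates is dropped and the cluster-level defaults (including the feature gates that decide which AuthBridge components run) become invisible to the controller. A single cache.Config cannot OR a label selector with a field selector (both apply to the same list/watch and are ANDed), so merging the two entries is not an option; the safe fix is to detect the collision and refuse to start, e.g. `if _, dup := cmCacheNamespaces[spireTrustBundleConfigMapNS]; dup { /* refuse startup: one cache.Config per namespace, selectors cannot be OR-ed */ }` before the assignment. The same per-namespace precedence means a kagenti.io/defaults=true ConfigMap in the trust-bundle namespace would no longer be cached either, which may be acceptable but deserves a sentence in the comment block above. I cannot see where `spireTrustBundleConfigMapName` is set; if it is not validated non-empty, the `metadata.name` field selector would match nothing and the bundle would never be cached. main() continues outside the hunk.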