lukaszraczylo
4277c8ac39
fix(controller): guard mirror deletion + enforce secret blacklist
...
C1: deleteAllMirrors used to issue a blind Delete on every namespace
matching the source name+GVK, which would destroy unrelated resources
(e.g. a 'default' SA, 'ca-bundle' ConfigMap) sharing the source name.
Now reads each candidate, verifies managed-by label and source-reference
annotation, and only deletes confirmed mirrors.
M1: BlacklistedSecretTypes was declared but never enforced. Enabling
mirroring on a service-account-token / bootstrap-token / helm release
Secret would mirror credentials cluster-wide. Now refused at Reconcile.
M3: deleteAllMirrors swallowed per-namespace errors and returned nil,
so callers removed the finalizer even on partial failure (orphans).
Errors are now joined and returned.
2026-05-02 22:35:40 +01:00
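The guarded deletion (C1), the joined errors (M3) and the secret-type refusal (M1) described in the commit above, as an added example that is not the project's code: the controller's client is modelled by an in-memory fake, and the marker label and annotation names (`mirror.example.com/...`) are assumed, not the project's real keys.

```go
package main

import (
	"errors"
	"fmt"
)

const ( // marker names are assumed for this example, not the project's real keys
	managedByLabel = "mirror.example.com/managed-by"
	managedByValue = "mirror-controller"
	sourceRefAnno  = "mirror.example.com/source-reference"
)
// Secret types refused at Reconcile: the three the commit message names.
var blacklistedSecretTypes = map[string]bool{
	"kubernetes.io/service-account-token": true, "bootstrap.kubernetes.io/token": true, "helm.sh/release.v1": true}
func secretTypeAllowed(secretType string) bool { return !blacklistedSecretTypes[secretType] }
// obj stands in for an unstructured object; fakeClient keys objects "namespace/name" and lists namespaces where Delete fails.
type obj struct{ Labels, Annotations map[string]string }
type fakeClient struct {
	objs   map[string]*obj
	failNS map[string]bool
}
// A candidate is a mirror only if BOTH the managed-by label and the source reference match.
func isConfirmedMirror(o *obj, sourceRef string) bool {
	return o.Labels[managedByLabel] == managedByValue && o.Annotations[sourceRefAnno] == sourceRef
}
// deleteAllMirrors reads each candidate before deleting, skips unrelated resources that
// merely share the name, and joins per-namespace errors instead of swallowing them.
func deleteAllMirrors(c *fakeClient, namespaces []string, name, sourceRef string) (deleted []string, err error) {
	var errs []error
	for _, ns := range namespaces {
		key := ns + "/" + name
		if o, ok := c.objs[key]; !ok || !isConfirmedMirror(o, sourceRef) {
			continue
		}
		if c.failNS[ns] { // simulated RBAC/webhook rejection: record it and keep going
			errs = append(errs, fmt.Errorf("delete %s: forbidden", key))
			continue
		}
		delete(c.objs, key)
		deleted = append(deleted, ns)
	}
	return deleted, errors.Join(errs...) // non-nil means the caller must keep the finalizer
}

func main() {
	c := &fakeClient{objs: map[string]*obj{"team-b/default": {}, // an unrelated 'default' SA: must survive
		"team-a/default": {map[string]string{managedByLabel: managedByValue}, map[string]string{sourceRefAnno: "kube-system/default"}}}}
	fmt.Println(deleteAllMirrors(c, []string{"team-a", "team-b"}, "default", "kube-system/default"))
}
```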
lukaszraczylo
096dca47d1
improvements jan2025 ( #6 )
...
* feat(controller): add lazy watcher, improve resource usage and add pattern validation
- [x] Add cache sync health check for readiness probe verification
- [x] Create namespace lister with API reader support for fresh label queries
- [x] Add pattern validation with warning logs for invalid glob patterns
- [x] Implement lazy watcher initialization mode to scan for active resources
- [x] Add requeue delay to namespace reconciler for cache settlement
- [x] Replace custom containsString with slices.Contains from stdlib
- [x] Add structured logging context to reconcilers (kind, group, version)
- [x] Improve error variable naming for clarity in nested conditions
- [x] Add nil-safe label access in namespace reconciler setup
- [x] Add APIReader to namespace and source reconcilers for fresh data
- [x] Improve type assertions with proper error handling in mirror operations
- [x] Reorder struct fields for consistency and readability
- [x] Add comprehensive pattern validation tests and validation API
* feat(controller): add lazy watcher, improve resource usage and add pattern validation
- [x] Add circuit breaker for reconciliation failure tracking and prevention
- [x] Implement granular registration state tracking (not-registered, source-only, fully-registered)
- [x] Add lazy controller initialization for active resource types only
- [x] Consolidate namespace listing into single API call for efficiency
- [x] Add mirror creation verification to catch webhook rejections
- [x] Implement high-cardinality resource detection and warnings
- [x] Add source deletion check in mirror reconciler to prevent races
- [x] Preserve transformation annotations on errors in mirror reconciliation
- [x] Expand constants documentation with labels vs annotations design rationale
- [x] Add comprehensive test coverage for circuit breaker and registration states
- [x] Add mutation-safety tests for hash computation
* fixup! feat(controller): add lazy watcher, improve resource usage and add pattern validation
2026-01-14 13:07:11 +00:00
lukaszraczylo
19e72e136a
Add lazy watcher, improving resource usage; update website.
2025-12-27 01:28:46 +00:00
lukaszraczylo
1d49573fd1
Fix the last tests
2025-12-26 17:44:57 +00:00
lukaszraczylo
2f5faddf04
Fix transformer handling logic and improve content hashing
2025-12-26 17:39:33 +00:00
lukaszraczylo
c8ebfe376b
Reliability improvements.
2025-12-26 17:30:13 +00:00
lukaszraczylo
ceff0ed67f
CRD discovery, log noise reduction, e2e tests
2025-12-26 15:25:25 +00:00
lukaszraczylo
e822eb3e17
Complement the reconciliation on annotation change with tests.
2025-12-26 01:42:16 +00:00
lukaszraczylo
c6bdc1f559
Remove targets if annotations on source have changed.
2025-12-26 01:35:46 +00:00
lukaszraczylo
2dd34bf39e
fix: Mirrored resources managed by other operators.
2025-12-26 01:02:55 +00:00
lukaszraczylo
ca0cff3be3
fixup! Utilise shared workflows.
2025-12-25 23:20:03 +00:00
lukaszraczylo
3e872dfdeb
Preparation for release.
2025-12-25 23:11:32 +00:00
lukaszraczylo
8adb52608f
initial commit
2025-12-25 22:10:57 +00:00