Reconcile owned services and ingresses for each statefulset pod insta…

…nce.

pkg/controllers/modifiers.go

@@ -18,10 +18,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	oidc_apps_controller "github.com/gardener/oidc-apps-controller/pkg/constants"
 	"os"
+	"strconv"
 	"strings"
 
+	oidc_apps_controller "github.com/gardener/oidc-apps-controller/pkg/constants"
+
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	gardenextensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	v1 "k8s.io/api/apps/v1"
@@ -176,7 +178,7 @@ func reconcileDeploymentDependencies(ctx context.Context, c client.Client, objec
 	}
 
 	// Create or update the oauth2 service setting the owner reference
-	if oauth2Service, err = createOauth2Service(object); err != nil {
+	if oauth2Service, err = createOauth2Service("", object); err != nil {
 		return fmt.Errorf("failed to create oauth2 service: %w", err)
 	}
 	if err := controllerutil.SetOwnerReference(object, &oauth2Service, c.Scheme()); err != nil {
@@ -225,7 +227,8 @@ func reconcileDeploymentDependencies(ctx context.Context, c client.Client, objec
 	}
 
 	// Create or update the oauth2 ingress setting the owner reference
-	if oauth2Ingress, err = createIngress(object.GetAnnotations()[oidc_apps_controller.AnnotationHostKey], object); err != nil {
+	if oauth2Ingress, err = createIngress(object.GetAnnotations()[oidc_apps_controller.AnnotationHostKey], "",
+		object); err != nil {
 		return fmt.Errorf("failed to create oauth2 ingress: %w", err)
 	}
 	if err = controllerutil.SetOwnerReference(object, &oauth2Ingress,
@@ -287,8 +290,20 @@ func reconcileStatefulSetDependencies(ctx context.Context, c client.Client, obje
 		}
 		pod.Annotations[oidc_apps_controller.AnnotationSuffixKey] = suffix
 
+		var podIndex string
+		host, domain, found := strings.Cut(hostPrefix, ".")
+		if found {
+			// In some environments, the pod index is added as a label: apps.kubernetes.io/pod-index
+			if idx, present := pod.GetObjectMeta().GetLabels()["statefulset.kubernetes.io/pod-name"]; present {
+				l := strings.Split(idx, "-")
+				host = fmt.Sprintf("%s-%s.%s", host, l[len(l)-1], domain)
+				podIndex = l[len(l)-1]
+			} else {
+				host = fmt.Sprintf("%s.%s", host, domain)
+			}
+		}
 		// Create or update the oauth2 service setting the owner reference
-		if oauth2Service, err = createOauth2Service(&pod); err != nil {
+		if oauth2Service, err = createOauth2Service(podIndex, &pod); err != nil {
 			return fmt.Errorf("failed to create oauth2 service: %w", err)
 		}
 		if err := controllerutil.SetOwnerReference(&pod, &oauth2Service, c.Scheme()); err != nil {
@@ -299,19 +314,7 @@ func reconcileStatefulSetDependencies(ctx context.Context, c client.Client, obje
 		}
 
 		// Create or update the oauth2 ingress setting the owner reference
-		host, domain, found := strings.Cut(hostPrefix, ".")
-		if found {
-			// In some environments, the pod index is added as a label: apps.kubernetes.io/pod-index
-			podIndex, present := pod.GetObjectMeta().GetLabels()["statefulset.kubernetes.io/pod-name"]
-			if present {
-				l := strings.Split(podIndex, "-")
-				host = fmt.Sprintf("%s-%s.%s", host, l[len(l)-1], domain)
-			} else {
-				host = fmt.Sprintf("%s.%s", host, domain)
-			}
-		}
-		// Create or update the oauth2 ingress setting the owner reference
-		if oauth2Ingress, err = createIngress(host, object); err != nil {
+		if oauth2Ingress, err = createIngress(host, podIndex, object); err != nil {
 			return fmt.Errorf("failed to create oauth2 ingress: %w", err)
 		}
 		if err = controllerutil.SetOwnerReference(&pod, &oauth2Ingress, c.Scheme()); err != nil {
@@ -362,3 +365,18 @@ func reconcileStatefulSetDependencies(ctx context.Context, c client.Client, obje
 
 	return nil
 }
+
+func addOptionalIndex(idx string) string {
+	if idx == "-" {
+		return ""
+	}
+	idxStr, ok := strings.CutSuffix(idx, "-")
+	if !ok {
+		return ""
+	}
+	i, err := strconv.ParseInt(idxStr, 0, 32)
+	if err != nil {
+		return ""
+	}
+	return fmt.Sprintf("%d-", i)
+}

pkg/controllers/oidc-apps-ingresses.go

@@ -16,7 +16,6 @@ package controllers
 
 import (
 	"fmt"
-
 	"github.com/gardener/oidc-apps-controller/pkg/configuration"
 	oidc_apps_controller "github.com/gardener/oidc-apps-controller/pkg/constants"
 
@@ -26,18 +25,17 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func createIngress(host string, object client.Object) (networkingv1.Ingress, error) {
+func createIngress(host string, index string, object client.Object) (networkingv1.Ingress, error) {
 	suffix, ok := object.GetAnnotations()[oidc_apps_controller.AnnotationSuffixKey]
 	if !ok {
 		return networkingv1.Ingress{}, fmt.Errorf("missing suffix annotation")
 	}
 	ingressClassName := configuration.GetOIDCAppsControllerConfig().GetIngressClassName(object)
-
 	ingressTLSSecretName := configuration.GetOIDCAppsControllerConfig().GetIngressTLSSecretName(object)
 
 	return networkingv1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "ingress" + "-" + suffix,
+			Name:      "ingress-" + addOptionalIndex(index+"-") + suffix,
 			Namespace: object.GetNamespace(),
 			Labels:    map[string]string{oidc_apps_controller.LabelKey: "oauth2"},
 		},
@@ -60,7 +58,7 @@ func createIngress(host string, object client.Object) (networkingv1.Ingress, err
 									PathType: ptr.To(networkingv1.PathTypePrefix),
 									Backend: networkingv1.IngressBackend{
 										Service: &networkingv1.IngressServiceBackend{
-											Name: "oauth2-service" + "-" + suffix,
+											Name: "oauth2-service-" + addOptionalIndex(index+"-") + suffix,
 											Port: networkingv1.ServiceBackendPort{
 												Name: "http",
 											},

pkg/controllers/oidc-apps-services.go

@@ -25,15 +25,15 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func createOauth2Service(object client.Object) (corev1.Service, error) {
+func createOauth2Service(index string, object client.Object) (corev1.Service, error) {
 	suffix, ok := object.GetAnnotations()[oidc_apps_controller.AnnotationSuffixKey]
 	if !ok {
 		return corev1.Service{}, fmt.Errorf("missing suffix annotation")
 	}
 
 	return corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "oauth2-service-" + suffix,
+			Name:      "oauth2-service-" + addOptionalIndex(index+"-") + suffix,
 			Namespace: object.GetNamespace(),
 			Labels:    map[string]string{oidc_apps_controller.LabelKey: "oauth2"},
 		},

pkg/oidc-apps-controller/cmd.go

@@ -344,11 +344,32 @@ func addStatefulSetController(mgr manager.Manager) error {
 			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})).
 		Watches(
 			&corev1.Service{},
-			handler.EnqueueRequestForOwner(
-				mgr.GetScheme(),
-				mgr.GetRESTMapper(),
-				&appsv1.StatefulSet{},
-			),
+			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
+				service := obj.(*corev1.Service)
+				c := mgr.GetClient()
+				for _, o := range service.GetOwnerReferences() {
+					pod := &corev1.Pod{}
+					if err := c.Get(ctx, types.NamespacedName{Name: o.Name, Namespace: service.Namespace}, pod); client.IgnoreNotFound(err) != nil {
+						_log.Error(err, "could not get pod", "name", o.Name, "namespace", service.Namespace)
+					}
+					if len(pod.Name) == 0 {
+						continue
+					}
+
+					for _, r := range pod.GetOwnerReferences() {
+						statefulset := &appsv1.StatefulSet{}
+						if err := c.Get(ctx, types.NamespacedName{Name: r.Name, Namespace: pod.Namespace}, statefulset); client.IgnoreNotFound(err) != nil {
+							_log.Error(err, "could not get statefulset", "name", r.Name, "namespace", pod.Namespace)
+						}
+						if len(statefulset.Name) == 0 {
+							continue
+						}
+						return []reconcile.Request{{NamespacedName: types.NamespacedName{Name: statefulset.Name, Namespace: statefulset.Namespace}}}
+					}
+				}
+
+				return nil
+			}),
 			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})).
 		Watches(
 			&networkingv1.Ingress{},