Two informerfactories are started by cert-manager controller which causes all Secrets to be cached twice in controller #5689

@irbekrm

Here is the default core types informerfactory, which is used to create an informer for Secrets.

There is another informerfactory just for Secrets started here. This code runs every time the challenges controller is registered, so the second informerfactory is started every time for a default cert-manager installation and we cache all the Secrets twice.

The logs confirm that two Secret watches are started:

I0104 19:32:11.799278       1 reflector.go:221] Starting reflector *v1.Secret (5m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.799286       1 reflector.go:257] Listing and watching *v1.Secret from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.804492       1 leaderelection.go:278] successfully renewed lease kube-system/cert-manager-controller
I0104 19:32:11.899938       1 shared_informer.go:303] caches populated
I0104 19:32:11.900006       1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="gateway-shim"
I0104 19:32:11.900081       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="challenges"
I0104 19:32:11.900099       1 controller.go:102] cert-manager/challenges "msg"="starting control loop" 
I0104 19:32:11.900375       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.900521       1 controller.go:191] cert-manager/controller/certificaterequests-issuer-venafi "msg"="new certificate request controller registered" "type"="venafi"
I0104 19:32:11.900558       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-venafi"
I0104 19:32:11.900565       1 controller.go:102] cert-manager/certificaterequests-issuer-venafi "msg"="starting control loop" 
I0104 19:32:11.900750       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.900845       1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificatesigningrequests-issuer-ca"
I0104 19:32:11.900869       1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificatesigningrequests-issuer-selfsigned"
I0104 19:32:11.900936       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificates-trigger"
I0104 19:32:11.900949       1 controller.go:102] cert-manager/certificates-trigger "msg"="starting control loop" 
I0104 19:32:11.901047       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.901113       1 approver.go:81] cert-manager/controller/certificaterequests-approver "msg"="certificate request approver controller registered" 
I0104 19:32:11.901169       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-approver"
I0104 19:32:11.901180       1 controller.go:102] cert-manager/certificaterequests-approver "msg"="starting control loop" 
I0104 19:32:11.901329       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.901395       1 controller.go:191] cert-manager/controller/certificaterequests-issuer-ca "msg"="new certificate request controller registered" "type"="ca"
I0104 19:32:11.901441       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-ca"
I0104 19:32:11.901472       1 controller.go:102] cert-manager/certificaterequests-issuer-ca "msg"="starting control loop" 
I0104 19:32:11.901565       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.901637       1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificatesigningrequests-issuer-vault"
I0104 19:32:11.901751       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificates-request-manager"
I0104 19:32:11.901813       1 controller.go:102] cert-manager/certificates-request-manager "msg"="starting control loop" 
I0104 19:32:11.901821       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.902059       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="clusterissuers"
I0104 19:32:11.902121       1 controller.go:102] cert-manager/clusterissuers "msg"="starting control loop" 
I0104 19:32:11.902145       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.902360       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="ingress-shim"
I0104 19:32:11.902417       1 controller.go:102] cert-manager/ingress-shim "msg"="starting control loop" 
I0104 19:32:11.902440       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.902581       1 controller.go:191] cert-manager/controller/certificaterequests-issuer-vault "msg"="new certificate request controller registered" "type"="vault"
I0104 19:32:11.902857       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.902935       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-vault"
I0104 19:32:11.902997       1 controller.go:102] cert-manager/certificaterequests-issuer-vault "msg"="starting control loop" 
I0104 19:32:11.903092       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificates-metrics"
I0104 19:32:11.903145       1 controller.go:102] cert-manager/certificates-metrics "msg"="starting control loop" 
I0104 19:32:11.903396       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.903621       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificates-key-manager"
I0104 19:32:11.903629       1 controller.go:102] cert-manager/certificates-key-manager "msg"="starting control loop" 
I0104 19:32:11.903911       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.904051       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificates-revision-manager"
I0104 19:32:11.904081       1 controller.go:102] cert-manager/certificates-revision-manager "msg"="starting control loop" 
I0104 19:32:11.904296       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.904494       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="orders"
I0104 19:32:11.904532       1 controller.go:102] cert-manager/orders "msg"="starting control loop" 
I0104 19:32:11.908186       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.908462       1 controller.go:191] cert-manager/controller/certificaterequests-issuer-acme "msg"="new certificate request controller registered" "type"="acme"
I0104 19:32:11.908863       1 context.go:300] cert-manager/controller "msg"="creating event broadcaster" 
I0104 19:32:11.909056       1 controller.go:191] cert-manager/controller/certificaterequests-issuer-selfsigned "msg"="new certificate request controller registered" "type"="selfsigned"
I0104 19:32:11.909092       1 controller.go:213] cert-manager/controller "msg"="starting shared informer factories" 
I0104 19:32:11.909120       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-acme"
I0104 19:32:11.909190       1 reflector.go:221] Starting reflector *v1.Pod (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909200       1 reflector.go:257] Listing and watching *v1.Pod from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909201       1 reflector.go:221] Starting reflector *v1.Challenge (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909210       1 reflector.go:257] Listing and watching *v1.Challenge from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909212       1 reflector.go:221] Starting reflector *v1.Service (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909225       1 reflector.go:257] Listing and watching *v1.Service from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909281       1 controller.go:102] cert-manager/certificaterequests-issuer-acme "msg"="starting control loop" 
I0104 19:32:11.909327       1 reflector.go:221] Starting reflector *v1.ClusterIssuer (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909335       1 reflector.go:257] Listing and watching *v1.ClusterIssuer from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909411       1 reflector.go:221] Starting reflector *v1.Order (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909418       1 reflector.go:257] Listing and watching *v1.Order from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909452       1 reflector.go:221] Starting reflector *v1.Ingress (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909460       1 reflector.go:257] Listing and watching *v1.Ingress from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909506       1 reflector.go:221] Starting reflector *v1.Certificate (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909552       1 reflector.go:257] Listing and watching *v1.Certificate from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909600       1 reflector.go:221] Starting reflector *v1.Issuer (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909663       1 reflector.go:257] Listing and watching *v1.Issuer from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909568       1 reflector.go:221] Starting reflector *v1.CertificateRequest (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909731       1 reflector.go:257] Listing and watching *v1.CertificateRequest from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909542       1 controller.go:205] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-selfsigned"
I0104 19:32:11.909886       1 controller.go:102] cert-manager/certificaterequests-issuer-selfsigned "msg"="starting control loop" 
I0104 19:32:11.909582       1 reflector.go:221] Starting reflector *v1.Secret (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909934       1 reflector.go:257] Listing and watching *v1.Secret from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169

It is not entirely clear to me whether there are any contexts where the solver gets initialized where there isn't another informer factory available. In the case of the challenges controller, we should be able to pass the default secrets lister created by the challenges controller.

/kind bug
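
One way to check a controller log for the condition reported above, as an added example that is not part of the original issue or of cert-manager's code: the Go program below counts client-go "Starting reflector" lines per type and reports any type that has more than one. The sample input reuses four lines from the log above; the function names are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Sample input: four lines taken from the log in the issue above.
const sampleLog = `I0104 19:32:11.799278       1 reflector.go:221] Starting reflector *v1.Secret (5m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909190       1 reflector.go:221] Starting reflector *v1.Pod (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909200       1 reflector.go:257] Listing and watching *v1.Pod from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169
I0104 19:32:11.909582       1 reflector.go:221] Starting reflector *v1.Secret (10h0m0s) from k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169`

// Matches the "Starting reflector <type> (<resync period>)" message.
var startRe = regexp.MustCompile(`Starting reflector (\S+) \(([^)]+)\)`)

// ReflectorStarts (hypothetical helper) maps each watched type to the resync
// periods of every reflector started for it, in log order.
func ReflectorStarts(log string) map[string][]string {
	starts := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if m := startRe.FindStringSubmatch(sc.Text()); m != nil {
			starts[m[1]] = append(starts[m[1]], m[2])
		}
	}
	return starts
}

// Duplicates (hypothetical helper) keeps only the types with more than one
// reflector, i.e. types listed, watched and cached more than once.
func Duplicates(starts map[string][]string) map[string][]string {
	dups := map[string][]string{}
	for typ, periods := range starts {
		if len(periods) > 1 {
			dups[typ] = periods
		}
	}
	return dups
}

func main() {
	for typ, periods := range Duplicates(ReflectorStarts(sampleLog)) {
		fmt.Printf("%s: %d reflectors, resync periods %v\n", typ, len(periods), periods)
	}
}
```

The log line carries only the Go type name, so a hit shows that two reflectors exist for that name, not how each one is scoped by namespace or selector.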

Labels: kind/bug (categorizes issue or PR as related to a bug), priority/important-soon (must be staffed and worked on either currently, or very soon, ideally in time for the next release)
