| 64 | ) |
| 65 | |
| 66 | func Run(opts *config.CAInjectorConfiguration, ctx context.Context) error { |
| 67 | log := logf.FromContext(ctx) |
| 68 | |
| 69 | restConfig := util.RestConfigWithUserAgent(ctrl.GetConfigOrDie(), "cainjector") |
| 70 | |
| 71 | var defaultNamespaces map[string]cache.Config |
| 72 | if opts.Namespace != "" { |
| 73 | // If a namespace has been provided, only watch resources in that namespace |
| 74 | defaultNamespaces = map[string]cache.Config{ |
| 75 | opts.Namespace: {}, |
| 76 | } |
| 77 | } |
| 78 | |
| 79 | metricsServerCertificateSource := buildCertificateSource(opts.MetricsTLSConfig, restConfig) |
| 80 | metricsServerOptions, err := buildMetricsServerOptions(opts, metricsServerCertificateSource) |
| 81 | if err != nil { |
| 82 | return err |
| 83 | } |
| 84 | |
| 85 | scheme := runtime.NewScheme() |
| 86 | utilruntime.Must(kscheme.AddToScheme(scheme)) |
| 87 | utilruntime.Must(cmscheme.AddToScheme(scheme)) |
| 88 | utilruntime.Must(apiext.AddToScheme(scheme)) |
| 89 | utilruntime.Must(apireg.AddToScheme(scheme)) |
| 90 | |
| 91 | mgr, err := ctrl.NewManager( |
| 92 | restConfig, |
| 93 | ctrl.Options{ |
| 94 | Scheme: scheme, |
| 95 | Cache: cache.Options{ |
| 96 | ReaderFailOnMissingInformer: true, |
| 97 | DefaultNamespaces: defaultNamespaces, |
| 98 | }, |
| 99 | Client: client.Options{ |
| 100 | Cache: &client.CacheOptions{ |
| 101 | // Why do we disable the cache for v1.Secret? |
| 102 | // |
| 103 | // 1. To reduce memory use of cainjector, by disabling |
| 104 | // in-memory cache of Secret resources. |
| 105 | // 2. To reduce the load on the K8S API server when |
| 106 | // cainjector starts up, caused by the initial listing of |
| 107 | // Secret resources in the cluster. |
| 108 | // |
| 109 | // Clusters may contain many and / or large Secret |
| 110 | // resources. |
| 111 | // For example OpenShift clusters may have thousands of |
| 112 | // ServiceAccounts and each of these has a Secret with the |
| 113 | // associated token. |
| 114 | // Or where helm is used, there will be large Secret |
| 115 | // resources containing the configuration of each Helm |
| 116 | // deployment. |
| 117 | // |
| 118 | // Ordinarily, the controller-runtime client would implicitly |
| 119 | // initialize a client-go cache which would list every |
| 120 | // Secret, including the entire data of every Secret. |
| 121 | // This initial list operation can place enormous load on |
| 122 | // the K8S API server. |
| 123 | // |