fix: reduce database calls on policy updates (kyverno#136)

* fix: reduce database calls on policy updates Signed-off-by: Vishal Choudhary <[email protected]> * fix: lint Signed-off-by: Vishal Choudhary <[email protected]> --------- Signed-off-by: Vishal Choudhary <[email protected]> Signed-off-by: Zach Stone <[email protected]>
giantswarm · Jul 4, 2024 · 25ab764 · 25ab764
1 parent 2277656
commit 25ab764
Show file tree

Hide file tree

Showing 6 changed files with 100 additions and 112 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,13 @@
+ARG ARCH
+FROM golang:1.21.5 as build
+
+WORKDIR /
+COPY . ./
+
+RUN GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-w -s" -o reports-server ./main.go
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=build reports-server reports-server
+USER 65534
+ENTRYPOINT ["/reports-server"]
diff --git a/pkg/api/cephr.go b/pkg/api/cephr.go
@@ -133,11 +133,18 @@ func (c *cephrStore) Create(ctx context.Context, obj runtime.Object, createValid
 func (c *cephrStore) Update(ctx context.Context, name string, objInfo rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc, forceAllowCreate bool, options *metav1.UpdateOptions) (runtime.Object, bool, error) {
 	isDryRun := slices.Contains(options.DryRun, "All")
 
+	oldObj, err := c.getCephr(name)
+	if err != nil && !forceAllowCreate {
+		return nil, false, err
+	}
+
+	updatedObject, err := objInfo.UpdatedObject(ctx, oldObj)
+	if err != nil && !forceAllowCreate {
+		return nil, false, err
+	}
+	cephr := updatedObject.(*reportsv1.ClusterEphemeralReport)
 	if forceAllowCreate {
-		oldObj, _ := c.getCephr(name)
-		updatedObject, _ := objInfo.UpdatedObject(ctx, oldObj)
-		cephr := updatedObject.(*reportsv1.ClusterEphemeralReport)
-		if err := c.updateCephr(cephr, true); err != nil {
+		if err := c.updateCephr(cephr, oldObj); err != nil {
 			klog.ErrorS(err, "failed to update resource")
 		}
 		if err := c.broadcaster.Action(watch.Added, updatedObject); err != nil {
@@ -146,15 +153,6 @@ func (c *cephrStore) Update(ctx context.Context, name string, objInfo rest.Updat
 		return updatedObject, true, nil
 	}
 
-	oldObj, err := c.getCephr(name)
-	if err != nil {
-		return nil, false, err
-	}
-
-	updatedObject, err := objInfo.UpdatedObject(ctx, oldObj)
-	if err != nil {
-		return nil, false, err
-	}
 	err = updateValidation(ctx, updatedObject, oldObj)
 	if err != nil {
 		switch options.FieldValidation {
@@ -176,7 +174,7 @@ func (c *cephrStore) Update(ctx context.Context, name string, objInfo rest.Updat
 
 	klog.Infof("updating cluster ephemeral reports name=%s", cephr.Name)
 	if !isDryRun {
-		if err := c.updateCephr(cephr, false); err != nil {
+		if err := c.updateCephr(cephr, oldObj); err != nil {
 			return nil, false, errors.NewBadRequest(fmt.Sprintf("cannot create cluster ephemeral report: %s", err.Error()))
 		}
 		if err := c.broadcaster.Action(watch.Modified, updatedObject); err != nil {
@@ -312,21 +310,12 @@ func (c *cephrStore) createCephr(report *reportsv1.ClusterEphemeralReport) error
 	return c.store.ClusterEphemeralReports().Create(context.TODO(), *report)
 }
 
-func (c *cephrStore) updateCephr(report *reportsv1.ClusterEphemeralReport, force bool) error {
-	if !force {
-		oldReport, err := c.getCephr(report.GetName())
-		if err != nil {
-			return errorpkg.Wrapf(err, "old cluster ephemeral report not found")
-		}
-		oldRV, err := strconv.ParseInt(oldReport.ResourceVersion, 10, 64)
-		if err != nil {
-			return errorpkg.Wrapf(err, "could not parse resource version")
-		}
-
-		report.ResourceVersion = fmt.Sprint(oldRV + 1)
-	} else {
-		report.ResourceVersion = "1"
+func (c *cephrStore) updateCephr(report *reportsv1.ClusterEphemeralReport, oldReport *reportsv1.ClusterEphemeralReport) error {
+	oldRV, err := strconv.ParseInt(oldReport.ResourceVersion, 10, 64)
+	if err != nil {
+		return errorpkg.Wrapf(err, "could not parse resource version")
 	}
+	report.ResourceVersion = fmt.Sprint(oldRV + 1)
 
 	return c.store.ClusterEphemeralReports().Update(context.TODO(), *report)
 }

diff --git a/pkg/api/cpolr.go b/pkg/api/cpolr.go
@@ -133,11 +133,18 @@ func (c *cpolrStore) Create(ctx context.Context, obj runtime.Object, createValid
 func (c *cpolrStore) Update(ctx context.Context, name string, objInfo rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc, forceAllowCreate bool, options *metav1.UpdateOptions) (runtime.Object, bool, error) {
 	isDryRun := slices.Contains(options.DryRun, "All")
 
+	oldObj, err := c.getCpolr(name)
+	if err != nil && !forceAllowCreate {
+		return nil, false, err
+	}
+
+	updatedObject, err := objInfo.UpdatedObject(ctx, oldObj)
+	if err != nil && !forceAllowCreate {
+		return nil, false, err
+	}
+	cpolr := updatedObject.(*v1alpha2.ClusterPolicyReport)
 	if forceAllowCreate {
-		oldObj, _ := c.getCpolr(name)
-		updatedObject, _ := objInfo.UpdatedObject(ctx, oldObj)
-		cpolr := updatedObject.(*v1alpha2.ClusterPolicyReport)
-		if err := c.updateCpolr(cpolr, true); err != nil {
+		if err := c.updateCpolr(cpolr, oldObj); err != nil {
 			klog.ErrorS(err, "failed to update resource")
 		}
 		if err := c.broadcaster.Action(watch.Added, updatedObject); err != nil {
@@ -146,15 +153,6 @@ func (c *cpolrStore) Update(ctx context.Context, name string, objInfo rest.Updat
 		return updatedObject, true, nil
 	}
 
-	oldObj, err := c.getCpolr(name)
-	if err != nil {
-		return nil, false, err
-	}
-
-	updatedObject, err := objInfo.UpdatedObject(ctx, oldObj)
-	if err != nil {
-		return nil, false, err
-	}
 	err = updateValidation(ctx, updatedObject, oldObj)
 	if err != nil {
 		switch options.FieldValidation {
@@ -176,7 +174,7 @@ func (c *cpolrStore) Update(ctx context.Context, name string, objInfo rest.Updat
 
 	klog.Infof("updating cluster policy report name=%s", cpolr.Name)
 	if !isDryRun {
-		if err := c.updateCpolr(cpolr, false); err != nil {
+		if err := c.updateCpolr(cpolr, oldObj); err != nil {
 			return nil, false, errors.NewBadRequest(fmt.Sprintf("cannot create cluster policy report: %s", err.Error()))
 		}
 		if err := c.broadcaster.Action(watch.Modified, updatedObject); err != nil {
@@ -312,21 +310,12 @@ func (c *cpolrStore) createCpolr(report *v1alpha2.ClusterPolicyReport) error {
 	return c.store.ClusterPolicyReports().Create(context.TODO(), *report)
 }
 
-func (c *cpolrStore) updateCpolr(report *v1alpha2.ClusterPolicyReport, force bool) error {
-	if !force {
-		oldReport, err := c.getCpolr(report.GetName())
-		if err != nil {
-			return errorpkg.Wrapf(err, "old cluster policy report not found")
-		}
-		oldRV, err := strconv.ParseInt(oldReport.ResourceVersion, 10, 64)
-		if err != nil {
-			return errorpkg.Wrapf(err, "could not parse resource version")
-		}
-
-		report.ResourceVersion = fmt.Sprint(oldRV + 1)
-	} else {
-		report.ResourceVersion = "1"
+func (c *cpolrStore) updateCpolr(report *v1alpha2.ClusterPolicyReport, oldReport *v1alpha2.ClusterPolicyReport) error {
+	oldRV, err := strconv.ParseInt(oldReport.ResourceVersion, 10, 64)
+	if err != nil {
+		return errorpkg.Wrapf(err, "could not parse resource version")
 	}
+	report.ResourceVersion = fmt.Sprint(oldRV + 1)
 
 	return c.store.ClusterPolicyReports().Update(context.TODO(), *report)
 }

diff --git a/pkg/api/ephr.go b/pkg/api/ephr.go
@@ -146,11 +146,19 @@ func (p *ephrStore) Update(ctx context.Context, name string, objInfo rest.Update
 	isDryRun := slices.Contains(options.DryRun, "All")
 	namespace := genericapirequest.NamespaceValue(ctx)
 
+	oldObj, err := p.getEphr(name, namespace)
+	if err != nil && !forceAllowCreate {
+		return nil, false, err
+	}
+
+	updatedObject, err := objInfo.UpdatedObject(ctx, oldObj)
+	if err != nil && !forceAllowCreate {
+		return nil, false, err
+	}
+	ephr := updatedObject.(*reportsv1.EphemeralReport)
+
 	if forceAllowCreate {
-		oldObj, _ := p.getEphr(name, namespace)
-		updatedObject, _ := objInfo.UpdatedObject(ctx, oldObj)
-		ephr := updatedObject.(*reportsv1.EphemeralReport)
-		if err := p.updateEphr(ephr, true); err != nil {
+		if err := p.updateEphr(ephr, oldObj); err != nil {
 			klog.ErrorS(err, "failed to update resource")
 		}
 		if err := p.broadcaster.Action(watch.Added, updatedObject); err != nil {
@@ -159,15 +167,6 @@ func (p *ephrStore) Update(ctx context.Context, name string, objInfo rest.Update
 		return updatedObject, true, nil
 	}
 
-	oldObj, err := p.getEphr(name, namespace)
-	if err != nil {
-		return nil, false, err
-	}
-
-	updatedObject, err := objInfo.UpdatedObject(ctx, oldObj)
-	if err != nil {
-		return nil, false, err
-	}
 	err = updateValidation(ctx, updatedObject, oldObj)
 	if err != nil {
 		switch options.FieldValidation {
@@ -193,7 +192,7 @@ func (p *ephrStore) Update(ctx context.Context, name string, objInfo rest.Update
 
 	klog.Infof("updating ephemeral reports name=%s namespace=%s", ephr.Name, ephr.Namespace)
 	if !isDryRun {
-		err := p.updateEphr(ephr, false)
+		err := p.updateEphr(ephr, oldObj)
 		if err != nil {
 			return nil, false, errors.NewBadRequest(fmt.Sprintf("cannot create ephemeral report: %s", err.Error()))
 		}
@@ -333,21 +332,12 @@ func (p *ephrStore) createEphr(report *reportsv1.EphemeralReport) error {
 	return p.store.EphemeralReports().Create(context.TODO(), *report)
 }
 
-func (p *ephrStore) updateEphr(report *reportsv1.EphemeralReport, force bool) error {
-	if !force {
-		oldReport, err := p.getEphr(report.GetName(), report.Namespace)
-		if err != nil {
-			return errorpkg.Wrapf(err, "old ephemeral report not found")
-		}
-		oldRV, err := strconv.ParseInt(oldReport.ResourceVersion, 10, 64)
-		if err != nil {
-			return errorpkg.Wrapf(err, "could not parse resource version")
-		}
-
-		report.ResourceVersion = fmt.Sprint(oldRV + 1)
-	} else {
-		report.ResourceVersion = "1"
+func (p *ephrStore) updateEphr(report *reportsv1.EphemeralReport, oldReport *reportsv1.EphemeralReport) error {
+	oldRV, err := strconv.ParseInt(oldReport.ResourceVersion, 10, 64)
+	if err != nil {
+		return errorpkg.Wrapf(err, "could not parse resource version")
 	}
+	report.ResourceVersion = fmt.Sprint(oldRV + 1)
 
 	return p.store.EphemeralReports().Update(context.TODO(), *report)
 }

diff --git a/pkg/api/install.go b/pkg/api/install.go
@@ -35,6 +35,7 @@ var (
 )
 
 func init() {
+	utilruntime.Must(installWgPolicyTypesInternal(Scheme))
 	utilruntime.Must(v1alpha2.AddToScheme(Scheme))
 	utilruntime.Must(Scheme.SetVersionPriority(v1alpha2.SchemeGroupVersion))
 	metav1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
@@ -91,3 +92,19 @@ func Install(store storage.Interface, server *genericapiserver.GenericAPIServer)
 
 	return nil
 }
+
+func installWgPolicyTypesInternal(s *runtime.Scheme) error {
+	schemeGroupVersion := schema.GroupVersion{Group: "wgpolicyk8s.io", Version: runtime.APIVersionInternal}
+	addKnownTypes := func(scheme *runtime.Scheme) error {
+		scheme.AddKnownTypes(schemeGroupVersion,
+			&v1alpha2.ClusterPolicyReport{},
+			&v1alpha2.PolicyReport{},
+			&v1alpha2.ClusterPolicyReportList{},
+			&v1alpha2.PolicyReportList{},
+		)
+		return nil
+	}
+	schemeBuilder := runtime.NewSchemeBuilder(addKnownTypes)
+	utilruntime.Must(schemeBuilder.AddToScheme(s))
+	return nil
+}
diff --git a/pkg/api/polr.go b/pkg/api/polr.go
@@ -146,11 +146,19 @@ func (p *polrStore) Update(ctx context.Context, name string, objInfo rest.Update
 	isDryRun := slices.Contains(options.DryRun, "All")
 	namespace := genericapirequest.NamespaceValue(ctx)
 
+	oldObj, err := p.getPolr(name, namespace)
+	if err != nil && !forceAllowCreate {
+		return nil, false, err
+	}
+
+	updatedObject, err := objInfo.UpdatedObject(ctx, oldObj)
+	if err != nil && !forceAllowCreate {
+		return nil, false, err
+	}
+	polr := updatedObject.(*v1alpha2.PolicyReport)
+
 	if forceAllowCreate {
-		oldObj, _ := p.getPolr(name, namespace)
-		updatedObject, _ := objInfo.UpdatedObject(ctx, oldObj)
-		polr := updatedObject.(*v1alpha2.PolicyReport)
-		if err := p.updatePolr(polr, true); err != nil {
+		if err := p.updatePolr(polr, oldObj); err != nil {
 			klog.ErrorS(err, "failed to update resource")
 		}
 		if err := p.broadcaster.Action(watch.Added, updatedObject); err != nil {
@@ -159,15 +167,6 @@ func (p *polrStore) Update(ctx context.Context, name string, objInfo rest.Update
 		return updatedObject, true, nil
 	}
 
-	oldObj, err := p.getPolr(name, namespace)
-	if err != nil {
-		return nil, false, err
-	}
-
-	updatedObject, err := objInfo.UpdatedObject(ctx, oldObj)
-	if err != nil {
-		return nil, false, err
-	}
 	err = updateValidation(ctx, updatedObject, oldObj)
 	if err != nil {
 		switch options.FieldValidation {
@@ -193,7 +192,7 @@ func (p *polrStore) Update(ctx context.Context, name string, objInfo rest.Update
 
 	klog.Infof("updating policy reports name=%s namespace=%s", polr.Name, polr.Namespace)
 	if !isDryRun {
-		err := p.updatePolr(polr, false)
+		err := p.updatePolr(polr, oldObj)
 		if err != nil {
 			return nil, false, errors.NewBadRequest(fmt.Sprintf("cannot create policy report: %s", err.Error()))
 		}
@@ -333,21 +332,12 @@ func (p *polrStore) createPolr(report *v1alpha2.PolicyReport) error {
 	return p.store.PolicyReports().Create(context.TODO(), *report)
 }
 
-func (p *polrStore) updatePolr(report *v1alpha2.PolicyReport, force bool) error {
-	if !force {
-		oldReport, err := p.getPolr(report.GetName(), report.Namespace)
-		if err != nil {
-			return errorpkg.Wrapf(err, "old policy report not found")
-		}
-		oldRV, err := strconv.ParseInt(oldReport.ResourceVersion, 10, 64)
-		if err != nil {
-			return errorpkg.Wrapf(err, "could not parse resource version")
-		}
-
-		report.ResourceVersion = fmt.Sprint(oldRV + 1)
-	} else {
-		report.ResourceVersion = "1"
+func (p *polrStore) updatePolr(report *v1alpha2.PolicyReport, oldReport *v1alpha2.PolicyReport) error {
+	oldRV, err := strconv.ParseInt(oldReport.ResourceVersion, 10, 64)
+	if err != nil {
+		return errorpkg.Wrapf(err, "could not parse resource version")
 	}
+	report.ResourceVersion = fmt.Sprint(oldRV + 1)
 
 	return p.store.PolicyReports().Update(context.TODO(), *report)
 }