Use controller-runtime manager to access namespaces

Use controller-runtime [^1] to access Kubernetes namespaces instead of
explicitly initializing an informer. It dynamically adds informers on
read, so we don't need to initialize informers upfront.

[^1]: https://pkg.go.dev/sigs.k8s.io/controller-runtime

Fixes: c968ed4 ("watcher: Watch namespaces")
Signed-off-by: Michi Mutsuzaki <[email protected]>

Author: michi-covalent

.github/workflows/podinfo-test.yaml renamed to .github/workflows/integration-test.yaml

@@ -1,4 +1,4 @@
-name: PodInfo Integration Test
+name: Integration Test
 on:
   pull_request:
     types:
@@ -61,4 +61,4 @@ jobs:
           --set tetragonOperator.podInfo.enabled=true \
           --set tetragonOperator.image.override=${{ steps.vars.outputs.operatorImage }}
         kubectl rollout status -n kube-system deployment/tetragon-operator
-        go test --tags=integration -v ./operator/...
+        go test --tags=integration -v ./operator/... ./pkg/manager/...

cmd/tetragon/main.go

@@ -35,6 +35,7 @@ import (
 	tetragonGrpc "github.com/cilium/tetragon/pkg/grpc"
 	"github.com/cilium/tetragon/pkg/health"
 	"github.com/cilium/tetragon/pkg/logger"
+	"github.com/cilium/tetragon/pkg/manager"
 	"github.com/cilium/tetragon/pkg/metrics"
 	"github.com/cilium/tetragon/pkg/metricsconfig"
 	"github.com/cilium/tetragon/pkg/observer"
@@ -398,6 +399,9 @@ func tetragonExecuteCtx(ctx context.Context, cancel context.CancelFunc, ready fu
 	var k8sWatcher watcher.K8sResourceWatcher
 	if option.Config.EnableK8s {
 		log.Info("Enabling Kubernetes API")
+		// Start controller-runtime manager.
+		controllerManager := manager.Get()
+		controllerManager.Start(ctx)
 		// retrieve k8s clients
 		k8sClient, crdClient, err = watcher.GetK8sClients(waitCRDs)
 		if err != nil {
@@ -416,9 +420,6 @@ func tetragonExecuteCtx(ctx context.Context, cancel context.CancelFunc, ready fu
 		if err != nil {
 			return err
 		}
-		if err := watcher.AddNamespaceInformer(k8sWatcher); err != nil {
-			return err
-		}
 	} else {
 		log.Info("Disabling Kubernetes API")
 		k8sWatcher = watcher.NewFakeK8sWatcher(nil)

pkg/manager/manager.go

@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package manager
+
+import (
+	"context"
+	"sync"
+
+	"github.com/bombsimon/logrusr/v4"
+	"github.com/cilium/tetragon/pkg/logger"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	ctrlManager "sigs.k8s.io/controller-runtime/pkg/manager"
+)
+
+var (
+	initOnce, startOnce sync.Once
+	manager             *ControllerManager
+)
+
+// ControllerManager is responsible for running controller-runtime controllers,
+// and interacting with Kubernetes API server in general. If you need to interact
+// with Kubernetes API server, this is the place to start.
+type ControllerManager struct {
+	Manager ctrlManager.Manager
+}
+
+func Get() *ControllerManager {
+	initOnce.Do(func() {
+		ctrl.SetLogger(logrusr.New(logger.GetLogger()))
+		scheme := runtime.NewScheme()
+		utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+		controllerManager, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{Scheme: scheme})
+		if err != nil {
+			panic(err)
+		}
+		manager = &ControllerManager{
+			Manager: controllerManager,
+		}
+	})
+	return manager
+}
+
+func (cm *ControllerManager) Start(ctx context.Context) {
+	startOnce.Do(func() {
+		go func() {
+			if err := cm.Manager.Start(ctx); err != nil {
+				panic(err)
+			}
+		}()
+		cm.Manager.GetCache().WaitForCacheSync(ctx)
+	})
+}
+
+func (cm *ControllerManager) GetNamespace(name string) (*corev1.Namespace, error) {
+	ns := corev1.Namespace{}
+	if err := cm.Manager.GetCache().Get(context.Background(), types.NamespacedName{Name: name}, &ns); err != nil {
+		return nil, err
+	}
+	return &ns, nil
+}
+
+func (cm *ControllerManager) ListNamespaces() ([]corev1.Namespace, error) {
+	namespaceList := corev1.NamespaceList{}
+	if err := cm.Manager.GetCache().List(context.Background(), &namespaceList, &client.ListOptions{}); err != nil {
+		return nil, err
+	}
+	return namespaceList.Items, nil
+}

pkg/manager/manager_integration_test.go

@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+//go:build integration
+
+package manager
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+)
+
+type ManagerTestSuite struct {
+	suite.Suite
+	testEnv *envtest.Environment
+	manager *ControllerManager
+}
+
+func (suite *ManagerTestSuite) SetupSuite() {
+	useExistingCluster := true
+	suite.testEnv = &envtest.Environment{
+		UseExistingCluster: &useExistingCluster,
+	}
+	_, err := suite.testEnv.Start()
+	assert.NoError(suite.T(), err)
+	suite.manager = Get()
+	suite.manager.Start(context.Background())
+}
+
+func (suite *ManagerTestSuite) TestListNamespaces() {
+	// List namespaces.
+	namespaces, err := suite.manager.ListNamespaces()
+	assert.NoError(suite.T(), err)
+	assert.NotEmpty(suite.T(), namespaces)
+
+	// Call GetNamespace on the first namespace in the list.
+	namespace, err := suite.manager.GetNamespace(namespaces[0].Name)
+	assert.NoError(suite.T(), err)
+	assert.Equal(suite.T(), namespaces[0].Name, namespace.Name)
+}
+
+func (suite *ManagerTestSuite) TearDownSuite() {
+	assert.NoError(suite.T(), suite.testEnv.Stop())
+}
+
+func TestControllerSuite(t *testing.T) {
+	suite.Run(t, new(ManagerTestSuite))
+}