remove ServiceAccount update event handler (istio#11775)

security/pkg/k8s/controller/workloadsecret.go

@@ -17,14 +17,12 @@ package controller
 import (
 	"bytes"
 	"fmt"
-	"reflect"
 	"strings"
 	"time"
 
 	"istio.io/istio/pkg/spiffe"
 
 	v1 "k8s.io/api/core/v1"
-
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
@@ -145,7 +143,6 @@ func NewSecretController(ca ca.CertificateAuthority, certTTL time.Duration,
 	rehf := cache.ResourceEventHandlerFuncs{
 		AddFunc:    c.saAdded,
 		DeleteFunc: c.saDeleted,
-		UpdateFunc: c.saUpdated,
 	}
 	c.saStore, c.saController = cache.NewInformer(saLW, &v1.ServiceAccount{}, time.Minute, rehf)
 
@@ -199,30 +196,6 @@ func (sc *SecretController) saDeleted(obj interface{}) {
 	sc.monitoring.ServiceAccountDeletion.Inc()
 }
 
-// Handles the event where a service account is updated.
-func (sc *SecretController) saUpdated(oldObj, curObj interface{}) {
-	if reflect.DeepEqual(oldObj, curObj) {
-		// Nothing is changed. The method is invoked by periodical re-sync with the apiserver.
-		return
-	}
-	oldSa := oldObj.(*v1.ServiceAccount)
-	curSa := curObj.(*v1.ServiceAccount)
-
-	curName := curSa.GetName()
-	curNamespace := curSa.GetNamespace()
-	oldName := oldSa.GetName()
-	oldNamespace := oldSa.GetNamespace()
-
-	// We only care the name and namespace of a service account.
-	if curName != oldName || curNamespace != oldNamespace {
-		sc.deleteSecret(oldName, oldNamespace)
-		sc.upsertSecret(curName, curNamespace)
-
-		log.Infof("Service account \"%s\" in namespace \"%s\" has been updated to \"%s\" in namespace \"%s\"",
-			oldName, oldNamespace, curName, curNamespace)
-	}
-}
-
 func (sc *SecretController) upsertSecret(saName, saNamespace string) {
 	secret := ca.BuildSecret(saName, GetSecretName(saName), saNamespace, nil, nil, nil, nil, nil, IstioSecretType)
 

security/pkg/k8s/controller/workloadsecret_test.go

@@ -60,7 +60,6 @@ func TestSecretController(t *testing.T) {
 		existingSecret   *v1.Secret
 		saToAdd          *v1.ServiceAccount
 		saToDelete       *v1.ServiceAccount
-		sasToUpdate      *updatedSas
 		expectedActions  []ktesting.Action
 		gracePeriodRatio float32
 		injectFailure    bool
@@ -90,27 +89,6 @@ func TestSecretController(t *testing.T) {
 			gracePeriodRatio: defaultGracePeriodRatio,
 			shouldFail:       false,
 		},
-		"updating service accounts does nothing if name and namespace are not changed": {
-			sasToUpdate: &updatedSas{
-				curSa: createServiceAccount("name", "ns"),
-				oldSa: createServiceAccount("name", "ns"),
-			},
-			gracePeriodRatio: defaultGracePeriodRatio,
-			expectedActions:  []ktesting.Action{},
-			shouldFail:       false,
-		},
-		"updating service accounts deletes old secret and creates a new one": {
-			sasToUpdate: &updatedSas{
-				curSa: createServiceAccount("new-name", "new-ns"),
-				oldSa: createServiceAccount("old-name", "old-ns"),
-			},
-			expectedActions: []ktesting.Action{
-				ktesting.NewDeleteAction(gvr, "old-ns", "istio.old-name"),
-				ktesting.NewCreateAction(gvr, "new-ns", ca.BuildSecret("new-name", "istio.new-name", "new-ns", certChain, caKey, rootCert, nil, nil, IstioSecretType)),
-			},
-			gracePeriodRatio: defaultGracePeriodRatio,
-			shouldFail:       false,
-		},
 		"adding new service account does not overwrite existing secret": {
 			existingSecret:   istioTestSecret,
 			saToAdd:          createServiceAccount("test", "test-ns"),
@@ -188,9 +166,6 @@ func TestSecretController(t *testing.T) {
 		if tc.saToDelete != nil {
 			controller.saDeleted(tc.saToDelete)
 		}
-		if tc.sasToUpdate != nil {
-			controller.saUpdated(tc.sasToUpdate.oldSa, tc.sasToUpdate.curSa)
-		}
 
 		if err := checkActions(client.Actions(), tc.expectedActions); err != nil {
 			t.Errorf("Case %q: %s", k, err.Error())
@@ -413,8 +388,3 @@ func createServiceAccount(name, namespace string) *v1.ServiceAccount {
 		},
 	}
 }
-
-type updatedSas struct {
-	curSa *v1.ServiceAccount
-	oldSa *v1.ServiceAccount
-}