kubernetes-sigs
diff --git a/‎config/rbac/role.yaml
Lines changed: 0 additions & 8 deletions b/‎config/rbac/role.yaml
Lines changed: 0 additions & 8 deletions
diff --git a/‎controllers/elbv2/eventhandlers/node.go
Lines changed: 39 additions & 13 deletions b/‎controllers/elbv2/eventhandlers/node.go
Lines changed: 39 additions & 13 deletions
diff --git a/‎controllers/elbv2/eventhandlers/node_test.go
Lines changed: 170 additions & 0 deletions b/‎controllers/elbv2/eventhandlers/node_test.go
Lines changed: 170 additions & 0 deletions
diff --git a/‎controllers/ingress/eventhandlers/secret_events.go
Lines changed: 2 additions & 1 deletion b/‎controllers/ingress/eventhandlers/secret_events.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎controllers/ingress/group_controller.go
Lines changed: 8 additions & 5 deletions b/‎controllers/ingress/group_controller.go
Lines changed: 8 additions & 5 deletions
diff --git a/‎docs/deploy/subnet_discovery.md
Lines changed: 1 addition & 1 deletion b/‎docs/deploy/subnet_discovery.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/guide/ingress/annotations.md
Lines changed: 1 addition & 1 deletion b/‎docs/guide/ingress/annotations.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎helm/aws-load-balancer-controller/README.md
Lines changed: 1 addition & 0 deletions b/‎helm/aws-load-balancer-controller/README.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎helm/aws-load-balancer-controller/templates/rbac.yaml
Lines changed: 6 additions & 1 deletion b/‎helm/aws-load-balancer-controller/templates/rbac.yaml
Lines changed: 6 additions & 1 deletion
@@ -52,14 +52,6 @@ rules:
   verbs:
   - patch
   - update
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ""
   resources:
 
@@ -55,47 +55,54 @@ func (h *enqueueRequestsForNodeEvent) Generic(e event.GenericEvent, queue workqu
 	// nothing to do here
 }
 
-// enqueueImpactedEndpointBindings will enqueue all impacted TargetGroupBindings for node events.
+// enqueueImpactedTargetGroupBindings will enqueue all impacted TargetGroupBindings for node events.
 func (h *enqueueRequestsForNodeEvent) enqueueImpactedTargetGroupBindings(queue workqueue.RateLimitingInterface, nodeOld *corev1.Node, nodeNew *corev1.Node) {
 	var nodeKey types.NamespacedName
-	nodeOldIsReady := false
-	nodeNewIsReady := false
+	nodeOldSuitableAsTrafficProxy := false
+	nodeNewSuitableAsTrafficProxy := false
+	nodeOldReadyCondStatus := corev1.ConditionFalse
+	nodeNewReadyCondStatus := corev1.ConditionFalse
 	if nodeOld != nil {
 		nodeKey = k8s.NamespacedName(nodeOld)
-		nodeOldIsReady = k8s.IsNodeSuitableAsTrafficProxy(nodeOld)
+		nodeOldSuitableAsTrafficProxy = backend.IsNodeSuitableAsTrafficProxy(nodeOld)
+		if readyCond := k8s.GetNodeCondition(nodeOld, corev1.NodeReady); readyCond != nil {
+			nodeOldReadyCondStatus = readyCond.Status
+		}
 	}
 	if nodeNew != nil {
 		nodeKey = k8s.NamespacedName(nodeNew)
-		nodeNewIsReady = k8s.IsNodeSuitableAsTrafficProxy(nodeNew)
+		nodeNewSuitableAsTrafficProxy = backend.IsNodeSuitableAsTrafficProxy(nodeNew)
+		if readyCond := k8s.GetNodeCondition(nodeNew, corev1.NodeReady); readyCond != nil {
+			nodeNewReadyCondStatus = readyCond.Status
+		}
 	}
 
 	tgbList := &elbv2api.TargetGroupBindingList{}
 	if err := h.k8sClient.List(context.Background(), tgbList); err != nil {
-		h.logger.Error(err, "failed to fetch targetGroupBindings")
+		h.logger.Error(err, "[this should never happen] failed to fetch targetGroupBindings")
 		return
 	}
 
 	for _, tgb := range tgbList.Items {
 		if tgb.Spec.TargetType == nil || (*tgb.Spec.TargetType) != elbv2api.TargetTypeInstance {
 			continue
 		}
-
 		nodeSelector, err := backend.GetTrafficProxyNodeSelector(&tgb)
 		if err != nil {
 			h.logger.Error(err, "failed to get nodeSelector", "TargetGroupBinding", tgb)
-			return
+			continue
 		}
 
-		nodeOldIsTrafficProxy := false
-		nodeNewIsTrafficProxy := false
+		nodeOldSuitableAsTrafficProxyForTGB := false
+		nodeNewSuitableAsTrafficProxyForTGB := false
 		if nodeOld != nil {
-			nodeOldIsTrafficProxy = nodeOldIsReady && nodeSelector.Matches(labels.Set(nodeOld.Labels))
+			nodeOldSuitableAsTrafficProxyForTGB = nodeOldSuitableAsTrafficProxy && nodeSelector.Matches(labels.Set(nodeOld.Labels))
 		}
 		if nodeNew != nil {
-			nodeNewIsTrafficProxy = nodeNewIsReady && nodeSelector.Matches(labels.Set(nodeNew.Labels))
+			nodeNewSuitableAsTrafficProxyForTGB = nodeNewSuitableAsTrafficProxy && nodeSelector.Matches(labels.Set(nodeNew.Labels))
 		}
 
-		if nodeOldIsTrafficProxy != nodeNewIsTrafficProxy {
+		if h.shouldEnqueueTGBDueToNodeEvent(nodeOldSuitableAsTrafficProxyForTGB, nodeOldReadyCondStatus, nodeNewSuitableAsTrafficProxyForTGB, nodeNewReadyCondStatus) {
 			h.logger.V(1).Info("enqueue targetGroupBinding for node event",
 				"node", nodeKey,
 				"targetGroupBinding", k8s.NamespacedName(&tgb),
@@ -109,3 +116,22 @@ func (h *enqueueRequestsForNodeEvent) enqueueImpactedTargetGroupBindings(queue w
 		}
 	}
 }
+
+// shouldEnqueueTGBDueToNodeEvent checks whether a TGB should be queued due to node event.
+func (h *enqueueRequestsForNodeEvent) shouldEnqueueTGBDueToNodeEvent(
+	nodeOldSuitableAsTrafficProxyForTGB bool, nodeOldReadyCondStatus corev1.ConditionStatus,
+	nodeNewSuitableAsTrafficProxyForTGB bool, nodeNewReadyCondStatus corev1.ConditionStatus) bool {
+	if nodeOldSuitableAsTrafficProxyForTGB == false && nodeNewSuitableAsTrafficProxyForTGB == false {
+		return false
+	}
+	if nodeOldSuitableAsTrafficProxyForTGB == true && nodeNewSuitableAsTrafficProxyForTGB == true {
+		return nodeOldReadyCondStatus != nodeNewReadyCondStatus
+	}
+	if nodeOldSuitableAsTrafficProxyForTGB == true && nodeNewSuitableAsTrafficProxyForTGB == false {
+		return nodeOldReadyCondStatus != corev1.ConditionFalse
+	}
+	if nodeOldSuitableAsTrafficProxyForTGB == false && nodeNewSuitableAsTrafficProxyForTGB == true {
+		return nodeNewReadyCondStatus != corev1.ConditionFalse
+	}
+	return false
+}
@@ -0,0 +1,170 @@
+package eventhandlers
+
+import (
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	"testing"
+)
+
+func Test_enqueueRequestsForNodeEvent_shouldEnqueueTGBDueToNodeEvent(t *testing.T) {
+	type args struct {
+		nodeOldSuitableAsTrafficProxyForTGB bool
+		nodeOldReadyCondStatus              corev1.ConditionStatus
+		nodeNewSuitableAsTrafficProxyForTGB bool
+		nodeNewReadyCondStatus              corev1.ConditionStatus
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{
+			name: "suitable node changed from ready to notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from ready to unknown",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionUnknown,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from notReady to ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from notReady to unknown",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionUnknown,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from unknown to ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionUnknown,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node changed from unknown to notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionUnknown,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: true,
+		},
+		{
+			name: "suitable node remains ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: false,
+		},
+		{
+			name: "suitable node remains notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: false,
+		},
+		{
+			name: "suitable node remains unknown",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionUnknown,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionUnknown,
+			},
+			want: false,
+		},
+		{
+			name: "non-suitable node changed from ready to notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: false,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: false,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: false,
+		},
+		{
+			name: "node became suitable while remains ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: false,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: true,
+		},
+		{
+			name: "node became suitable while remains notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: false,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: true,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: false,
+		},
+		{
+			name: "node became non-suitable while remains ready",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionTrue,
+				nodeNewSuitableAsTrafficProxyForTGB: false,
+				nodeNewReadyCondStatus:              corev1.ConditionTrue,
+			},
+			want: true,
+		},
+		{
+			name: "node became non-suitable while remains notReady",
+			args: args{
+				nodeOldSuitableAsTrafficProxyForTGB: true,
+				nodeOldReadyCondStatus:              corev1.ConditionFalse,
+				nodeNewSuitableAsTrafficProxyForTGB: false,
+				nodeNewReadyCondStatus:              corev1.ConditionFalse,
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h := &enqueueRequestsForNodeEvent{}
+			got := h.shouldEnqueueTGBDueToNodeEvent(tt.args.nodeOldSuitableAsTrafficProxyForTGB, tt.args.nodeOldReadyCondStatus,
+				tt.args.nodeNewSuitableAsTrafficProxyForTGB, tt.args.nodeNewReadyCondStatus)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
@@ -63,7 +63,8 @@ func (h *enqueueRequestsForSecretEvent) Delete(e event.DeleteEvent, _ workqueue.
 }
 
 func (h *enqueueRequestsForSecretEvent) Generic(e event.GenericEvent, _ workqueue.RateLimitingInterface) {
-	// we don't have any generic event for secrets.
+	secretObj := e.Object.(*corev1.Secret)
+	h.enqueueImpactedObjects(secretObj)
 }
 
 func (h *enqueueRequestsForSecretEvent) enqueueImpactedObjects(secret *corev1.Secret) {
 
@@ -93,6 +93,7 @@ type groupReconciler struct {
 	stackMarshaller   deploy.StackMarshaller
 	stackDeployer     deploy.StackDeployer
 	backendSGProvider networkingpkg.BackendSGProvider
+	secretsManager    k8s.SecretsManager
 
 	groupLoader           ingress.GroupLoader
 	groupFinalizerManager ingress.FinalizerManager
@@ -160,7 +161,7 @@ func (r *groupReconciler) reconcile(ctx context.Context, req ctrl.Request) error
 }
 
 func (r *groupReconciler) buildAndDeployModel(ctx context.Context, ingGroup ingress.Group) (core.Stack, *elbv2model.LoadBalancer, error) {
-	stack, lb, err := r.modelBuilder.Build(ctx, ingGroup)
+	stack, lb, secrets, err := r.modelBuilder.Build(ctx, ingGroup)
 	if err != nil {
 		r.recordIngressGroupEvent(ctx, ingGroup, corev1.EventTypeWarning, k8s.IngressEventReasonFailedBuildModel, fmt.Sprintf("Failed build model due to %v", err))
 		return nil, nil, err
@@ -177,6 +178,7 @@ func (r *groupReconciler) buildAndDeployModel(ctx context.Context, ingGroup ingr
 		return nil, nil, err
 	}
 	r.logger.Info("successfully deployed model", "ingressGroup", ingGroup.ID)
+	r.secretsManager.MonitorSecrets(ingGroup.ID.String(), secrets)
 	return stack, lb, err
 }
 
@@ -229,7 +231,7 @@ func (r *groupReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager
 	if err := r.setupIndexes(ctx, mgr.GetFieldIndexer(), ingressClassResourceAvailable); err != nil {
 		return err
 	}
-	if err := r.setupWatches(ctx, c, ingressClassResourceAvailable); err != nil {
+	if err := r.setupWatches(ctx, c, ingressClassResourceAvailable, clientSet); err != nil {
 		return err
 	}
 	return nil
@@ -276,9 +278,10 @@ func (r *groupReconciler) setupIndexes(ctx context.Context, fieldIndexer client.
 	return nil
 }
 
-func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controller, ingressClassResourceAvailable bool) error {
+func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controller, ingressClassResourceAvailable bool, clientSet *kubernetes.Clientset) error {
 	ingEventChan := make(chan event.GenericEvent)
 	svcEventChan := make(chan event.GenericEvent)
+	secretEventsChan := make(chan event.GenericEvent)
 	ingEventHandler := eventhandlers.NewEnqueueRequestsForIngressEvent(r.groupLoader, r.eventRecorder,
 		r.logger.WithName("eventHandlers").WithName("ingress"))
 	svcEventHandler := eventhandlers.NewEnqueueRequestsForServiceEvent(ingEventChan, r.k8sClient, r.eventRecorder,
@@ -297,10 +300,9 @@ func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controlle
 	if err := c.Watch(&source.Kind{Type: &corev1.Service{}}, svcEventHandler); err != nil {
 		return err
 	}
-	if err := c.Watch(&source.Kind{Type: &corev1.Secret{}}, secretEventHandler); err != nil {
+	if err := c.Watch(&source.Channel{Source: secretEventsChan}, secretEventHandler); err != nil {
 		return err
 	}
-
 	if ingressClassResourceAvailable {
 		ingClassEventChan := make(chan event.GenericEvent)
 		ingClassParamsEventHandler := eventhandlers.NewEnqueueRequestsForIngressClassParamsEvent(ingClassEventChan, r.k8sClient, r.eventRecorder,
@@ -317,6 +319,7 @@ func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controlle
 			return err
 		}
 	}
+	r.secretsManager = k8s.NewSecretsManager(clientSet, secretEventsChan, ctrl.Log.WithName("secrets-manager"))
 	return nil
 }
 
 
@@ -31,4 +31,4 @@ In version v2.1.1 and older, both the public and private subnets must be tagged
 
  `${cluster-name}` is the name of the kubernetes cluster
 
- The cluster tag is not required in v2.1.2 and newer releases. 
+ The cluster tag is not required in v2.1.2 and newer releases, unless a cluster tag for another cluster is present.
@@ -244,7 +244,7 @@ Traffic Routing can be controlled with following annotations:
     !!!example
         - response-503: return fixed 503 response
         - redirect-to-eks: redirect to an external url
-        - forward-single-tg: forward to an single targetGroup [**simplified schema**]
+        - forward-single-tg: forward to a single targetGroup [**simplified schema**]
         - forward-multiple-tg: forward to multiple targetGroups with different weights and stickiness config [**advanced schema**]
 
         ```yaml
 
@@ -234,3 +234,4 @@ The default values set by the application itself can be confirmed [here](https:/
 | `serviceMonitor.enabled`                       | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed   | `false`                                                                            |
 | `serviceMonitor.additionalLabels`              | Labels to add to the service account                                                                     | `{}`                                                                               |
 | `serviceMonitor.interval`                      | Prometheus scrape interval                                                                               | `1m`                                                                               |
+| `clusterSecretsPermissions.allowAllSecrets`    | If `true`, controller has access to all secrets in the cluster.                                          | `false`                                                                            |
@@ -57,8 +57,13 @@ rules:
   resources: [services, ingresses]
   verbs: [get, list, patch, update, watch]
 - apiGroups: [""]
-  resources: [nodes, secrets, namespaces, endpoints]
+  resources: [nodes, namespaces, endpoints]
   verbs: [get, list, watch]
+{{- if .Values.clusterSecretsPermissions.allowAllSecrets }}
+- apiGroups: [""]
+  resources: [secrets]
+  verbs: [get, list, watch]
+{{- end }}
 - apiGroups: ["elbv2.k8s.aws", "", "extensions", "networking.k8s.io"]
   resources: [targetgroupbindings/status, pods/status, services/status, ingresses/status]
   verbs: [update, patch]
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,8 @@ func (h *enqueueRequestsForSecretEvent) Delete(e event.DeleteEvent, _ workqueue.`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`func (h *enqueueRequestsForSecretEvent) Generic(e event.GenericEvent, _ workqueue.RateLimitingInterface) {`
`66`		`- // we don't have any generic event for secrets.`
	`66`	`+ secretObj := e.Object.(*corev1.Secret)`
	`67`	`+ h.enqueueImpactedObjects(secretObj)`
`67`	`68`	`}`
`68`	`69`
`69`	`70`	`func (h enqueueRequestsForSecretEvent) enqueueImpactedObjects(secret corev1.Secret) {`
Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,7 @@ type groupReconciler struct {`
`93`	`93`	`stackMarshaller deploy.StackMarshaller`
`94`	`94`	`stackDeployer deploy.StackDeployer`
`95`	`95`	`backendSGProvider networkingpkg.BackendSGProvider`
	`96`	`+ secretsManager k8s.SecretsManager`
`96`	`97`
`97`	`98`	`groupLoader ingress.GroupLoader`
`98`	`99`	`groupFinalizerManager ingress.FinalizerManager`
`@@ -160,7 +161,7 @@ func (r *groupReconciler) reconcile(ctx context.Context, req ctrl.Request) error`
`160`	`161`	`}`
`161`	`162`
`162`	`163`	`func (r groupReconciler) buildAndDeployModel(ctx context.Context, ingGroup ingress.Group) (core.Stack, elbv2model.LoadBalancer, error) {`
`163`		`- stack, lb, err := r.modelBuilder.Build(ctx, ingGroup)`
	`164`	`+ stack, lb, secrets, err := r.modelBuilder.Build(ctx, ingGroup)`
`164`	`165`	`if err != nil {`
`165`	`166`	`r.recordIngressGroupEvent(ctx, ingGroup, corev1.EventTypeWarning, k8s.IngressEventReasonFailedBuildModel, fmt.Sprintf("Failed build model due to %v", err))`
`166`	`167`	`return nil, nil, err`
`@@ -177,6 +178,7 @@ func (r *groupReconciler) buildAndDeployModel(ctx context.Context, ingGroup ingr`
`177`	`178`	`return nil, nil, err`
`178`	`179`	`}`
`179`	`180`	`r.logger.Info("successfully deployed model", "ingressGroup", ingGroup.ID)`
	`181`	`+ r.secretsManager.MonitorSecrets(ingGroup.ID.String(), secrets)`
`180`	`182`	`return stack, lb, err`
`181`	`183`	`}`
`182`	`184`
`@@ -229,7 +231,7 @@ func (r *groupReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager`
`229`	`231`	`if err := r.setupIndexes(ctx, mgr.GetFieldIndexer(), ingressClassResourceAvailable); err != nil {`
`230`	`232`	`return err`
`231`	`233`	`}`
`232`		`- if err := r.setupWatches(ctx, c, ingressClassResourceAvailable); err != nil {`
	`234`	`+ if err := r.setupWatches(ctx, c, ingressClassResourceAvailable, clientSet); err != nil {`
`233`	`235`	`return err`
`234`	`236`	`}`
`235`	`237`	`return nil`
`@@ -276,9 +278,10 @@ func (r *groupReconciler) setupIndexes(ctx context.Context, fieldIndexer client.`
`276`	`278`	`return nil`
`277`	`279`	`}`
`278`	`280`
`279`		`-func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controller, ingressClassResourceAvailable bool) error {`
	`281`	`+func (r groupReconciler) setupWatches(_ context.Context, c controller.Controller, ingressClassResourceAvailable bool, clientSet kubernetes.Clientset) error {`
`280`	`282`	`ingEventChan := make(chan event.GenericEvent)`
`281`	`283`	`svcEventChan := make(chan event.GenericEvent)`
	`284`	`+ secretEventsChan := make(chan event.GenericEvent)`
`282`	`285`	`ingEventHandler := eventhandlers.NewEnqueueRequestsForIngressEvent(r.groupLoader, r.eventRecorder,`
`283`	`286`	`r.logger.WithName("eventHandlers").WithName("ingress"))`
`284`	`287`	`svcEventHandler := eventhandlers.NewEnqueueRequestsForServiceEvent(ingEventChan, r.k8sClient, r.eventRecorder,`
`@@ -297,10 +300,9 @@ func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controlle`
`297`	`300`	`if err := c.Watch(&source.Kind{Type: &corev1.Service{}}, svcEventHandler); err != nil {`
`298`	`301`	`return err`
`299`	`302`	`}`
`300`		`- if err := c.Watch(&source.Kind{Type: &corev1.Secret{}}, secretEventHandler); err != nil {`
	`303`	`+ if err := c.Watch(&source.Channel{Source: secretEventsChan}, secretEventHandler); err != nil {`
`301`	`304`	`return err`
`302`	`305`	`}`
`303`		`-`
`304`	`306`	`if ingressClassResourceAvailable {`
`305`	`307`	`ingClassEventChan := make(chan event.GenericEvent)`
`306`	`308`	`ingClassParamsEventHandler := eventhandlers.NewEnqueueRequestsForIngressClassParamsEvent(ingClassEventChan, r.k8sClient, r.eventRecorder,`
`@@ -317,6 +319,7 @@ func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controlle`
`317`	`319`	`return err`
`318`	`320`	`}`
`319`	`321`	`}`
	`322`	`+ r.secretsManager = k8s.NewSecretsManager(clientSet, secretEventsChan, ctrl.Log.WithName("secrets-manager"))`
`320`	`323`	`return nil`
`321`	`324`	`}`
`322`	`325`
Original file line number	Diff line number	Diff line change
`@@ -31,4 +31,4 @@ In version v2.1.1 and older, both the public and private subnets must be tagged`
`31`	`31`
`32`	`32`	`${cluster-name}` is the name of the kubernetes cluster
`33`	`33`
`34`		`- The cluster tag is not required in v2.1.2 and newer releases.`
	`34`	`+ The cluster tag is not required in v2.1.2 and newer releases, unless a cluster tag for another cluster is present.`