The admin Secret is identified by an annotation on the admin Service.

charts/viking-service/templates/admin-service.yaml

@@ -9,6 +9,8 @@ metadata:
     # This label is used by the controller to find the pods to control.
     app: varnish-ingress
   name: {{ printf "%s-admin" (include "viking-service.fullname" . | trunc 57) }}
+  annotations:
+    viking.uplex.de/admSecret: {{ template "viking-service.admin-secret-name" . }}
 spec:
   clusterIP: None
   ports:

deploy/admin-svc.yaml

@@ -4,6 +4,8 @@ metadata:
   name: varnish-ingress-admin
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
 spec:
   clusterIP: None
   ports:

examples/architectures/cluster-and-ns-wide/admin-svc-coffee.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: cafe
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
 spec:
   clusterIP: None
   ports:

examples/architectures/cluster-and-ns-wide/admin-svc-system.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: kube-system
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
 spec:
   clusterIP: None
   ports:

examples/architectures/clusterwide/admin-svc.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: kube-system
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
 spec:
   clusterIP: None
   ports:

examples/architectures/multi-controller/admin-svc-coffee.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: cafe
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: coffee-secret
 spec:
   clusterIP: None
   ports:

examples/architectures/multi-controller/admin-svc-tea.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: cafe
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: tea-secret
 spec:
   clusterIP: None
   ports:

examples/architectures/multi-varnish-ns/admin-svc-coffee.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: cafe
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: coffee-secret
 spec:
   clusterIP: None
   ports:

examples/architectures/multi-varnish-ns/admin-svc-tea.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: cafe
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: tea-secret
 spec:
   clusterIP: None
   ports:

examples/file-cache/varnish.yaml

@@ -25,6 +25,8 @@ metadata:
   name: viking-service-file-cache-admin
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
 spec:
   clusterIP: None
   ports:

examples/namespace/admin-svc.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: varnish-ingress
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
 spec:
   clusterIP: None
   ports:

examples/varnish_pod_template/cli-args.yaml

@@ -25,6 +25,8 @@ metadata:
   name: pod-template-examples-admin
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
 spec:
   clusterIP: None
   ports:

examples/varnish_pod_template/env.yaml

@@ -25,6 +25,8 @@ metadata:
   name: pod-template-examples-admin
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
 spec:
   clusterIP: None
   ports:

examples/varnish_pod_template/proxy.yaml

@@ -25,6 +25,8 @@ metadata:
   name: pod-template-examples-admin
   labels:
     app: varnish-ingress
+  annotations:
+    viking.uplex.de/admSecret: adm-secret
 spec:
   clusterIP: None
   ports:

pkg/controller/secret.go

@@ -47,6 +47,7 @@ const (
 	admSecretKey         = "admin"
 	dplaneSecretKey      = "dataplaneapi"
 	vikingSecretLabelKey = vikingLabelPfx + "secret"
+	vikingAdmSecretKey   = vikingLabelPfx + "admSecret"
 	vikingAdmSecretVal   = "admin"
 	vikingAuthSecretVal  = "auth"
 )
@@ -139,33 +140,17 @@ func (worker *NamespaceWorker) deleteTLSSecret(
 }
 
 func (worker *NamespaceWorker) getVarnishSvcsForSecret(
-	secretName string) ([]*api_v1.Service, error) {
-
+	secretName string,
+) ([]*api_v1.Service, error) {
 	var secrSvcs []*api_v1.Service
 	svcs, err := worker.svc.List(varnishIngressSelector)
 	if err != nil {
 		return secrSvcs, err
 	}
 	for _, svc := range svcs {
-		pods, err := worker.getPods(svc)
-		if err != nil {
-			return secrSvcs, err
-		}
-		if len(pods.Items) == 0 {
-			continue
-		}
-
-		// The secret is meant for the service if a
-		// SecretVolumeSource is specified in the Pod spec
-		// that names the secret.
-		pod := pods.Items[0]
-		for _, vol := range pod.Spec.Volumes {
-			if vol.Secret == nil {
-				continue
-			}
-			if vol.Secret.SecretName == secretName {
-				secrSvcs = append(secrSvcs, svc)
-			}
+		if s, ok := svc.Annotations[vikingAdmSecretKey]; ok &&
+			s == secretName {
+			secrSvcs = append(secrSvcs, svc)
 		}
 	}
 	return secrSvcs, nil

pkg/controller/service.go

@@ -317,42 +317,24 @@ func (worker *NamespaceWorker) syncSvc(key string) update.Status {
 		return status
 	}
 
-	secrName := ""
-	worker.log.Tracef("Searching Pods for the secret for %s/%s",
+	worker.log.Tracef("Searching annotations for the secret for %s/%s",
 		svc.Namespace, svc.Name)
-	pods, err := worker.getPods(svc)
-	if err != nil {
-		return IncompleteIfNotFound(err,
-			"Cannot get a Pod for service %s/%s: %v",
-			svc.Namespace, svc.Name, err)
-	}
-	if len(pods.Items) == 0 {
-		return update.MakeIncomplete(
-			"No Pods for Service: %s/%s", svc.Namespace, svc.Name)
-	}
-	pod := &pods.Items[0]
-	for _, vol := range pod.Spec.Volumes {
-		if secretVol := vol.Secret; secretVol != nil {
-			secrName = secretVol.SecretName
-			break
-		}
+	secrName, ok := svc.Annotations[vikingAdmSecretKey]
+	if !ok {
+		return update.MakeFatal(
+			"Service %s/%s: missing required annotation %s",
+			svc.Namespace, svc.Name, vikingAdmSecretKey)
 	}
-	if secrName != "" {
-		worker.log.Infof("Found secret name %s/%s for Service %s/%s",
-			worker.namespace, secrName, svc.Namespace, svc.Name)
+	worker.log.Infof("Found secret name %s for Service %s/%s", secrName,
+		svc.Namespace, svc.Name)
 
-		if secret, err := worker.vsecr.Get(secrName); err == nil {
-			err = worker.setSecret(secret)
-			if err != nil {
-				return update.MakeIncomplete("%v", err)
-			}
-		} else {
-			worker.log.Warnf("Cannot get Secret %s: %v", secrName,
-				err)
+	if secret, err := worker.vsecr.Get(secrName); err == nil {
+		err = worker.setSecret(secret)
+		if err != nil {
+			return update.MakeIncomplete("%v", err)
 		}
 	} else {
-		worker.log.Warnf("No secret found for Service %s/%s",
-			svc.Namespace, svc.Name)
+		worker.log.Warnf("Cannot get Secret %s: %v", secrName, err)
 	}
 
 	if len(offldAddrs) > 0 {
@@ -360,7 +342,7 @@ func (worker *NamespaceWorker) syncSvc(key string) update.Status {
 			"%+v", svc.Namespace, svc.Name, offldAddrs)
 		status := worker.hController.AddOrUpdateOffloader(
 			svc.Namespace+"/"+svc.Name, offldAddrs,
-			worker.namespace+"/"+secrName)
+			svc.Namespace+"/"+secrName)
 		if status.IsError() {
 			return status
 		}
@@ -369,7 +351,7 @@ func (worker *NamespaceWorker) syncSvc(key string) update.Status {
 		svc.Name, addrs)
 	return worker.vController.AddOrUpdateVarnishSvc(
 		svc.Namespace+"/"+svc.Name, addrs,
-		worker.namespace+"/"+secrName, !updateVCL)
+		svc.Namespace+"/"+secrName, !updateVCL)
 }
 
 func (worker *NamespaceWorker) addSvc(key string) update.Status {