gardener · gardener-prow · Jan 17, 2025 · Jan 7, 2025 · Jan 8, 2025 · Jan 13, 2025
diff --git a/cmd/discovery-server/app/app.go b/cmd/discovery-server/app/app.go
@@ -40,7 +40,8 @@ import (
 	"github.com/gardener/gardener-discovery-server/internal/handler/workloadidentity"
 	"github.com/gardener/gardener-discovery-server/internal/metrics"
 	oidreconciler "github.com/gardener/gardener-discovery-server/internal/reconciler/openidmeta"
-	store "github.com/gardener/gardener-discovery-server/internal/store/openidmeta"
+	"github.com/gardener/gardener-discovery-server/internal/store"
+	"github.com/gardener/gardener-discovery-server/internal/store/openidmeta"
 )
 
 // AppName is the name of the application.
@@ -126,15 +127,15 @@ func run(ctx context.Context, log logr.Logger, conf *options.Config) error {
 		return err
 	}
 
-	store := store.NewStore()
+	s := store.MustNewStore(openidmeta.Copy)
 	if err := (&oidreconciler.Reconciler{
 		ResyncPeriod: conf.Resync.Duration,
-		Store:        store,
+		Store:        s,
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller: %w", err)
 	}
 
-	h := oidhandler.New(store, log.WithName("oid-meta-handler"))
+	h := oidhandler.New(s, log.WithName("oid-meta-handler"))
 
 	mux := http.NewServeMux()
 	const (

diff --git a/internal/handler/openidmeta/handler.go b/internal/handler/openidmeta/handler.go
@@ -11,7 +11,8 @@ import (
 	"github.com/google/uuid"
 
 	"github.com/gardener/gardener-discovery-server/internal/handler"
-	store "github.com/gardener/gardener-discovery-server/internal/store/openidmeta"
+	"github.com/gardener/gardener-discovery-server/internal/store"
+	"github.com/gardener/gardener-discovery-server/internal/store/openidmeta"
 )
 
 const (
@@ -28,12 +29,12 @@ var (
 
 // Handler is capable or serving openid discovery documents.
 type Handler struct {
-	store store.Reader
+	store store.Reader[openidmeta.Data]
 	log   logr.Logger
 }
 
 // New constructs a new [Handler].
-func New(store store.Reader, log logr.Logger) *Handler {
+func New(store store.Reader[openidmeta.Data], log logr.Logger) *Handler {
 	return &Handler{
 		store: store,
 		log:   log,
@@ -46,7 +47,7 @@ func (h *Handler) HandleOpenIDConfiguration() http.Handler {
 	log := h.log.WithName("openid-configuration")
 	return handler.SetHSTS(
 		handler.AllowMethods(handleRequest(log, h.store,
-			func(data store.Data) []byte { return data.Config },
+			func(data openidmeta.Data) []byte { return data.Config },
 		),
 			log, http.MethodGet, http.MethodHead,
 		),
@@ -59,14 +60,14 @@ func (h *Handler) HandleJWKS() http.Handler {
 	log := h.log.WithName("jwks")
 	return handler.SetHSTS(
 		handler.AllowMethods(handleRequest(log, h.store,
-			func(data store.Data) []byte { return data.JWKS },
+			func(data openidmeta.Data) []byte { return data.JWKS },
 		),
 			log, http.MethodGet, http.MethodHead,
 		),
 	)
 }
 
-func handleRequest(log logr.Logger, s store.Reader, getContent func(store.Data) []byte) http.Handler {
+func handleRequest(log logr.Logger, s store.Reader[openidmeta.Data], getContent func(openidmeta.Data) []byte) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		shootUID := r.PathValue("shootUID")
 		if _, err := uuid.Parse(shootUID); err != nil {

diff --git a/internal/handler/openidmeta/handler_test.go b/internal/handler/openidmeta/handler_test.go
@@ -14,12 +14,13 @@ import (
 
 	"github.com/gardener/gardener-discovery-server/internal/handler"
 	oidhandler "github.com/gardener/gardener-discovery-server/internal/handler/openidmeta"
+	"github.com/gardener/gardener-discovery-server/internal/store"
 	oidstore "github.com/gardener/gardener-discovery-server/internal/store/openidmeta"
 )
 
 var _ = Describe("#HttpHandlerOpenIDMeta", func() {
 	var (
-		store *oidstore.Store
+		s *store.Store[oidstore.Data]
 
 		projectName = "foo"
 
@@ -31,18 +32,18 @@ var _ = Describe("#HttpHandlerOpenIDMeta", func() {
 	)
 
 	BeforeEach(func() {
-		store = oidstore.NewStore()
-		store.Write(projectName+"--"+uid1, oidstore.Data{
+		s = store.MustNewStore(oidstore.Copy)
+		s.Write(projectName+"--"+uid1, oidstore.Data{
 			Config: []byte("config1"),
 			JWKS:   []byte("jwks1"),
 		})
-		store.Write(projectName+"--"+uid2, oidstore.Data{
+		s.Write(projectName+"--"+uid2, oidstore.Data{
 			Config: []byte("config2"),
 			JWKS:   []byte("jwks2"),
 		})
 
 		log := logzap.New(logzap.WriteTo(GinkgoWriter))
-		oidHandler = oidhandler.New(store, log)
+		oidHandler = oidhandler.New(s, log)
 		mux = http.NewServeMux()
 		mux.Handle("/projects/{projectName}/shoots/{shootUID}/issuer/.well-known/openid-configuration", oidHandler.HandleOpenIDConfiguration())
 		mux.Handle("/projects/{projectName}/shoots/{shootUID}/issuer/jwks", oidHandler.HandleJWKS())

diff --git a/internal/reconciler/openidmeta/metadata.go b/internal/reconciler/openidmeta/metadata.go
@@ -20,6 +20,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
+	"github.com/gardener/gardener-discovery-server/internal/store"
 	"github.com/gardener/gardener-discovery-server/internal/store/openidmeta"
 	"github.com/gardener/gardener-discovery-server/internal/utils"
 )
@@ -29,7 +30,7 @@ import (
 type Reconciler struct {
 	Client       client.Client
 	ResyncPeriod time.Duration
-	Store        openidmeta.Writer
+	Store        store.Writer[openidmeta.Data]
 }
 
 // Reconcile retrieves the public OIDC metadata info from a secret and stores into cache.

diff --git a/internal/reconciler/openidmeta/metadata_test.go b/internal/reconciler/openidmeta/metadata_test.go
@@ -31,6 +31,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	oidreconciler "github.com/gardener/gardener-discovery-server/internal/reconciler/openidmeta"
+	"github.com/gardener/gardener-discovery-server/internal/store"
 	oidstore "github.com/gardener/gardener-discovery-server/internal/store/openidmeta"
 	"github.com/gardener/gardener-discovery-server/internal/utils"
 )
@@ -39,8 +40,8 @@ var _ = Describe("#ReconcileOpenIDMeta", func() {
 	var (
 		reconciler *oidreconciler.Reconciler
 
-		c     client.Client
-		store *oidstore.Store
+		c client.Client
+		s *store.Store[oidstore.Data]
 
 		shoot                *gardencorev1beta1.Shoot
 		project              *gardencorev1beta1.Project
@@ -53,7 +54,7 @@ var _ = Describe("#ReconcileOpenIDMeta", func() {
 		shootUID       = types.UID("7a25a9b8-f7fc-4e1e-a421-31b4deaa3086")
 		resyncPeriod   = time.Second
 
-		expectStoreEntry = func(store *oidstore.Store, key string, want oidstore.Data) {
+		expectStoreEntry = func(store *store.Store[oidstore.Data], key string, want oidstore.Data) {
 			got, ok := store.Read(key)
 			Expect(ok).To(BeTrue())
 			Expect(got).To(Equal(want))
@@ -128,10 +129,10 @@ var _ = Describe("#ReconcileOpenIDMeta", func() {
 				"jwks":          jwksBytes,
 			},
 		}
-		store = oidstore.NewStore()
+		s = store.MustNewStore(oidstore.Copy)
 		reconciler = &oidreconciler.Reconciler{
 			Client:       c,
-			Store:        store,
+			Store:        s,
 			ResyncPeriod: resyncPeriod,
 		}
 		secretNamespacedName = client.ObjectKeyFromObject(secret)
@@ -146,8 +147,8 @@ var _ = Describe("#ReconcileOpenIDMeta", func() {
 		Expect(err).ToNot(HaveOccurred())
 		Expect(res).To(Equal(ctrl.Result{RequeueAfter: resyncPeriod}))
 
-		Expect(store.Len()).To(Equal(1))
-		expectStoreEntry(store, secret.Name, oidstore.Data{
+		Expect(s.Len()).To(Equal(1))
+		expectStoreEntry(s, secret.Name, oidstore.Data{
 			Config: []byte(`{"issuer":"https://foo","jwks_uri":"https://foo/jwks"}`),
 			JWKS:   expectedJWKSBytes,
 		})
@@ -164,8 +165,8 @@ var _ = Describe("#ReconcileOpenIDMeta", func() {
 			Expect(err).ToNot(HaveOccurred())
 			Expect(res).To(Equal(ctrl.Result{RequeueAfter: resyncPeriod}))
 
-			Expect(store.Len()).To(Equal(1))
-			expectStoreEntry(store, secret.Name, oidstore.Data{
+			Expect(s.Len()).To(Equal(1))
+			expectStoreEntry(s, secret.Name, oidstore.Data{
 				Config: []byte(`{"issuer":"https://foo","jwks_uri":"https://foo/jwks"}`),
 				JWKS:   expectedJWKSBytes,
 			})
@@ -176,7 +177,7 @@ var _ = Describe("#ReconcileOpenIDMeta", func() {
 			Expect(err).ToNot(HaveOccurred())
 			Expect(res).To(Equal(ctrl.Result{}))
 
-			Expect(store.Len()).To(Equal(0))
+			Expect(s.Len()).To(Equal(0))
 		},
 		Entry("secret is missing", func() {
 			Expect(c.Delete(ctx, secret)).To(Succeed())

diff --git a/internal/store/openidmeta/data.go b/internal/store/openidmeta/data.go
@@ -0,0 +1,29 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package openidmeta
+
+import "github.com/gardener/gardener-discovery-server/internal/store"
+
+var (
+	_ store.Reader[Data] = (*store.Store[Data])(nil)
+	_ store.Writer[Data] = (*store.Store[Data])(nil)
+)
+
+// Data holds openid discovery metadata.
+type Data struct {
+	Config []byte
+	JWKS   []byte
+}
+
+// Copy returns a deep copy of [Data].
+func Copy(data Data) Data {
+	out := Data{
+		Config: make([]byte, len(data.Config)),
+		JWKS:   make([]byte, len(data.JWKS)),
+	}
+	copy(out.Config, data.Config)
+	copy(out.JWKS, data.JWKS)
+	return out
+}
diff --git a/internal/store/openidmeta/store.go b/internal/store/openidmeta/store.go