feat: add comprehensive event recording for ConfigMap operations

Add EventRecorder to both controllers and webhook for better observability:

**NamespaceReconciler Events:**
- ReconciliationSkipped (Normal): Namespace opted out of WIF injection
- ConfigMapCreated (Normal): Direct identity ConfigMap created
- ConfigMapUpdated (Normal): Direct identity ConfigMap updated (self-healing)
- ConfigMapCreateFailed (Warning): Failed to create ConfigMap
- ConfigMapUpdateFailed (Warning): Failed to update ConfigMap

**ServiceAccountReconciler Events:**
- ReconciliationSkipped (Normal): Namespace opted out of WIF injection
- ConfigMapCreated (Normal): Impersonation ConfigMap created with GCP SA details
- ConfigMapUpdated (Normal): Impersonation ConfigMap updated (annotation change/self-healing)
- ConfigMapCreateFailed (Warning): Failed to create ConfigMap
- ConfigMapUpdateFailed (Warning): Failed to update ConfigMap

**Webhook Events (Enhanced):**
- ConfigMapCreated (Normal): ConfigMap created during pod admission with type info
- ConfigMapCreateFailed (Warning): Failed to create ConfigMap during pod admission

**Metrics:**
- Added 'error' label to track failed operations
- Error operations now properly excluded from success metrics

All events include descriptive messages with ConfigMap names and relevant context.
Events are nil-safe to support testing without EventRecorder.

Author: fujin

cmd/main.go

@@ -206,17 +206,19 @@ func main() {
 
 	// Setup Namespace controller for direct identity ConfigMap management
 	if err = (&controller.NamespaceReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
+		Client:   mgr.GetClient(),
+		Scheme:   mgr.GetScheme(),
+		Recorder: mgr.GetEventRecorderFor("wif-namespace-controller"),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Namespace")
 		os.Exit(1)
 	}
 
 	// Setup ServiceAccount controller for impersonation ConfigMap reconciliation
 	if err = (&controller.ServiceAccountReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
+		Client:   mgr.GetClient(),
+		Scheme:   mgr.GetScheme(),
+		Recorder: mgr.GetEventRecorderFor("wif-serviceaccount-controller"),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ServiceAccount")
 		os.Exit(1)

internal/controller/namespace_controller.go

@@ -18,6 +18,7 @@ package controller
 
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 
 import (
 	"context"
@@ -29,6 +30,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -64,7 +66,8 @@ func init() {
 // NamespaceReconciler reconciles Namespace objects and ensures direct identity ConfigMaps exist
 type NamespaceReconciler struct {
 	client.Client
-	Scheme *runtime.Scheme
+	Scheme   *runtime.Scheme
+	Recorder record.EventRecorder
 }
 
 // SetupWithManager sets up the controller with the Manager
@@ -101,6 +104,10 @@ func (r *NamespaceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 	// This prevents credential access even via manual ConfigMap mounting (security requirement)
 	if r.isWIFInjectionDisabled(namespace) {
 		log.V(1).Info("Skipping namespace with WIF injection disabled", "namespace", namespace.Name)
+		if r.Recorder != nil {
+			r.Recorder.Event(namespace, corev1.EventTypeNormal, "ReconciliationSkipped",
+				"WIF injection disabled - skipping direct identity ConfigMap reconciliation")
+		}
 		return ctrl.Result{}, nil
 	}
 
@@ -158,10 +165,19 @@ func (r *NamespaceReconciler) reconcileDirectConfigMap(ctx context.Context, name
 				directConfigMapOperations.WithLabelValues("noop").Inc()
 				return nil
 			}
+			directConfigMapOperations.WithLabelValues("error").Inc()
+			if r.Recorder != nil {
+				r.Recorder.Event(namespace, corev1.EventTypeWarning, "ConfigMapCreateFailed",
+					fmt.Sprintf("Failed to create direct identity ConfigMap: %v", err))
+			}
 			return fmt.Errorf("failed to create ConfigMap %s/%s: %w", namespace.Name, directIdentityConfigMapName, err)
 		}
 
 		directConfigMapOperations.WithLabelValues("create").Inc()
+		if r.Recorder != nil {
+			r.Recorder.Event(namespace, corev1.EventTypeNormal, "ConfigMapCreated",
+				fmt.Sprintf("Created direct identity ConfigMap '%s'", directIdentityConfigMapName))
+		}
 		log.Info("Successfully created direct identity ConfigMap",
 			"configMap", directIdentityConfigMapName,
 			"namespace", namespace.Name)
@@ -184,10 +200,19 @@ func (r *NamespaceReconciler) reconcileDirectConfigMap(ctx context.Context, name
 		existingCM.Labels = desiredCM.Labels
 
 		if err := r.Update(ctx, existingCM); err != nil {
+			directConfigMapOperations.WithLabelValues("error").Inc()
+			if r.Recorder != nil {
+				r.Recorder.Event(namespace, corev1.EventTypeWarning, "ConfigMapUpdateFailed",
+					fmt.Sprintf("Failed to update direct identity ConfigMap: %v", err))
+			}
 			return fmt.Errorf("failed to update ConfigMap %s/%s: %w", namespace.Name, directIdentityConfigMapName, err)
 		}
 
 		directConfigMapOperations.WithLabelValues("update").Inc()
+		if r.Recorder != nil {
+			r.Recorder.Event(namespace, corev1.EventTypeNormal, "ConfigMapUpdated",
+				fmt.Sprintf("Updated direct identity ConfigMap '%s' (self-healing)", directIdentityConfigMapName))
+		}
 		log.Info("Successfully updated direct identity ConfigMap",
 			"configMap", directIdentityConfigMapName,
 			"namespace", namespace.Name)

internal/controller/serviceaccount_controller.go

@@ -30,6 +30,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -62,7 +63,8 @@ func init() {
 // ServiceAccountReconciler reconciles ServiceAccount objects with WIF annotations
 type ServiceAccountReconciler struct {
 	client.Client
-	Scheme *runtime.Scheme
+	Scheme   *runtime.Scheme
+	Recorder record.EventRecorder
 }
 
 // SetupWithManager sets up the controller with the Manager
@@ -99,6 +101,10 @@ func (r *ServiceAccountReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	if r.isWIFInjectionDisabled(namespace) {
 		log.V(1).Info("Skipping ServiceAccount in namespace with WIF injection disabled",
 			"serviceAccount", sa.Name, "namespace", sa.Namespace)
+		if r.Recorder != nil {
+			r.Recorder.Event(sa, corev1.EventTypeNormal, "ReconciliationSkipped",
+				"WIF injection disabled in namespace - skipping impersonation ConfigMap reconciliation")
+		}
 		return ctrl.Result{}, nil
 	}
 
@@ -180,10 +186,20 @@ func (r *ServiceAccountReconciler) reconcileConfigMap(ctx context.Context, sa *c
 				configMapReconcileOperations.WithLabelValues("noop").Inc()
 				return nil
 			}
+			configMapReconcileOperations.WithLabelValues("error").Inc()
+			if r.Recorder != nil {
+				r.Recorder.Event(sa, corev1.EventTypeWarning, "ConfigMapCreateFailed",
+					fmt.Sprintf("Failed to create impersonation ConfigMap '%s': %v", config.CredentialsConfigMap, err))
+			}
 			return fmt.Errorf("failed to create ConfigMap %s/%s: %w", sa.Namespace, config.CredentialsConfigMap, err)
 		}
 
 		configMapReconcileOperations.WithLabelValues("create").Inc()
+		if r.Recorder != nil {
+			r.Recorder.Event(sa, corev1.EventTypeNormal, "ConfigMapCreated",
+				fmt.Sprintf("Created impersonation ConfigMap '%s' for GCP service account '%s'",
+					config.CredentialsConfigMap, config.GoogleServiceAccount))
+		}
 		log.Info("Successfully created impersonation ConfigMap",
 			"configMap", config.CredentialsConfigMap,
 			"namespace", sa.Namespace)
@@ -208,10 +224,20 @@ func (r *ServiceAccountReconciler) reconcileConfigMap(ctx context.Context, sa *c
 		existingCM.OwnerReferences = desiredCM.OwnerReferences
 
 		if err := r.Update(ctx, existingCM); err != nil {
+			configMapReconcileOperations.WithLabelValues("error").Inc()
+			if r.Recorder != nil {
+				r.Recorder.Event(sa, corev1.EventTypeWarning, "ConfigMapUpdateFailed",
+					fmt.Sprintf("Failed to update impersonation ConfigMap '%s': %v", config.CredentialsConfigMap, err))
+			}
 			return fmt.Errorf("failed to update ConfigMap %s/%s: %w", sa.Namespace, config.CredentialsConfigMap, err)
 		}
 
 		configMapReconcileOperations.WithLabelValues("update").Inc()
+		if r.Recorder != nil {
+			r.Recorder.Event(sa, corev1.EventTypeNormal, "ConfigMapUpdated",
+				fmt.Sprintf("Updated impersonation ConfigMap '%s' for GCP service account '%s' (annotation change or self-healing)",
+					config.CredentialsConfigMap, config.GoogleServiceAccount))
+		}
 		log.Info("Successfully updated impersonation ConfigMap",
 			"configMap", config.CredentialsConfigMap,
 			"namespace", sa.Namespace)

internal/webhook/v1/pod_webhook.go

@@ -296,10 +296,22 @@ func (d *PodCustomDefaulter) ensureConfigMaps(ctx context.Context, namespace str
 			return nil
 		}
 		configMapOperations.WithLabelValues("create", "error").Inc()
+		if d.Recorder != nil {
+			d.Recorder.Event(pod, corev1.EventTypeWarning, "ConfigMapCreateFailed",
+				fmt.Sprintf("Failed to create WIF ConfigMap '%s': %v", configMapName, err))
+		}
 		return fmt.Errorf("failed to create ConfigMap %s/%s: %w", namespace, configMapName, err)
 	}
 
 	configMapOperations.WithLabelValues("create", "success").Inc()
+	if d.Recorder != nil {
+		cmType := "direct identity"
+		if !config.UseDirectIdentity {
+			cmType = fmt.Sprintf("impersonation (GCP SA: %s)", config.GoogleServiceAccount)
+		}
+		d.Recorder.Event(pod, corev1.EventTypeNormal, "ConfigMapCreated",
+			fmt.Sprintf("Created WIF ConfigMap '%s' (%s)", configMapName, cmType))
+	}
 	podlog.Info("Created WIF ConfigMap on-demand", "configmap", configMapName, "namespace", namespace)
 	return nil
 }