SecretVersion as a subresource

Signed-off-by: Harsh Thakur <harshthakur9030@gmail.com>
crossplane-contrib · Feb 27, 2021 · 322384a · 322384a
1 parent b6bda43
commit 322384a
Show file tree

Hide file tree

Showing 5 changed files with 111 additions and 1 deletion.
diff --git a/apis/secretsmanager/v1alpha1/secret_types.go b/apis/secretsmanager/v1alpha1/secret_types.go
@@ -20,6 +20,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+	"github.com/docker/swarmkit/api/timestamp"
 )
 
 // Keys used in connection secret.
@@ -28,6 +29,38 @@ const (
 	ConnectionSecretKeyProjectName = "projectName"
 )
 
+// SecretVersionState gives the state of a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion], indicating if it can be accessed.
+type SecretVersionState int32
+
+const (
+	// SecretVersionSTATEUNSPECIFIED represents that SecretVersion state is not specified. This value is unused and invalid.
+	SecretVersionSTATEUNSPECIFIED SecretVersionState = 0
+	// SecretVersionENABLED represents that SecretVersion state  may be accessed.
+	SecretVersionENABLED SecretVersionState = 1
+	// SecretVersionDISABLED represents that SecretVersion state may not be accessed, but the secret data
+	// is still available and can be placed back into the [ENABLED] state.
+	SecretVersionDISABLED SecretVersionState = 2
+	// SecretVersionDESTROYED represents that SecretVersion state is destroyed and the secret data is no longer
+	// stored. A version may not leave this state once entered.
+	SecretVersionDESTROYED SecretVersionState = 3
+)
+
+// SecretVersionStateName is to map integers with states
+var SecretVersionStateName = map[int32]string{
+	0: "STATE_UNSPECIFIED",
+	1: "ENABLED",
+	2: "DISABLED",
+	3: "DESTROYED",
+}
+
+// SecretVersionStateValue is to map states with integers
+var SecretVersionStateValue = map[string]int32{
+	"STATE_UNSPECIFIED": 0,
+	"ENABLED":           1,
+	"DISABLED":          2,
+	"DESTROYED":         3,
+}
+
 // SecretParameters defines parameters for a desired Secret Manager's secret.
 type SecretParameters struct {
 
@@ -44,6 +77,9 @@ type SecretParameters struct {
 	// +optional
 	// +immutable
 	Replication *Replication `json:"replication,omitempty"`
+
+	// SecretVersions is a list of SecretVersion resource in the Secret Manager API.
+	SecretVersions *[]SecretVersion `json:"secretVersion,omitempty	"`
 }
 
 // Replication policy that defines the replication configuration of data.
@@ -91,6 +127,50 @@ type ReplicationUserManagedReplica struct {
 	Location string `json:"location,omitempty"`
 }
 
+// SecretVersion resource in the Secret Manager API.
+type SecretVersion struct {
+
+	// Output only. The resource name of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the
+	// format `projects/*/secrets/*/versions/*`.
+	// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] IDs in a [Secret][google.cloud.secretmanager.v1.Secret] start at 1 and
+	// are incremented for each subsequent version of the secret.
+	Name string `json:"name,omitempty"`
+
+	// Payload is the secret payload of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+	Payload SecretPayload `json:"payload,omitempty"`
+}
+
+// SecretPayload is a secret payload resource in the Secret Manager API. This contains the
+// sensitive secret data that is associated with a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+type SecretPayload struct {
+	// Data is the secret data. Must be no larger than 64KiB.
+	Data []byte `json:"data,omitempty"`
+}
+
+// SecretVersionStatus gives the status of the SecretVersion resource in the Secret Manager API.
+type SecretVersionStatus struct {
+	// Output only. The resource name of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the
+	// format `projects/*/secrets/*/versions/*`.
+	// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] IDs in a [Secret][google.cloud.secretmanager.v1.Secret] start at 1 and
+	// are incremented for each subsequent version of the secret.
+	Name string `json:"name,omitempty"`
+
+	// Output only. The time at which the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] was created.
+	CreateTime *timestamp.Timestamp `json:"create_time,omitempty"`
+
+	// Output only. The time this [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] was destroyed.
+	// Only present if [state][google.cloud.secretmanager.v1.SecretVersion.state] is
+	// [DESTROYED][google.cloud.secretmanager.v1.SecretVersion.State.DESTROYED].
+	DestroyTime *timestamp.Timestamp `json:"destroy_time,omitempty"`
+
+	// Output only. This must be unique within the project. External name of the object is set to this field, hence making it optional
+	// +optional
+	SecretID *string `json:"secretid,omitempty"`
+
+	// Output only. The current state of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+	State SecretVersionState `json:"state,omitempty"`
+}
+
 // SecretObservation is used to show the observed state of the
 // Secret resource on GCP Secrets Manager. All fields in this structure should only
 // be populated from GCP responses; any changes made to the k8s resource outside

diff --git a/go.mod b/go.mod
@@ -14,6 +14,7 @@ require (
 	cloud.google.com/go/storage v1.6.0
 	github.com/crossplane/crossplane-runtime v0.12.1-0.20210219155338-30a941c3c3c6
 	github.com/crossplane/crossplane-tools v0.0.0-20201201125637-9ddc70edfd0d
+	github.com/docker/swarmkit v1.12.0
 	github.com/google/go-cmp v0.5.2
 	github.com/googleapis/gax-go v1.0.3
 	github.com/googleapis/gax-go/v2 v2.0.5

diff --git a/go.sum b/go.sum
@@ -145,6 +145,8 @@ github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
+github.com/docker/swarmkit v1.12.0 h1:vcbNXevt9xOod0miQxkp9WZ70IsOCe8geXkmFnXP2e0=
+github.com/docker/swarmkit v1.12.0/go.mod h1:n3Z4lIEl7g261ptkGDBcYi/3qBMDl9csaAhwi2MPejs=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=

diff --git a/pkg/clients/secret/secret.go b/pkg/clients/secret/secret.go
@@ -36,6 +36,7 @@ type Client interface {
 	UpdateSecret(ctx context.Context, req *secretmanager.UpdateSecretRequest, opts ...gax.CallOption) (*secretmanager.Secret, error)
 	GetSecret(ctx context.Context, req *secretmanager.GetSecretRequest, opts ...gax.CallOption) (*secretmanager.Secret, error)
 	DeleteSecret(ctx context.Context, req *secretmanager.DeleteSecretRequest, opts ...gax.CallOption) error
+	// CreateSecretRequest(ctx context.Context, req *secretmanagerpb.AddSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
 }
 
 // GenerateSecret is used to convert Crossplane SecretParameters
@@ -63,6 +64,26 @@ func GenerateSecret(name string, sp v1alpha1.SecretParameters, s *secretmanager.
 
 }
 
+// func NewCreateSecretVersionRequest(projectID, name string, sp v1alpha1.SecretParameters) *secretmanager.SecretVersion {
+
+// 	// if sp.SecretVersions != nil {
+// 	// 	for _, version := range *sp.SecretVersions {
+// 	// 		// Build the request.
+// 	// 		req = &secretmanagerpb.AddSecretVersionRequest{
+// 	// 			Parent: sp.Parent,
+// 	// 			Payload: &secretmanagerpb.SecretPayload{
+// 	// 				Data: version.Payload.Data,
+// 	// 			},
+// 	// 		}
+
+// 	// 	}
+
+// 	// }
+
+// Can't do it this way since the GCP API doesn't let me return a list of requests.
+// 	// return req
+// }
+
 // NewCreateSecretRequest produces a Secret that is configured via given SecretParameters.
 func NewCreateSecretRequest(projectID, name string, sp v1alpha1.SecretParameters) *secretmanager.CreateSecretRequest {
 	secret := &secretmanager.Secret{}

diff --git a/pkg/controller/secretsmanager/secret.go b/pkg/controller/secretsmanager/secret.go
@@ -24,13 +24,16 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/pkg/errors"
 	sm "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
+	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
 
 	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/event"
 	"github.com/crossplane/crossplane-runtime/pkg/logging"
 	"github.com/crossplane/crossplane-runtime/pkg/meta"
+	"github.com/crossplane/crossplane-runtime/pkg/ratelimiter"
 	"github.com/crossplane/crossplane-runtime/pkg/reconciler/managed"
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 
@@ -51,11 +54,14 @@ const (
 )
 
 // SetupSecret adds a controller that reconciles Secrets.
-func SetupSecret(mgr ctrl.Manager, l logging.Logger) error {
+func SetupSecret(mgr ctrl.Manager, l logging.Logger, rl workqueue.RateLimiter) error {
 	name := managed.ControllerName(v1alpha1.SecretGroupKind)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
+		WithOptions(controller.Options{
+			RateLimiter: ratelimiter.NewDefaultManagedRateLimiter(rl),
+		}).
 		For(&v1alpha1.Secret{}).
 		Complete(managed.NewReconciler(mgr,
 			resource.ManagedKind(v1alpha1.TopicGroupVersionKind),