prune on VaultAuthGlobal update
benashz committed May 13, 2024
1 parent de2c6fa commit 4406bf0
Showing 14 changed files with 335 additions and 55 deletions.
8 changes: 5 additions & 3 deletions api/v1beta1/vaultauth_types.go
@@ -275,7 +275,7 @@ type VaultAuthSpec struct {
AllowedNamespaces []string `json:"allowedNamespaces,omitempty"`
// Method to use when authenticating to Vault.
// +kubebuilder:validation:Enum=kubernetes;jwt;appRole;aws;gcp
Method string `json:"method"`
Method string `json:"method,omitempty"`
// Mount to use when authenticating to auth method.
Mount string `json:"mount,omitempty"`
// Params to use when authenticating to Vault
@@ -304,8 +304,10 @@ type VaultAuthSpec struct {
// VaultAuthStatus defines the observed state of VaultAuth
type VaultAuthStatus struct {
// Valid auth mechanism.
Valid bool `json:"valid"`
Error string `json:"error"`
Valid bool `json:"valid"`
Error string `json:"error"`
Conditions []metav1.Condition `json:"conditions,omitempty"`
SpecHash string `json:"specHash,omitempty"`
}

//+kubebuilder:object:root=true
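Review bot: With `Method` now tagged `json:"method,omitempty"` in `VaultAuthSpec` (and dropped from the CRD's `required` list later on this page), a VaultAuth that names no auth method passes admission, so the only remaining check is whatever the controller does after merging in a global default. That merge is not visible here; it should fail closed, setting `Valid` to false with a clear `Error`, when neither this field nor the VaultAuthGlobal's `defaultMethod` yields a method, rather than falling through to an implicit one. The field comment should state the new contract, e.g. `// Method to use when authenticating to Vault. Optional only when a VaultAuthGlobal supplies defaultMethod.` (assuming that is the intended source of the default). The new `Conditions` and `SpecHash` status fields in the second hunk carry no doc comments; one line saying what `SpecHash` is computed over would help anyone reading the status.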
6 changes: 6 additions & 0 deletions api/v1beta1/vaultauthglobal_types.go
@@ -18,6 +18,12 @@ type VaultAuthGlobalSpec struct {
// method will be used. This can be used as a default Vault namespace for all
// auth methods.
Namespace string `json:"namespace,omitempty"`
// DefaultMethod to use when authenticating to Vault.
// +kubebuilder:validation:Enum=kubernetes;jwt;appRole;aws;gcp
DefaultMethod string `json:"defaultMethod,omitempty"`
// Mount to use when authenticating to auth method. If not specified the mount of
// the auth method configured in Vault will be used.
Mount string `json:"mount,omitempty"`
// AllowedNamespaces Kubernetes Namespaces which are allow-listed for use with this AuthMethod.
// This field allows administrators to customize which Kubernetes namespaces are authorized to
// use with this AuthMethod. While Vault will still enforce its own rules, this has the added
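Review bot: The comments on the new `DefaultMethod` and `Mount` fields of `VaultAuthGlobalSpec` do not say how they interact with the same settings on a VaultAuth, which matters because an edit here can move every referring VaultAuth to a different auth method or mount. I would state the precedence explicitly, e.g. `// DefaultMethod to use when authenticating to Vault. Applies only when the referring VaultAuth does not set method.`, assuming that is the intended merge order, which this page does not show. The naming is also uneven: `DefaultMethod` carries the prefix while `Mount` does not, although both appear to act as defaults. The struct continues outside the hunk.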
10 changes: 9 additions & 1 deletion api/v1beta1/zz_generated.deepcopy.go


14 changes: 14 additions & 0 deletions chart/crds/secrets.hashicorp.com_vaultauthglobals.yaml
@@ -124,6 +124,15 @@ spec:
default
type: string
type: object
defaultMethod:
description: DefaultMethod to use when authenticating to Vault.
enum:
- kubernetes
- jwt
- appRole
- aws
- gcp
type: string
gcp:
description: GCP specific auth configuration, requires that Method
be set to `gcp`.
@@ -233,6 +242,11 @@ spec:
minimum: 600
type: integer
type: object
mount:
description: |-
Mount to use when authenticating to auth method. If not specified the mount of
the auth method configured in Vault will be used.
type: string
namespace:
description: |-
Namespace to auth to in Vault, if not specified the namespace of the auth
73 changes: 71 additions & 2 deletions chart/crds/secrets.hashicorp.com_vaultauths.yaml
@@ -259,14 +259,83 @@ spec:
namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the
Operator will default to the `default` VaultConnection, configured in the operator's namespace.
type: string
required:
- method
type: object
status:
description: VaultAuthStatus defines the observed state of VaultAuth
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
error:
type: string
specHash:
type: string
valid:
description: Valid auth mechanism.
type: boolean
14 changes: 14 additions & 0 deletions config/crd/bases/secrets.hashicorp.com_vaultauthglobals.yaml
@@ -124,6 +124,15 @@ spec:
default
type: string
type: object
defaultMethod:
description: DefaultMethod to use when authenticating to Vault.
enum:
- kubernetes
- jwt
- appRole
- aws
- gcp
type: string
gcp:
description: GCP specific auth configuration, requires that Method
be set to `gcp`.
@@ -233,6 +242,11 @@ spec:
minimum: 600
type: integer
type: object
mount:
description: |-
Mount to use when authenticating to auth method. If not specified the mount of
the auth method configured in Vault will be used.
type: string
namespace:
description: |-
Namespace to auth to in Vault, if not specified the namespace of the auth
73 changes: 71 additions & 2 deletions config/crd/bases/secrets.hashicorp.com_vaultauths.yaml
@@ -259,14 +259,83 @@ spec:
namespace of the VaultConnection CR. If no value is specified for VaultConnectionRef the
Operator will default to the `default` VaultConnection, configured in the operator's namespace.
type: string
required:
- method
type: object
status:
description: VaultAuthStatus defines the observed state of VaultAuth
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
error:
type: string
specHash:
type: string
valid:
description: Valid auth mechanism.
type: boolean
7 changes: 5 additions & 2 deletions controllers/eventhandlers.go
@@ -87,7 +87,9 @@ func (e *enqueueRefRequestsHandler) Generic(ctx context.Context,
func (e *enqueueRefRequestsHandler) enqueue(ctx context.Context,
q workqueue.RateLimitingInterface, o client.Object,
) {
logger := log.FromContext(ctx).WithName("enqueueRefRequestsHandler")
logger := log.FromContext(ctx).WithName(
"enqueueRefRequestsHandler").
WithValues("refKind", e.kind)
reqs := map[reconcile.Request]empty{}
d := e.maxRequeueAfter
if d <= 0 {
@@ -96,6 +98,7 @@ func (e *enqueueRefRequestsHandler) enqueue(ctx context.Context,

referrers := e.refCache.Get(e.kind, client.ObjectKeyFromObject(o))
if len(referrers) == 0 {
logger.V(consts.LogLevelDebug).Info("No referrers")
return
}

@@ -117,7 +120,7 @@ func (e *enqueueRefRequestsHandler) enqueue(ctx context.Context,
if _, ok := reqs[req]; !ok {
_, jitter := computeMaxJitterDuration(d)
logger.V(consts.LogLevelTrace).Info(
"Enqueuing", "obj", ref, "refKind", e.kind)
"Enqueuing", "obj", ref)
q.AddAfter(req, jitter)
reqs[req] = empty{}
}
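Review bot: The new debug message in `enqueue`, `logger.V(consts.LogLevelDebug).Info("No referrers")`, does not identify the object that triggered the event, so an operator cannot tell which referenced resource produced no reconciles. A missed enqueue here would presumably leave referrers running on stale auth configuration, so the key is worth logging: `logger.V(consts.LogLevelDebug).Info("No referrers", "obj", client.ObjectKeyFromObject(o))`. As a style point, the logger construction in the first hunk breaks inside `WithName(`; breaking before `.WithValues("refKind", e.kind)` instead keeps the name literal on the same line as its call. The body of `enqueue` extends outside the visible hunks.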
6 changes: 6 additions & 0 deletions controllers/registry.go
@@ -17,6 +17,8 @@ const (
VaultStaticSecret
VaultPKISecret
HCPVaultSecretsApp
VaultAuth
VaultAuthGlobal
)

func (k ResourceKind) String() string {
@@ -31,6 +33,10 @@ func (k ResourceKind) String() string {
return "VaultPKISecret"
case HCPVaultSecretsApp:
return "HCPVaultSecretsApp"
case VaultAuth:
return "VaultAuth"
case VaultAuthGlobal:
return "VaultAuthGlobal"
default:
return "unknown"
}
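Review bot: The `ResourceKind` constants and the `String()` switch have to be extended in step by hand, and a kind that is missed falls through to `"unknown"` without any error. Since the kind also keys the reference-cache lookup shown in eventhandlers.go (`e.refCache.Get(e.kind, …)`) and now appears in its log values, a small table-driven test asserting that every declared kind maps to a distinct string other than `"unknown"` would catch a future omission. Appending `VaultAuth` and `VaultAuthGlobal` at the end of the block keeps existing values stable if the block is iota-based; its start is outside the hunk, so that is an assumption.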