Don't clobber secret key

On the start of a new server we do not want to blindly save the cert because that will change the TLS key. Instead only write to k8s on start if there is no secret in k8s. On start of the controller it will sync up if the local file and k8s secret aren't the same
ibuildthecloud · Nov 15, 2019 · 5c0b410 · 5c0b410
1 parent 988d8dd
commit 5c0b410
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/storage/kubernetes/controller.go b/storage/kubernetes/controller.go
@@ -80,9 +80,20 @@ func (s *storage) init(secrets v1controller.SecretController) {
 	})
 	s.secrets = secrets
 
-	secret, err := s.storage.Get()
-	if err == nil && secret != nil {
-		s.saveInK8s(secret)
+	if secret, err := s.storage.Get(); err == nil && secret != nil && len(secret.Data) > 0 {
+		// just ensure there is a secret in k3s
+		_, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
+		if errors.IsNotFound(err) {
+			_, _ = s.secrets.Create(&v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        s.name,
+					Namespace:   s.namespace,
+					Annotations: secret.Annotations,
+				},
+				Type: v1.SecretTypeTLS,
+				Data: secret.Data,
+			})
+		}
 	}
 }