Explicitly set the secret credential data on sync.
The behavior previously changed to patching the credential secrets as
opposed to updating them. As a result, sometimes when a credential is
changed it can continue to have pieces of the old credential.

This change replaces the entire credential data with the new credential, so
all old credential data is removed when the new credential is synced.
jstuever committed Nov 14, 2023
1 parent 5a6da9c commit a054632
Showing 7 changed files with 15 additions and 21 deletions.
5 changes: 2 additions & 3 deletions pkg/aws/actuator/actuator.go
Expand Up @@ -1025,9 +1025,8 @@ func (a *AWSActuator) syncAccessKeySecret(ctx context.Context, cr *minterv1.Cred
secret.Annotations[minterv1.AnnotationCredentialsRequest] = fmt.Sprintf("%s/%s", cr.Namespace, cr.Name)
secret.Annotations[minterv1.AnnotationAWSPolicyLastApplied] = userPolicy

if secret.Data == nil {
secret.Data = map[string][]byte{}
}
secret.Data = map[string][]byte{}

// either we know the access key ID and secret access key, or we get them from the secret itself
for identifier, into := range map[string]*string{
secretDataAccessKey: &accessKeyID,
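Review bot: The reset `secret.Data = map[string][]byte{}` now runs before the loop whose comment says the access key ID and secret access key may be taken "from the secret itself"; if that loop body (outside the hunk) reads `secret.Data[identifier]` when the in-memory value is empty, it now reads from an empty map and the previously stored credential is lost instead of carried over. Capture the old map before the reset and read from it, e.g. `existing := secret.Data` above the reset and `*into = string(existing[identifier])` where the loop falls back to the stored value. The other hunks in this commit write only freshly obtained values after their reset, so they are not affected. syncAccessKeySecret's body continues outside the hunk.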
6 changes: 3 additions & 3 deletions pkg/azure/actuator.go
Expand Up @@ -391,9 +391,9 @@ func (a *Actuator) syncCredentialSecrets(ctx context.Context, cr *minterv1.Crede
secret.Annotations = map[string]string{}
}
secret.Annotations[minterv1.AnnotationCredentialsRequest] = fmt.Sprintf("%s/%s", cr.Namespace, cr.Name)
if secret.Data == nil {
secret.Data = map[string][]byte{}
}

secret.Data = map[string][]byte{}

secret.Data[AzureClientID] = cloudCredsSecret.Data[AzureClientID]
secret.Data[AzureClientSecret] = cloudCredsSecret.Data[AzureClientSecret]
secret.Data[AzureRegion] = cloudCredsSecret.Data[AzureRegion]
6 changes: 3 additions & 3 deletions pkg/gcp/actuator/actuator.go
Expand Up @@ -784,9 +784,9 @@ func (a *Actuator) syncSecret(ctx context.Context, cr *minterv1.CredentialsReque
secret.Annotations = map[string]string{}
}
secret.Annotations[minterv1.AnnotationCredentialsRequest] = fmt.Sprintf("%s/%s", cr.Namespace, cr.Name)
if secret.Data == nil {
secret.Data = map[string][]byte{}
}

secret.Data = map[string][]byte{}

secret.Data[gcpSecretJSONKey] = privateKeyData
return nil
})
3 changes: 0 additions & 3 deletions pkg/kubevirt/actuator.go
Expand Up @@ -185,9 +185,6 @@ func (a *KubevirtActuator) syncCredentialSecret(ctx context.Context, cr *minterv
}
secret.Annotations[minterv1.AnnotationCredentialsRequest] = fmt.Sprintf("%s/%s", cr.Namespace, cr.Name)
if kubevirtCredentialData != nil {
if secret.Data == nil {
secret.Data = map[string][]byte{}
}
secret.Data = map[string][]byte{
KubevirtCredentialsSecretKey: *kubevirtCredentialData,
}
4 changes: 1 addition & 3 deletions pkg/openstack/actuator.go
Expand Up @@ -139,9 +139,7 @@ func (a *OpenStackActuator) syncCredentialSecret(ctx context.Context, cr *minter
}
secret.Annotations[minterv1.AnnotationCredentialsRequest] = fmt.Sprintf("%s/%s", cr.Namespace, cr.Name)
if clouds != "" {
if secret.Data == nil {
secret.Data = map[string][]byte{}
}
secret.Data = map[string][]byte{}
secret.Data[RootOpenStackCredsSecretKey] = []byte(clouds)
}
return nil
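Review bot: The reset `secret.Data = map[string][]byte{}` sits inside `if clouds != ""`, so when `clouds` is empty the secret keeps whatever keys it held before, which is exactly the stale-data case the commit message sets out to remove; the azure, gcp, ovirt and vsphere hunks reset unconditionally. If an empty `clouds` is not a valid state here, return an error before the annotation updates instead; otherwise move the reset above the guard so the secret ends up empty rather than stale. The kubevirt hunk keeps the same shape behind its `if kubevirtCredentialData != nil` guard. syncCredentialSecret's body starts outside the hunk.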
6 changes: 3 additions & 3 deletions pkg/ovirt/actuator.go
Expand Up @@ -156,9 +156,9 @@ func (a *OvirtActuator) syncCredentialSecret(ctx context.Context, cr *minterv1.C
secret.Annotations = map[string]string{}
}
secret.Annotations[minterv1.AnnotationCredentialsRequest] = fmt.Sprintf("%s/%s", cr.Namespace, cr.Name)
if secret.Data == nil {
secret.Data = map[string][]byte{}
}

secret.Data = map[string][]byte{}

for key, value := range secretDataFrom(ovirtCreds) {
secret.Data[key] = value
}
6 changes: 3 additions & 3 deletions pkg/vsphere/actuator/actuator.go
Expand Up @@ -294,9 +294,9 @@ func (a *VSphereActuator) syncTargetSecret(ctx context.Context, cr *minterv1.Cre
secret.Annotations = map[string]string{}
}
secret.Annotations[minterv1.AnnotationCredentialsRequest] = fmt.Sprintf("%s/%s", cr.Namespace, cr.Name)
if secret.Data == nil {
secret.Data = map[string][]byte{}
}

secret.Data = map[string][]byte{}

for key, value := range secretData {
secret.Data[key] = value
}
