package controllers
import (
"context"
"github.com/go-logr/logr"
"github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
corev1alpha1 "github.com/phillebaba/kubernetes-generated-secret/api/v1alpha1"
"github.com/phillebaba/kubernetes-generated-secret/crypto"
)
// GeneratedSecretReconciler reconciles a GeneratedSecret object
type GeneratedSecretReconciler struct {
	// Client is the API client used for every read and write in Reconcile;
	// embedding it also lets the reconciler itself be handed to
	// ctrl.CreateOrUpdate as the client.
	client.Client
	// Log is the structured logger the reconciler writes to.
	Log logr.Logger
	// Scheme is passed to controllerutil.SetControllerReference when a
	// generated Secret is marked as owned by its GeneratedSecret.
	Scheme *runtime.Scheme
}
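// Reconcile implements the reconciliation loop for the operator.
//
// For the GeneratedSecret named by req it: publishes a Generating status on
// first sight, writes spec defaults back (requeueing once they are persisted),
// refuses to touch a pre-existing Secret of the same name that this
// GeneratedSecret does not own, and otherwise creates or updates the owned
// Secret. Values already present in the Secret are kept; only keys missing
// from it get a freshly generated random string, so a re-reconcile never
// rotates a value. Keys no longer listed in spec.dataList are dropped on
// update.
//
// A non-nil err marks the GeneratedSecret status Failed; the final status
// write runs in a deferred call so every exit path reports its state.
//
// NOTE(review): the RBAC markers below grant the manager read/write on every
// Secret in the cluster. The owner-reference check is what stops a
// GeneratedSecret from being used to overwrite an unrelated Secret in its
// namespace, so it must stay ahead of any write.
// +kubebuilder:rbac:groups=core.phillebaba.io,resources=generatedsecrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core.phillebaba.io,resources=generatedsecrets/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
func (r *GeneratedSecretReconciler) Reconcile(req ctrl.Request) (result ctrl.Result, err error) {
	ctx := context.Background()

	// Fetch the GeneratedSecret; an object that has since vanished is not an error.
	gs := &corev1alpha1.GeneratedSecret{}
	if err := r.Get(ctx, req.NamespacedName, gs); err != nil {
		return ctrl.Result{}, client.IgnoreNotFound(err)
	}

	// Persist whatever state the body decided on, on every exit path. A
	// failed status write is logged instead of silently dropped; it does not
	// alter the reconcile's own result.
	defer func() {
		if err != nil {
			gs.Status.State = corev1alpha1.Failed
		}
		if updateErr := r.Status().Update(ctx, gs); updateErr != nil {
			r.Log.Error(updateErr, "unable to update GeneratedSecret status", "generatedsecret", gs.Namespace+"/"+gs.Name)
		}
	}()

	// First sight: publish Generating before doing any work.
	if gs.Status.State == "" {
		gs.Status.State = corev1alpha1.Generating
		if err := r.Status().Update(ctx, gs); err != nil {
			return ctrl.Result{}, err
		}
	}

	// Defaults are written to the spec and persisted; the resulting update
	// event brings us back around with the stored values.
	if !checkAndSetDefaults(gs) {
		if err := r.Update(ctx, gs); err != nil {
			return ctrl.Result{}, err
		}
		r.Log.Info("Setting default values and requeueing")
		return ctrl.Result{Requeue: true}, nil
	}

	// Refuse to adopt a Secret that this GeneratedSecret does not own. The
	// Secret lives in the same namespace under the same name as the
	// GeneratedSecret, so without this check anyone able to create
	// GeneratedSecrets could overwrite an arbitrary Secret in that namespace.
	existing := &corev1.Secret{}
	getErr := r.Get(ctx, req.NamespacedName, existing)
	if client.IgnoreNotFound(getErr) != nil {
		return ctrl.Result{}, getErr
	}
	if !apierrors.IsNotFound(getErr) && !hasOwnerReference(gs.UID, existing.OwnerReferences) {
		r.Log.Info("Conflicting Secret exists to the one meant to be generated", "secret", existing.Namespace+"/"+existing.Name)
		gs.Status.State = corev1alpha1.Conflict
		return ctrl.Result{Requeue: true}, nil
	}

	// Create or update the owned Secret.
	s := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: gs.Name, Namespace: gs.Namespace}}
	_, err = ctrl.CreateOrUpdate(ctx, r, s, func() error {
		// CreateOrUpdate re-reads the Secret before calling this function, so
		// the ownership check is repeated against the live object to close the
		// window between the two reads. A UID is only present when the Secret
		// already exists.
		live := s.ObjectMeta
		if live.UID != "" && !hasOwnerReference(gs.UID, live.OwnerReferences) {
			return errors.New("existing Secret is not owned by this GeneratedSecret")
		}

		// Apply the user-supplied metadata with name/namespace pinned, and
		// carry over the server-managed identity of the live object so the
		// write stays an optimistic-concurrency update of the version we read
		// rather than an unconditional overwrite.
		sm := *gs.Spec.SecretMeta.DeepCopy()
		sm.Name = gs.Name
		sm.Namespace = gs.Namespace
		sm.UID = live.UID
		sm.ResourceVersion = live.ResourceVersion
		sm.CreationTimestamp = live.CreationTimestamp
		s.ObjectMeta = sm

		// Keep existing values; generate only the keys that are missing.
		sd := make(map[string][]byte, len(gs.Spec.DataList))
		for _, d := range gs.Spec.DataList {
			if val, ok := s.Data[d.Key]; ok {
				sd[d.Key] = val
				continue
			}
			randString, genErr := crypto.GenerateRandomASCIIString(*d.Length, d.Exclude)
			if genErr != nil {
				return genErr
			}
			sd[d.Key] = []byte(randString)
		}
		s.Data = sd
		gs.Status.State = corev1alpha1.Generated
		return controllerutil.SetControllerReference(gs, s, r.Scheme)
	})
	if err != nil {
		return ctrl.Result{}, errors.Wrap(err, "unable to create or update Secret")
	}
	r.Log.Info("Created or Updated secret", "secret", s.Namespace+"/"+s.Name)
	return ctrl.Result{}, nil
}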
// SetupWithManager registers this reconciler with mgr. The controller
// reconciles GeneratedSecret objects and, via controller-runtime's Owns, is
// also notified about the Secrets those objects own.
func (r *GeneratedSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
	builder := ctrl.NewControllerManagedBy(mgr)
	builder = builder.For(&corev1alpha1.GeneratedSecret{})
	builder = builder.Owns(&corev1.Secret{})
	return builder.Complete(r)
}
// hasOwnerReference reports whether ownerReferences contains an entry whose
// UID equals UID. It is the ownership test that decides whether an existing
// Secret may be written by the reconciler.
func hasOwnerReference(UID types.UID, ownerReferences []metav1.OwnerReference) bool {
	for i := range ownerReferences {
		if ownerReferences[i].UID == UID {
			return true
		}
	}
	return false
}
// checkAndSetDefaults fills in unset optional fields of gs.Spec and reports
// whether the spec was already complete. It returns false when at least one
// default was written, in which case the caller persists gs before going on.
//
// Only DataList[i].Length is defaulted today.
//
// NOTE(review): nothing here rejects a non-positive or very large Length; how
// GenerateRandomASCIIString treats such values is not visible from this file.
// Confirm the CRD schema bounds it.
func checkAndSetDefaults(gs *corev1alpha1.GeneratedSecret) bool {
	const defaultLength = 10
	complete := true
	for i := range gs.Spec.DataList {
		entry := &gs.Spec.DataList[i]
		if entry.Length != nil {
			continue
		}
		l := defaultLength
		entry.Length = &l
		complete = false
	}
	return complete
}