-
Notifications
You must be signed in to change notification settings - Fork 3
/
keyhubsecret_controller.go
178 lines (153 loc) · 6.15 KB
/
keyhubsecret_controller.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
// Copyright 2020 Topicus Security BV
// SPDX-License-Identifier: Apache-2.0
package controllers
import (
"context"
"fmt"
"time"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/tools/record"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
keyhubv1alpha1 "github.com/topicuskeyhub/keyhub-vault-operator/api/v1alpha1"
"github.com/topicuskeyhub/keyhub-vault-operator/controllers/metrics"
"github.com/topicuskeyhub/keyhub-vault-operator/controllers/policy"
"github.com/topicuskeyhub/keyhub-vault-operator/controllers/secret"
"github.com/topicuskeyhub/keyhub-vault-operator/controllers/settings"
"github.com/topicuskeyhub/keyhub-vault-operator/controllers/vault"
)
const (
requeueDelay = time.Duration(5 * time.Minute)
requeueDelayAfterError = time.Duration(2 * time.Minute)
)
// KeyHubSecretReconciler reconciles a KeyHubSecret object
type KeyHubSecretReconciler struct {
client.Client
Log logr.Logger
Scheme *runtime.Scheme
Recorder record.EventRecorder
SettingsManager settings.SettingsManager
PolicyEngine policy.PolicyEngine
VaultIndexCache vault.VaultIndexCache
}
func init() {
metrics.KeyHubApiRequests.WithLabelValues("group", "list").Add(0)
metrics.KeyHubApiRequests.WithLabelValues("vault", "list").Add(0)
metrics.KeyHubApiRequests.WithLabelValues("vault", "get").Add(0)
}
// +kubebuilder:rbac:groups=keyhub.topicus.nl,resources=keyhubsecrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=keyhub.topicus.nl,resources=keyhubsecrets/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=keyhub.topicus.nl,resources=keyhubsecrets/finalizers,verbs=update
// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch;delete
// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
// TODO(user): Modify the Reconcile function to compare the state specified by
// the KeyHubSecret object against the actual cluster state, and then
// perform operations to make the cluster state reflect the state specified by
// the user.
//
// For more details, check Reconcile and its Result here:
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.7.0/pkg/reconcile
func (r *KeyHubSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
log := r.Log.WithValues("keyhubsecret", req.NamespacedName)
// r.Recorder.Event()
log.Info("", "KeyHubSecret", req.NamespacedName)
// Fetch the KeyHubSecret instance
keyhubsecret := &keyhubv1alpha1.KeyHubSecret{}
err := r.Get(ctx, req.NamespacedName, keyhubsecret)
if err != nil {
if errors.IsNotFound(err) {
// Request object not found, could have been deleted after reconcile request.
// Owned objects are automatically garbage collected. For additional cleanup logic use finalizers.
// Return and don't requeue
log.Info("KeyHubSecret resource not found. Ignoring since object must be deleted")
return ctrl.Result{}, nil
}
// Error reading the object - requeue the request.
log.Error(err, "Failed to get KeyHubSecret")
return ctrl.Result{}, err
}
if keyhubsecret.DeletionTimestamp != nil {
log.Info("KeyHubSecret resource marked for deletion. Ignoring since object must be deleted")
return ctrl.Result{}, nil
}
secret := r.newSecretForCR(keyhubsecret)
res, err := controllerutil.CreateOrPatch(ctx, r.Client, secret, r.reconcileFn(keyhubsecret, secret))
if err != nil {
keyhubsecret.Status.Sync.Status = keyhubv1alpha1.SyncStatusCodeOutOfSync
r.Status().Update(ctx, keyhubsecret)
r.Recorder.Event(keyhubsecret, "Warning", "ProcessingError", err.Error())
log.Error(err, "sync failed")
return ctrl.Result{RequeueAfter: requeueDelayAfterError}, err
}
if res != controllerutil.OperationResultNone {
var reason string
var message string
switch res {
case controllerutil.OperationResultCreated:
reason = "SecretCreated"
message = fmt.Sprintf("Secret (type '%s') has been created", secret.Type)
default:
reason = "SecretUpdated"
message = "Secret has been updated"
}
r.Recorder.Event(keyhubsecret, "Normal", reason, message)
}
if len(keyhubsecret.Status.SecretKeyStatuses) > 0 {
keyhubsecret.Status.Sync.Status = keyhubv1alpha1.SyncStatusCodeSynced
} else {
keyhubsecret.Status.Sync.Status = keyhubv1alpha1.SyncStatusCodeUnknown
}
err = r.Status().Update(ctx, keyhubsecret)
if err != nil {
log.Error(err, "Failed to update KeyHubSecret status")
r.Recorder.Event(keyhubsecret, "Warning", "FailedUpdate", err.Error())
return ctrl.Result{RequeueAfter: requeueDelayAfterError}, err
}
return ctrl.Result{RequeueAfter: requeueDelay}, nil
}
func (r *KeyHubSecretReconciler) reconcileFn(cr *keyhubv1alpha1.KeyHubSecret, s *corev1.Secret) controllerutil.MutateFn {
return func() error {
// Set KeyHubSecret instance as the owner and controller
if err := controllerutil.SetControllerReference(cr, s, r.Scheme); err != nil {
return err
}
client, err := r.PolicyEngine.GetClient(cr)
if err != nil {
return err
}
records, err := r.VaultIndexCache.Get(client)
if err != nil {
return err
}
secretBuilder := secret.NewSecretBuilder(
r.Client,
ctrl.Log.WithName("SecretBuilder"),
records,
vault.NewVaultSecretRetriever(r.Log, client),
)
return secretBuilder.Build(cr, s)
}
}
func (r *KeyHubSecretReconciler) newSecretForCR(cr *keyhubv1alpha1.KeyHubSecret) *corev1.Secret {
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: cr.Name,
Namespace: cr.Namespace,
},
}
}
// SetupWithManager sets up the controller with the Manager.
func (r *KeyHubSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&keyhubv1alpha1.KeyHubSecret{}).
Owns(&corev1.Secret{}).
Complete(r)
}