Support generating cert based TLS type secret #10
Conversation
RichardChen820
force-pushed
the
user/junbchen/secretTypeSupport
branch
2 times, most recently
from
f9f7474 to
8532b05
Compare
RichardChen820
force-pushed
the
user/junbchen/secretTypeSupport
branch
5 times, most recently
from
4c001fb to
0915f11
Compare
RichardChen820
force-pushed
the
user/junbchen/secretTypeSupport
branch
4 times, most recently
from
ae025e4 to
f8d590d
Compare
| // Reset the resource version if the configmap or secret was unexpected deleted | ||
| if existingConfigMap.Name == "" { | ||
| reconciler.ProvidersReconcileState[req.NamespacedName].ConfigMapResourceVersion = nil | ||
| } | ||
|
|
||
| if provider.Spec.Secret == nil || existingSecret.Name == "" { |
There was a problem hiding this comment.
when spec.secret != nil, it seems impossible that existingSecret.Name == "" because of the line 145 . And what if there're multiple k8s secrets existing in cluster and some of them are deleted?
There was a problem hiding this comment.
Good catch! It should be updated accordingly
| var secretType corev1.SecretType = corev1.SecretTypeOpaque | ||
| var err error | ||
| if secretTypeTag, ok := setting.Tags[PreservedSecretTypeTag]; ok { | ||
| secretType, err = parseSecretType(secretTypeTag) |
There was a problem hiding this comment.
parseSecretType looks like only supporting tls type? Can user set opaque type through tag?
There was a problem hiding this comment.
No, current I don't want to support it, if someone want an opaque secret, just don't set any tag
| if err != nil { | ||
| return nil, err | ||
| } | ||
| } else if csl.Spec.Secret == nil { |
There was a problem hiding this comment.
Does the else if statement mean Spec.Secret can be nil when secret type is tls? If so, it may miss credentials when create SecretReferenceResolver.
There was a problem hiding this comment.
Good catch, updated
| @@ -141,8 +141,8 @@ type ManagedIdentityReferenceParameters struct { | |||
| Key string `json:"key"` | |||
| } | |||
|
|
|||
| // AzureKeyVaultReference defines the authentication type used to Azure KeyVault resolve KeyVaultReference | |||
| type AzureKeyVaultReference struct { | |||
| // SecretReference defines the authentication type used to Azure KeyVault resolve KeyVaultReference | |||
There was a problem hiding this comment.
The description can be updated to match the latest usage. It contains more supported properties than auth.
| return true | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Is it possible that the loop of updating secret in createOrUpdateSecrets breaks early? ending up with a state that len(reconciler.ProvidersReconcileState[namespacedName].ExistingSecretReferences) == 0 is false and ExistingSecretReferences[name].SecretResourceVersion == secret.ResourceVersion is true for all existing secrets, but the ir lengths don't match the length of settings.SecretSettings hence needs reconcile.
There was a problem hiding this comment.
Updated. And moved this shouldReconcile() function to processor to make the detailed logic transparency to the controller.
|
|
||
| if parsedType, ok := secretTypeMap[secretType]; ok { | ||
| if parsedType != corev1.SecretTypeTLS { | ||
| return "", fmt.Errorf("secret type %q is not supported", secretType) |
There was a problem hiding this comment.
So we don't allow customers to specify secretType opaque via the preserved tag?
There was a problem hiding this comment.
The default Secret being generated is opaque. There's no reasonable circumstance to specify opaque as a preserved tag.
| secret[k] = v | ||
| } else if secret[k].Type != v.Type { | ||
| return fmt.Errorf("secret type mismatch for key %q", k) | ||
|
|
There was a problem hiding this comment.
nit: extra empty line
internal/controller/processor.go
Outdated
| RefreshOptions *RefreshOptions | ||
| ResolveSecretReference loader.ResolveSecretReference | ||
| ResolveSecretReference loader.SecretReferenceResolver |
There was a problem hiding this comment.
ResolveSecretReference can be renamed to SecretReferenceResolver
| return false | ||
| } | ||
|
|
||
| if len(processor.ReconciliationState.ExistingSecretReferences) == 0 || |
There was a problem hiding this comment.
We can generate ConfigMap with empty data, Secret as well. When will len(processor.ReconciliationState.ExistingSecretReferences) == 0 and need to reconcile?
There was a problem hiding this comment.
Consider this scenario:
In beginning, no secret-related setting being specified in the yaml. Then user updates the yaml to add Secret. In this case, len(processor.ReconciliationState.ExistingSecretReferences) == 0 and need to reconcile
There was a problem hiding this comment.
If user updates the yaml, it can be returned early in line245. Does this scenario happen when user updates the yaml after seeing error log? Also there's a scenario when user specified secret section in yaml but no key vault references in store, which may also make len(ExistingSecretReferences)==0
There was a problem hiding this comment.
Also there's a scenario when user specified secret section in yaml but no key vault references in store, which may also make len(ExistingSecretReferences)==0
No, as long as user specify the secret section, at least one secret will be generated even it's empty.
There was a problem hiding this comment.
If user updates the yaml, it can be returned early in line245.
Right, but len(processor.ReconciliationState.ExistingSecretReferences) == 0 is an unexpected scenario, once it happens means something was wrong(may be just because the reconciliation never succeeded)
| default: | ||
| err = fmt.Errorf("failed to get certificate, unknown content type '%s'", *resolvedSecret.ContentType) | ||
| } | ||
| } else { |
There was a problem hiding this comment.
if the else statement deals with the situation when key vault reference is not backing certificate but with tls tag?
There was a problem hiding this comment.
I was looking into this part as well, no need to have the if..else.. block, just need to check the contentType and take relevant action.
RichardChen820
force-pushed
the
user/junbchen/secretTypeSupport
branch
3 times, most recently
from
339d54c to
75317f8
Compare
RichardChen820
force-pushed
the
user/junbchen/secretTypeSupport
branch
from
a5b98c2 to
ef366bf
Compare
* Support generating cert based TLS type secret * Resolve comments * Resolve comments * Rename to SecretReferenceResolver * Add more test cases
Support generating cert-based TLS type secret