Fix issue where sealed secrets status is not updated if sealed secret… (

#1295) Signed-off-by: Moritz Wirth <[email protected]>
bitnami-labs · Oct 16, 2023 · 82f84c1 · 82f84c1
1 parent 80400e4
commit 82f84c1
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 11 deletions.
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -412,20 +412,18 @@ func (c *Controller) updateSealedSecretStatus(ssecret *ssv1alpha1.SealedSecret,
 		ssecret.Status = &ssv1alpha1.SealedSecretStatus{}
 	}
 
-	// No need to update the status if we already have observed it from the
-	// current generation of the resource.
-	if ssecret.Status.ObservedGeneration == ssecret.ObjectMeta.Generation {
-		return nil
-	}
-
 	ssecret.Status.ObservedGeneration = ssecret.ObjectMeta.Generation
-	updateSealedSecretsStatusConditions(ssecret.Status, unsealError)
+	updatedRequired := updateSealedSecretsStatusConditions(ssecret.Status, unsealError)
+	if updatedRequired {
+		_, err := c.ssclient.SealedSecrets(ssecret.GetObjectMeta().GetNamespace()).UpdateStatus(context.Background(), ssecret, metav1.UpdateOptions{})
+		return err
+	}
 
-	_, err := c.ssclient.SealedSecrets(ssecret.GetObjectMeta().GetNamespace()).UpdateStatus(context.Background(), ssecret, metav1.UpdateOptions{})
-	return err
+	return nil
 }
 
-func updateSealedSecretsStatusConditions(st *ssv1alpha1.SealedSecretStatus, unsealError error) {
+func updateSealedSecretsStatusConditions(st *ssv1alpha1.SealedSecretStatus, unsealError error) bool {
+	var updateRequired bool
 	cond := func() *ssv1alpha1.SealedSecretCondition {
 		for i := range st.Conditions {
 			if st.Conditions[i].Type == ssv1alpha1.SealedSecretSynced {
@@ -446,11 +444,16 @@ func updateSealedSecretsStatusConditions(st *ssv1alpha1.SealedSecretStatus, unse
 		status = corev1.ConditionFalse
 		cond.Message = unsealError.Error()
 	}
-	cond.LastUpdateTime = metav1.Now()
+
+	// Status has changed, update the transition time and signal that an update is required
 	if cond.Status != status {
 		cond.LastTransitionTime = cond.LastUpdateTime
 		cond.Status = status
+		cond.LastUpdateTime = metav1.Now()
+		updateRequired = true
 	}
+
+	return updateRequired
 }
 
 func isAnnotatedToBeManaged(secret *corev1.Secret) bool {

diff --git a/pkg/controller/controller_test.go b/pkg/controller/controller_test.go
@@ -156,6 +156,53 @@ func TestSkipRecreateConfigDoesSkipIt(t *testing.T) {
 	}
 }
 
+func TestEmptyStatusSendsUpdate(t *testing.T) {
+	updateRequired := updateSealedSecretsStatusConditions(&ssv1alpha1.SealedSecretStatus{}, nil)
+
+	if !updateRequired {
+		t.Fatalf("expected status update, but no update was send")
+	}
+}
+
+func TestStatusUpdateSendsUpdate(t *testing.T) {
+	updateRequired := updateSealedSecretsStatusConditions(&ssv1alpha1.SealedSecretStatus{
+		Conditions: []ssv1alpha1.SealedSecretCondition{{
+			Status: "False",
+			Type:   ssv1alpha1.SealedSecretSynced,
+		}},
+	}, nil)
+
+	if !updateRequired {
+		t.Fatalf("expected status update, but no update was send")
+	}
+}
+
+func TestSameStatusNoUpdate(t *testing.T) {
+	updateRequired := updateSealedSecretsStatusConditions(&ssv1alpha1.SealedSecretStatus{
+		Conditions: []ssv1alpha1.SealedSecretCondition{{
+			Type:   ssv1alpha1.SealedSecretSynced,
+			Status: "False",
+		}},
+	}, errors.New("testerror"))
+
+	if updateRequired {
+		t.Fatalf("expected no status update, but update was send")
+	}
+}
+
+func TestSyncedSecretWithErrorSendsUpdate(t *testing.T) {
+	updateRequired := updateSealedSecretsStatusConditions(&ssv1alpha1.SealedSecretStatus{
+		Conditions: []ssv1alpha1.SealedSecretCondition{{
+			Type:   ssv1alpha1.SealedSecretSynced,
+			Status: "True",
+		}},
+	}, errors.New("testerror"))
+
+	if !updateRequired {
+		t.Fatalf("expected status update, but no update was send")
+	}
+}
+
 func testKeyRegister(t *testing.T, ctx context.Context, clientset kubernetes.Interface, ns string) *KeyRegistry {
 	t.Helper()