Refresh secret when data change

internal/controller/appconfigurationprovider_controller.go

@@ -269,15 +269,15 @@ func (reconciler *AzureAppConfigurationProviderReconciler) Reconcile(ctx context
 			}
 		}
 
-		result, err := reconciler.createOrUpdateSecrets(ctx, provider, processor.Settings)
+		result, err := reconciler.createOrUpdateSecrets(ctx, provider, processor)
 		if err != nil {
 			return result, nil
 		}
 	}
 
 	// Expel the secrets which are no longer selected by the provider.
 	if provider.Spec.Secret == nil || processor.RefreshOptions.SecretSettingPopulated {
-		result, err := reconciler.expelRemovedSecrets(ctx, provider, existingSecrets, processor.ReconciliationState.ExistingSecretReferences)
+		result, err := reconciler.expelRemovedSecrets(ctx, provider, existingSecrets, processor.Settings.SecretReferences)
 		if err != nil {
 			return result, nil
 		}
@@ -411,8 +411,8 @@ func (reconciler *AzureAppConfigurationProviderReconciler) createOrUpdateConfigM
 func (reconciler *AzureAppConfigurationProviderReconciler) createOrUpdateSecrets(
 	ctx context.Context,
 	provider *acpv1.AzureAppConfigurationProvider,
-	settings *loader.TargetKeyValueSettings) (reconcile.Result, error) {
-	if len(settings.SecretSettings) == 0 {
+	processor *AppConfigurationProviderProcessor) (reconcile.Result, error) {
+	if len(processor.Settings.SecretSettings) == 0 {
 		klog.V(3).Info("No secret settings are fetched from Azure AppConfiguration")
 	}
 
@@ -425,36 +425,41 @@ func (reconciler *AzureAppConfigurationProviderReconciler) createOrUpdateSecrets
 		Namespace: provider.Namespace,
 	}
 
-	for secretName, secret := range settings.SecretSettings {
-		secretObj := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      secretName,
-				Namespace: provider.Namespace,
-			},
-			Type: secret.Type,
-		}
+	secretToUpdate := checkAndUpdateSecretRef(reconciler.ProvidersReconcileState[namespacedName].ExistingSecretReferences, processor.Settings.SecretReferences, processor.ShouldReconcile)
+	for secretName, secret := range processor.Settings.SecretSettings {
+		if _, ok := secretToUpdate[secretName]; ok {
+			secretObj := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      secretName,
+					Namespace: provider.Namespace,
+				},
+				Type: secret.Type,
+			}
 
-		// Important: set the ownership of secret
-		if err := controllerutil.SetControllerReference(provider, secretObj, reconciler.Scheme); err != nil {
-			reconciler.logAndSetFailStatus(provider, err)
-			return reconcile.Result{Requeue: true, RequeueAfter: RequeueReconcileAfter}, err
-		}
+			// Important: set the ownership of secret
+			if err := controllerutil.SetControllerReference(provider, secretObj, reconciler.Scheme); err != nil {
+				reconciler.logAndSetFailStatus(provider, err)
+				return reconcile.Result{Requeue: true, RequeueAfter: RequeueReconcileAfter}, err
+			}
 
-		provider.Annotations[LastReconcileTimeAnnotation] = metav1.Now().UTC().String()
-		operationResult, err := ctrl.CreateOrUpdate(ctx, reconciler.Client, secretObj, func() error {
-			secretObj.Data = secret.Data
-			secretObj.Labels = provider.Labels
-			secretObj.Annotations = provider.Annotations
+			provider.Annotations[LastReconcileTimeAnnotation] = metav1.Now().UTC().String()
+			operationResult, err := ctrl.CreateOrUpdate(ctx, reconciler.Client, secretObj, func() error {
+				secretObj.Data = secret.Data
+				secretObj.Labels = provider.Labels
+				secretObj.Annotations = provider.Annotations
 
-			return nil
-		})
-		if err != nil {
-			reconciler.logAndSetFailStatus(provider, err)
-			return reconcile.Result{Requeue: true, RequeueAfter: RequeueReconcileAfter}, err
-		}
+				return nil
+			})
+			if err != nil {
+				reconciler.logAndSetFailStatus(provider, err)
+				return reconcile.Result{Requeue: true, RequeueAfter: RequeueReconcileAfter}, err
+			}
 
-		reconciler.ProvidersReconcileState[namespacedName].ExistingSecretReferences[secretObj.Name].SecretResourceVersion = secretObj.ResourceVersion
-		klog.V(5).Infof("Secret %q in %q namespace is %s", secretObj.Name, secretObj.Namespace, string(operationResult))
+			processor.Settings.SecretReferences[secretName].SecretResourceVersion = secretObj.ResourceVersion
+			klog.V(5).Infof("Secret %q in %q namespace is %s", secretObj.Name, secretObj.Namespace, string(operationResult))
+		} else {
+			klog.V(5).Infof("Skip updating the secret %q in %q namespace since its data is up-to-date", secretName, provider.Namespace)
+		}
 	}
 
 	return reconcile.Result{}, nil

internal/controller/appconfigurationprovider_controller_test.go

@@ -173,11 +173,11 @@ var _ = Describe("AppConfiguationProvider controller", func() {
 				SecretReferences: map[string]*loader.TargetSecretReference{
 					secretName: {
 						Type:        corev1.SecretTypeTLS,
-						UriSegments: make(map[string]loader.KeyVaultSecretUriSegment),
+						UriSegments: make(map[string]loader.KeyVaultSecretMetadata),
 					},
 					secretName2: {
 						Type:        corev1.SecretTypeOpaque,
-						UriSegments: make(map[string]loader.KeyVaultSecretUriSegment),
+						UriSegments: make(map[string]loader.KeyVaultSecretMetadata),
 					},
 				},
 			}
@@ -266,7 +266,7 @@ var _ = Describe("AppConfiguationProvider controller", func() {
 				SecretReferences: map[string]*loader.TargetSecretReference{
 					secretName: {
 						Type:        corev1.SecretType("Opaque"),
-						UriSegments: make(map[string]loader.KeyVaultSecretUriSegment),
+						UriSegments: make(map[string]loader.KeyVaultSecretMetadata),
 					},
 				},
 			}
@@ -609,7 +609,7 @@ var _ = Describe("AppConfiguationProvider controller", func() {
 			_ = k8sClient.Delete(ctx, configProvider)
 		})
 
-		It("Should refresh secret", func() {
+		It("Should refresh secret when data change", func() {
 			By("By enabling refresh on secret")
 			configMapResult := make(map[string]string)
 			configMapResult["testKey"] = "testValue"
@@ -622,6 +622,11 @@ var _ = Describe("AppConfiguationProvider controller", func() {
 			secretResult["testSecretKey3"] = []byte("testSecretValue3")
 
 			secretName := "secret-to-be-refreshed-3"
+			secretMetadata := make(map[string]loader.KeyVaultSecretMetadata)
+			secretMetadata["testSecretKey2"] = loader.KeyVaultSecretMetadata{
+				HostName: "fakeHostName",
+			}
+
 			allSettings := &loader.TargetKeyValueSettings{
 				SecretSettings: map[string]corev1.Secret{
 					secretName: {
@@ -633,7 +638,7 @@ var _ = Describe("AppConfiguationProvider controller", func() {
 				SecretReferences: map[string]*loader.TargetSecretReference{
 					secretName: {
 						Type:        corev1.SecretType("Opaque"),
-						UriSegments: make(map[string]loader.KeyVaultSecretUriSegment),
+						UriSegments: secretMetadata,
 					},
 				},
 			}
@@ -713,7 +718,37 @@ var _ = Describe("AppConfiguationProvider controller", func() {
 				},
 			}
 
-			mockConfigurationSettings.EXPECT().ResolveSecretReferences(gomock.Any(), gomock.Any(), gomock.Any()).Return(newResolvedSecret, nil)
+			newSecretMetadata := make(map[string]loader.KeyVaultSecretMetadata)
+			newSecretMetadata["testSecretKey"] = loader.KeyVaultSecretMetadata{
+				HostName: "fakeHostName",
+			}
+			mockedSecretReference := make(map[string]*loader.TargetSecretReference)
+			mockedSecretReference[secretName] = &loader.TargetSecretReference{
+				Type:        corev1.SecretType("Opaque"),
+				UriSegments: newSecretMetadata,
+			}
+
+			newTargetSettings := &loader.TargetKeyValueSettings{
+				SecretSettings:   newResolvedSecret,
+				SecretReferences: mockedSecretReference,
+			}
+
+			mockConfigurationSettings.EXPECT().ResolveSecretReferences(gomock.Any(), gomock.Any(), gomock.Any()).Return(newTargetSettings, nil)
+			// Refresh interval is 1 minute, wait for 65 seconds to make sure the refresh is triggered
+			time.Sleep(65 * time.Second)
+
+			Eventually(func() bool {
+				err := k8sClient.Get(ctx, secretLookupKey, secret)
+				return err == nil
+			}, timeout, interval).Should(BeTrue())
+
+			Expect(secret.Namespace).Should(Equal(ProviderNamespace))
+			Expect(string(secret.Data["testSecretKey"])).Should(Equal("newTestSecretValue"))
+			Expect(string(secret.Data["testSecretKey2"])).Should(Equal("newTestSecretValue2"))
+			Expect(string(secret.Data["testSecretKey3"])).Should(Equal("newTestSecretValue3"))
+			Expect(secret.Type).Should(Equal(corev1.SecretType("Opaque")))
+
+			mockConfigurationSettings.EXPECT().ResolveSecretReferences(gomock.Any(), gomock.Any(), gomock.Any()).Return(newTargetSettings, nil)
 			// Refresh interval is 1 minute, wait for 65 seconds to make sure the refresh is triggered
 			time.Sleep(65 * time.Second)
 
@@ -728,6 +763,7 @@ var _ = Describe("AppConfiguationProvider controller", func() {
 			Expect(string(secret.Data["testSecretKey3"])).Should(Equal("newTestSecretValue3"))
 			Expect(secret.Type).Should(Equal(corev1.SecretType("Opaque")))
 		})
+
 	})
 
 	Context("Verify exist non escaped value in label", func() {

internal/controller/processor.go

@@ -70,7 +70,6 @@ func (processor *AppConfigurationProviderProcessor) processFullReconciliation()
 		return err
 	}
 	processor.Settings = updatedSettings
-	processor.ReconciliationState.ExistingSecretReferences = updatedSettings.SecretReferences
 	processor.RefreshOptions.ConfigMapSettingPopulated = true
 	if processor.Provider.Spec.Secret != nil {
 		processor.RefreshOptions.SecretSettingPopulated = true
@@ -160,7 +159,6 @@ func (processor *AppConfigurationProviderProcessor) processKeyValueRefresh(exist
 	}
 
 	processor.Settings = keyValueRefreshedSettings
-	reconcileState.ExistingSecretReferences = keyValueRefreshedSettings.SecretReferences
 	processor.RefreshOptions.ConfigMapSettingPopulated = true
 	if processor.Provider.Spec.Secret != nil {
 		processor.RefreshOptions.SecretSettingPopulated = true
@@ -201,17 +199,26 @@ func (processor *AppConfigurationProviderProcessor) processSecretReferenceRefres
 
 	// Only resolve the secret references that not specified the secret version
 	secretReferencesToSolve := make(map[string]*loader.TargetSecretReference)
+	cachedSecretReferences := make(map[string]*loader.TargetSecretReference)
 	for secretName, reference := range reconcileState.ExistingSecretReferences {
 		for key, uriSegment := range reference.UriSegments {
 			if uriSegment.SecretVersion == "" {
 				if secretReferencesToSolve[secretName] == nil {
 					secretReferencesToSolve[secretName] = &loader.TargetSecretReference{
 						Type:        reference.Type,
-						UriSegments: make(map[string]loader.KeyVaultSecretUriSegment),
+						UriSegments: make(map[string]loader.KeyVaultSecretMetadata),
 					}
 				}
 				secretReferencesToSolve[secretName].UriSegments[key] = uriSegment
 			}
+
+			if cachedSecretReferences[secretName] == nil {
+				cachedSecretReferences[secretName] = &loader.TargetSecretReference{
+					Type:        reference.Type,
+					UriSegments: make(map[string]loader.KeyVaultSecretMetadata),
+				}
+			}
+			cachedSecretReferences[secretName].UriSegments[key] = uriSegment
 		}
 	}
 
@@ -220,13 +227,19 @@ func (processor *AppConfigurationProviderProcessor) processSecretReferenceRefres
 		return err
 	}
 
-	for secretName, resolvedSecret := range resolvedSecrets {
+	for secretName, resolvedSecret := range resolvedSecrets.SecretSettings {
 		existingSecret, ok := existingSecrets[secretName]
 		if ok {
 			maps.Copy(existingSecret.Data, resolvedSecret.Data)
 		}
 	}
+
+	for secretName, reference := range resolvedSecrets.SecretReferences {
+		maps.Copy(cachedSecretReferences[secretName].UriSegments, reference.UriSegments)
+	}
+
 	processor.Settings.SecretSettings = existingSecrets
+	processor.Settings.SecretReferences = cachedSecretReferences
 	processor.RefreshOptions.SecretSettingPopulated = true
 
 	// Update next refresh time only if settings updated successfully
@@ -270,6 +283,9 @@ func (processor *AppConfigurationProviderProcessor) shouldReconcile(
 
 func (processor *AppConfigurationProviderProcessor) Finish() (ctrl.Result, error) {
 	processor.ReconciliationState.Generation = processor.Provider.Generation
+	if processor.RefreshOptions.SecretSettingPopulated {
+		processor.ReconciliationState.ExistingSecretReferences = processor.Settings.SecretReferences
+	}
 	if !processor.RefreshOptions.secretReferenceRefreshEnabled &&
 		!processor.RefreshOptions.sentinelBasedRefreshEnabled &&
 		!processor.RefreshOptions.featureFlagRefreshEnabled {

internal/controller/utils.go

@@ -302,3 +302,41 @@ func verifySelectorObject(selector acpv1.Selector) error {
 
 	return nil
 }
+
+func checkAndUpdateSecretRef(existingSecretReferences map[string]*loader.TargetSecretReference, latestSecretReferences map[string]*loader.TargetSecretReference, shouldReconcile bool) map[string]bool {
+	secretUpdateNeeded := make(map[string]bool)
+	if shouldReconcile {
+		for secretName := range latestSecretReferences {
+			secretUpdateNeeded[secretName] = true
+		}
+		return secretUpdateNeeded
+	}
+
+	for secretName, secretReference := range latestSecretReferences {
+		if _, ok := existingSecretReferences[secretName]; !ok {
+			secretUpdateNeeded[secretName] = true
+			continue
+		} else {
+			latestSecretReferences[secretName].SecretResourceVersion = existingSecretReferences[secretName].SecretResourceVersion
+		}
+
+		if len(existingSecretReferences[secretName].UriSegments) != len(secretReference.UriSegments) {
+			secretUpdateNeeded[secretName] = true
+			continue
+		}
+
+		for key, uriSegment := range secretReference.UriSegments {
+			if _, ok := existingSecretReferences[secretName].UriSegments[key]; !ok {
+				secretUpdateNeeded[secretName] = true
+				break
+			}
+			if existingSecretReferences[secretName].UriSegments[key].SecretId != nil && uriSegment.SecretId != nil &&
+				*(existingSecretReferences[secretName].UriSegments[key].SecretId) != *(uriSegment.SecretId) {
+				secretUpdateNeeded[secretName] = true
+				break
+			}
+		}
+	}
+
+	return secretUpdateNeeded
+}