Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add method too ensure single secret #507

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add method too ensure single secret #507

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions modules/common/secret/secret.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"strings"
"time"

"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/env"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
Expand Down Expand Up @@ -445,3 +446,74 @@ func VerifySecret(

return hash, ctrl.Result{}, nil
}

type ConditionUpdater interface {
Set(c *condition.Condition)
MarkTrue(t condition.Type, messageFormat string, messageArgs ...interface{})
}

// ensureSecret - ensures that the Secret object exists and the expected fields
// are in the Secret. It returns a hash of the values of the expected fields.
func EnsureSecret(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thats the same functionality what VerifySecret provide, no? check secret exist, contains expected fields and return the hash. it is just the condition handling which it provides, which I think could be done in the caller.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the main difference between EnsureSecret and VerifySecret is that we return secret to not make multiple gets

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another difference is that EnsureSecret is setting the InputReady condition. I'm wondering if we could pull out the common code to a private function to avoid the duplication and keep this two public methods for now. Later on we can move all the callers of VerifySecret to EnsureSecret and remove VerifySecret but that requires individual changes in each caller due to the signature change.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right missed the return of the secret. setting the condition is a big difference from what is usually done in all the other current lib-common code. from a quick grep, only the ReconcileRbac is setting conditions within the lib-common code (except of the conditions handling stuff itself). Is this a direction we want to move to? I am not sure. Right now the caller is setting the condition depending on the shared function return. if we keep the condition handling in the caller, VerifySecret only misses to return the secret, which we could add, or add a new func to deprecate the current one if we want to name it EnsureSecret.

If we want to also go with condition handling in lib-common funcs, I think the ConditionUpdater should not be part of the secret pkg, it should be in condition.

ctx context.Context,
secretName types.NamespacedName,
expectedFields []string,
reader client.Reader,
conditionUpdater ConditionUpdater,
requeueTimeout time.Duration,
) (string, ctrl.Result, corev1.Secret, error) {
secret := &corev1.Secret{}
err := reader.Get(ctx, secretName, secret)
if err != nil {
if k8s_errors.IsNotFound(err) {
conditionUpdater.Set(condition.FalseCondition(
condition.InputReadyCondition,
condition.RequestedReason,
condition.SeverityInfo,
fmt.Sprintf("Input data resources missing: %s", "secret/"+secretName.Name)))
return "",
ctrl.Result{RequeueAfter: requeueTimeout},
*secret,
fmt.Errorf("secret %s not found", secretName)
}
conditionUpdater.Set(condition.FalseCondition(
condition.InputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.InputReadyErrorMessage,
err.Error()))
return "", ctrl.Result{}, *secret, err
}

// collect the secret values the caller expects to exist
values := [][]byte{}
for _, field := range expectedFields {
val, ok := secret.Data[field]
if !ok {
err := fmt.Errorf("field '%s' not found in secret/%s", field, secretName.Name)
conditionUpdater.Set(condition.FalseCondition(
condition.InputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.InputReadyErrorMessage,
err.Error()))
return "", ctrl.Result{}, *secret, err
}
values = append(values, val)
}

// TODO(gibi): Do we need to watch the Secret for changes?

hash, err := util.ObjectHash(values)
if err != nil {
conditionUpdater.Set(condition.FalseCondition(
condition.InputReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.InputReadyErrorMessage,
err.Error()))
return "", ctrl.Result{}, *secret, err
}

return hash, ctrl.Result{}, *secret, nil
}
Loading