merge of main branch

Author: Eneman Donatien

Makefile

@@ -229,10 +229,22 @@ spec:
   # Content of the policy, as a multiline string 
   # This should be IAM compliant JSON - follow the guidelines of the actual
   # S3 provider you're using, as sometimes only a subset is available.
+     The first Statement (Allow ListBucket) should be applied to every user,
+  # as s3-operator uses this call to verify that credentials are valid when
+  # reconciling an existing user.
   policyContent: >-
     {
       "Version": "2012-10-17",
       "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "s3:ListBucket"
+        ],
+        "Resource": [
+          "arn:aws:s3:::*"
+        ]
+      },
       {
         "Effect": "Allow",
         "Action": [

README.md

@@ -45,6 +45,20 @@ type S3UserSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=127
 	S3InstanceRef string `json:"s3InstanceRef,omitempty"`
+
+	// SecretFieldNameAccessKey associated to the S3User
+	// Allow overridden the default key to store the accessKey value in the secret
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Type="string"
+	// +kubebuilder:default="accessKey"
+	SecretFieldNameAccessKey string `json:"secretFieldNameAccessKey,omitempty"`
+
+	// SecretFieldNameSecretKey associated to the S3User
+	// Allow overridden the default key to store the secretKey value in the secret
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Type="string"
+	// +kubebuilder:default="secretKey"
+	SecretFieldNameSecretKey string `json:"secretFieldNameSecretKey,omitempty"`
 }
 
 // S3UserStatus defines the observed state of S3User

api/v1alpha1/s3user_types.go

@@ -57,6 +57,18 @@ spec:
                 x-kubernetes-validations:
                 - message: s3InstanceRef is immutable
                   rule: self == oldSelf
+              secretFieldNameAccessKey:
+                default: accessKey
+                description: |-
+                  SecretFieldNameAccessKey associated to the S3User
+                  Allow overridden the default key to store the accessKey value in the secret
+                type: string
+              secretFieldNameSecretKey:
+                default: secretKey
+                description: |-
+                  SecretFieldNameSecretKey associated to the S3User
+                  Allow overridden the default key to store the secretKey value in the secret
+                type: string
               secretName:
                 description: SecretName associated to the S3User
                 type: string

config/crd/bases/s3.onyxia.sh_s3users.yaml

@@ -78,6 +78,46 @@ func (r *S3UserReconciler) handleDeletion(
 			)
 		}
 
+		err := r.deleteOldLinkedSecret(ctx, userResource)
+		if err != nil {
+			logger.Error(
+				err,
+				"An error occurred when trying to clean old secret linked to user",
+				"userResourceName",
+				userResource.Name,
+				"NamespacedName",
+				req.NamespacedName.String(),
+			)
+			return r.SetReconciledCondition(
+				ctx,
+				req,
+				userResource,
+				s3v1alpha1.DeletionFailure,
+				"Deletion of old secret associated to user have failed",
+				err,
+			)
+		}
+
+		userOwnedSecret, _ := r.getUserSecret(ctx, userResource)
+		if err := r.deleteSecret(ctx, &userOwnedSecret); err != nil {
+			logger.Error(
+				err,
+				"An error occurred when trying to clean secret linked to user",
+				"userResourceName",
+				userResource.Name,
+				"NamespacedName",
+				req.NamespacedName.String(),
+			)
+			return r.SetReconciledCondition(
+				ctx,
+				req,
+				userResource,
+				s3v1alpha1.DeletionFailure,
+				"Deletion of secret associated to user have failed",
+				err,
+			)
+		}
+
 		//Remove userFinalizer. Once all finalizers have been removed, the object will be deleted.
 		if ok := controllerutil.RemoveFinalizer(userResource, userFinalizer); !ok {
 			logger.Info(
@@ -94,7 +134,7 @@ func (r *S3UserReconciler) handleDeletion(
 		// calling r.Update() for adding/removal of finalizer is not necessary (an update event is generated
 		// with the call to AddFinalizer/RemoveFinalizer), and worse, causes "freshness" problem (with the
 		// "the object has been modified; please apply your changes to the latest version and try again" error)
-		err := r.Update(ctx, userResource)
+		err = r.Update(ctx, userResource)
 		if err != nil {
 			logger.Error(
 				err,

internal/controller/user/finalizer.go

@@ -36,10 +36,12 @@ func TestHandleDelete(t *testing.T) {
 			UID:        "6c8dceca-f7df-469d-80a5-1afed9e4d710",
 		},
 		Spec: s3v1alpha1.S3UserSpec{
-			AccessKey:     "existing-valid-user",
-			Policies:      []string{"admin"},
-			SecretName:    "existing-valid-user-credentials",
-			S3InstanceRef: "s3-operator/default",
+			AccessKey:                "existing-valid-user",
+			Policies:                 []string{"admin"},
+			SecretName:               "existing-valid-user-credentials",
+			S3InstanceRef:            "s3-operator/default",
+			SecretFieldNameAccessKey: "accessKey",
+			SecretFieldNameSecretKey: "secretKey",
 		},
 	}
 

internal/controller/user/finalizer_test.go

@@ -247,6 +247,26 @@ func (r *S3UserReconciler) handleUpdate(
 		)
 	}
 
+	err = r.deleteOldLinkedSecret(ctx, userResource)
+	if err != nil {
+		logger.Error(
+			err,
+			"An error occurred when trying to clean old secret linked to user",
+			"userResourceName",
+			userResource.Name,
+			"NamespacedName",
+			req.NamespacedName.String(),
+		)
+		return r.SetReconciledCondition(
+			ctx,
+			req,
+			userResource,
+			s3v1alpha1.Unreachable,
+			"Deletion of old secret associated to user have failed",
+			err,
+		)
+	}
+
 	userOwnedSecret, err := r.getUserSecret(ctx, userResource)
 	if err != nil {
 		if err.Error() == "SecretListingFailed" {
@@ -359,82 +379,6 @@ func (r *S3UserReconciler) handleUpdate(
 		return r.handleCreate(ctx, req, userResource)
 	}
 
-	credentialsValid, err := s3Client.CheckUserCredentialsValid(
-		userResource.Name,
-		string(userOwnedSecret.Data["accessKey"]),
-		string(userOwnedSecret.Data["secretKey"]),
-	)
-	if err != nil {
-		logger.Error(
-			err,
-			"An error occurred when checking if user credentials were valid",
-			"userResource",
-			userResource.Name,
-			"NamespacedName",
-			req.NamespacedName.String(),
-		)
-		return r.SetReconciledCondition(
-			ctx,
-			req,
-			userResource,
-			s3v1alpha1.Unreachable,
-			"Checking credentials on S3 server has failed",
-			err,
-		)
-	}
-
-	if !credentialsValid {
-		logger.Info(
-			"The secret containing the credentials will be deleted, and the user will be deleted from the S3 backend, then recreated (through another reconcile)",
-			"userResource",
-			userResource.Name,
-			"NamespacedName",
-			req.NamespacedName.String(),
-		)
-		err = r.deleteSecret(ctx, &userOwnedSecret)
-		if err != nil {
-			logger.Error(err, "Deletion of secret associated to user have failed", "userResource",
-				userResource.Name,
-				"userResourceName",
-				userResource.Name,
-				"NamespacedName",
-				req.NamespacedName.String())
-			return r.SetReconciledCondition(
-				ctx,
-				req,
-				userResource,
-				s3v1alpha1.Unreachable,
-				"Deletion of secret associated to user have failed",
-				err,
-			)
-
-		}
-		err = s3Client.DeleteUser(userResource.Spec.AccessKey)
-		if err != nil {
-			logger.Error(err, "Could not delete user on S3 server", "userResource",
-				userResource.Name,
-				"userResourceName",
-				userResource.Name,
-				"NamespacedName",
-				req.NamespacedName.String())
-			return r.SetReconciledCondition(
-				ctx,
-				req,
-				userResource,
-				s3v1alpha1.Unreachable,
-				fmt.Sprintf(
-					"Deletion of S3user %s on S3 server has failed",
-					userResource.Name,
-				),
-				err,
-			)
-
-		}
-		return r.handleCreate(ctx, req, userResource)
-	}
-
-	// --- End Secret management section
-
 	logger.Info("Checking user policies", "userResource",
 		userResource.Name,
 		"NamespacedName",
@@ -531,28 +475,88 @@ func (r *S3UserReconciler) handleUpdate(
 		}
 	}
 
-	logger.Info("User was reconciled without error",
-		"userResource",
+	credentialsValid, err := s3Client.CheckUserCredentialsValid(
 		userResource.Name,
-		"NamespacedName",
-		req.NamespacedName.String(),
+		string(userOwnedSecret.Data[userResource.Spec.SecretFieldNameAccessKey]),
+		string(userOwnedSecret.Data[userResource.Spec.SecretFieldNameSecretKey]),
 	)
 
-	// Re-fetch the S3User to ensure we have the latest state after updating the secret
-	// This is necessary at least when creating a user with secretName targetting a pre-existing secret
-	// that has proper form (data.accessKey and data.secretKey) but isn't owned by any other s3user
-	if err := r.Get(ctx, req.NamespacedName, userResource); err != nil {
+	if err != nil {
 		logger.Error(
 			err,
-			"Failed to re-fetch userResource",
-			"userResourceName",
+			"An error occurred when checking if user credentials were valid",
+			"userResource",
 			userResource.Name,
 			"NamespacedName",
 			req.NamespacedName.String(),
 		)
-		return ctrl.Result{}, err
+		return r.SetReconciledCondition(
+			ctx,
+			req,
+			userResource,
+			s3v1alpha1.Unreachable,
+			"Checking credentials on S3 server has failed",
+			err,
+		)
+	}
+
+	if !credentialsValid {
+		logger.Info(
+			"The secret containing the credentials will be deleted, and the user will be deleted from the S3 backend, then recreated (through another reconcile)",
+			"userResource",
+			userResource.Name,
+			"NamespacedName",
+			req.NamespacedName.String(),
+		)
+		err = r.deleteSecret(ctx, &userOwnedSecret)
+		if err != nil {
+			logger.Error(err, "Deletion of secret associated to user have failed", "userResource",
+				userResource.Name,
+				"userResourceName",
+				userResource.Name,
+				"NamespacedName",
+				req.NamespacedName.String())
+			return r.SetReconciledCondition(
+				ctx,
+				req,
+				userResource,
+				s3v1alpha1.Unreachable,
+				"Deletion of secret associated to user have failed",
+				err,
+			)
+
+		}
+		err = s3Client.DeleteUser(userResource.Spec.AccessKey)
+		if err != nil {
+			logger.Error(err, "Could not delete user on S3 server", "userResource",
+				userResource.Name,
+				"userResourceName",
+				userResource.Name,
+				"NamespacedName",
+				req.NamespacedName.String())
+			return r.SetReconciledCondition(
+				ctx,
+				req,
+				userResource,
+				s3v1alpha1.Unreachable,
+				fmt.Sprintf(
+					"Deletion of S3user %s on S3 server has failed",
+					userResource.Name,
+				),
+				err,
+			)
+
+		}
+		return r.handleCreate(ctx, req, userResource)
 	}
 
+	logger.Info("User was reconciled without error",
+		"userResource",
+		userResource.Name,
+		"NamespacedName",
+		req.NamespacedName.String(),
+	)
+
 	return r.SetReconciledCondition(
 		ctx,
 		req,
@@ -617,9 +621,8 @@ func (r *S3UserReconciler) handleCreate(
 		ctx,
 		userResource,
 		map[string][]byte{
-			"accessKey": []byte(userResource.Spec.AccessKey),
-			"secretKey": []byte(secretKey),
-		},
+			userResource.Spec.SecretFieldNameAccessKey: []byte(userResource.Spec.AccessKey),
+			userResource.Spec.SecretFieldNameSecretKey: []byte(secretKey)},
 	)
 	if err != nil {
 		// Error while creating the Kubernetes secret - requeue the request.