Open
Description
As of the current version, the user controller lists every secret in a namespace to find the one secret matching an S3User, which is fairly inefficient:
s3-operator/controllers/user_controller.go
Lines 408 to 438 in 57a7f12
```go
err := r.List(ctx, secretsList, client.InNamespace(userResource.Namespace))
if err != nil {
	logger.Error(err, "An error occurred while listing the secrets in user's namespace")
	return userSecret, fmt.Errorf("SecretListingFailed")
}

if len(secretsList.Items) == 0 {
	logger.Info("The user's namespace doesn't appear to contain any secret")
	return userSecret, nil
}
// In all the secrets inside the S3User's namespace, one should have an owner reference
// pointing to the S3User. For that specific secret, we check if its name matches the one from
// the S3User, whether explicit (userResource.Spec.SecretName) or implicit (userResource.Name)
// In case of mismatch, that secret is deleted (and will be recreated) ; if there is a match,
// it will be used for state comparison.

uid := userResource.GetUID()

// cmp.Or takes the first non "zero" value, see https://pkg.go.dev/cmp#Or
effectiveS3UserSecretName := cmp.Or(userResource.Spec.SecretName, userResource.Name)
for _, secret := range secretsList.Items {
	for _, ref := range secret.OwnerReferences {
		if ref.UID == uid {
			if secret.Name != effectiveS3UserSecretName {
				return secret, fmt.Errorf("S3UserSecretNameMismatch")
			} else {
				userSecret = secret
				break
			}
		}
	}
}
```
This could benefit from a dedicated label added to the secret when it's created. This is not difficult in itself, but requires some thought regarding pre-existing secrets (as in: Should the operator reconcile secrets to add labels? Should this be managed with a small one-shot script to add the label to every S3User secret?)
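A sketch of the "reconcile to add labels" option raised above, as an added example that is not part of the issue or of s3-operator's code. It uses a standard-library stand-in for the secret metadata; the `Secret` type, the label key `example.invalid/s3user-uid` and `FindUserSecret` are hypothetical names.

```go
package main

import (
	"fmt"
	"slices"
)

// ownerLabel is a hypothetical label key; the issue does not name one.
const ownerLabel = "example.invalid/s3user-uid"

// Secret is a minimal stand-in for the metadata of a corev1.Secret.
type Secret struct {
	Name      string
	Labels    map[string]string
	OwnerUIDs []string // UIDs from metadata.ownerReferences
}

// FindUserSecret looks the secret up by label first, then falls back to the
// owner-reference scan for secrets created before the label existed. In that
// case it sets the label and reports it so the caller can persist the change.
func FindUserSecret(secrets []Secret, uid string) (found *Secret, backfilled bool) {
	// Fast path. In the operator this would be a label-selector List
	// (client.MatchingLabels in controller-runtime) instead of a full listing.
	for i := range secrets {
		s := &secrets[i]
		// The label only narrows the search; the owner reference stays the
		// check the current code relies on.
		if s.Labels[ownerLabel] == uid && slices.Contains(s.OwnerUIDs, uid) {
			return s, false
		}
	}
	// Migration path: pre-existing secret without the label.
	for i := range secrets {
		s := &secrets[i]
		if slices.Contains(s.OwnerUIDs, uid) {
			if s.Labels == nil {
				s.Labels = map[string]string{}
			}
			s.Labels[ownerLabel] = uid // a Kubernetes UID is a valid label value
			return s, true
		}
	}
	return nil, false
}

func main() {
	// Constructed sample data.
	secrets := []Secret{{Name: "other"}, {Name: "alice", OwnerUIDs: []string{"uid-1"}}}
	s, backfilled := FindUserSecret(secrets, "uid-1")
	fmt.Println(s.Name, backfilled)
}
```

With this shape the full namespace listing is only needed while unlabelled secrets remain; once every S3User secret has been reconciled once, the fallback can be dropped.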