config: retain project.apiKeys secrets

Author: apetruhin

controller/clickhouse.go

@@ -13,6 +13,15 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
+func clickhousePasswordSecret(cr *corootv1.Coroot) *corev1.SecretKeySelector {
+	return &corev1.SecretKeySelector{
+		LocalObjectReference: corev1.LocalObjectReference{
+			Name: fmt.Sprintf("%s-clickhouse", cr.Name),
+		},
+		Key: "password",
+	}
+}
+
 func (r *CorootReconciler) clickhouseService(cr *corootv1.Coroot) *corev1.Service {
 	ls := Labels(cr, "clickhouse")
 	s := &corev1.Service{
@@ -204,9 +213,7 @@ func (r *CorootReconciler) clickhouseStatefulSets(cr *corootv1.Coroot) []*appsv1
 										FieldPath: "metadata.name",
 									},
 								}},
-								{Name: "CLICKHOUSE_PASSWORD", ValueFrom: &corev1.EnvVarSource{
-									SecretKeyRef: secretKeySelector(fmt.Sprintf("%s-clickhouse", cr.Name), "password"),
-								}},
+								{Name: "CLICKHOUSE_PASSWORD", ValueFrom: &corev1.EnvVarSource{SecretKeyRef: clickhousePasswordSecret(cr)}},
 							},
 							ReadinessProbe: &corev1.Probe{
 								ProbeHandler: corev1.ProbeHandler{

controller/controller.go

@@ -153,8 +153,8 @@ func (r *CorootReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 	}
 
 	if cr.Spec.ExternalClickhouse == nil {
-		r.CreateOrUpdateSecret(ctx, cr, "clickhouse", fmt.Sprintf("%s-clickhouse", cr.Name), "password", 16)
-
+		passwordSecret := clickhousePasswordSecret(cr)
+		r.CreateOrUpdateSecret(ctx, cr, passwordSecret.Name, []string{passwordSecret.Key}, 16, false)
 		r.CreateOrUpdateServiceAccount(ctx, cr, "clickhouse-keeper", sccNonroot)
 		r.CreateOrUpdateService(ctx, cr, r.clickhouseKeeperServiceHeadless(cr))
 		for _, pvc := range r.clickhouseKeeperPVCs(cr) {
@@ -230,28 +230,24 @@ func (r *CorootReconciler) GetSecret(ctx context.Context, cr *corootv1.Coroot, s
 	return string(data), nil
 }
 
-func (r *CorootReconciler) CreateOrUpdateSecret(ctx context.Context, cr *corootv1.Coroot, component, name, key string, length int) string {
-	s := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: cr.Namespace,
-			Labels:    Labels(cr, component),
-		},
+func (r *CorootReconciler) CreateOrUpdateSecret(ctx context.Context, cr *corootv1.Coroot, name string, keys []string, length int, retain bool) {
+	if len(keys) == 0 {
+		return
 	}
-	var data string
-	r.CreateOrUpdate(ctx, cr, s, false, false, func() error {
+	s := &corev1.Secret{}
+	s.Name = name
+	s.Namespace = cr.Namespace
+	r.CreateOrUpdate(ctx, cr, s, false, retain, func() error {
 		if s.Data == nil {
 			s.Data = map[string][]byte{}
 		}
-		if d, ok := s.Data[key]; ok {
-			data = string(d)
-		} else {
-			data = RandomString(length)
-			s.Data[key] = []byte(data)
+		for _, key := range keys {
+			if _, ok := s.Data[key]; !ok {
+				s.Data[key] = []byte(RandomString(length))
+			}
 		}
 		return nil
 	})
-	return data
 }
 
 func (r *CorootReconciler) CreateOrUpdateConfigMap(ctx context.Context, cr *corootv1.Coroot, cm *corev1.ConfigMap) {

controller/coroot.go

@@ -48,10 +48,11 @@ func (r *CorootReconciler) validateCoroot(ctx context.Context, cr *corootv1.Coro
 		}
 	}
 
+	apiKeySecrets := map[string][]string{}
 	for _, p := range cr.Spec.Projects {
 		for i, k := range p.ApiKeys {
 			if k.KeySecret != nil {
-				r.CreateOrUpdateSecret(ctx, cr, "coroot", k.KeySecret.Name, k.KeySecret.Key, 32)
+				apiKeySecrets[k.KeySecret.Name] = append(apiKeySecrets[k.KeySecret.Name], k.KeySecret.Key)
 				p.ApiKeys[i].Key = configEnvs.Add(k.KeySecret)
 				p.ApiKeys[i].KeySecret = nil
 			}
@@ -136,6 +137,10 @@ func (r *CorootReconciler) validateCoroot(ctx context.Context, cr *corootv1.Coro
 		}
 	}
 
+	for name, keys := range apiKeySecrets {
+		r.CreateOrUpdateSecret(ctx, cr, name, keys, 32, true)
+	}
+
 	if ee := cr.Spec.EnterpriseEdition; ee != nil {
 		if ee.LicenseKeySecret != nil {
 			if _, err = r.GetSecret(ctx, cr, ee.LicenseKeySecret); err != nil {
@@ -431,8 +436,7 @@ func (r *CorootReconciler) corootStatefulSet(cr *corootv1.Coroot, configEnvs Con
 				Value: fmt.Sprintf("%s-clickhouse.%s:9000", cr.Name, cr.Namespace),
 			},
 			corev1.EnvVar{Name: "GLOBAL_CLICKHOUSE_USER", Value: "default"},
-			corev1.EnvVar{Name: "GLOBAL_CLICKHOUSE_PASSWORD", ValueFrom: &corev1.EnvVarSource{
-				SecretKeyRef: secretKeySelector(fmt.Sprintf("%s-clickhouse", cr.Name), "password")}},
+			corev1.EnvVar{Name: "GLOBAL_CLICKHOUSE_PASSWORD", ValueFrom: &corev1.EnvVarSource{SecretKeyRef: clickhousePasswordSecret(cr)}},
 			corev1.EnvVar{Name: "GLOBAL_CLICKHOUSE_INITIAL_DATABASE", Value: "default"},
 		)
 	}

controller/utils.go

@@ -109,15 +109,6 @@ func envVarFromSecret(name string, secret *corev1.SecretKeySelector, plainTextVa
 	return corev1.EnvVar{Name: name, ValueFrom: &corev1.EnvVarSource{SecretKeyRef: secret}}
 }
 
-func secretKeySelector(name, key string) *corev1.SecretKeySelector {
-	return &corev1.SecretKeySelector{
-		LocalObjectReference: corev1.LocalObjectReference{
-			Name: name,
-		},
-		Key: key,
-	}
-}
-
 func ValidateSamlIdentityProviderMetadata(metadata string) error {
 	_, err := samlsp.ParseMetadata([]byte(metadata))
 	return err