Allow the ignored Secret types to be configured by the Helm chart values

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj

deploy/charts/venafi-kubernetes-agent/templates/configmap.yaml

@@ -89,6 +89,12 @@ data:
         resource-type:
           version: v1
           resource: secrets
+        {{- with .Values.config.ignoredSecretTypes }}
+        field-selectors:
+        {{- range . }}
+        - type!={{ . }}
+        {{- end }}
+        {{- end }}
     - kind: "k8s-dynamic"
       name: "k8s/certificates"
       config:
@@ -202,5 +208,3 @@ data:
           version: v1
           resource: issuers
 {{- end }}
-
-

deploy/charts/venafi-kubernetes-agent/values.yaml

@@ -186,6 +186,22 @@ config:
   # -- Description for the cluster resource if it needs to be created in Venafi Control Plane
   clusterDescription: ""
 
+  # -- Reduce the memory usage of the agent and reduce the load on the Kubernetes
+  # API server by omitting various common Secret types when listing Secrets.
+  # These Secret types will be added to a "type!=<type>" field selector in the
+  # agent config.
+  # * https://docs.venafi.cloud/vaas/k8s-components/t-cfg-tlspk-agent/#configuration
+  # * https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
+  # * https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/#list-of-supported-fields
+  ignoredSecretTypes:
+  - kubernetes.io/service-account-token
+  - kubernetes.io/dockercfg
+  - kubernetes.io/dockerconfigjson
+  - kubernetes.io/basic-auth
+  - kubernetes.io/ssh-auth,
+  - bootstrap.kubernetes.io/token
+  - helm.sh/release.v1
+
   # -- Specify ConfigMap details to load config from an existing resource.
   # This should be blank by default unless you have you own config.
   configmap:

examples/one-shot-secret.yaml

@@ -14,8 +14,16 @@ cluster_id: "my_cluster"
 period: 1m
 data-gatherers:
 - kind: "k8s-dynamic"
-  name: "k8s/secrets.v1"
+  name: "k8s/secrets"
   config:
     resource-type:
       version: v1
       resource: secrets
+    field-selectors:
+    - type!=kubernetes.io/service-account-token
+    - type!=kubernetes.io/dockercfg
+    - type!=kubernetes.io/dockerconfigjson
+    - type!=kubernetes.io/basic-auth
+    - type!=kubernetes.io/ssh-auth,
+    - type!=bootstrap.kubernetes.io/token
+    - type!=helm.sh/release.v1

pkg/datagatherer/k8s/dynamic.go

@@ -39,6 +39,8 @@ type ConfigDynamic struct {
 	ExcludeNamespaces []string `yaml:"exclude-namespaces"`
 	// IncludeNamespaces is a list of namespaces to include.
 	IncludeNamespaces []string `yaml:"include-namespaces"`
+	// FieldSelectors is a list of field selectors to use when listing this resource
+	FieldSelectors []string `yaml:"field-selectors"`
 }
 
 // UnmarshalYAML unmarshals the ConfigDynamic resolving GroupVersionResource.
@@ -52,6 +54,7 @@ func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(interface{}) error) error {
 		} `yaml:"resource-type"`
 		ExcludeNamespaces []string `yaml:"exclude-namespaces"`
 		IncludeNamespaces []string `yaml:"include-namespaces"`
+		FieldSelectors    []string `yaml:"field-selectors"`
 	}{}
 	err := unmarshal(&aux)
 	if err != nil {
@@ -64,6 +67,7 @@ func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	c.GroupVersionResource.Resource = aux.ResourceType.Resource
 	c.ExcludeNamespaces = aux.ExcludeNamespaces
 	c.IncludeNamespaces = aux.IncludeNamespaces
+	c.FieldSelectors = aux.FieldSelectors
 
 	return nil
 }
@@ -79,6 +83,13 @@ func (c *ConfigDynamic) validate() error {
 		errors = append(errors, "invalid configuration: GroupVersionResource.Resource cannot be empty")
 	}
 
+	for _, selectorString := range c.FieldSelectors {
+		_, err := fields.ParseSelector(selectorString)
+		if err != nil {
+			errors = append(errors, fmt.Sprintf("invalid field selector %q: %s", selectorString, err))
+		}
+	}
+
 	if len(errors) > 0 {
 		return fmt.Errorf(strings.Join(errors, ", "))
 	}
@@ -151,26 +162,10 @@ func (c *ConfigDynamic) newDataGathererWithClient(ctx context.Context, cl dynami
 	}
 	// init shared informer for selected namespaces
 	fieldSelector := generateFieldSelector(c.ExcludeNamespaces)
-	// Reduce the memory usage and reduce the load on the Kubernetes API server
-	// by omitting various common Secret types when listing Secrets.
-	// * https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
-	//
-	// It would be better to include only TLS and Opaque Secrets rather than excluding the other types,
-	// because we can never know all the possible Secret types that a cluster may have,
-	// but field selectors do not yet support set based operators:
-	// * https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/#supported-operators
-	// * https://github.com/kubernetes/kubernetes/issues/32946
-	if c.GroupVersionResource.Group == "" && c.GroupVersionResource.Version == "v1" && c.GroupVersionResource.Resource == "secrets" {
-		fieldSelector = fields.AndSelectors(
-			fieldSelector,
-			fields.OneTermNotEqualSelector("type", "kubernetes.io/service-account-token"),
-			fields.OneTermNotEqualSelector("type", "kubernetes.io/dockercfg"),
-			fields.OneTermNotEqualSelector("type", "kubernetes.io/dockerconfigjson"),
-			fields.OneTermNotEqualSelector("type", "kubernetes.io/basic-auth"),
-			fields.OneTermNotEqualSelector("type", "kubernetes.io/ssh-auth"),
-			fields.OneTermNotEqualSelector("type", "bootstrap.kubernetes.io/token"),
-			fields.OneTermNotEqualSelector("type", "helm.sh/release.v1"),
-		)
+
+	// add any custom field selectors to the namespace selector
+	for _, selectorString := range c.FieldSelectors {
+		fieldSelector = fields.AndSelectors(fieldSelector, fields.ParseSelectorOrDie(selectorString))
 	}
 
 	// init cache to store gathered resources