Merge pull request #70 from zvlb/main

Add logic for add opaque secrets to envoy sDS

Author: zvlb

controllers/controller_utils.go

@@ -50,7 +50,20 @@ func defaultNodeIDs(ctx context.Context, cl client.Client, namespace string) ([]
 		return nil, errors.Wrap(err, errors.GetFromKubernetesMessage)
 	}
 	for _, l := range listeners.Items {
-		nodeIDs = append(nodeIDs, k8s.NodeIDs(l.DeepCopy())...)
+		for _, v := range k8s.NodeIDs(l.DeepCopy()) {
+			if !contains(nodeIDs, v) {
+				nodeIDs = append(nodeIDs, v)
+			}
+		}
 	}
 	return nodeIDs, nil
 }
+
+func contains(s []string, e string) bool {
+	for _, a := range s {
+		if a == e {
+			return true
+		}
+	}
+	return false
+}

controllers/kube_secret_controller.go

@@ -62,7 +62,7 @@ func (r *KubeSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	err := r.Get(ctx, req.NamespacedName, kubeSecret)
 	if err != nil {
 		if api_errors.IsNotFound(err) {
-			r.log.Info("Secret not found. Delete object fron xDS cache")
+			r.log.Info("Secret not found. Delete object from xDS cache")
 			nodeIDs, err := r.Cache.GetNodeIDsForResource(resourcev3.SecretType, getResourceName(req.Namespace, req.Name))
 			if err != nil {
 				return ctrl.Result{}, errors.Wrap(err, errors.GetNodeIDForResource)
@@ -90,13 +90,16 @@ func (r *KubeSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		nodeIDs = append(nodeIDs, defaultNodeIDs...)
 	}
 
+	envoySecrets, err := r.makeEnvoySecrets(kubeSecret)
+	if err != nil {
+		return ctrl.Result{}, errors.Wrap(err, "cannot generate xDS secret from Kubernetes Secret")
+	}
+
 	for _, nodeID := range nodeIDs {
-		envoySecret, err := r.makeEnvoySecret(kubeSecret)
-		if err != nil {
-			return ctrl.Result{}, errors.Wrap(err, "cannot generate xDS secret from Kubernetes Secret")
-		}
-		if err := r.Cache.Update(nodeID, envoySecret); err != nil {
-			return ctrl.Result{}, errors.Wrap(err, errors.CannotUpdateCacheMessage)
+		for _, envoySecret := range envoySecrets {
+			if err := r.Cache.Update(nodeID, envoySecret); err != nil {
+				return ctrl.Result{}, errors.Wrap(err, errors.CannotUpdateCacheMessage)
+			}
 		}
 	}
 
@@ -117,26 +120,40 @@ func (r *KubeSecretReconciler) valid(secret *corev1.Secret) bool {
 		r.log.V(1).Info("Not a xds controller secret")
 		return false
 	}
-	if secret.Type != corev1.SecretTypeTLS {
-		r.log.V(1).Info("Kuberentes Secret is not a type TLS. Skip")
+	if secret.Type != corev1.SecretTypeTLS && secret.Type != corev1.SecretTypeOpaque {
+		r.log.V(1).Info("Kuberentes Secret is not a type TLS or Opaque. Skip")
 		return false
 	}
 	return true
 }
 
-func (r *KubeSecretReconciler) makeEnvoySecret(kubeSecret *corev1.Secret) (*tlsv3.Secret, error) {
+// Generate xDS secret from Kubernetes Secret
+func (r *KubeSecretReconciler) makeEnvoySecrets(kubeSecret *corev1.Secret) ([]*tlsv3.Secret, error) {
+	switch kubeSecret.Type {
+	case corev1.SecretTypeTLS:
+		return r.makeEnvoyTLSSecret(kubeSecret)
+	case corev1.SecretTypeOpaque:
+		return r.makeEnvoyOpaqueSecret(kubeSecret)
+	default:
+		return nil, fmt.Errorf("unsupported secret type %s", kubeSecret.Type)
+	}
+}
+
+func (r *KubeSecretReconciler) makeEnvoyTLSSecret(kubeSecret *corev1.Secret) ([]*tlsv3.Secret, error) {
+	secrets := make([]*tlsv3.Secret, 0)
+
 	envoySecret := &tlsv3.Secret{
 		Name: fmt.Sprintf("%s-%s", kubeSecret.Namespace, kubeSecret.Name),
 		Type: &tlsv3.Secret_TlsCertificate{
 			TlsCertificate: &tlsv3.TlsCertificate{
 				CertificateChain: &corev3.DataSource{
 					Specifier: &corev3.DataSource_InlineBytes{
-						InlineBytes: kubeSecret.Data["tls.crt"],
+						InlineBytes: kubeSecret.Data[corev1.TLSCertKey],
 					},
 				},
 				PrivateKey: &corev3.DataSource{
 					Specifier: &corev3.DataSource_InlineBytes{
-						InlineBytes: kubeSecret.Data["tls.key"],
+						InlineBytes: kubeSecret.Data[corev1.TLSPrivateKeyKey],
 					},
 				},
 			},
@@ -146,5 +163,34 @@ func (r *KubeSecretReconciler) makeEnvoySecret(kubeSecret *corev1.Secret) (*tlsv
 		return nil, errors.Wrap(err, "cannot validate Envoy Secret")
 	}
 
-	return envoySecret, nil
+	secrets = append(secrets, envoySecret)
+
+	return secrets, nil
+}
+
+func (r *KubeSecretReconciler) makeEnvoyOpaqueSecret(kubeSecret *corev1.Secret) ([]*tlsv3.Secret, error) {
+	secrets := make([]*tlsv3.Secret, 0)
+
+	for k, v := range kubeSecret.Data {
+		envoySecret := &tlsv3.Secret{
+			Name: fmt.Sprintf("%s-%s-%s", kubeSecret.Namespace, kubeSecret.Name, k),
+			Type: &tlsv3.Secret_GenericSecret{
+				GenericSecret: &tlsv3.GenericSecret{
+					Secret: &corev3.DataSource{
+						Specifier: &corev3.DataSource_InlineBytes{
+							InlineBytes: v,
+						},
+					},
+				},
+			},
+		}
+
+		if err := envoySecret.ValidateAll(); err != nil {
+			return nil, errors.Wrap(err, "cannot validate Envoy Secret")
+		}
+
+		secrets = append(secrets, envoySecret)
+	}
+
+	return secrets, nil
 }

helm/charts/envoy-xds-controller/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.19
+version: 0.1.20
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.1.19"
+appVersion: "v0.1.20"
 
 home: https://github.com/kaasops/envoy-xds-controller
 sources: