package cabundleinjector
import (
"context"
"fmt"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kcoreclient "k8s.io/client-go/kubernetes/typed/core/v1"
listers "k8s.io/client-go/listers/core/v1"
"k8s.io/klog/v2"
apiannotations "github.com/openshift/api/annotations"
"github.com/openshift/library-go/pkg/controller/factory"
"github.com/openshift/service-ca-operator/pkg/controller/api"
)
// secretCABundleInjector keeps the service signing CA bundle injected into
// the secrets this controller is configured to watch.
type secretCABundleInjector struct {
	// caBundle is the bundle contents written under api.InjectionDataKey.
	caBundle string
	// lister reads secrets from the shared informer cache; objects it hands
	// out are cache state and must be deep-copied before being mutated.
	lister listers.SecretLister
	// client performs the API update once a secret needs changing.
	client kcoreclient.SecretsGetter
	// filterFn, when non-nil, lets Sync skip secrets it should leave alone;
	// nil means every secret routed to Sync is injected.
	filterFn func(secret *corev1.Secret) bool
}
// newSecretInjectorConfig wires a secretCABundleInjector to the shared
// Secrets informer from config and returns the controllerConfig that the
// generic controller runner consumes. The annotations checker is built from
// api.InjectCABundleAnnotationName, so presumably only secrets carrying that
// annotation are queued for Sync — confirm against annotationsChecker.
func newSecretInjectorConfig(config *caBundleInjectorConfig) controllerConfig {
	secrets := config.kubeInformers.Core().V1().Secrets()

	injector := &secretCABundleInjector{
		client:   config.kubeClient.CoreV1(),
		lister:   secrets.Lister(),
		caBundle: string(config.caBundle),
	}

	cfg := controllerConfig{
		name:       "SecretCABundleInjector",
		sync:       injector.Sync,
		informer:   secrets.Informer(),
		namespaced: true,
	}
	cfg.annotationsChecker = annotationsChecker(api.InjectCABundleAnnotationName)
	return cfg
}
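// Sync reconciles the secret named by the queue key. A secret that passes
// filterFn and does not already hold exactly the current CA bundle under
// api.InjectionDataKey has its Data replaced with that single entry, and the
// owning-component annotations are claimed when nobody else has. A secret
// that no longer exists is ignored; any other lister or API error is
// returned so the controller requeues the key.
func (bi *secretCABundleInjector) Sync(ctx context.Context, syncCtx factory.SyncContext) error {
	namespace, name := namespacedObjectFromQueueKey(syncCtx.QueueKey())
	secret, err := bi.lister.Secrets(namespace).Get(name)
	if apierrors.IsNotFound(err) {
		// Deleted between enqueue and sync; nothing left to reconcile.
		return nil
	}
	if err != nil {
		return err
	}
	if bi.filterFn != nil && !bi.filterFn(secret) {
		return nil
	}

	// Skip the update when the secret already holds the current bundle and
	// nothing else; the len check is what keeps the controller from looping
	// on secrets whose extra keys it would otherwise keep removing.
	if data, ok := secret.Data[api.InjectionDataKey]; ok &&
		string(data) == bi.caBundle && len(secret.Data) == 1 {
		return nil
	}

	klog.Infof("updating secret %s/%s with the service signing CA bundle", secret.Namespace, secret.Name)

	// Work on a copy: the lister hands out shared informer cache objects.
	secretCopy := secret.DeepCopy()
	// The injected secret is owned entirely by this controller: Data is
	// replaced wholesale, so any other key a user placed in it is dropped.
	secretCopy.Data = map[string][]byte{api.InjectionDataKey: []byte(bi.caBundle)}

	// Claim the owning component unless someone else already has. Annotations
	// may be nil (DeepCopy preserves nil, and the annotation gate only applies
	// at enqueue time), so allocate the map before writing to it — writing to
	// a nil map panics.
	if len(secretCopy.Annotations[apiannotations.OpenShiftComponent]) == 0 {
		if secretCopy.Annotations == nil {
			secretCopy.Annotations = map[string]string{}
		}
		secretCopy.Annotations[apiannotations.OpenShiftComponent] = api.OwningJiraComponent
		secretCopy.Annotations[apiannotations.OpenShiftDescription] = "Secret is added/updated with a data item containing the CA signing bundle that can be used to verify service-serving certificates"
	}

	if _, err := bi.client.Secrets(secretCopy.Namespace).Update(ctx, secretCopy, metav1.UpdateOptions{}); err != nil {
		// %w keeps apierrors.Is* checks working for callers that inspect the
		// returned error.
		return fmt.Errorf("updating secret %s/%s: %w", secretCopy.Namespace, secretCopy.Name, err)
	}
	return nil
}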