Support versioned Secrets on Stacks

Signed-off-by: Katyanna Moura <[email protected]>

Author: katyanna

cluster/config-defaults.yaml

@@ -903,6 +903,9 @@ stackset_configmap_support_enabled: "true"
 stackset_configmap_support_enabled: "false"
 {{end}}
 
+# enable/disable secret support for stackset
+stackset_secret_support_enabled: "false"
+
 # enable/disable traffic segment support for stackset
 {{if eq .Cluster.Environment "e2e"}}
 stackset_enable_traffic_segments: "true"

cluster/manifests/stackset-controller/01-stack-crd.yaml

@@ -349,7 +349,7 @@ spec:
                 - maxReplicas
                 - metrics
                 type: object
-{{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
+{{- if or (eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true") (eq .Cluster.ConfigItems.stackset_secret_support_enabled "true") }}
               configurationResources:
                 description: ConfigurationResources describes the ConfigMaps that
                   will be created. Later Secrets and PlatformCredentialSets will also
@@ -358,8 +358,19 @@ spec:
                   description: ConfigurationResourcesSpec makes it possible to defined
                     the config resources to be created
                   properties:
+{{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
                     configMapRef:
-                      description: ConfigMap to be versioned for Stack
+                      description: ConfigMap to be owned by Stack
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+{{ end }}
+{{- if eq .Cluster.ConfigItems.stackset_secret_support_enabled "true" }}
+                    secretRef:
+                      description: Secret to be owned by Stack
                       properties:
                         name:
                           description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
@@ -368,6 +379,7 @@ spec:
                       type: object
                   type: object
                 type: array
+{{ end }}
 {{ end }}
               externalIngress:
                 description: Stack specific ExternalIngress, based on the parent StackSet

cluster/manifests/stackset-controller/01-stackset-crd.yaml

@@ -596,7 +596,7 @@ spec:
                         - maxReplicas
                         - metrics
                         type: object
-{{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
+{{- if or (eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true") (eq .Cluster.ConfigItems.stackset_secret_support_enabled "true") }}
                       configurationResources:
                         description: ConfigurationResources describes the ConfigMaps
                           that will be created. Later Secrets and PlatformCredentialSets
@@ -605,8 +605,20 @@ spec:
                           description: ConfigurationResourcesSpec makes it possible
                             to defined the config resources to be created
                           properties:
+{{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
                             configMapRef:
-                              description: ConfigMap to be versioned for Stack
+                              description: ConfigMap to be owned by Stack
+                              properties:
+                                name:
+                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Add other useful fields. apiVersion, kind,
+                                    uid?'
+                                  type: string
+                              type: object
+{{ end }}
+{{- if eq .Cluster.ConfigItems.stackset_secret_support_enabled "true" }}
+                            secretRef:
+                              description: Secret to be owned by Stack
                               properties:
                                 name:
                                   description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
@@ -616,6 +628,7 @@ spec:
                               type: object
                           type: object
                         type: array
+{{ end }}
 {{ end }}
                       minReadySeconds:
                         description: Minimum number of seconds for which a newly created

cluster/manifests/stackset-controller/deployment.yaml

@@ -1,4 +1,4 @@
-{{ $version := "v1.4.27" }}
+{{ $version := "pr-565-26" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -30,7 +30,7 @@ spec:
       serviceAccountName: stackset-controller
       containers:
       - name: stackset-controller
-        image: "container-registry.zalando.net/teapot/stackset-controller:{{ $version }}"
+        image: "container-registry-test.zalando.net/teapot/stackset-controller:{{ $version }}"
         args:
         - "--interval={{ .Cluster.ConfigItems.stackset_controller_sync_interval }}"
 {{- if eq .Cluster.ConfigItems.stackset_routegroup_support_enabled "true" }}
@@ -40,6 +40,9 @@ spec:
 {{- if eq .Cluster.ConfigItems.stackset_configmap_support_enabled "true" }}
         - "--enable-configmap-support"
 {{- end }}
+{{- if eq .Cluster.ConfigItems.stackset_secret_support_enabled "true" }}
+        - "--enable-secret-support"
+{{- end }}
 {{- if eq .Cluster.ConfigItems.stackset_enable_traffic_segments "true" }}
         - "--enable-traffic-segments"
 {{- end }}

cluster/manifests/stackset-controller/rbac.yaml

@@ -110,6 +110,17 @@ rules:
   - create
   - update
 {{- end }}
+{{- if eq .Cluster.ConfigItems.stackset_secret_support_enabled "true" }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding