2020-12-12 04:49:10 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package generator
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
2020-12-15 14:13:01 +00:00
|
|
|
"reflect"
|
2020-12-12 04:49:10 +00:00
|
|
|
|
|
|
|
corev1 "k8s.io/api/core/v1"
|
|
|
|
k8serrors "k8s.io/apimachinery/pkg/api/errors"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
|
|
|
"k8s.io/client-go/kubernetes"
|
|
|
|
"k8s.io/client-go/util/retry"
|
|
|
|
"k8s.io/klog/v2"
|
|
|
|
|
|
|
|
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
|
2020-12-15 14:13:01 +00:00
|
|
|
pinnipedclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
|
2020-12-12 04:49:10 +00:00
|
|
|
configinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1"
|
|
|
|
pinnipedcontroller "go.pinniped.dev/internal/controller"
|
|
|
|
"go.pinniped.dev/internal/controllerlib"
|
|
|
|
"go.pinniped.dev/internal/plog"
|
|
|
|
)
|
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
type federationDomainSecretsController struct {
|
2020-12-14 15:36:45 +00:00
|
|
|
secretHelper SecretHelper
|
2020-12-17 12:41:53 +00:00
|
|
|
secretRefFunc func(domain *configv1alpha1.FederationDomain) *corev1.LocalObjectReference
|
2020-12-12 04:49:10 +00:00
|
|
|
kubeClient kubernetes.Interface
|
2020-12-15 14:13:01 +00:00
|
|
|
pinnipedClient pinnipedclientset.Interface
|
2020-12-16 22:27:09 +00:00
|
|
|
opcInformer configinformers.FederationDomainInformer
|
2020-12-12 04:49:10 +00:00
|
|
|
secretInformer corev1informers.SecretInformer
|
|
|
|
}
|
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
// NewFederationDomainSecretsController returns a controllerlib.Controller that ensures a child Secret
|
|
|
|
// always exists for a parent FederationDomain. It does this using the provided secretHelper, which
|
2020-12-14 15:36:45 +00:00
|
|
|
// provides the parent/child mapping logic.
|
2020-12-16 22:27:09 +00:00
|
|
|
func NewFederationDomainSecretsController(
|
2020-12-14 15:36:45 +00:00
|
|
|
secretHelper SecretHelper,
|
2020-12-17 12:41:53 +00:00
|
|
|
secretRefFunc func(domain *configv1alpha1.FederationDomain) *corev1.LocalObjectReference,
|
2020-12-12 04:49:10 +00:00
|
|
|
kubeClient kubernetes.Interface,
|
2020-12-15 14:13:01 +00:00
|
|
|
pinnipedClient pinnipedclientset.Interface,
|
2020-12-12 04:49:10 +00:00
|
|
|
secretInformer corev1informers.SecretInformer,
|
2020-12-16 22:27:09 +00:00
|
|
|
opcInformer configinformers.FederationDomainInformer,
|
2020-12-12 04:49:10 +00:00
|
|
|
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
|
|
|
) controllerlib.Controller {
|
|
|
|
return controllerlib.New(
|
|
|
|
controllerlib.Config{
|
2020-12-15 02:36:56 +00:00
|
|
|
Name: fmt.Sprintf("%s%s", secretHelper.NamePrefix(), "controller"),
|
2020-12-16 22:27:09 +00:00
|
|
|
Syncer: &federationDomainSecretsController{
|
2020-12-14 15:36:45 +00:00
|
|
|
secretHelper: secretHelper,
|
2020-12-17 12:41:53 +00:00
|
|
|
secretRefFunc: secretRefFunc,
|
2020-12-12 04:49:10 +00:00
|
|
|
kubeClient: kubeClient,
|
2020-12-15 14:13:01 +00:00
|
|
|
pinnipedClient: pinnipedClient,
|
2020-12-12 04:49:10 +00:00
|
|
|
secretInformer: secretInformer,
|
|
|
|
opcInformer: opcInformer,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
// We want to be notified when a OPC's secret gets updated or deleted. When this happens, we
|
|
|
|
// should get notified via the corresponding OPC key.
|
|
|
|
withInformer(
|
|
|
|
secretInformer,
|
2020-12-14 22:24:13 +00:00
|
|
|
pinnipedcontroller.SimpleFilter(isOPControllee, func(obj metav1.Object) controllerlib.Key {
|
|
|
|
if isOPControllee(obj) {
|
2020-12-14 15:37:27 +00:00
|
|
|
controller := metav1.GetControllerOf(obj)
|
|
|
|
return controllerlib.Key{
|
|
|
|
Name: controller.Name,
|
|
|
|
Namespace: obj.GetNamespace(),
|
2020-12-12 04:49:10 +00:00
|
|
|
}
|
2020-12-14 15:37:27 +00:00
|
|
|
}
|
|
|
|
return controllerlib.Key{}
|
|
|
|
}),
|
2020-12-12 04:49:10 +00:00
|
|
|
controllerlib.InformerOption{},
|
|
|
|
),
|
|
|
|
// We want to be notified when anything happens to an OPC.
|
|
|
|
withInformer(
|
|
|
|
opcInformer,
|
|
|
|
pinnipedcontroller.MatchAnythingFilter(nil), // nil parent func is fine because each event is distinct
|
|
|
|
controllerlib.InformerOption{},
|
|
|
|
),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
func (c *federationDomainSecretsController) Sync(ctx controllerlib.Context) error {
|
|
|
|
op, err := c.opcInformer.Lister().FederationDomains(ctx.Key.Namespace).Get(ctx.Key.Name)
|
2020-12-12 04:49:10 +00:00
|
|
|
notFound := k8serrors.IsNotFound(err)
|
|
|
|
if err != nil && !notFound {
|
|
|
|
return fmt.Errorf(
|
2020-12-16 22:27:09 +00:00
|
|
|
"failed to get %s/%s FederationDomain: %w",
|
2020-12-12 04:49:10 +00:00
|
|
|
ctx.Key.Namespace,
|
|
|
|
ctx.Key.Name,
|
|
|
|
err,
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
if notFound {
|
2020-12-14 15:36:45 +00:00
|
|
|
// The corresponding secret to this OP should have been garbage collected since it should have
|
|
|
|
// had this OP as its owner.
|
2020-12-12 04:49:10 +00:00
|
|
|
plog.Debug(
|
2020-12-16 22:27:09 +00:00
|
|
|
"federationdomain deleted",
|
|
|
|
"federationdomain",
|
2020-12-12 04:49:10 +00:00
|
|
|
klog.KRef(ctx.Key.Namespace, ctx.Key.Name),
|
|
|
|
)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-12-17 12:41:53 +00:00
|
|
|
op = op.DeepCopy()
|
2020-12-14 15:36:45 +00:00
|
|
|
newSecret, err := c.secretHelper.Generate(op)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to generate secret: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
secretNeedsUpdate, existingSecret, err := c.secretNeedsUpdate(op, newSecret.Name)
|
2020-12-12 04:49:10 +00:00
|
|
|
if err != nil {
|
2020-12-14 15:36:45 +00:00
|
|
|
return fmt.Errorf("failed to determine secret status: %w", err)
|
2020-12-12 04:49:10 +00:00
|
|
|
}
|
|
|
|
if !secretNeedsUpdate {
|
|
|
|
// Secret is up to date - we are good to go.
|
|
|
|
plog.Debug(
|
|
|
|
"secret is up to date",
|
2020-12-16 22:27:09 +00:00
|
|
|
"federationdomain",
|
2020-12-14 15:36:45 +00:00
|
|
|
klog.KObj(op),
|
|
|
|
"secret",
|
|
|
|
klog.KObj(existingSecret),
|
2020-12-12 04:49:10 +00:00
|
|
|
)
|
2020-12-15 14:13:01 +00:00
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
op = c.secretHelper.ObserveActiveSecretAndUpdateParentFederationDomain(op, existingSecret)
|
|
|
|
if err := c.updateFederationDomain(ctx.Context, op); err != nil {
|
|
|
|
return fmt.Errorf("failed to update federationdomain: %w", err)
|
2020-12-15 14:13:01 +00:00
|
|
|
}
|
2020-12-16 22:27:09 +00:00
|
|
|
plog.Debug("updated federationdomain", "federationdomain", klog.KObj(op), "secret", klog.KObj(newSecret))
|
2020-12-15 14:13:01 +00:00
|
|
|
|
2020-12-12 04:49:10 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-12-14 15:36:45 +00:00
|
|
|
// If the OP does not have a secret associated with it, that secret does not exist, or the secret
|
|
|
|
// is invalid, we will create a new secret.
|
|
|
|
if err := c.createOrUpdateSecret(ctx.Context, op, &newSecret); err != nil {
|
|
|
|
return fmt.Errorf("failed to create or update secret: %w", err)
|
2020-12-12 04:49:10 +00:00
|
|
|
}
|
2020-12-16 22:27:09 +00:00
|
|
|
plog.Debug("created/updated secret", "federationdomain", klog.KObj(op), "secret", klog.KObj(newSecret))
|
2020-12-12 04:49:10 +00:00
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
op = c.secretHelper.ObserveActiveSecretAndUpdateParentFederationDomain(op, newSecret)
|
|
|
|
if err := c.updateFederationDomain(ctx.Context, op); err != nil {
|
|
|
|
return fmt.Errorf("failed to update federationdomain: %w", err)
|
2020-12-15 14:13:01 +00:00
|
|
|
}
|
2020-12-16 22:27:09 +00:00
|
|
|
plog.Debug("updated federationdomain", "federationdomain", klog.KObj(op), "secret", klog.KObj(newSecret))
|
2020-12-12 04:49:10 +00:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
// secretNeedsUpdate returns whether or not the Secret, with name secretName, for FederationDomain op
|
2020-12-14 15:36:45 +00:00
|
|
|
// needs to be updated. It returns the existing secret as its second argument.
|
2020-12-16 22:27:09 +00:00
|
|
|
func (c *federationDomainSecretsController) secretNeedsUpdate(
|
|
|
|
op *configv1alpha1.FederationDomain,
|
2020-12-14 15:36:45 +00:00
|
|
|
secretName string,
|
|
|
|
) (bool, *corev1.Secret, error) {
|
2020-12-12 04:49:10 +00:00
|
|
|
// This OPC says it has a secret associated with it. Let's try to get it from the cache.
|
2020-12-14 15:36:45 +00:00
|
|
|
secret, err := c.secretInformer.Lister().Secrets(op.Namespace).Get(secretName)
|
2020-12-12 04:49:10 +00:00
|
|
|
notFound := k8serrors.IsNotFound(err)
|
|
|
|
if err != nil && !notFound {
|
2020-12-14 15:36:45 +00:00
|
|
|
return false, nil, fmt.Errorf("cannot get secret: %w", err)
|
2020-12-12 04:49:10 +00:00
|
|
|
}
|
|
|
|
if notFound {
|
|
|
|
// If we can't find the secret, let's assume we need to create it.
|
2020-12-14 15:36:45 +00:00
|
|
|
return true, nil, nil
|
2020-12-12 04:49:10 +00:00
|
|
|
}
|
|
|
|
|
2020-12-14 15:36:45 +00:00
|
|
|
if !c.secretHelper.IsValid(op, secret) {
|
2020-12-12 04:49:10 +00:00
|
|
|
// If this secret is invalid, we need to generate a new one.
|
2020-12-14 15:36:45 +00:00
|
|
|
return true, secret, nil
|
2020-12-12 04:49:10 +00:00
|
|
|
}
|
|
|
|
|
2020-12-14 15:36:45 +00:00
|
|
|
return false, secret, nil
|
2020-12-12 04:49:10 +00:00
|
|
|
}
|
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
func (c *federationDomainSecretsController) createOrUpdateSecret(
|
2020-12-12 04:49:10 +00:00
|
|
|
ctx context.Context,
|
2020-12-16 22:27:09 +00:00
|
|
|
op *configv1alpha1.FederationDomain,
|
2020-12-14 15:36:45 +00:00
|
|
|
newSecret **corev1.Secret,
|
2020-12-12 04:49:10 +00:00
|
|
|
) error {
|
2020-12-14 15:36:45 +00:00
|
|
|
secretClient := c.kubeClient.CoreV1().Secrets((*newSecret).Namespace)
|
2020-12-12 04:49:10 +00:00
|
|
|
return retry.RetryOnConflict(retry.DefaultRetry, func() error {
|
2020-12-14 15:36:45 +00:00
|
|
|
oldSecret, err := secretClient.Get(ctx, (*newSecret).Name, metav1.GetOptions{})
|
2020-12-12 04:49:10 +00:00
|
|
|
notFound := k8serrors.IsNotFound(err)
|
|
|
|
if err != nil && !notFound {
|
2020-12-14 15:36:45 +00:00
|
|
|
return fmt.Errorf("failed to get secret %s/%s: %w", (*newSecret).Namespace, (*newSecret).Name, err)
|
2020-12-12 04:49:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if notFound {
|
|
|
|
// New secret doesn't exist, so create it.
|
2020-12-14 15:36:45 +00:00
|
|
|
_, err := secretClient.Create(ctx, *newSecret, metav1.CreateOptions{})
|
2020-12-12 04:49:10 +00:00
|
|
|
if err != nil {
|
2020-12-14 15:36:45 +00:00
|
|
|
return fmt.Errorf("failed to create secret %s/%s: %w", (*newSecret).Namespace, (*newSecret).Name, err)
|
2020-12-12 04:49:10 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// New secret already exists, so ensure it is up to date.
|
2020-12-14 15:36:45 +00:00
|
|
|
if c.secretHelper.IsValid(op, oldSecret) {
|
|
|
|
// If the secret already has valid a valid Secret, then we are good to go and we don't need an
|
|
|
|
// update.
|
|
|
|
*newSecret = oldSecret
|
2020-12-12 04:49:10 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-12-14 15:36:45 +00:00
|
|
|
oldSecret.Labels = (*newSecret).Labels
|
|
|
|
oldSecret.Type = (*newSecret).Type
|
|
|
|
oldSecret.Data = (*newSecret).Data
|
|
|
|
*newSecret = oldSecret
|
2020-12-12 04:49:10 +00:00
|
|
|
_, err = secretClient.Update(ctx, oldSecret, metav1.UpdateOptions{})
|
|
|
|
return err
|
|
|
|
})
|
|
|
|
}
|
2020-12-15 14:13:01 +00:00
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
func (c *federationDomainSecretsController) updateFederationDomain(
|
2020-12-15 14:13:01 +00:00
|
|
|
ctx context.Context,
|
2020-12-16 22:27:09 +00:00
|
|
|
newOP *configv1alpha1.FederationDomain,
|
2020-12-15 14:13:01 +00:00
|
|
|
) error {
|
2020-12-16 22:27:09 +00:00
|
|
|
opcClient := c.pinnipedClient.ConfigV1alpha1().FederationDomains(newOP.Namespace)
|
2020-12-15 14:13:01 +00:00
|
|
|
return retry.RetryOnConflict(retry.DefaultRetry, func() error {
|
|
|
|
oldOP, err := opcClient.Get(ctx, newOP.Name, metav1.GetOptions{})
|
|
|
|
if err != nil {
|
2020-12-16 22:27:09 +00:00
|
|
|
return fmt.Errorf("failed to get federationdomain %s/%s: %w", newOP.Namespace, newOP.Name, err)
|
2020-12-15 14:13:01 +00:00
|
|
|
}
|
|
|
|
|
2020-12-17 12:41:53 +00:00
|
|
|
oldOPSecretRef := c.secretRefFunc(oldOP)
|
|
|
|
newOPSecretRef := c.secretRefFunc(newOP)
|
|
|
|
if reflect.DeepEqual(oldOPSecretRef, newOPSecretRef) {
|
2020-12-15 14:13:01 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-12-17 12:41:53 +00:00
|
|
|
*oldOPSecretRef = *newOPSecretRef
|
2020-12-15 14:13:01 +00:00
|
|
|
_, err = opcClient.Update(ctx, oldOP, metav1.UpdateOptions{})
|
|
|
|
return err
|
|
|
|
})
|
|
|
|
}
|