The impersonation controller should sync when any secret of type kubernetes.io/tls changes in the namespace

2023-07-19 16:15:41 -05:00 · 2023-07-19 16:15:41 -05:00 · 3e57716f0e
commit 3e57716f0e
parent c78db66665
2 changed files with 23 additions and 3 deletions
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@ -17,6 +17,7 @@ import (
 	"time"

 	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@ -161,7 +162,16 @@ func NewImpersonatorConfigController(
 		withInformer(
 			secretsInformer,
 			pinnipedcontroller.SimpleFilterWithSingletonQueue(func(obj metav1.Object) bool {
-				return obj.GetNamespace() == namespace && secretNames.Has(obj.GetName())
+				secret, ok := obj.(*corev1.Secret)
+				if !ok {
+					return false
+				}
+
+				if secret.GetNamespace() != namespace {
+					return false
+				}
+
+				return secretNames.Has(secret.GetName()) || secret.Type == corev1.SecretTypeTLS
 			}),
 			controllerlib.InformerOption{},
 		),
--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package impersonatorconfig
@ -184,7 +184,7 @@ func TestImpersonatorConfigControllerOptions(t *testing.T) {

 		when("watching Secret objects", func() {
 			var subject controllerlib.Filter
-			var target1, target2, target3, wrongNamespace1, wrongNamespace2, wrongName, unrelated *corev1.Secret
+			var target1, target2, target3, wrongNamespace1, wrongNamespace2, wrongName, unrelated, typeTLS, typeTLSWrongNamespace *corev1.Secret

 			it.Before(func() {
 				subject = secretsInformerFilter
@ -195,6 +195,8 @@ func TestImpersonatorConfigControllerOptions(t *testing.T) {
 				wrongNamespace2 = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: caSecretName, Namespace: "wrong-namespace"}}
 				wrongName = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "wrong-name", Namespace: installedInNamespace}}
 				unrelated = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "wrong-name", Namespace: "wrong-namespace"}}
+				typeTLS = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: installedInNamespace}, Type: corev1.SecretTypeTLS}
+				typeTLSWrongNamespace = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "wrong-namespace"}, Type: corev1.SecretTypeTLS}
 			})

 			when("one of the target Secrets changes", func() {
@ -211,6 +213,10 @@ func TestImpersonatorConfigControllerOptions(t *testing.T) {
 					r.True(subject.Update(target3, unrelated))
 					r.True(subject.Update(unrelated, target3))
 					r.True(subject.Delete(target3))
+					r.True(subject.Add(typeTLS))
+					r.True(subject.Update(typeTLS, unrelated))
+					r.True(subject.Update(unrelated, typeTLS))
+					r.True(subject.Delete(typeTLS))
 				})
 			})

@ -224,6 +230,10 @@ func TestImpersonatorConfigControllerOptions(t *testing.T) {
 					r.False(subject.Update(wrongNamespace2, unrelated))
 					r.False(subject.Update(unrelated, wrongNamespace2))
 					r.False(subject.Delete(wrongNamespace2))
+					r.False(subject.Add(typeTLSWrongNamespace))
+					r.False(subject.Update(typeTLSWrongNamespace, unrelated))
+					r.False(subject.Update(unrelated, typeTLSWrongNamespace))
+					r.False(subject.Delete(typeTLSWrongNamespace))
 				})
 			})