djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Secrets owned by Deployment have Controller: false

Browse Source 
- This is to prevent K8s internal Deployment controller from trying to
manage these objects

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Andrew Keesler 2020-12-15 12:05:06 -08:00
parent 2e784e006c
commit 9d9040944a
3 changed files with 91 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
internal/controller/supervisorconfig/generator/generator.go
View File

@ -64,12 +64,23 @@ func generateSecret(namespace, name string, labels map[string]string, secretData
Version: appsv1.SchemeGroupVersion.Version,
Kind: "Deployment",
}
blockOwnerDeletion := true
isController := false
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(owner, deploymentGVK),
{
APIVersion: deploymentGVK.GroupVersion().String(),
Kind: deploymentGVK.Kind,
Name: owner.GetName(),
UID: owner.GetUID(),
BlockOwnerDeletion: &blockOwnerDeletion,
Controller: &isController,
},
},
Labels: labels,
},

8
internal/controller/supervisorconfig/generator/supervisor_secrets.go
View File

@ -56,7 +56,13 @@ func NewSupervisorSecretsController(
withInformer(
secretInformer,
pinnipedcontroller.SimpleFilter(func(obj metav1.Object) bool {
return metav1.IsControlledBy(obj, owner)
ownerReferences := obj.GetOwnerReferences()
for i := range obj.GetOwnerReferences() {
if ownerReferences[i].UID == owner.GetUID() {
return true
}
}
return false
}, nil),
controllerlib.InformerOption{},
),

102
internal/controller/supervisorconfig/generator/supervisor_secrets_test.go
View File

@ -46,6 +46,7 @@ var (
}
)
// TODO want what??
func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
t.Parallel()
@ -57,39 +58,25 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
wantDelete bool
}{
{
name: "no owner reference",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{},
},
},
{
name: "owner reference without controller set to true",
name: "owner reference is missing",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{
{
APIVersion: ownerGVK.String(),
Name: "some-name",
Kind: ownerGVK.Kind,
UID: owner.GetUID(),
},
},
},
},
},
{
name: "owner reference without correct APIVersion",
name: "owner reference with incorrect `APIVersion`",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{
{
Name: "some-name",
Kind: ownerGVK.Kind,
Controller: boolPtr(true),
UID: owner.GetUID(),
}},
Name: owner.GetName(),
Kind: ownerGVK.Kind,
UID: owner.GetUID(),
},
},
},
},
wantAdd: true,
@ -97,16 +84,15 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
wantDelete: true,
},
{
name: "owner reference without correct Kind",
name: "owner reference with incorrect `Kind`",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{
{
APIVersion: ownerGVK.String(),
Name: "some-name",
Name: owner.GetName(),
Kind: "IncorrectKind",
Controller: boolPtr(true),
UID: owner.GetUID(),
},
},
@ -117,7 +103,7 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
wantDelete: true,
},
{
name: "correct owner reference",
name: "owner reference with `Controller`: true",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
@ -131,7 +117,42 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
wantDelete: true,
},
{
name: "multiple owner references",
name: "expected owner reference with incorrect `UID`",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{
{
APIVersion: ownerGVK.String(),
Name: owner.GetName(),
Kind: ownerGVK.Kind,
UID: "DOES_NOT_MATCH",
},
},
},
},
},
{
name: "expected owner reference - where `Controller`: false",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{
{
APIVersion: ownerGVK.String(),
Name: owner.GetName(),
Kind: ownerGVK.Kind,
UID: owner.GetUID(),
},
},
},
},
wantAdd: true,
wantUpdate: true,
wantDelete: true,
},
{
name: "multiple owner references (expected owner reference, and one more)",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
@ -139,7 +160,12 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
{
Kind: "UnrelatedKind",
},
*metav1.NewControllerRef(owner, ownerGVK),
{
APIVersion: ownerGVK.String(),
Name: owner.GetName(),
Kind: ownerGVK.Kind,
UID: owner.GetUID(),
},
},
},
},
@ -215,12 +241,21 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
generatedSymmetricKey = []byte("some-neato-32-byte-generated-key")
otherGeneratedSymmetricKey = []byte("some-funio-32-byte-generated-key")
generatedSecret = &corev1.Secret{
blockOwnerDeletion = true
isController = false
generatedSecret = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: generatedSecretName,
Namespace: generatedSecretNamespace,
OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(owner, ownerGVK),
{
APIVersion: ownerGVK.GroupVersion().String(),
Kind: ownerGVK.Kind,
Name: owner.GetName(),
UID: owner.GetUID(),
BlockOwnerDeletion: &blockOwnerDeletion,
Controller: &isController,
},
},
Labels: labels,
},
@ -235,7 +270,14 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
Name: generatedSecretName,
Namespace: generatedSecretNamespace,
OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(owner, ownerGVK),
{
APIVersion: ownerGVK.GroupVersion().String(),
Kind: ownerGVK.Kind,
Name: owner.GetName(),
UID: owner.GetUID(),
BlockOwnerDeletion: &blockOwnerDeletion,
Controller: &isController,
},
},
Labels: labels,
},