Secrets owned by Deployment have Controller: false

- This is to prevent the internal K8s Deployment controller from trying to
manage these objects

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Andrew Keesler 2020-12-15 12:05:06 -08:00
parent 2e784e006c
commit 9d9040944a
3 changed files with 91 additions and 32 deletions


@ -64,12 +64,23 @@ func generateSecret(namespace, name string, labels map[string]string, secretData
Version: appsv1.SchemeGroupVersion.Version, Version: appsv1.SchemeGroupVersion.Version,
Kind: "Deployment", Kind: "Deployment",
} }
blockOwnerDeletion := true
isController := false
return &corev1.Secret{ return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: name, Name: name,
Namespace: namespace, Namespace: namespace,
OwnerReferences: []metav1.OwnerReference{ OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(owner, deploymentGVK), {
APIVersion: deploymentGVK.GroupVersion().String(),
Kind: deploymentGVK.Kind,
Name: owner.GetName(),
UID: owner.GetUID(),
BlockOwnerDeletion: &blockOwnerDeletion,
Controller: &isController,
},
}, },
Labels: labels, Labels: labels,
}, },
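Review bot: The hand-written `metav1.OwnerReference` literal in generateSecret has no comment saying why `Controller` is false, so a later cleanup could easily swap it back to `metav1.NewControllerRef`. I would add a comment above `isController := false`, for example `// Controller is deliberately false: the Deployment owns this Secret for garbage collection, but the built-in Deployment controller must not try to manage it.` The same six-field literal is repeated in the test file, so a small unexported helper that builds the reference from `owner` and the GVK would keep the copies in step. generateSecret's body starts and ends outside this hunk.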


@ -56,7 +56,13 @@ func NewSupervisorSecretsController(
withInformer( withInformer(
secretInformer, secretInformer,
pinnipedcontroller.SimpleFilter(func(obj metav1.Object) bool { pinnipedcontroller.SimpleFilter(func(obj metav1.Object) bool {
return metav1.IsControlledBy(obj, owner) ownerReferences := obj.GetOwnerReferences()
for i := range obj.GetOwnerReferences() {
if ownerReferences[i].UID == owner.GetUID() {
return true
}
}
return false
}, nil), }, nil),
controllerlib.InformerOption{}, controllerlib.InformerOption{},
), ),
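Review bot: The new filter closure stores `ownerReferences := obj.GetOwnerReferences()` but then ranges over a second call to `obj.GetOwnerReferences()`, so the loop header and the indexing use two separate results; `for i := range ownerReferences {` keeps them consistent. The filter now matches on UID alone and no longer looks at `Controller`, `Kind` or `APIVersion`, which is worth a comment since it replaces `metav1.IsControlledBy`, for example `// Match on UID only: the owner reference is non-controller, so IsControlledBy would never match.` The enclosing NewSupervisorSecretsController continues outside the hunk.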


@ -46,6 +46,7 @@ var (
} }
) )
// TODO want what??
func TestSupervisorSecretsControllerFilterSecret(t *testing.T) { func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
t.Parallel() t.Parallel()
@ -57,56 +58,41 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
wantDelete bool wantDelete bool
}{ }{
{ {
name: "no owner reference", name: "owner reference is missing",
secret: corev1.Secret{ secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{}, ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
},
}, },
}, },
{ {
name: "owner reference without controller set to true", name: "owner reference with incorrect `APIVersion`",
secret: corev1.Secret{ secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace", Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{ OwnerReferences: []metav1.OwnerReference{
{ {
APIVersion: ownerGVK.String(), Name: owner.GetName(),
Name: "some-name",
Kind: ownerGVK.Kind, Kind: ownerGVK.Kind,
UID: owner.GetUID(), UID: owner.GetUID(),
}, },
}, },
}, },
}, },
},
{
name: "owner reference without correct APIVersion",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{
{
Name: "some-name",
Kind: ownerGVK.Kind,
Controller: boolPtr(true),
UID: owner.GetUID(),
}},
},
},
wantAdd: true, wantAdd: true,
wantUpdate: true, wantUpdate: true,
wantDelete: true, wantDelete: true,
}, },
{ {
name: "owner reference without correct Kind", name: "owner reference with incorrect `Kind`",
secret: corev1.Secret{ secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace", Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{ OwnerReferences: []metav1.OwnerReference{
{ {
APIVersion: ownerGVK.String(), APIVersion: ownerGVK.String(),
Name: "some-name", Name: owner.GetName(),
Kind: "IncorrectKind", Kind: "IncorrectKind",
Controller: boolPtr(true),
UID: owner.GetUID(), UID: owner.GetUID(),
}, },
}, },
@ -117,7 +103,7 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
wantDelete: true, wantDelete: true,
}, },
{ {
name: "correct owner reference", name: "owner reference with `Controller`: true",
secret: corev1.Secret{ secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace", Namespace: "some-namespace",
@ -131,7 +117,42 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
wantDelete: true, wantDelete: true,
}, },
{ {
name: "multiple owner references", name: "expected owner reference with incorrect `UID`",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{
{
APIVersion: ownerGVK.String(),
Name: owner.GetName(),
Kind: ownerGVK.Kind,
UID: "DOES_NOT_MATCH",
},
},
},
},
},
{
name: "expected owner reference - where `Controller`: false",
secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace",
OwnerReferences: []metav1.OwnerReference{
{
APIVersion: ownerGVK.String(),
Name: owner.GetName(),
Kind: ownerGVK.Kind,
UID: owner.GetUID(),
},
},
},
},
wantAdd: true,
wantUpdate: true,
wantDelete: true,
},
{
name: "multiple owner references (expected owner reference, and one more)",
secret: corev1.Secret{ secret: corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "some-namespace", Namespace: "some-namespace",
@ -139,7 +160,12 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
{ {
Kind: "UnrelatedKind", Kind: "UnrelatedKind",
}, },
*metav1.NewControllerRef(owner, ownerGVK), {
APIVersion: ownerGVK.String(),
Name: owner.GetName(),
Kind: ownerGVK.Kind,
UID: owner.GetUID(),
},
}, },
}, },
}, },
@ -215,12 +241,21 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
generatedSymmetricKey = []byte("some-neato-32-byte-generated-key") generatedSymmetricKey = []byte("some-neato-32-byte-generated-key")
otherGeneratedSymmetricKey = []byte("some-funio-32-byte-generated-key") otherGeneratedSymmetricKey = []byte("some-funio-32-byte-generated-key")
blockOwnerDeletion = true
isController = false
generatedSecret = &corev1.Secret{ generatedSecret = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: generatedSecretName, Name: generatedSecretName,
Namespace: generatedSecretNamespace, Namespace: generatedSecretNamespace,
OwnerReferences: []metav1.OwnerReference{ OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(owner, ownerGVK), {
APIVersion: ownerGVK.GroupVersion().String(),
Kind: ownerGVK.Kind,
Name: owner.GetName(),
UID: owner.GetUID(),
BlockOwnerDeletion: &blockOwnerDeletion,
Controller: &isController,
},
}, },
Labels: labels, Labels: labels,
}, },
@ -235,7 +270,14 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
Name: generatedSecretName, Name: generatedSecretName,
Namespace: generatedSecretNamespace, Namespace: generatedSecretNamespace,
OwnerReferences: []metav1.OwnerReference{ OwnerReferences: []metav1.OwnerReference{
*metav1.NewControllerRef(owner, ownerGVK), {
APIVersion: ownerGVK.GroupVersion().String(),
Kind: ownerGVK.Kind,
Name: owner.GetName(),
UID: owner.GetUID(),
BlockOwnerDeletion: &blockOwnerDeletion,
Controller: &isController,
},
}, },
Labels: labels, Labels: labels,
}, },
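Review bot: The added `// TODO want what??` above TestSupervisorSecretsControllerFilterSecret does not say what is still to be decided, so it should either be resolved before merge or rewritten to name the open question. Two of the renamed cases also no longer match their bodies. "owner reference with incorrect `APIVersion`" leaves `APIVersion` unset rather than setting a wrong value, and "expected owner reference - where `Controller`: false" leaves `Controller` nil instead of pointing at false. Setting those fields explicitly would make the table test what the names claim, and would pin that the UID-only filter accepts a secret regardless of those fields.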