Put a Type on the Secrets that we create for FederationDomain JWKS

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 14:48:49 -08:00 · 2020-12-17 14:48:49 -08:00 · b27e3e1a89
commit b27e3e1a89
parent 780d236d89
3 changed files with 34 additions and 0 deletions
--- a/internal/controller/supervisorconfig/jwks_writer.go
+++ b/internal/controller/supervisorconfig/jwks_writer.go
@ -40,6 +40,8 @@ const (
 	//
 	// Note! The value for this key will contain only public key material!
 	jwksKey = "jwks"
 	jwksSecretTypeValue = "secrets.pinniped.dev/federation-domain-jwks"
 )
 const (
@ -251,6 +253,7 @@ func (c *jwksWriterController) generateSecret(federationDomain *configv1alpha1.F
 			activeJWKKey: jwkData,
 			jwksKey:      jwksData,
 		},
 		Type: jwksSecretTypeValue,
 	}
 	return &s, nil
@ -285,6 +288,7 @@ func (c *jwksWriterController) createOrUpdateSecret(
 		}
 		oldSecret.Data = newSecret.Data
 		oldSecret.Type = jwksSecretTypeValue
 		_, err = secretClient.Update(ctx, oldSecret, metav1.UpdateOptions{})
 		return err
 	})
@ -322,6 +326,11 @@ func isFederationDomainControllee(obj metav1.Object) bool {
 // isValid returns whether the provided secret contains a valid active JWK and verification JWKS.
 func isValid(secret *corev1.Secret) bool {
 	if secret.Type != jwksSecretTypeValue {
 		plog.Debug("secret does not have the expected type", "expectedType", jwksSecretTypeValue, "actualType", secret.Type)
 		return false
 	}
 	jwkData, ok := secret.Data[activeJWKKey]
 	if !ok {
 		plog.Debug("secret does not contain active jwk")
--- a/internal/controller/supervisorconfig/jwks_writer_test.go
+++ b/internal/controller/supervisorconfig/jwks_writer_test.go
@ -281,6 +281,7 @@ func TestJWKSWriterControllerSync(t *testing.T) {
 					},
 				},
 			},
 			Type: "secrets.pinniped.dev/federation-domain-jwks",
 		}
 		s.Data = make(map[string][]byte)
 		if activeJWKPath != "" {
@ -294,6 +295,9 @@ func TestJWKSWriterControllerSync(t *testing.T) {
 	goodSecret := newSecret("testdata/good-jwk.json", "testdata/good-jwks.json")
 	secretWithWrongType := newSecret("testdata/good-jwk.json", "testdata/good-jwks.json")
 	secretWithWrongType.Type = "not-the-right-type"
 	tests := []struct {
 		name                        string
 		key                         controllerlib.Key
@ -407,6 +411,24 @@ func TestJWKSWriterControllerSync(t *testing.T) {
 				kubetesting.NewGetAction(federationDomainGVR, namespace, goodFederationDomain.Name),
 			},
 		},
 		{
 			name: "wrong type in secret",
 			key:  controllerlib.Key{Namespace: goodFederationDomain.Namespace, Name: goodFederationDomain.Name},
 			federationDomains: []*configv1alpha1.FederationDomain{
 				goodFederationDomainWithStatus,
 			},
 			secrets: []*corev1.Secret{
 				secretWithWrongType,
 			},
 			wantGenerateKeyCount: 1,
 			wantSecretActions: []kubetesting.Action{
 				kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name),
 				kubetesting.NewUpdateAction(secretGVR, namespace, goodSecret),
 			},
 			wantFederationDomainActions: []kubetesting.Action{
 				kubetesting.NewGetAction(federationDomainGVR, namespace, goodFederationDomain.Name),
 			},
 		},
 		{
 			name: "invalid jwk JSON in secret",
 			key:  controllerlib.Key{Namespace: goodFederationDomain.Namespace, Name: goodFederationDomain.Name},
--- a/test/integration/supervisor_secrets_test.go
+++ b/test/integration/supervisor_secrets_test.go
@ -129,6 +129,9 @@ func TestSupervisorSecrets(t *testing.T) {
 func ensureValidJWKS(t *testing.T, secret *corev1.Secret) {
 	t.Helper()
 	// Ensure the secret has the right type.
 	require.Equal(t, "secrets.pinniped.dev/federation-domain-jwks", secret.Type)
 	// Ensure the secret has an active key.
 	jwkData, ok := secret.Data["activeJWK"]
 	require.True(t, ok, "secret is missing active jwk")