Put a Type on the Secrets that we create for FederationDomain JWKS

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 14:48:49 -08:00 · 2020-12-17 14:48:49 -08:00 · b27e3e1a89
commit b27e3e1a89
parent 780d236d89
3 changed files with 34 additions and 0 deletions
--- a/internal/controller/supervisorconfig/jwks_writer.go
+++ b/internal/controller/supervisorconfig/jwks_writer.go
@ -40,6 +40,8 @@ const (
 	//
 	// Note! The value for this key will contain only public key material!
 	jwksKey = "jwks"
+
+	jwksSecretTypeValue = "secrets.pinniped.dev/federation-domain-jwks"
 )

 const (
@ -251,6 +253,7 @@ func (c *jwksWriterController) generateSecret(federationDomain *configv1alpha1.F
 			activeJWKKey: jwkData,
 			jwksKey:      jwksData,
 		},
+		Type: jwksSecretTypeValue,
 	}

 	return &s, nil
@ -285,6 +288,7 @@ func (c *jwksWriterController) createOrUpdateSecret(
 		}

 		oldSecret.Data = newSecret.Data
+		oldSecret.Type = jwksSecretTypeValue
 		_, err = secretClient.Update(ctx, oldSecret, metav1.UpdateOptions{})
 		return err
 	})
@ -322,6 +326,11 @@ func isFederationDomainControllee(obj metav1.Object) bool {

 // isValid returns whether the provided secret contains a valid active JWK and verification JWKS.
 func isValid(secret *corev1.Secret) bool {
+	if secret.Type != jwksSecretTypeValue {
+		plog.Debug("secret does not have the expected type", "expectedType", jwksSecretTypeValue, "actualType", secret.Type)
+		return false
+	}
+
 	jwkData, ok := secret.Data[activeJWKKey]
 	if !ok {
 		plog.Debug("secret does not contain active jwk")
--- a/internal/controller/supervisorconfig/jwks_writer_test.go
+++ b/internal/controller/supervisorconfig/jwks_writer_test.go
@ -281,6 +281,7 @@ func TestJWKSWriterControllerSync(t *testing.T) {
 					},
 				},
 			},
+			Type: "secrets.pinniped.dev/federation-domain-jwks",
 		}
 		s.Data = make(map[string][]byte)
 		if activeJWKPath != "" {
@ -294,6 +295,9 @@ func TestJWKSWriterControllerSync(t *testing.T) {

 	goodSecret := newSecret("testdata/good-jwk.json", "testdata/good-jwks.json")

+	secretWithWrongType := newSecret("testdata/good-jwk.json", "testdata/good-jwks.json")
+	secretWithWrongType.Type = "not-the-right-type"
+
 	tests := []struct {
 		name                        string
 		key                         controllerlib.Key
@ -407,6 +411,24 @@ func TestJWKSWriterControllerSync(t *testing.T) {
 				kubetesting.NewGetAction(federationDomainGVR, namespace, goodFederationDomain.Name),
 			},
 		},
+		{
+			name: "wrong type in secret",
+			key:  controllerlib.Key{Namespace: goodFederationDomain.Namespace, Name: goodFederationDomain.Name},
+			federationDomains: []*configv1alpha1.FederationDomain{
+				goodFederationDomainWithStatus,
+			},
+			secrets: []*corev1.Secret{
+				secretWithWrongType,
+			},
+			wantGenerateKeyCount: 1,
+			wantSecretActions: []kubetesting.Action{
+				kubetesting.NewGetAction(secretGVR, namespace, goodSecret.Name),
+				kubetesting.NewUpdateAction(secretGVR, namespace, goodSecret),
+			},
+			wantFederationDomainActions: []kubetesting.Action{
+				kubetesting.NewGetAction(federationDomainGVR, namespace, goodFederationDomain.Name),
+			},
+		},
 		{
 			name: "invalid jwk JSON in secret",
 			key:  controllerlib.Key{Namespace: goodFederationDomain.Namespace, Name: goodFederationDomain.Name},
--- a/test/integration/supervisor_secrets_test.go
+++ b/test/integration/supervisor_secrets_test.go
@ -129,6 +129,9 @@ func TestSupervisorSecrets(t *testing.T) {
 func ensureValidJWKS(t *testing.T, secret *corev1.Secret) {
 	t.Helper()

+	// Ensure the secret has the right type.
+	require.Equal(t, "secrets.pinniped.dev/federation-domain-jwks", secret.Type)
+
 	// Ensure the secret has an active key.
 	jwkData, ok := secret.Data["activeJWK"]
 	require.True(t, ok, "secret is missing active jwk")