Pull symmetricsecrethelper package up to generator
- rename symmetricsecrethelper.New => generator.NewSymmetricSecretHelper
This commit is contained in:
parent
b1ee434ddf
commit
b799515f84
@ -36,7 +36,6 @@ import (
|
||||
"go.pinniped.dev/internal/config/supervisor"
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig"
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig/generator"
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig/generator/symmetricsecrethelper"
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatcher"
|
||||
"go.pinniped.dev/internal/controller/supervisorstorage"
|
||||
"go.pinniped.dev/internal/controllerlib"
|
||||
@ -165,13 +164,13 @@ func startControllers(
|
||||
).
|
||||
WithController(
|
||||
generator.NewOIDCProviderSecretsController(
|
||||
symmetricsecrethelper.New(
|
||||
generator.NewSymmetricSecretHelper(
|
||||
"pinniped-oidc-provider-hmac-key-",
|
||||
cfg.Labels,
|
||||
rand.Reader,
|
||||
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||
plog.Debug("setting hmac secret", "issuer", parent.Spec.Issuer)
|
||||
secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey])
|
||||
secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
|
||||
},
|
||||
),
|
||||
kubeClient,
|
||||
@ -183,13 +182,13 @@ func startControllers(
|
||||
).
|
||||
WithController(
|
||||
generator.NewOIDCProviderSecretsController(
|
||||
symmetricsecrethelper.New(
|
||||
generator.NewSymmetricSecretHelper(
|
||||
"pinniped-oidc-provider-upstream-state-signature-key-",
|
||||
cfg.Labels,
|
||||
rand.Reader,
|
||||
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||
plog.Debug("setting state signature key", "issuer", parent.Spec.Issuer)
|
||||
secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey])
|
||||
secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
|
||||
},
|
||||
),
|
||||
kubeClient,
|
||||
@ -201,13 +200,13 @@ func startControllers(
|
||||
).
|
||||
WithController(
|
||||
generator.NewOIDCProviderSecretsController(
|
||||
symmetricsecrethelper.New(
|
||||
generator.NewSymmetricSecretHelper(
|
||||
"pinniped-oidc-provider-upstream-state-encryption-key-",
|
||||
cfg.Labels,
|
||||
rand.Reader,
|
||||
func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||
plog.Debug("setting state encryption key", "issuer", parent.Spec.Issuer)
|
||||
secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[symmetricsecrethelper.SymmetricSecretDataKey])
|
||||
secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
|
||||
},
|
||||
),
|
||||
kubeClient,
|
||||
|
@ -15,11 +15,6 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
symmetricKeySecretType = "secrets.pinniped.dev/symmetric"
|
||||
symmetricKeySecretDataKey = "key"
|
||||
|
||||
symmetricKeySize = 32
|
||||
|
||||
opKind = "OIDCProvider"
|
||||
)
|
||||
|
||||
@ -32,11 +27,11 @@ func generateSymmetricKey() ([]byte, error) {
|
||||
}
|
||||
|
||||
func isValid(secret *corev1.Secret) bool {
|
||||
if secret.Type != symmetricKeySecretType {
|
||||
if secret.Type != SymmetricSecretType {
|
||||
return false
|
||||
}
|
||||
|
||||
data, ok := secret.Data[symmetricKeySecretDataKey]
|
||||
data, ok := secret.Data[SymmetricSecretDataKey]
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
@ -54,7 +49,7 @@ func secretDataFunc() (map[string][]byte, error) {
|
||||
}
|
||||
|
||||
return map[string][]byte{
|
||||
symmetricKeySecretDataKey: symmetricKey,
|
||||
SymmetricSecretDataKey: symmetricKey,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@ -78,7 +73,7 @@ func generateSecret(namespace, name string, labels map[string]string, secretData
|
||||
},
|
||||
Labels: labels,
|
||||
},
|
||||
Type: symmetricKeySecretType,
|
||||
Type: SymmetricSecretType,
|
||||
Data: secretData,
|
||||
}, nil
|
||||
}
|
||||
|
@ -22,17 +22,6 @@ import (
|
||||
"go.pinniped.dev/internal/plog"
|
||||
)
|
||||
|
||||
// SecretHelper describes an object that can Generate() a Secret and determine whether a Secret
|
||||
// IsValid(). It can also be Notify()'d about a Secret being persisted.
|
||||
//
|
||||
// A SecretHelper has a Name() that can be used to identify it from other SecretHelper instances.
|
||||
type SecretHelper interface {
|
||||
Name() string
|
||||
Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error)
|
||||
IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool
|
||||
Notify(*configv1alpha1.OIDCProvider, *corev1.Secret)
|
||||
}
|
||||
|
||||
type oidcProviderSecretsController struct {
|
||||
secretHelper SecretHelper
|
||||
kubeClient kubernetes.Interface
|
||||
|
@ -1,9 +1,7 @@
|
||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
// Package symmetricsecrethelper provides a type that can generate and validate symmetric keys as
|
||||
// Secret's.
|
||||
package symmetricsecrethelper
|
||||
package generator
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
@ -14,9 +12,19 @@ import (
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
|
||||
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
|
||||
"go.pinniped.dev/internal/controller/supervisorconfig/generator"
|
||||
)
|
||||
|
||||
// SecretHelper describes an object that can Generate() a Secret and determine whether a Secret
|
||||
// IsValid(). It can also be Notify()'d about a Secret being persisted.
|
||||
//
|
||||
// A SecretHelper has a Name() that can be used to identify it from other SecretHelper instances.
|
||||
type SecretHelper interface {
|
||||
Name() string
|
||||
Generate(*configv1alpha1.OIDCProvider) (*corev1.Secret, error)
|
||||
IsValid(*configv1alpha1.OIDCProvider, *corev1.Secret) bool
|
||||
Notify(*configv1alpha1.OIDCProvider, *corev1.Secret)
|
||||
}
|
||||
|
||||
const (
|
||||
// SymmetricSecretType is corev1.Secret.Type of all corev1.Secret's generated by this helper.
|
||||
SymmetricSecretType = "secrets.pinniped.dev/symmetric"
|
||||
@ -29,24 +37,15 @@ const (
|
||||
symmetricKeySize = 32
|
||||
)
|
||||
|
||||
type secretHelper struct {
|
||||
namePrefix string
|
||||
labels map[string]string
|
||||
rand io.Reader
|
||||
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
|
||||
}
|
||||
|
||||
var _ generator.SecretHelper = &secretHelper{}
|
||||
|
||||
// New returns a SecretHelper that has been parameterized with common symmetric secret generation
|
||||
// knobs.
|
||||
func New(
|
||||
func NewSymmetricSecretHelper(
|
||||
namePrefix string,
|
||||
labels map[string]string,
|
||||
rand io.Reader,
|
||||
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret),
|
||||
) generator.SecretHelper {
|
||||
return &secretHelper{
|
||||
) SecretHelper {
|
||||
return &symmetricSecretHelper{
|
||||
namePrefix: namePrefix,
|
||||
labels: labels,
|
||||
rand: rand,
|
||||
@ -54,10 +53,17 @@ func New(
|
||||
}
|
||||
}
|
||||
|
||||
func (s *secretHelper) Name() string { return s.namePrefix }
|
||||
type symmetricSecretHelper struct {
|
||||
namePrefix string
|
||||
labels map[string]string
|
||||
rand io.Reader
|
||||
notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
|
||||
}
|
||||
|
||||
func (s *symmetricSecretHelper) Name() string { return s.namePrefix }
|
||||
|
||||
// Generate implements SecretHelper.Generate().
|
||||
func (s *secretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Secret, error) {
|
||||
func (s *symmetricSecretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Secret, error) {
|
||||
key := make([]byte, symmetricKeySize)
|
||||
if _, err := s.rand.Read(key); err != nil {
|
||||
return nil, err
|
||||
@ -84,7 +90,7 @@ func (s *secretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*corev1.Se
|
||||
}
|
||||
|
||||
// IsValid implements SecretHelper.IsValid().
|
||||
func (s *secretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool {
|
||||
func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool {
|
||||
if !metav1.IsControlledBy(child, parent) {
|
||||
return false
|
||||
}
|
||||
@ -105,6 +111,6 @@ func (s *secretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev
|
||||
}
|
||||
|
||||
// Notify implements SecretHelper.Notify().
|
||||
func (s *secretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||
func (s *symmetricSecretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||
s.notifyFunc(parent, child)
|
||||
}
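Review bot: In the Generate hunk (`func (s *symmetricSecretHelper) Generate`), the key fill `if _, err := s.rand.Read(key); err != nil {` tolerates a short read — an io.Reader may return n < len(key) with a nil error, which would leave trailing zero bytes in the 32-byte key without any error being reported. Because `rand` is an injectable io.Reader (the tests pass a strings.NewReader), use `if _, err := io.ReadFull(s.rand, key); err != nil {` so a short source surfaces as io.ErrUnexpectedEOF instead of silently yielding a low-entropy key; Generate's body continues past the hunk. Separately, the move drops the compile-time assertion `var _ generator.SecretHelper = &secretHelper{}` without re-adding it as `var _ SecretHelper = &symmetricSecretHelper{}`; the constructor's return type still enforces the interface today, so this is optional, but it keeps the guarantee if the constructor is later changed. Since this file now shares the package with generateSymmetricKey() from the other hunk, it may be worth confirming both generators draw from the same source and size, though that function's body is outside this view.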
|
@ -1,7 +1,7 @@
|
||||
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package symmetricsecrethelper
|
||||
package generator
|
||||
|
||||
import (
|
||||
"strings"
|
||||
@ -17,7 +17,7 @@ import (
|
||||
|
||||
const keyWith32Bytes = "0123456789abcdef0123456789abcdef"
|
||||
|
||||
func TestHelper(t *testing.T) {
|
||||
func TestSymmetricSecretHHelper(t *testing.T) {
|
||||
labels := map[string]string{
|
||||
"some-label-key-1": "some-label-value-1",
|
||||
"some-label-key-2": "some-label-value-2",
|
||||
@ -25,7 +25,7 @@ func TestHelper(t *testing.T) {
|
||||
randSource := strings.NewReader(keyWith32Bytes)
|
||||
var notifyParent *configv1alpha1.OIDCProvider
|
||||
var notifyChild *corev1.Secret
|
||||
h := New("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||
h := NewSymmetricSecretHelper("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
|
||||
require.True(t, notifyParent == nil && notifyChild == nil, "expected notify func not to have been called yet")
|
||||
notifyParent = parent
|
||||
notifyChild = child
|
||||
@ -65,7 +65,7 @@ func TestHelper(t *testing.T) {
|
||||
require.Equal(t, child, notifyChild)
|
||||
}
|
||||
|
||||
func TestHelperIsValid(t *testing.T) {
|
||||
func TestSymmetricSecretHHelperIsValid(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
child func(*corev1.Secret)
|
||||
@ -115,7 +115,7 @@ func TestHelperIsValid(t *testing.T) {
|
||||
for _, test := range tests {
|
||||
test := test
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
h := New("none of these args matter", nil, nil, nil)
|
||||
h := NewSymmetricSecretHelper("none of these args matter", nil, nil, nil)
|
||||
|
||||
parent := &configv1alpha1.OIDCProvider{
|
||||
ObjectMeta: metav1.ObjectMeta{
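Review bot: The renamed test functions carry a doubled letter: `TestSymmetricSecretHHelper` and `TestSymmetricSecretHHelperIsValid`, which appears to be a typo for `TestSymmetricSecretHelper` and `TestSymmetricSecretHelperIsValid`. The names still compile and run, but they will not match the type name `symmetricSecretHelper` when someone filters with `go test -run SymmetricSecretHelper`, so fixing them now avoids a confusing mismatch later.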
|
@ -78,7 +78,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
|
||||
secretNeedsUpdate := isNotFound || !isValid(secret)
|
||||
if !secretNeedsUpdate {
|
||||
plog.Debug("secret is up to date", "secret", klog.KObj(secret))
|
||||
c.setCacheFunc(secret.Data[symmetricKeySecretDataKey])
|
||||
c.setCacheFunc(secret.Data[SymmetricSecretDataKey])
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -96,7 +96,7 @@ func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error {
|
||||
return fmt.Errorf("failed to create/update secret %s/%s: %w", newSecret.Namespace, newSecret.Name, err)
|
||||
}
|
||||
|
||||
c.setCacheFunc(newSecret.Data[symmetricKeySecretDataKey])
|
||||
c.setCacheFunc(newSecret.Data[SymmetricSecretDataKey])
|
||||
|
||||
return nil
|
||||
}
|
||||
|