SecretHelper depends less on OIDCProvider

This should allow the helper to be more generic so that it can be used with the SupervisorSecretsController
2020-12-14 19:35:45 -08:00 · 2020-12-14 19:35:45 -08:00 · e03e344dcd
commit e03e344dcd
parent bf86bc3383
3 changed files with 39 additions and 34 deletions
--- a/cmd/pinniped-supervisor/main.go
+++ b/cmd/pinniped-supervisor/main.go
@ -18,7 +18,6 @@ import (
 	"go.pinniped.dev/internal/secret"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/clock"
 	kubeinformers "k8s.io/client-go/informers"
@ -30,7 +29,6 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/klogr"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
 	pinnipedclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions"
 	"go.pinniped.dev/internal/config/supervisor"
@ -168,9 +166,9 @@ func startControllers(
 					"pinniped-oidc-provider-hmac-key-",
 					cfg.Labels,
 					rand.Reader,
-					func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
+					func(oidcProviderIssuer string, symmetricKey []byte) {
-						plog.Debug("setting hmac secret", "issuer", parent.Spec.Issuer)
+						plog.Debug("setting hmac secret", "issuer", oidcProviderIssuer)
-						secretCache.SetTokenHMACKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
+						secretCache.SetTokenHMACKey(oidcProviderIssuer, symmetricKey)
 					},
 				),
 				kubeClient,
@ -186,9 +184,9 @@ func startControllers(
 					"pinniped-oidc-provider-upstream-state-signature-key-",
 					cfg.Labels,
 					rand.Reader,
-					func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
+					func(oidcProviderIssuer string, symmetricKey []byte) {
-						plog.Debug("setting state signature key", "issuer", parent.Spec.Issuer)
+						plog.Debug("setting state signature key", "issuer", oidcProviderIssuer)
-						secretCache.SetStateEncoderHashKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
+						secretCache.SetStateEncoderHashKey(oidcProviderIssuer, symmetricKey)
 					},
 				),
 				kubeClient,
@ -204,9 +202,9 @@ func startControllers(
 					"pinniped-oidc-provider-upstream-state-encryption-key-",
 					cfg.Labels,
 					rand.Reader,
-					func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
+					func(oidcProviderIssuer string, symmetricKey []byte) {
-						plog.Debug("setting state encryption key", "issuer", parent.Spec.Issuer)
+						plog.Debug("setting state encryption key", "issuer", oidcProviderIssuer)
-						secretCache.SetStateEncoderBlockKey(parent.Spec.Issuer, child.Data[generator.SymmetricSecretDataKey])
+						secretCache.SetStateEncoderBlockKey(oidcProviderIssuer, symmetricKey)
 					},
 				),
 				kubeClient,
--- a/internal/controller/supervisorconfig/generator/secret_helper.go
+++ b/internal/controller/supervisorconfig/generator/secret_helper.go
@ -43,21 +43,21 @@ func NewSymmetricSecretHelper(
 	namePrefix string,
 	labels map[string]string,
 	rand io.Reader,
-	notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret),
+	updateCacheFunc func(cacheKey string, cacheValue []byte),
 ) SecretHelper {
 	return &symmetricSecretHelper{
-		namePrefix: namePrefix,
+		namePrefix:      namePrefix,
-		labels:     labels,
+		labels:          labels,
-		rand:       rand,
+		rand:            rand,
-		notifyFunc: notifyFunc,
+		updateCacheFunc: updateCacheFunc,
 	}
 }
 type symmetricSecretHelper struct {
-	namePrefix string
+	namePrefix      string
-	labels     map[string]string
+	labels          map[string]string
-	rand       io.Reader
+	rand            io.Reader
-	notifyFunc func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret)
+	updateCacheFunc func(cacheKey string, cacheValue []byte)
 }
 func (s *symmetricSecretHelper) NamePrefix() string { return s.namePrefix }
@ -90,16 +90,16 @@ func (s *symmetricSecretHelper) Generate(parent *configv1alpha1.OIDCProvider) (*
 }
 // IsValid implements SecretHelper.IsValid().
-func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) bool {
+func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, secret *corev1.Secret) bool {
-	if !metav1.IsControlledBy(child, parent) {
+	if !metav1.IsControlledBy(secret, parent) {
 		return false
 	}
-	if child.Type != SymmetricSecretType {
+	if secret.Type != SymmetricSecretType {
 		return false
 	}
-	key, ok := child.Data[SymmetricSecretDataKey]
+	key, ok := secret.Data[SymmetricSecretDataKey]
 	if !ok {
 		return false
 	}
@ -111,6 +111,11 @@ func (s *symmetricSecretHelper) IsValid(parent *configv1alpha1.OIDCProvider, chi
 }
 // Notify implements SecretHelper.Notify().
-func (s *symmetricSecretHelper) Notify(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
+func (s *symmetricSecretHelper) Notify(op *configv1alpha1.OIDCProvider, secret *corev1.Secret) {
-	s.notifyFunc(parent, child)
+	var cacheKey string
 	if op != nil {
 		cacheKey = op.Spec.Issuer
 	}
 	s.updateCacheFunc(cacheKey, secret.Data[SymmetricSecretDataKey])
 }
--- a/internal/controller/supervisorconfig/generator/secret_helper_test.go
+++ b/internal/controller/supervisorconfig/generator/secret_helper_test.go
@ -23,12 +23,14 @@ func TestSymmetricSecretHHelper(t *testing.T) {
 		"some-label-key-2": "some-label-value-2",
 	}
 	randSource := strings.NewReader(keyWith32Bytes)
-	var notifyParent *configv1alpha1.OIDCProvider
+	// var notifyParent *configv1alpha1.OIDCProvider
-	var notifyChild *corev1.Secret
+	// var notifyChild *corev1.Secret
-	h := NewSymmetricSecretHelper("some-name-prefix-", labels, randSource, func(parent *configv1alpha1.OIDCProvider, child *corev1.Secret) {
+	var oidcProviderIssuerValue string
-		require.True(t, notifyParent == nil && notifyChild == nil, "expected notify func not to have been called yet")
+	var symmetricKeyValue []byte
-		notifyParent = parent
+	h := NewSymmetricSecretHelper("some-name-prefix-", labels, randSource, func(oidcProviderIssuer string, symmetricKey []byte) {
-		notifyChild = child
+		require.True(t, oidcProviderIssuer == "" && symmetricKeyValue == nil, "expected notify func not to have been called yet")
 		oidcProviderIssuerValue = oidcProviderIssuer
 		symmetricKeyValue = symmetricKey
 	})
 	parent := &configv1alpha1.OIDCProvider{
@ -61,8 +63,8 @@ func TestSymmetricSecretHHelper(t *testing.T) {
 	require.True(t, h.IsValid(parent, child))
 	h.Notify(parent, child)
-	require.Equal(t, parent, notifyParent)
+	require.Equal(t, parent.Spec.Issuer, oidcProviderIssuerValue)
-	require.Equal(t, child, notifyChild)
+	require.Equal(t, child.Data[SymmetricSecretDataKey], symmetricKeyValue)
 }
 func TestSymmetricSecretHHelperIsValid(t *testing.T) {