93 lines
2.7 KiB
Go
93 lines
2.7 KiB
Go
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package secrets
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
corev1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/labels"
|
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
|
"k8s.io/client-go/kubernetes"
|
|
|
|
pinnipedcontroller "go.pinniped.dev/internal/controller"
|
|
"go.pinniped.dev/internal/controllerlib"
|
|
"go.pinniped.dev/internal/plog"
|
|
)
|
|
|
|
func NewServiceAccountTokenCleanupController(
|
|
namespace string,
|
|
legacySecretName string,
|
|
k8sClient kubernetes.Interface,
|
|
secretInformer corev1informers.SecretInformer,
|
|
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
|
logger plog.Logger,
|
|
) controllerlib.Controller {
|
|
name := "service-account-token-cleanup-controller"
|
|
return controllerlib.New(controllerlib.Config{
|
|
Name: name,
|
|
Syncer: &serviceAccountTokenCleanupController{
|
|
name: name,
|
|
namespace: namespace,
|
|
legacySecretName: legacySecretName,
|
|
k8sClient: k8sClient,
|
|
secretInformer: secretInformer,
|
|
logger: logger.WithName(name),
|
|
},
|
|
},
|
|
withInformer(
|
|
secretInformer,
|
|
pinnipedcontroller.SimpleFilterWithSingletonQueue(func(obj metav1.Object) bool {
|
|
secret, ok := obj.(*corev1.Secret)
|
|
|
|
return obj.GetNamespace() == namespace &&
|
|
obj.GetName() == legacySecretName &&
|
|
ok &&
|
|
secret.Type == corev1.SecretTypeServiceAccountToken
|
|
}),
|
|
controllerlib.InformerOption{},
|
|
))
|
|
}
|
|
|
|
type serviceAccountTokenCleanupController struct {
|
|
name string
|
|
namespace string
|
|
legacySecretName string
|
|
k8sClient kubernetes.Interface
|
|
secretInformer corev1informers.SecretInformer
|
|
logger plog.Logger
|
|
}
|
|
|
|
func (c serviceAccountTokenCleanupController) Sync(syncCtx controllerlib.Context) error {
|
|
secrets, err := c.secretInformer.Lister().Secrets(c.namespace).List(labels.Everything())
|
|
if err != nil {
|
|
return fmt.Errorf("unable to list all secrets in namespace %s: %w", c.namespace, err)
|
|
}
|
|
c.logger.Info(fmt.Sprintf("You have now arrived in the %s controller, found %d secrets", c.name, len(secrets)))
|
|
|
|
foundSecret := false
|
|
for _, secret := range secrets {
|
|
if secret.Name == c.legacySecretName && secret.Type == corev1.SecretTypeServiceAccountToken {
|
|
foundSecret = true
|
|
}
|
|
}
|
|
|
|
c.logger.Info(fmt.Sprintf(
|
|
"The %s controller has found a secret of name %s to delete with type %s",
|
|
c.name,
|
|
c.legacySecretName,
|
|
corev1.SecretTypeServiceAccountToken,
|
|
))
|
|
|
|
if foundSecret {
|
|
err = c.k8sClient.CoreV1().Secrets(c.namespace).Delete(syncCtx.Context, c.legacySecretName, metav1.DeleteOptions{})
|
|
if err != nil {
|
|
return fmt.Errorf("unable to delete secret %s in namespace %s: %w", c.legacySecretName, c.namespace, err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|