mirror of
https://github.com/1Password/onepassword-operator.git
synced 2025-10-22 07:28:06 +00:00
feat: Allow configuration of the Kubernetes Secret type to be created
This commit is contained in:
Andres Montalban
@@ -39,4 +39,7 @@ spec:
|
|||||||
status:
|
status:
|
||||||
description: OnePasswordItemStatus defines the observed state of OnePasswordItem
|
description: OnePasswordItemStatus defines the observed state of OnePasswordItem
|
||||||
type: object
|
type: object
|
||||||
|
type:
|
||||||
|
description: 'Kubernetes secret type. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types'
|
||||||
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
|||||||
@@ -26,6 +26,7 @@ type OnePasswordItemStatus struct {
|
|||||||
type OnePasswordItem struct {
|
type OnePasswordItem struct {
|
||||||
metav1.TypeMeta `json:",inline"`
|
metav1.TypeMeta `json:",inline"`
|
||||||
metav1.ObjectMeta `json:"metadata,omitempty"`
|
metav1.ObjectMeta `json:"metadata,omitempty"`
|
||||||
|
Type string `json:"type,omitempty"`
|
||||||
|
|
||||||
Spec OnePasswordItemSpec `json:"spec,omitempty"`
|
Spec OnePasswordItemSpec `json:"spec,omitempty"`
|
||||||
Status OnePasswordItemStatus `json:"status,omitempty"`
|
Status OnePasswordItemStatus `json:"status,omitempty"`
|
||||||
|
|||||||
@@ -192,6 +192,8 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
|
|||||||
|
|
||||||
secretName := annotations[op.NameAnnotation]
|
secretName := annotations[op.NameAnnotation]
|
||||||
secretLabels := map[string]string(nil)
|
secretLabels := map[string]string(nil)
|
||||||
|
secretType := ""
|
||||||
|
|
||||||
if len(secretName) == 0 {
|
if len(secretName) == 0 {
|
||||||
reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
|
reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
|
||||||
return nil
|
return nil
|
||||||
@@ -202,5 +204,5 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
|
|||||||
return fmt.Errorf("Failed to retrieve item: %v", err)
|
return fmt.Errorf("Failed to retrieve item: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, annotations)
|
return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, secretType, annotations)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3,6 +3,7 @@ package onepassworditem
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
|
onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
|
||||||
kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
|
kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
|
||||||
"github.com/1Password/onepassword-operator/pkg/onepassword"
|
"github.com/1Password/onepassword-operator/pkg/onepassword"
|
||||||
@@ -145,6 +146,7 @@ func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1
|
|||||||
secretName := resource.GetName()
|
secretName := resource.GetName()
|
||||||
labels := resource.Labels
|
labels := resource.Labels
|
||||||
annotations := resource.Annotations
|
annotations := resource.Annotations
|
||||||
|
secretType := resource.Type
|
||||||
autoRestart := annotations[op.RestartDeploymentsAnnotation]
|
autoRestart := annotations[op.RestartDeploymentsAnnotation]
|
||||||
|
|
||||||
item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
|
item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
|
||||||
@@ -152,5 +154,5 @@ func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1
|
|||||||
return fmt.Errorf("Failed to retrieve item: %v", err)
|
return fmt.Errorf("Failed to retrieve item: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart, labels, annotations)
|
return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart, labels, secretType, annotations)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -7,13 +7,14 @@ import (
|
|||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"reflect"
|
||||||
|
|
||||||
"github.com/1Password/connect-sdk-go/onepassword"
|
"github.com/1Password/connect-sdk-go/onepassword"
|
||||||
"github.com/1Password/onepassword-operator/pkg/utils"
|
"github.com/1Password/onepassword-operator/pkg/utils"
|
||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
"reflect"
|
|
||||||
kubeValidate "k8s.io/apimachinery/pkg/util/validation"
|
kubeValidate "k8s.io/apimachinery/pkg/util/validation"
|
||||||
|
|
||||||
kubernetesClient "sigs.k8s.io/controller-runtime/pkg/client"
|
kubernetesClient "sigs.k8s.io/controller-runtime/pkg/client"
|
||||||
@@ -29,7 +30,7 @@ const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"
|
|||||||
|
|
||||||
var log = logf.Log
|
var log = logf.Log
|
||||||
|
|
||||||
func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string, labels map[string]string, secretAnnotations map[string]string) error {
|
func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string, labels map[string]string, secretType string, secretAnnotations map[string]string) error {
|
||||||
|
|
||||||
itemVersion := fmt.Sprint(item.Version)
|
itemVersion := fmt.Sprint(item.Version)
|
||||||
|
|
||||||
@@ -49,7 +50,7 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
|
|||||||
}
|
}
|
||||||
secretAnnotations[RestartDeploymentsAnnotation] = autoRestart
|
secretAnnotations[RestartDeploymentsAnnotation] = autoRestart
|
||||||
}
|
}
|
||||||
secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, *item)
|
secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, secretType, *item)
|
||||||
|
|
||||||
currentSecret := &corev1.Secret{}
|
currentSecret := &corev1.Secret{}
|
||||||
err := kubeClient.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret)
|
err := kubeClient.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret)
|
||||||
@@ -60,11 +61,12 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if ! reflect.DeepEqual(currentSecret.Annotations, secretAnnotations) || ! reflect.DeepEqual(currentSecret.Labels, labels) {
|
if !reflect.DeepEqual(currentSecret.Annotations, secretAnnotations) || !reflect.DeepEqual(currentSecret.Labels, labels) || !reflect.DeepEqual(string(currentSecret.Type), secretType) {
|
||||||
log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
|
log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
|
||||||
currentSecret.ObjectMeta.Annotations = secretAnnotations
|
currentSecret.ObjectMeta.Annotations = secretAnnotations
|
||||||
currentSecret.ObjectMeta.Labels = labels
|
currentSecret.ObjectMeta.Labels = labels
|
||||||
currentSecret.Data = secret.Data
|
currentSecret.Data = secret.Data
|
||||||
|
currentSecret.Type = KubernetesSecretTypes[secretType]
|
||||||
return kubeClient.Update(context.Background(), currentSecret)
|
return kubeClient.Update(context.Background(), currentSecret)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -72,7 +74,7 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, item onepassword.Item) *corev1.Secret {
|
func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, secretType string, item onepassword.Item) *corev1.Secret {
|
||||||
return &corev1.Secret{
|
return &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: formatSecretName(name),
|
Name: formatSecretName(name),
|
||||||
@@ -81,6 +83,7 @@ func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotation
|
|||||||
Labels: labels,
|
Labels: labels,
|
||||||
},
|
},
|
||||||
Data: BuildKubernetesSecretData(item.Fields),
|
Data: BuildKubernetesSecretData(item.Fields),
|
||||||
|
Type: KubernetesSecretTypes[secretType],
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -35,7 +35,9 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
|
|||||||
secretAnnotations := map[string]string{
|
secretAnnotations := map[string]string{
|
||||||
"testAnnotation": "exists",
|
"testAnnotation": "exists",
|
||||||
}
|
}
|
||||||
err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
|
secretType := ""
|
||||||
|
|
||||||
|
err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Unexpected error: %v", err)
|
t.Errorf("Unexpected error: %v", err)
|
||||||
}
|
}
|
||||||
@@ -66,7 +68,10 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
|
|||||||
kubeClient := fake.NewFakeClient()
|
kubeClient := fake.NewFakeClient()
|
||||||
secretLabels := map[string]string{}
|
secretLabels := map[string]string{}
|
||||||
secretAnnotations := map[string]string{}
|
secretAnnotations := map[string]string{}
|
||||||
err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
|
secretType := ""
|
||||||
|
|
||||||
|
err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Unexpected error: %v", err)
|
t.Errorf("Unexpected error: %v", err)
|
||||||
}
|
}
|
||||||
@@ -77,7 +82,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
|
|||||||
newItem.Version = 456
|
newItem.Version = 456
|
||||||
newItem.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
|
newItem.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
|
||||||
newItem.ID = "h46bb3jddvay7nxopfhvlwg35q"
|
newItem.ID = "h46bb3jddvay7nxopfhvlwg35q"
|
||||||
err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretAnnotations)
|
err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Unexpected error: %v", err)
|
t.Errorf("Unexpected error: %v", err)
|
||||||
}
|
}
|
||||||
@@ -111,8 +116,9 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
|
|||||||
item := onepassword.Item{}
|
item := onepassword.Item{}
|
||||||
item.Fields = generateFields(5)
|
item.Fields = generateFields(5)
|
||||||
labels := map[string]string{}
|
labels := map[string]string{}
|
||||||
|
secretType := ""
|
||||||
|
|
||||||
kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, item)
|
kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, secretType, item)
|
||||||
if kubeSecret.Name != strings.ToLower(name) {
|
if kubeSecret.Name != strings.ToLower(name) {
|
||||||
t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
|
t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
|
||||||
}
|
}
|
||||||
@@ -134,6 +140,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
|
|||||||
}
|
}
|
||||||
labels := map[string]string{}
|
labels := map[string]string{}
|
||||||
item := onepassword.Item{}
|
item := onepassword.Item{}
|
||||||
|
secretType := ""
|
||||||
|
|
||||||
item.Fields = []*onepassword.ItemField{
|
item.Fields = []*onepassword.ItemField{
|
||||||
{
|
{
|
||||||
@@ -146,7 +153,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, item)
|
kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, secretType, item)
|
||||||
|
|
||||||
// Assert Secret's meta.name was fixed
|
// Assert Secret's meta.name was fixed
|
||||||
if kubeSecret.Name != expectedName {
|
if kubeSecret.Name != expectedName {
|
||||||
@@ -164,6 +171,39 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestCreateKubernetesTLSSecretFromOnePasswordItem(t *testing.T) {
|
||||||
|
secretName := "tls-test-secret-name"
|
||||||
|
namespace := "test"
|
||||||
|
|
||||||
|
item := onepassword.Item{}
|
||||||
|
item.Fields = generateFields(5)
|
||||||
|
item.Version = 123
|
||||||
|
item.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
|
||||||
|
item.ID = "h46bb3jddvay7nxopfhvlwg35q"
|
||||||
|
|
||||||
|
kubeClient := fake.NewFakeClient()
|
||||||
|
secretLabels := map[string]string{}
|
||||||
|
secretAnnotations := map[string]string{
|
||||||
|
"testAnnotation": "exists",
|
||||||
|
}
|
||||||
|
secretType := "kubernetes.io/tls"
|
||||||
|
|
||||||
|
err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Unexpected error: %v", err)
|
||||||
|
}
|
||||||
|
createdSecret := &corev1.Secret{}
|
||||||
|
err = kubeClient.Get(context.Background(), types.NamespacedName{Name: secretName, Namespace: namespace}, createdSecret)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("Secret was not created: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if createdSecret.Type != corev1.SecretTypeTLS {
|
||||||
|
t.Errorf("Expected secretType to be of tyype corev1.SecretTypeTLS, got %s", string(createdSecret.Type))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
|
func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
|
||||||
actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
|
actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
17
pkg/kubernetessecrets/kubernetes_secrets_types.go
Normal file
17
pkg/kubernetessecrets/kubernetes_secrets_types.go
Normal file
@@ -0,0 +1,17 @@
|
|||||||
|
package kubernetessecrets
|
||||||
|
|
||||||
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Default to Opaque as this is Kubernetes' default
|
||||||
|
var KubernetesSecretTypes = map[string]corev1.SecretType{
|
||||||
|
"Opaque": corev1.SecretTypeOpaque,
|
||||||
|
"kubernetes.io/basic-auth": corev1.SecretTypeBasicAuth,
|
||||||
|
"kubernetes.io/service-account-token": corev1.SecretTypeServiceAccountToken,
|
||||||
|
"kubernetes.io/dockercfg": corev1.SecretTypeDockercfg,
|
||||||
|
"kubernetes.io/dockerconfigjson": corev1.SecretTypeDockerConfigJson,
|
||||||
|
"kubernetes.io/ssh-auth": corev1.SecretTypeSSHAuth,
|
||||||
|
"kubernetes.io/tls": corev1.SecretTypeTLS,
|
||||||
|
"bootstrap.kubernetes.io/token": corev1.SecretTypeBootstrapToken,
|
||||||
|
}
|
||||||
@@ -131,7 +131,7 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
|
|||||||
}
|
}
|
||||||
log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
|
log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
|
||||||
secret.Annotations[VersionAnnotation] = itemVersion
|
secret.Annotations[VersionAnnotation] = itemVersion
|
||||||
updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, secret.Labels, *item)
|
updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, secret.Labels, string(secret.Type), *item)
|
||||||
h.client.Update(context.Background(), updatedSecret)
|
h.client.Update(context.Background(), updatedSecret)
|
||||||
if updatedSecrets[secret.Namespace] == nil {
|
if updatedSecrets[secret.Namespace] == nil {
|
||||||
updatedSecrets[secret.Namespace] = make(map[string]*corev1.Secret)
|
updatedSecrets[secret.Namespace] = make(map[string]*corev1.Secret)
|
||||||
|
|||||||
Reference in New Issue
Block a user