From 48944b0d561859ca783d17f88eeaa7603bdda0ca Mon Sep 17 00:00:00 2001
From: mcmarkj
Date: Thu, 22 Jul 2021 07:11:50 +0100
Subject: [PATCH 1/4] Deal with item paths changing

---
 pkg/kubernetessecrets/kubernetes_secrets_builder.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/kubernetessecrets/kubernetes_secrets_builder.go b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
index 0c658f7..05a7c20 100644
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -49,7 +49,7 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 return err
 }
 
- if currentSecret.Annotations[VersionAnnotation] != itemVersion {
+ if currentSecret.Annotations[VersionAnnotation] != itemVersion || currentSecret.Annotations[ItemPathAnnotation] != annotations[ItemPathAnnotation]{
 log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
 currentSecret.ObjectMeta.Annotations = annotations
 currentSecret.Data = secret.Data

From c57aa22a9c43f8447d1cbcbb719072830d30f997 Mon Sep 17 00:00:00 2001
From: mcmarkj
Date: Thu, 22 Jul 2021 08:18:52 +0100
Subject: [PATCH 2/4] Update if in the poller

---
 pkg/onepassword/secret_update_handler.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/onepassword/secret_update_handler.go b/pkg/onepassword/secret_update_handler.go
index cb1f659..121f512 100644
--- a/pkg/onepassword/secret_update_handler.go
+++ b/pkg/onepassword/secret_update_handler.go
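Review bot: The new condition ends with `]{` and no space before the brace, so kubernetes_secrets_builder.go is no longer gofmt-clean; write `... != annotations[ItemPathAnnotation] {`, or give the two comparisons a name first, `needsUpdate := currentSecret.Annotations[VersionAnnotation] != itemVersion || currentSecret.Annotations[ItemPathAnnotation] != annotations[ItemPathAnnotation]`. A secret that predates path tracking has no ItemPathAnnotation, reads "" from the map and is rewritten once on the next reconcile, which is fine but deserves a why-comment on the `if`, e.g. `// Rewrite when the item version or the referenced item path changed (or the annotation is missing).` CreateKubernetesSecretFromItem starts and ends outside the hunk.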
@@ -122,7 +122,9 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 }
 
 itemVersion := fmt.Sprint(item.Version)
- if currentVersion != itemVersion {
+ itemPathString := fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID)
+
+ if currentVersion != itemVersion || secret.Annotations[ItemPathAnnotation] != itemPathString {
 if isItemLockedForForcedRestarts(item) {
 log.Info(fmt.Sprintf("Secret '%v' has been updated in 1Password but is set to be ignored. Updates to an ignored secret will not trigger an update to a kubernetes secret or a rolling restart.", secret.GetName()))
 secret.Annotations[VersionAnnotation] = itemVersion

From ba8d3fa698cadd72b11335a599817bdcbf9835e4 Mon Sep 17 00:00:00 2001
From: mcmarkj
Date: Fri, 23 Jul 2021 13:32:15 +0100
Subject: [PATCH 3/4] Lookup the vaultPath for secrets to check for updates

---
 pkg/onepassword/secret_update_handler.go | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/pkg/onepassword/secret_update_handler.go b/pkg/onepassword/secret_update_handler.go
index 121f512..088b0cb 100644
--- a/pkg/onepassword/secret_update_handler.go
+++ b/pkg/onepassword/secret_update_handler.go
@@ -3,6 +3,7 @@ package onepassword
 import (
 "context"
 "fmt"
+ v1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
 "time"
 
 kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
@@ -116,7 +117,9 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 continue
 }
 
- item, err := GetOnePasswordItemByPath(h.opConnectClient, secret.Annotations[ItemPathAnnotation])
+ OnePasswordItemPath := h.getPathFromOnePasswordItem(secret)
+
+ item, err := GetOnePasswordItemByPath(h.opConnectClient, OnePasswordItemPath)
 if err != nil {
 return nil, fmt.Errorf("Failed to retrieve item: %v", err)
 }
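Review bot: `itemPathString` is built from `item.Vault.ID` and `item.ID`, but it is compared byte-for-byte with `secret.Annotations[ItemPathAnnotation]`, which is whatever the user wrote into the CR or annotation; if that value used vault or item titles instead of UUIDs (the item lookup by path appears to resolve either), the two strings never match and every poll takes the update branch. The later hunk `@@ -128,12 +131,15 @@` in this file then stores the UUID-form path back into the annotation while the builder check in PATCH 1 compares the annotation against the spec path, so I would expect the two reconcilers to alternately rewrite the secret, and with it trigger a rolling restart, on every cycle until the spec is written in UUID form. Comparing a canonical form on both sides (for example the vault and item UUIDs, or the path Connect resolves for the annotation) would make the check stable; at minimum the comparison needs a comment such as `// NOTE: assumes the stored path is in vaults/<vault-uuid>/items/<item-uuid> form.` updateKubernetesSecrets starts and ends outside the hunk.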
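Review bot: The new `v1` import is placed inside the standard-library group between "fmt" and "time", which goimports/gci will move; module imports belong in the second group next to `kubeSecrets`, e.g. `v1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"` directly after the `kubeSecrets` line. The import block continues outside the hunk.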
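Review bot: `OnePasswordItemPath` is a local variable with an exported-style name; Go locals are lowerCamel, so `onePasswordItemPath := h.getPathFromOnePasswordItem(secret)`. The line also changes where the item path comes from (CR spec first, secret annotation only as a fallback) without saying so, which deserves a why-comment above it, e.g. `// Resolve the path from the OnePasswordItem CR when one exists; fall back to the secret's annotation.` The enclosing loop and function start and end outside the hunk.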
@@ -128,12 +131,15 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 if isItemLockedForForcedRestarts(item) {
 log.Info(fmt.Sprintf("Secret '%v' has been updated in 1Password but is set to be ignored. Updates to an ignored secret will not trigger an update to a kubernetes secret or a rolling restart.", secret.GetName()))
 secret.Annotations[VersionAnnotation] = itemVersion
+ secret.Annotations[ItemPathAnnotation] = itemPathString
 h.client.Update(context.Background(), &secret)
 continue
 }
 log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
 secret.Annotations[VersionAnnotation] = itemVersion
+ secret.Annotations[ItemPathAnnotation] = itemPathString
 updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, *item)
+ log.Info(fmt.Sprintf("New secret path: %v and version: %v", updatedSecret.Annotations[ItemPathAnnotation], updatedSecret.Annotations[VersionAnnotation]))
 h.client.Update(context.Background(), updatedSecret)
 if updatedSecrets[secret.Namespace] == nil {
 updatedSecrets[secret.Namespace] = make(map[string]*corev1.Secret)
@@ -178,6 +184,22 @@ func (h *SecretUpdateHandler) getIsSetForAutoRestartByNamespaceMap() (map[string
 return namespacesMap, nil
 }
 
+func (h *SecretUpdateHandler) getPathFromOnePasswordItem(secret corev1.Secret) string {
+ onePasswordItem := &v1.OnePasswordItem{}
+
+ // Search for our original OnePasswordItem if it exists
+ err := h.client.Get(context.TODO(), client.ObjectKey{
+ Namespace: secret.Namespace,
+ Name: secret.Name}, onePasswordItem)
+
+ if err == nil {
+ return onePasswordItem.Spec.ItemPath
+ }
+
+ // If we can't find the OnePassword Item we'll just return the annotation from the secret item.
+ return secret.Annotations[ItemPathAnnotation]
+}
+
 func isSecretSetForAutoRestart(secret *corev1.Secret, deployment *appsv1.Deployment, setForAutoRestartByNamespace map[string]bool) bool {
 restartDeployment := secret.Annotations[RestartDeploymentsAnnotation]
 //If annotation for auto restarts for deployment is not set. Check for the annotation on its namepsace

From 32643651d9a368468acf2c07dbb3fd374644f428 Mon Sep 17 00:00:00 2001
From: mcmarkj
Date: Fri, 23 Jul 2021 15:08:44 +0100
Subject: [PATCH 4/4] Fix tests

---
 pkg/controller/deployment/deployment_controller_test.go | 5 +++--
 pkg/controller/onepassworditem/onepassworditem_test.go | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/pkg/controller/deployment/deployment_controller_test.go b/pkg/controller/deployment/deployment_controller_test.go
index d4b99d2..0d5e427 100644
--- a/pkg/controller/deployment/deployment_controller_test.go
+++ b/pkg/controller/deployment/deployment_controller_test.go
@@ -258,7 +258,7 @@ var tests = []testReconcileItem{
 },
 },
 {
- testName: "Test Do not update if OnePassword Item Version has not changed",
+ testName: "Test Do not update if OnePassword Item Version or VaultPath has not changed",
 deploymentResource: &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
 Kind: deploymentKind,
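Review bot: `getPathFromOnePasswordItem` treats every non-nil error from `h.client.Get` as "no CR exists", so a transient API-server error, an RBAC Forbidden or a stale cache silently switches the source of truth from the CR spec to the secret's annotation and the caller cannot tell the difference. Only a NotFound should fall back; other errors should at least be logged, and `apierrors.IsNotFound` from `k8s.io/apimachinery/pkg/api/errors` is the standard check (it needs an import added to the block above). Two smaller points: `secret corev1.Secret` is passed by value and copies the whole object including `Data`, whereas `isSecretSetForAutoRestart` below takes `*corev1.Secret`, and `context.TODO()` differs from the `context.Background()` the rest of this file uses. A `// getPathFromOnePasswordItem returns the item path declared on the OnePasswordItem CR with the secret's name, or the secret's ItemPathAnnotation when no such CR exists.` doc comment would also help.

```go
func (h *SecretUpdateHandler) getPathFromOnePasswordItem(secret corev1.Secret) string {
	onePasswordItem := &v1.OnePasswordItem{}

	// Search for our original OnePasswordItem if it exists
	err := h.client.Get(context.Background(), client.ObjectKey{
		Namespace: secret.Namespace,
		Name:      secret.Name}, onePasswordItem)
	if err == nil {
		return onePasswordItem.Spec.ItemPath
	}
	if !apierrors.IsNotFound(err) {
		// Anything other than NotFound means the CR could not be consulted; say so instead of silently trusting the annotation.
		log.Info(fmt.Sprintf("Could not look up OnePasswordItem '%v/%v', falling back to the secret annotation: %v", secret.Namespace, secret.Name, err))
	}

	// If we can't find the OnePassword Item we'll just return the annotation from the secret item.
	return secret.Annotations[ItemPathAnnotation]
}
```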
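Review bot: The renamed cases ("... Version or VaultPath has not changed", here and at `@@ -97,7 +97,7 @@` in onepassworditem_test.go) only cover the unchanged path: the fixtures gain `op.ItemPathAnnotation: itemPath` so the existing no-update expectation keeps holding, but no case asserts that a changed item path does trigger an update, which is the behaviour PATCH 1 and PATCH 3 introduce. A sibling case whose secret carries a different path (a placeholder such as `"vaults/<other-vault>/items/<other-item>"`) with the same version, expecting the secret to be rewritten, would pin that down. The `tests` table starts and ends outside the hunk.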
@@ -278,7 +278,8 @@ var tests = []testReconcileItem{
 Name: name,
 Namespace: namespace,
 Annotations: map[string]string{
- op.VersionAnnotation: fmt.Sprint(version),
+ op.VersionAnnotation: fmt.Sprint(version),
+ op.ItemPathAnnotation: itemPath,
 },
 },
 Data: expectedSecretData,
diff --git a/pkg/controller/onepassworditem/onepassworditem_test.go b/pkg/controller/onepassworditem/onepassworditem_test.go
index 2639f18..90100c3 100644
--- a/pkg/controller/onepassworditem/onepassworditem_test.go
+++ b/pkg/controller/onepassworditem/onepassworditem_test.go
@@ -97,7 +97,7 @@ var tests = []testReconcileItem{
 },
 },
 {
- testName: "Test Do not update if OnePassword Version has not changed",
+ testName: "Test Do not update if OnePassword Version or VaultPath has not changed",
 customResource: &onepasswordv1.OnePasswordItem{
 TypeMeta: metav1.TypeMeta{
 Kind: onePasswordItemKind,
@@ -117,6 +117,7 @@ var tests = []testReconcileItem{
 Namespace: namespace,
 Annotations: map[string]string{
 op.VersionAnnotation: fmt.Sprint(version),
+ op.ItemPathAnnotation: itemPath,
 },
 },
 Data: expectedSecretData,