Initial 1Password Operator commit

pkg/controller/add_deployment.go

@@ -0,0 +1,10 @@
+package controller
+
+import (
+	"github.com/1Password/onepassword-operator/pkg/controller/deployment"
+)
+
+func init() {
+	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
+	AddToManagerFuncs = append(AddToManagerFuncs, deployment.Add)
+}

pkg/controller/add_onepassworditem.go

@@ -0,0 +1,10 @@
+package controller
+
+import (
+	"github.com/1Password/onepassword-operator/pkg/controller/onepassworditem"
+)
+
+func init() {
+	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
+	AddToManagerFuncs = append(AddToManagerFuncs, onepassworditem.Add)
+}

pkg/controller/controller.go

@@ -0,0 +1,19 @@
+package controller
+
+import (
+	"github.com/1Password/connect-sdk-go/connect"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+)
+
+// AddToManagerFuncs is a list of functions to add all Controllers to the Manager
+var AddToManagerFuncs []func(manager.Manager, connect.Client) error
+
+// AddToManager adds all Controllers to the Manager
+func AddToManager(m manager.Manager, opConnectClient connect.Client) error {
+	for _, f := range AddToManagerFuncs {
+		if err := f(m, opConnectClient); err != nil {
+			return err
+		}
+	}
+	return nil
+}

pkg/controller/deployment/deployment_controller.go

@@ -0,0 +1,205 @@
+package deployment
+
+import (
+	"context"
+	"fmt"
+
+	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
+	op "github.com/1Password/onepassword-operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/pkg/utils"
+
+	"regexp"
+
+	"github.com/1Password/connect-sdk-go/connect"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+var log = logf.Log.WithName("controller_deployment")
+var finalizer = "onepassword.com/finalizer.secret"
+
+const annotationRegExpString = "^onepasswordoperator\\/[a-zA-Z\\.]+"
+
+func Add(mgr manager.Manager, opConnectClient connect.Client) error {
+	return add(mgr, newReconciler(mgr, opConnectClient))
+}
+
+func newReconciler(mgr manager.Manager, opConnectClient connect.Client) *ReconcileDeployment {
+	r, _ := regexp.Compile(annotationRegExpString)
+	return &ReconcileDeployment{
+		opAnnotationRegExp: r,
+		kubeClient:         mgr.GetClient(),
+		scheme:             mgr.GetScheme(),
+		opConnectClient:    opConnectClient,
+	}
+}
+
+func add(mgr manager.Manager, r reconcile.Reconciler) error {
+	c, err := controller.New("deployment-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to primary resource Deployment
+	err = c.Watch(&source.Kind{Type: &appsv1.Deployment{}}, &handler.EnqueueRequestForObject{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+var _ reconcile.Reconciler = &ReconcileDeployment{}
+
+type ReconcileDeployment struct {
+	opAnnotationRegExp *regexp.Regexp
+	kubeClient         client.Client
+	scheme             *runtime.Scheme
+	opConnectClient    connect.Client
+}
+
+func (r *ReconcileDeployment) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&appsv1.Deployment{}).
+		Complete(r)
+}
+
+func (r *ReconcileDeployment) test() {
+	return
+}
+
+// Reconcile reads that state of the cluster for a Deployment object and makes changes based on the state read
+// and what is in the Deployment.Spec
+// Note:
+// The Controller will requeue the Request to be processed again if the returned error is non-nil or
+// Result.Requeue is true, otherwise upon completion it will remove the work from the queue.
+func (r *ReconcileDeployment) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	ctx := context.Background()
+	reqLogger := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
+	reqLogger.Info("Reconciling Deployment")
+
+	deployment := &appsv1.Deployment{}
+	err := r.kubeClient.Get(ctx, request.NamespacedName, deployment)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return reconcile.Result{}, nil
+		}
+		return reconcile.Result{}, err
+	}
+
+	annotations, annotationsFound := op.GetAnnotationsForDeployment(deployment, r.opAnnotationRegExp)
+	if !annotationsFound {
+		reqLogger.Info("No One Password Annotations found")
+		return reconcile.Result{}, nil
+	}
+
+	//If the deployment is not being deleted
+	if deployment.ObjectMeta.DeletionTimestamp.IsZero() {
+		// Adds a finalizer to the deployment if one does not exist.
+		// This is so we can handle cleanup of associated secrets properly
+		if !utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {
+			deployment.ObjectMeta.Finalizers = append(deployment.ObjectMeta.Finalizers, finalizer)
+			if err := r.kubeClient.Update(context.Background(), deployment); err != nil {
+				return reconcile.Result{}, err
+			}
+		}
+		// Handles creation or updating secrets for deployment if needed
+		if err := r.HandleApplyingDeployment(deployment.Namespace, annotations, request); err != nil {
+			return reconcile.Result{}, err
+		}
+		return reconcile.Result{}, nil
+	}
+	// The deployment has been marked for deletion. If the one password
+	// finalizer is found there are cleanup tasks to perform
+	if utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) {
+
+		secretName := annotations[op.NameAnnotation]
+		r.cleanupKubernetesSecretForDeployment(secretName, deployment)
+
+		// Remove the finalizer from the deployment so deletion of deployment can be completed
+		if err := r.removeOnePasswordFinalizerFromDeployment(deployment); err != nil {
+			return reconcile.Result{}, err
+		}
+	}
+	return reconcile.Result{}, nil
+}
+
+func (r *ReconcileDeployment) cleanupKubernetesSecretForDeployment(secretName string, deletedDeployment *appsv1.Deployment) error {
+	kubernetesSecret := &corev1.Secret{}
+	kubernetesSecret.ObjectMeta.Name = secretName
+	kubernetesSecret.ObjectMeta.Namespace = deletedDeployment.Namespace
+
+	if len(secretName) == 0 {
+		return nil
+	}
+	updatedSecrets := map[string]bool{secretName: true}
+
+	multipleDeploymentsUsingSecret, err := r.areMultipleDeploymentsUsingSecret(updatedSecrets, *deletedDeployment)
+	if err != nil {
+		return err
+	}
+
+	// Only delete the associated kubernetes secret if it is not being used by other deployments
+	if !multipleDeploymentsUsingSecret {
+		if err := r.kubeClient.Delete(context.Background(), kubernetesSecret); err != nil {
+			if !errors.IsNotFound(err) {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (r *ReconcileDeployment) areMultipleDeploymentsUsingSecret(updatedSecrets map[string]bool, deletedDeployment appsv1.Deployment) (bool, error) {
+	deployments := &appsv1.DeploymentList{}
+	opts := []client.ListOption{
+		client.InNamespace(deletedDeployment.Namespace),
+	}
+
+	err := r.kubeClient.List(context.Background(), deployments, opts...)
+	if err != nil {
+		log.Error(err, "Failed to list kubernetes deployments")
+		return false, err
+	}
+
+	for i := 0; i < len(deployments.Items); i++ {
+		if deployments.Items[i].Name != deletedDeployment.Name {
+			if op.IsDeploymentUsingSecrets(&deployments.Items[i], updatedSecrets) {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
+
+func (r *ReconcileDeployment) removeOnePasswordFinalizerFromDeployment(deployment *appsv1.Deployment) error {
+	deployment.ObjectMeta.Finalizers = utils.RemoveString(deployment.ObjectMeta.Finalizers, finalizer)
+	return r.kubeClient.Update(context.Background(), deployment)
+}
+
+func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotations map[string]string, request reconcile.Request) error {
+	reqLog := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
+
+	secretName := annotations[op.NameAnnotation]
+	if len(secretName) == 0 {
+		reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
+		return nil
+	}
+
+	item, err := op.GetOnePasswordItemByPath(r.opConnectClient, annotations[op.ItemPathAnnotation])
+	if err != nil {
+		return fmt.Errorf("Failed to retrieve item: %v", err)
+	}
+
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item)
+}

pkg/controller/deployment/deployment_controller_test.go

@@ -0,0 +1,474 @@
+package deployment
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"testing"
+
+	"github.com/1Password/onepassword-operator/pkg/mocks"
+	op "github.com/1Password/onepassword-operator/pkg/onepassword"
+
+	"github.com/1Password/connect-sdk-go/onepassword"
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	errors2 "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubectl/pkg/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+const (
+	deploymentKind       = "Deployment"
+	deploymentAPIVersion = "v1"
+	name                 = "test-deployment"
+	namespace            = "default"
+	vaultId              = "hfnjvi6aymbsnfc2xeeoheizda"
+	itemId               = "nwrhuano7bcwddcviubpp4mhfq"
+	username             = "test-user"
+	password             = "QmHumKc$mUeEem7caHtbaBaJ"
+	userKey              = "username"
+	passKey              = "password"
+	version              = 123
+)
+
+type testReconcileItem struct {
+	testName             string
+	deploymentResource   *appsv1.Deployment
+	existingSecret       *corev1.Secret
+	expectedError        error
+	expectedResultSecret *corev1.Secret
+	expectedEvents       []string
+	opItem               map[string]string
+	existingDeployment   *appsv1.Deployment
+}
+
+var (
+	expectedSecretData = map[string][]byte{
+		"password": []byte(password),
+		"username": []byte(username),
+	}
+	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+)
+
+var (
+	time     = metav1.Now()
+	regex, _ = regexp.Compile(annotationRegExpString)
+)
+
+var tests = []testReconcileItem{
+	{
+		testName: "Test Delete Deployment where secret is being used in another deployment's volumes",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:              name,
+				Namespace:         namespace,
+				DeletionTimestamp: &time,
+				Finalizers: []string{
+					finalizer,
+				},
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "another-deployment",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Volumes: []corev1.Volume{
+							{
+								Name: name,
+								VolumeSource: corev1.VolumeSource{
+									Secret: &corev1.SecretVolumeSource{
+										SecretName: name,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Test Delete Deployment where secret is being used in another deployment's container",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:              name,
+				Namespace:         namespace,
+				DeletionTimestamp: &time,
+				Finalizers: []string{
+					finalizer,
+				},
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "another-deployment",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Env: []corev1.EnvVar{
+									{
+										Name: name,
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: name,
+												},
+												Key: passKey,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Test Delete Deployment",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:              name,
+				Namespace:         namespace,
+				DeletionTimestamp: &time,
+				Finalizers: []string{
+					finalizer,
+				},
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError:        nil,
+		expectedResultSecret: nil,
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Test Do not update if OnePassword Item Version has not changed",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: "data we don't expect to have updated",
+			passKey: "data we don't expect to have updated",
+		},
+	},
+	{
+		testName: "Test Updating Existing Kubernetes Secret using Deployment",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: "456",
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Create Deployment",
+		deploymentResource: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
+				},
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+}
+
+func TestReconcileDepoyment(t *testing.T) {
+	for _, testData := range tests {
+		t.Run(testData.testName, func(t *testing.T) {
+
+			// Register operator types with the runtime scheme.
+			s := scheme.Scheme
+			s.AddKnownTypes(appsv1.SchemeGroupVersion, testData.deploymentResource)
+
+			// Objects to track in the fake client.
+			objs := []runtime.Object{
+				testData.deploymentResource,
+			}
+
+			if testData.existingSecret != nil {
+				objs = append(objs, testData.existingSecret)
+			}
+
+			if testData.existingDeployment != nil {
+				objs = append(objs, testData.existingDeployment)
+			}
+
+			// Create a fake client to mock API calls.
+			cl := fake.NewFakeClientWithScheme(s, objs...)
+			// Create a Deployment object with the scheme and mock  kubernetes
+			// and 1Password Connect client.
+
+			opConnectClient := &mocks.TestClient{}
+			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {
+
+				item := onepassword.Item{}
+				item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
+				item.Version = version
+				item.Vault.ID = vaultUUID
+				item.ID = uuid
+				return &item, nil
+			}
+			r := &ReconcileDeployment{
+				kubeClient:         cl,
+				scheme:             s,
+				opConnectClient:    opConnectClient,
+				opAnnotationRegExp: regex,
+			}
+
+			// Mock request to simulate Reconcile() being called on an event for a
+			// watched resource .
+			req := reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Name:      name,
+					Namespace: namespace,
+				},
+			}
+			_, err := r.Reconcile(req)
+
+			assert.Equal(t, testData.expectedError, err)
+
+			var expectedSecretName string
+			if testData.expectedResultSecret == nil {
+				expectedSecretName = testData.deploymentResource.Name
+			} else {
+				expectedSecretName = testData.expectedResultSecret.Name
+			}
+
+			// Check if Secret has been created and has the correct data
+			secret := &corev1.Secret{}
+			err = cl.Get(context.TODO(), types.NamespacedName{Name: expectedSecretName, Namespace: namespace}, secret)
+
+			if testData.expectedResultSecret == nil {
+				assert.Error(t, err)
+				assert.True(t, errors2.IsNotFound(err))
+			} else {
+				assert.Equal(t, testData.expectedResultSecret.Data, secret.Data)
+				assert.Equal(t, testData.expectedResultSecret.Name, secret.Name)
+				assert.Equal(t, testData.expectedResultSecret.Type, secret.Type)
+				assert.Equal(t, testData.expectedResultSecret.Annotations[op.VersionAnnotation], secret.Annotations[op.VersionAnnotation])
+
+				updatedCR := &appsv1.Deployment{}
+				err = cl.Get(context.TODO(), req.NamespacedName, updatedCR)
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func generateFields(username, password string) []*onepassword.ItemField {
+	fields := []*onepassword.ItemField{
+		{
+			Label: "username",
+			Value: username,
+		},
+		{
+			Label: "password",
+			Value: password,
+		},
+	}
+	return fields
+}

pkg/controller/onepassworditem/onepassworditem_controller.go

@@ -0,0 +1,153 @@
+package onepassworditem
+
+import (
+	"context"
+	"fmt"
+
+	onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
+	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
+	"github.com/1Password/onepassword-operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/pkg/utils"
+
+	"github.com/1Password/connect-sdk-go/connect"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	kubeClient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+var log = logf.Log.WithName("controller_onepassworditem")
+var finalizer = "onepassword.com/finalizer.secret"
+
+func Add(mgr manager.Manager, opConnectClient connect.Client) error {
+	return add(mgr, newReconciler(mgr, opConnectClient))
+}
+
+func newReconciler(mgr manager.Manager, opConnectClient connect.Client) *ReconcileOnePasswordItem {
+	return &ReconcileOnePasswordItem{
+		kubeClient:      mgr.GetClient(),
+		scheme:          mgr.GetScheme(),
+		opConnectClient: opConnectClient,
+	}
+}
+
+func add(mgr manager.Manager, r reconcile.Reconciler) error {
+	c, err := controller.New("onepassworditem-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to primary resource OnePasswordItem
+	err = c.Watch(&source.Kind{Type: &onepasswordv1.OnePasswordItem{}}, &handler.EnqueueRequestForObject{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+var _ reconcile.Reconciler = &ReconcileOnePasswordItem{}
+
+type ReconcileOnePasswordItem struct {
+	kubeClient      kubeClient.Client
+	scheme          *runtime.Scheme
+	opConnectClient connect.Client
+}
+
+func (r *ReconcileOnePasswordItem) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&onepasswordv1.OnePasswordItem{}).
+		Complete(r)
+}
+
+func (r *ReconcileOnePasswordItem) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	reqLogger := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
+	reqLogger.Info("Reconciling OnePasswordItem")
+
+	onepassworditem := &onepasswordv1.OnePasswordItem{}
+	err := r.kubeClient.Get(context.Background(), request.NamespacedName, onepassworditem)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return reconcile.Result{}, nil
+		}
+		return reconcile.Result{}, err
+	}
+
+	// If the deployment is not being deleted
+	if onepassworditem.ObjectMeta.DeletionTimestamp.IsZero() {
+		// Adds a finalizer to the deployment if one does not exist.
+		// This is so we can handle cleanup of associated secrets properly
+		if !utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) {
+			onepassworditem.ObjectMeta.Finalizers = append(onepassworditem.ObjectMeta.Finalizers, finalizer)
+			if err := r.kubeClient.Update(context.Background(), onepassworditem); err != nil {
+				return reconcile.Result{}, err
+			}
+		}
+
+		// Handles creation or updating secrets for deployment if needed
+		if err := r.HandleOnePasswordItem(onepassworditem, request); err != nil {
+			return reconcile.Result{}, err
+		}
+		return reconcile.Result{}, nil
+	}
+	// If one password finalizer exists then we must cleanup associated secrets
+	if utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) {
+
+		// Delete associated kubernetes secret
+		if err = r.cleanupKubernetesSecret(onepassworditem); err != nil {
+			return reconcile.Result{}, err
+		}
+
+		// Remove finalizer now that cleanup is complete
+		if err := r.removeFinalizer(onepassworditem); err != nil {
+			return reconcile.Result{}, err
+		}
+	}
+	return reconcile.Result{}, nil
+}
+
+func (r *ReconcileOnePasswordItem) removeFinalizer(onePasswordItem *onepasswordv1.OnePasswordItem) error {
+	onePasswordItem.ObjectMeta.Finalizers = utils.RemoveString(onePasswordItem.ObjectMeta.Finalizers, finalizer)
+	if err := r.kubeClient.Update(context.Background(), onePasswordItem); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (r *ReconcileOnePasswordItem) cleanupKubernetesSecret(onePasswordItem *onepasswordv1.OnePasswordItem) error {
+	kubernetesSecret := &corev1.Secret{}
+	kubernetesSecret.ObjectMeta.Name = onePasswordItem.Name
+	kubernetesSecret.ObjectMeta.Namespace = onePasswordItem.Namespace
+
+	r.kubeClient.Delete(context.Background(), kubernetesSecret)
+	if err := r.kubeClient.Delete(context.Background(), kubernetesSecret); err != nil {
+		if !errors.IsNotFound(err) {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *ReconcileOnePasswordItem) removeOnePasswordFinalizerFromOnePasswordItem(opSecret *onepasswordv1.OnePasswordItem) error {
+	opSecret.ObjectMeta.Finalizers = utils.RemoveString(opSecret.ObjectMeta.Finalizers, finalizer)
+	return r.kubeClient.Update(context.Background(), opSecret)
+}
+
+func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1.OnePasswordItem, request reconcile.Request) error {
+	secretName := resource.GetName()
+
+	item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
+	if err != nil {
+		return fmt.Errorf("Failed to retrieve item: %v", err)
+	}
+
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item)
+}

pkg/controller/onepassworditem/onepassworditem_test.go

@@ -0,0 +1,308 @@
+package onepassworditem
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/1Password/onepassword-operator/pkg/mocks"
+	op "github.com/1Password/onepassword-operator/pkg/onepassword"
+
+	onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
+
+	"github.com/1Password/connect-sdk-go/onepassword"
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	errors2 "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubectl/pkg/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+const (
+	onePasswordItemKind       = "OnePasswordItem"
+	onePasswordItemAPIVersion = "onepassword.com/v1"
+	name                      = "test"
+	namespace                 = "default"
+	vaultId                   = "hfnjvi6aymbsnfc2xeeoheizda"
+	itemId                    = "nwrhuano7bcwddcviubpp4mhfq"
+	username                  = "test-user"
+	password                  = "QmHumKc$mUeEem7caHtbaBaJ"
+	userKey                   = "username"
+	passKey                   = "password"
+	version                   = 123
+)
+
+type testReconcileItem struct {
+	testName                string
+	customResource          *onepasswordv1.OnePasswordItem
+	existingSecret          *corev1.Secret
+	expectedError           error
+	expectedResultSecret    *corev1.Secret
+	expectedEvents          []string
+	opItem                  map[string]string
+	existingOnePasswordItem *onepasswordv1.OnePasswordItem
+}
+
+var (
+	expectedSecretData = map[string][]byte{
+		"password": []byte(password),
+		"username": []byte(username),
+	}
+	itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
+)
+
+var (
+	time = metav1.Now()
+)
+
+var tests = []testReconcileItem{
+	{
+		testName: "Test Delete OnePasswordItem",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:              name,
+				Namespace:         namespace,
+				DeletionTimestamp: &time,
+				Finalizers: []string{
+					finalizer,
+				},
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError:        nil,
+		expectedResultSecret: nil,
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Test Do not update if OnePassword Version has not changed",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: "data we don't expect to have updated",
+			passKey: "data we don't expect to have updated",
+		},
+	},
+	{
+		testName: "Test Updating Existing Kubernetes Secret using OnePasswordItem",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: "456",
+				},
+			},
+			Data: expectedSecretData,
+		},
+		expectedError: nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+	{
+		testName: "Custom secret type",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: expectedSecretData,
+		},
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+	},
+}
+
+func TestReconcileOnePasswordItem(t *testing.T) {
+	for _, testData := range tests {
+		t.Run(testData.testName, func(t *testing.T) {
+
+			// Register operator types with the runtime scheme.
+			s := scheme.Scheme
+			s.AddKnownTypes(onepasswordv1.SchemeGroupVersion, testData.customResource)
+
+			// Objects to track in the fake client.
+			objs := []runtime.Object{
+				testData.customResource,
+			}
+
+			if testData.existingSecret != nil {
+				objs = append(objs, testData.existingSecret)
+			}
+
+			if testData.existingOnePasswordItem != nil {
+				objs = append(objs, testData.existingOnePasswordItem)
+			}
+			// Create a fake client to mock API calls.
+			cl := fake.NewFakeClientWithScheme(s, objs...)
+			// Create a OnePasswordItem object with the scheme and mock  kubernetes
+			// and 1Password Connect client.
+
+			opConnectClient := &mocks.TestClient{}
+			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {
+
+				item := onepassword.Item{}
+				item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
+				item.Version = version
+				item.Vault.ID = vaultUUID
+				item.ID = uuid
+				return &item, nil
+			}
+			r := &ReconcileOnePasswordItem{
+				kubeClient:      cl,
+				scheme:          s,
+				opConnectClient: opConnectClient,
+			}
+
+			// Mock request to simulate Reconcile() being called on an event for a
+			// watched resource .
+			req := reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Name:      name,
+					Namespace: namespace,
+				},
+			}
+			_, err := r.Reconcile(req)
+
+			assert.Equal(t, testData.expectedError, err)
+
+			var expectedSecretName string
+			if testData.expectedResultSecret == nil {
+				expectedSecretName = testData.customResource.Name
+			} else {
+				expectedSecretName = testData.expectedResultSecret.Name
+			}
+
+			// Check if Secret has been created and has the correct data
+			secret := &corev1.Secret{}
+			err = cl.Get(context.TODO(), types.NamespacedName{Name: expectedSecretName, Namespace: namespace}, secret)
+
+			if testData.expectedResultSecret == nil {
+				assert.Error(t, err)
+				assert.True(t, errors2.IsNotFound(err))
+			} else {
+				assert.Equal(t, testData.expectedResultSecret.Data, secret.Data)
+				assert.Equal(t, testData.expectedResultSecret.Name, secret.Name)
+				assert.Equal(t, testData.expectedResultSecret.Type, secret.Type)
+				assert.Equal(t, testData.expectedResultSecret.Annotations[op.VersionAnnotation], secret.Annotations[op.VersionAnnotation])
+
+				updatedCR := &onepasswordv1.OnePasswordItem{}
+				err = cl.Get(context.TODO(), req.NamespacedName, updatedCR)
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func generateFields(username, password string) []*onepassword.ItemField {
+	fields := []*onepassword.ItemField{
+		{
+			Label: "username",
+			Value: username,
+		},
+		{
+			Label: "password",
+			Value: password,
+		},
+	}
+	return fields
+}