Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: refactor the external reference for SecretManagerSecret #3176

Merged
merged 1 commit into from
Nov 14, 2024
Merged

chore: refactor the external reference for SecretManagerSecret #3176

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions apis/common/utils.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package common

func ValueOf[T any](t *T) T {
var zeroVal T
if t == nil {
return zeroVal
}
return *t
}
87 changes: 87 additions & 0 deletions apis/secretmanager/v1beta1/secret_identity.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package v1beta1

import (
"context"
"fmt"

"github.com/GoogleCloudPlatform/k8s-config-connector/apis/common"
refsv1beta1 "github.com/GoogleCloudPlatform/k8s-config-connector/apis/refs/v1beta1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"sigs.k8s.io/controller-runtime/pkg/client"
)

type SecretIdentity struct {
id string
parent *SecretParent
}

func (i *SecretIdentity) String() string {
return i.parent.String() + "/secrets/" + i.id
}

func (r *SecretIdentity) Parent() *SecretParent {
return r.parent
}

func (r *SecretIdentity) ID() string {
return r.id
}

type SecretParent struct {
ProjectID string
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we planning to add to SecretParent? If not we could probably drop the struct as per https://go.dev/play/p/D8y1EF81zyF

}

func (p *SecretParent) String() string {
return "projects/" + p.ProjectID
}

func NewSecretIdentity(ctx context.Context, reader client.Reader, obj *SecretManagerSecret, u *unstructured.Unstructured) (*SecretIdentity, error) {
// Get Parent
projectID, err := refsv1beta1.ResolveProjectID(ctx, reader, u)
if err != nil {
return nil, err
}
// Get desired ID
resourceID := common.ValueOf(obj.Spec.ResourceID)
if resourceID == "" {
resourceID = obj.GetName()
}
if resourceID == "" {
return nil, fmt.Errorf("cannot resolve resource ID")
}

// Use approved External
externalRef := common.ValueOf(obj.Status.ExternalRef)
if externalRef != "" {
actualIdentity, err := ParseSecretExternal(externalRef)
if err != nil {
return nil, err
}
if actualIdentity.parent.ProjectID != projectID {
return nil, fmt.Errorf("spec.projectRef changed, expect %s, got %s", actualIdentity.parent.ProjectID, projectID)
}
if actualIdentity.id != resourceID {
return nil, fmt.Errorf("cannot reset `metadata.name` or `spec.resourceID` to %s, since it has already assigned to %s",
resourceID, actualIdentity.id)
}
}

return &SecretIdentity{
parent: &SecretParent{ProjectID: projectID},
id: resourceID,
}, nil
}
106 changes: 12 additions & 94 deletions apis/secretmanager/v1beta1/secret_reference.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,11 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)

var _ refsv1beta1.ExternalNormalizer = &SecretManagerSecretRef{}
var _ refsv1beta1.ExternalNormalizer = &SecretRef{}

// SecretManagerSecretRef defines the resource reference to SecretManagerSecret, which "External" field
// SecretRef defines the resource reference to SecretManagerSecret, which "External" field
// holds the GCP identifier for the KRM object.
type SecretManagerSecretRef struct {
type SecretRef struct {
// A reference to an externally managed SecretManagerSecret resource.
// Should be in the format "projects/<projectID>/locations/<location>/secrets/<secretID>".
External string `json:"external,omitempty"`
Expand All @@ -41,20 +41,18 @@ type SecretManagerSecretRef struct {

// The namespace of a SecretManagerSecret resource.
Namespace string `json:"namespace,omitempty"`

parent *SecretManagerSecretParent
}

// NormalizedExternal provision the "External" value for other resource that depends on SecretManagerSecret.
// If the "External" is given in the other resource's spec.SecretManagerSecretRef, the given value will be used.
// Otherwise, the "Name" and "Namespace" will be used to query the actual SecretManagerSecret object from the cluster.
func (r *SecretManagerSecretRef) NormalizedExternal(ctx context.Context, reader client.Reader, otherNamespace string) (string, error) {
func (r *SecretRef) NormalizedExternal(ctx context.Context, reader client.Reader, otherNamespace string) (string, error) {
if r.External != "" && r.Name != "" {
return "", fmt.Errorf("cannot specify both name and external on %s reference", SecretManagerSecretGVK.Kind)
}
// From given External
if r.External != "" {
if _, _, err := ParseSecretManagerSecretExternal(r.External); err != nil {
if _, err := ParseSecretExternal(r.External); err != nil {
return "", err
}
return r.External, nil
Expand Down Expand Up @@ -85,97 +83,17 @@ func (r *SecretManagerSecretRef) NormalizedExternal(ctx context.Context, reader
return r.External, nil
}

// New builds a SecretManagerSecretRef from the Config Connector SecretManagerSecret object.
func NewSecretManagerSecretRef(ctx context.Context, reader client.Reader, obj *SecretManagerSecret, u *unstructured.Unstructured) (*SecretManagerSecretRef, error) {
id := &SecretManagerSecretRef{}

// Get Parent
projectID, err := refsv1beta1.ResolveProjectID(ctx, reader, u)
if err != nil {
return nil, err
}

id.parent = &SecretManagerSecretParent{ProjectID: projectID}

// Get desired ID
resourceID := valueOf(obj.Spec.ResourceID)
if resourceID == "" {
resourceID = obj.GetName()
}
if resourceID == "" {
return nil, fmt.Errorf("cannot resolve resource ID")
}

// Use approved External
externalRef := valueOf(obj.Status.ExternalRef)
if externalRef == "" {
id.External = asSecretManagerSecretExternal(id.parent, resourceID)
return id, nil
}

// Validate desired with actual
actualParent, actualResourceID, err := ParseSecretManagerSecretExternal(externalRef)
if err != nil {
return nil, err
}
if actualParent.ProjectID != projectID {
return nil, fmt.Errorf("spec.projectRef changed, expect %s, got %s", actualParent.ProjectID, projectID)
}
if actualResourceID != resourceID {
return nil, fmt.Errorf("cannot reset `metadata.name` or `spec.resourceID` to %s, since it has already assigned to %s",
resourceID, actualResourceID)
}
id.External = externalRef
id.parent = &SecretManagerSecretParent{ProjectID: projectID}
return id, nil
}

func (r *SecretManagerSecretRef) Parent() (*SecretManagerSecretParent, error) {
if r.parent != nil {
return r.parent, nil
}
if r.External != "" {
parent, _, err := ParseSecretManagerSecretExternal(r.External)
if err != nil {
return nil, err
}
return parent, nil
}
return nil, fmt.Errorf("SecretManagerSecretRef not initialized from `NewSecretManagerSecretRef` or `NormalizedExternal`")
}

type SecretManagerSecretParent struct {
ProjectID string
}

func (p *SecretManagerSecretParent) String() string {
return "projects/" + p.ProjectID
}

func asSecretManagerSecretExternal(parent *SecretManagerSecretParent, resourceID string) (external string) {
return parent.String() + "/secrets/" + resourceID
}

func ParseSecretManagerSecretExternal(external string) (parent *SecretManagerSecretParent, resourceID string, err error) {
func ParseSecretExternal(external string) (*SecretIdentity, error) {
if external == "" {
return nil, "", fmt.Errorf("missing external value")
return nil, fmt.Errorf("missing external value")
}
external = strings.TrimPrefix(external, "/")
tokens := strings.Split(external, "/")
if len(tokens) != 4 || tokens[0] != "projects" || tokens[2] != "secrets" {
return nil, "", fmt.Errorf("format of SecretManagerSecret external=%q was not known (use projects/<projectId>/secrets/<secretID>)", external)
}
parent = &SecretManagerSecretParent{
ProjectID: tokens[1],
}
resourceID = tokens[3]
return parent, resourceID, nil
}

func valueOf[T any](t *T) T {
var zeroVal T
if t == nil {
return zeroVal
return nil, fmt.Errorf("format of SecretManagerSecret external=%q was not known (use projects/<projectId>/secrets/<secretID>)", external)
}
return *t
return &SecretIdentity{
parent: &SecretParent{ProjectID: tokens[1]},
id: tokens[3],
}, nil
}
85 changes: 50 additions & 35 deletions apis/secretmanager/v1beta1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading