Preserve labels and annotations on public cert secrets #1580

Merged
Expand Up @@ -5,161 +5,20 @@
package http

import (
"io/ioutil"
"path/filepath"
"reflect"
"testing"

"github.com/elastic/cloud-on-k8s/operators/pkg/controller/common/certificates"
)

const (
ca = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
`

tls = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
`

key = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
`

chain = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC/zCCAeegAwIBAgIJAIVZ8xw3LMNkMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
BAMMC21vcmVsbG8ub3ZoMB4XDTE5MDgwOTA5MzQwMFoXDTI5MDgwNjA5MzQwMFow
FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCoM2HYyuTTlu41SlgVO0Hdx7eUQevGSKO6pjPjN49/KKY1z/3DoKzr
seWaGOjiWUAqx/GHX8AsR9ToVoKGBbSNeDxT33pt3I9aCnnOPTt3yDIOlr4ZWnKq
NnNHwfydsMBfBAYgdU/L506KuNHJQ18Zey5+A0roTWyHUT48mQBsjetXg77RfDMB
MYVOWETfl70GKAaAlVGZfJHCkfBzYnPcEjqtcuU/7d27WZrSMhXifzHAEmm0KPER
EWdo4UHTK23wLY6dvkp2O5i0bKHv+PuLpqYrm7R7SWGhhwD651n5S5W20FHDow+d
js0yW2gqYsZZN6S1uAsJ8rdYAEPhK9J9AgMBAAGjUDBOMB0GA1UdDgQWBBQ6Lsen
0HbE+7M6iV9r8n5rZrbl4jAfBgNVHSMEGDAWgBQ6Lsen0HbE+7M6iV9r8n5rZrbl
4jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAgrLJnK4s/OVnh8CRk
GmikP+ZxhDs4k1nlr7+rTYkU0huoHK8p802w4zd74szYsHpo8kON/zSmFD7JpU4L
o2kseENqMsgrCPhF3+TDwf/Li43pbK162iAq8ZEpYnSXbQsRyP+Tz0lzoEoli6o7
6KVn4VNookLMyhGIAOmhfbNm0jG+B2zz+bvoTAe9CiDfvq1k0fnuKFzRtRsj09NJ
FNMhSc02N4EDrGpL5CYmEXjPZS3lUsoYPwbYlmUt3Bzuf5hI0mDHCt3BYKH1vFI4
W8/h9wwGn/yytsH21dkj41KEQK6N65gT9i0fBBiubuS2H1SVMMJ/J7PUqol278Ar
zGpS
-----END CERTIFICATE-----
`

corruptedKey = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
`
)

func TestCertificatesSecret(t *testing.T) {
ca := loadFileBytes("ca.crt")
tls := loadFileBytes("tls.crt")
key := loadFileBytes("tls.key")
chain := loadFileBytes("chain.crt")

tests := []struct {
name string
s CertificatesSecret
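Review bot: `key := loadFileBytes("tls.key")` at the top of TestCertificatesSecret makes the test depend on an RSA private key stored as a standalone file under `testdata`, and nothing in the test says that the key is throwaway. Add a short comment here, or a note next to the fixtures, stating that the files are test-only material and how they were generated, so that secret scanners can be allowlisted deliberately and the fixtures can be regenerated later.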
Expand All @@ -169,28 +28,28 @@ func TestCertificatesSecret(t *testing.T) {
name: "Simple chain",
s: CertificatesSecret{
Data: map[string][]byte{
certificates.CAFileName: []byte(ca),
certificates.CertFileName: []byte(tls),
certificates.KeyFileName: []byte(key),
certificates.CAFileName: ca,
certificates.CertFileName: tls,
certificates.KeyFileName: key,
},
},
wantCa: []byte(ca),
wantKey: []byte(key),
wantCert: []byte(tls),
wantChain: []byte(chain),
wantCa: ca,
wantKey: key,
wantCert: tls,
wantChain: chain,
},
{
name: "No CA cert",
s: CertificatesSecret{
Data: map[string][]byte{
certificates.CertFileName: []byte(tls),
certificates.KeyFileName: []byte(key),
certificates.CertFileName: tls,
certificates.KeyFileName: key,
},
},
wantCa: nil,
wantKey: []byte(key),
wantCert: []byte(tls),
wantChain: []byte(tls),
wantKey: key,
wantCert: tls,
wantChain: tls,
},
}
for _, tt := range tests {
Expand All @@ -212,6 +71,11 @@ func TestCertificatesSecret(t *testing.T) {
}

func TestCertificatesSecret_Validate(t *testing.T) {
ca := loadFileBytes("ca.crt")
tls := loadFileBytes("tls.crt")
key := loadFileBytes("tls.key")
corruptedKey := loadFileBytes("corrupted.key")

tests := []struct {
name string
s CertificatesSecret
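Review bot: The `loadFileBytes` calls for `ca.crt`, `tls.crt` and `tls.key` at the top of TestCertificatesSecret_Validate repeat the same three loads in TestCertificatesSecret. Consider one shared fixture helper or package-level test variables so that a renamed or replaced fixture is changed in one place.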
Expand All @@ -221,9 +85,9 @@ func TestCertificatesSecret_Validate(t *testing.T) {
name: "Happy path",
s: CertificatesSecret{
Data: map[string][]byte{
certificates.CAFileName: []byte(ca),
certificates.CertFileName: []byte(tls),
certificates.KeyFileName: []byte(key),
certificates.CAFileName: ca,
certificates.CertFileName: tls,
certificates.KeyFileName: key,
},
},
wantErr: false,
Expand All @@ -239,7 +103,7 @@ func TestCertificatesSecret_Validate(t *testing.T) {
name: "No cert",
s: CertificatesSecret{
Data: map[string][]byte{
certificates.KeyFileName: []byte(key),
certificates.KeyFileName: key,
},
},
wantErr: true,
Expand All @@ -248,8 +112,8 @@ func TestCertificatesSecret_Validate(t *testing.T) {
name: "No key",
s: CertificatesSecret{
Data: map[string][]byte{
certificates.CAFileName: []byte(ca),
certificates.CertFileName: []byte(tls),
certificates.CAFileName: ca,
certificates.CertFileName: tls,
},
},
wantErr: true,
Expand All @@ -258,8 +122,8 @@ func TestCertificatesSecret_Validate(t *testing.T) {
name: "No CA cert",
s: CertificatesSecret{
Data: map[string][]byte{
certificates.CertFileName: []byte(tls),
certificates.KeyFileName: []byte(key),
certificates.CertFileName: tls,
certificates.KeyFileName: key,
},
},
wantErr: false,
Expand All @@ -268,8 +132,8 @@ func TestCertificatesSecret_Validate(t *testing.T) {
name: "Corrupted key",
s: CertificatesSecret{
Data: map[string][]byte{
certificates.CertFileName: []byte(tls),
certificates.KeyFileName: []byte(corruptedKey),
certificates.CertFileName: tls,
certificates.KeyFileName: corruptedKey,
},
},
wantErr: true,
Expand All @@ -283,3 +147,12 @@ func TestCertificatesSecret_Validate(t *testing.T) {
})
}
}

func loadFileBytes(fileName string) []byte {
contents, err := ioutil.ReadFile(filepath.Join("testdata", fileName))
if err != nil {
panic(err)
}

return contents
}
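Review bot: `loadFileBytes` calls `panic(err)` when a fixture cannot be read, which aborts the whole test binary instead of failing the test that asked for the file. Pass `t *testing.T` into the helper, call `t.Helper()`, and report with `t.Fatalf("reading %s: %v", fileName, err)` so the failure names both the test and the missing file.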
20 changes: 9 additions & 11 deletions operators/pkg/controller/common/certificates/http/public_secret.go
Expand Up @@ -11,6 +11,7 @@ import (
"github.com/elastic/cloud-on-k8s/operators/pkg/controller/common/name"
"github.com/elastic/cloud-on-k8s/operators/pkg/controller/common/reconciler"
"github.com/elastic/cloud-on-k8s/operators/pkg/utils/k8s"
"github.com/elastic/cloud-on-k8s/operators/pkg/utils/maps"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
Expand All @@ -33,8 +34,6 @@ func ReconcileHTTPCertsPublicSecret(
},
}

// TODO: reconcile labels and annotations?

reconciled := &corev1.Secret{}

return reconciler.ReconcileResource(reconciler.Params{
Expand All @@ -44,21 +43,20 @@ func ReconcileHTTPCertsPublicSecret(
Expected: expected,
Reconciled: reconciled,
NeedsUpdate: func() bool {
// TODO: these label and annotation comparisons are very strict
if !reflect.DeepEqual(reconciled.Labels, expected.Labels) {
switch {
case !maps.IsSubset(expected.Labels, reconciled.Labels):
return true
}
if !reflect.DeepEqual(reconciled.Annotations, expected.Annotations) {
case !maps.IsSubset(expected.Annotations, reconciled.Annotations):
return true
}
if !reflect.DeepEqual(reconciled.Data, expected.Data) {
case !reflect.DeepEqual(expected.Data, reconciled.Data):
Collaborator

I wonder if it would make sense to use a hash of the expected service here, similar to what we do for Elasticsearch ssets and Kibana deployments? Not sure myself, so this is not necessary for this to get merged I would say. Wdyt?

Contributor Author

Are you suggesting something like comparing the certificate fingerprints? The comparison here is between two Secret objects so in order to use hashes, I think we will have to figure out how to hash the items in the Data map in a deterministic way.

Collaborator

Maybe I am missing something important but I was thinking of https://github.com/pebrc/cloud-on-k8s/blob/d495796116a956d4d09c773bfd55921b8ddd0702/operators/pkg/controller/common/hash/hash.go#L47 which uses spew. I think that just hexdumps byte arrays and calculates the hash of that. In any case this is not for this PR, your solution is fine IMO

Contributor Author

I didn't realise that existed and it's certainly worth investigating. I was initially going to evaluate https://github.com/banzaicloud/k8s-objectmatcher for this issue but it felt like too large a change at this point.

I will create a new issue to explore these options.
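
The open question in the thread above, hashing the items of the `Data` map in a deterministic way, shown as an added Go example (not code from this PR or from the project's `hash` package). `HashSecretData` is a hypothetical helper and the sample values are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
)

// HashSecretData returns a SHA-256 digest of a Secret-style Data map that does
// not depend on Go's randomized map iteration order.
// Hypothetical helper for illustration; not part of cloud-on-k8s.
// Unlike reflect.DeepEqual, a nil map and an empty map produce the same digest.
func HashSecretData(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys) // fixed order regardless of map iteration

	h := sha256.New()
	var n [8]byte
	writeField := func(b []byte) {
		// The length prefix keeps ("a", "bc") distinct from ("ab", "c"),
		// which plain concatenation of keys and values would not.
		binary.BigEndian.PutUint64(n[:], uint64(len(b)))
		h.Write(n[:])
		h.Write(b)
	}
	for _, k := range keys {
		writeField([]byte(k))
		writeField(data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	// Constructed sample values, not real certificate material.
	a := map[string][]byte{"tls.crt": []byte("cert"), "tls.key": []byte("key")}
	b := map[string][]byte{"tls.key": []byte("key"), "tls.crt": []byte("cert")}
	fmt.Println("same content, same digest:", HashSecretData(a) == HashSecretData(b))
}
```
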

return true
default:
return false
}
return false
},
UpdateReconciled: func() {
reconciled.Labels = expected.Labels
reconciled.Annotations = expected.Annotations
reconciled.Labels = maps.Merge(reconciled.Labels, expected.Labels)
reconciled.Annotations = maps.Merge(reconciled.Annotations, expected.Annotations)
reconciled.Data = expected.Data
},
})
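Review bot: In `UpdateReconciled`, `maps.Merge(reconciled.Labels, expected.Labels)` only adds or overwrites keys, and `NeedsUpdate` only checks `maps.IsSubset(expected.Labels, reconciled.Labels)`, so a label or annotation that the operator set earlier and no longer expects is never removed from the Secret. If that is the intended trade-off for preserving user-set metadata, say so in a comment where the removed TODO was. It also cannot be checked from this hunk that `maps.Merge` lets the second argument win on a key conflict and accepts a nil first argument (a Secret with no labels); if either does not hold, `IsSubset` stays false after the update and the Secret is rewritten on every reconcile, so a test covering a conflicting key and a nil map is worth adding.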