Merge pull request #221 from 3scale-ops/feat/generic-secret

feat/generic-secret

.gitattributes

@@ -1,2 +1,4 @@
 bundle/** linguist-generated=true
 bundle.Dockerfile linguist-generated=true
+config/crd/bases/** linguist-generated=true
+docs/api-reference/reference.asciidoc linguist-generated=true

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.13.0-alpha.1
+VERSION ?= 0.13.0-alpha.2
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
@@ -231,7 +231,7 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
-	test -s $(ENVTEST) || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+	test -s $(ENVTEST) || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@release-0.17
 
 .PHONY: ginkgo
 ginkgo: $(GINKGO) ## Download ginkgo locally if necessary

apis/marin3r/v1alpha1/envoyconfig_webhook.go

@@ -93,8 +93,8 @@ func (r *EnvoyConfig) ValidateResources() error {
 		switch res.Type {
 
 		case envoy.Secret:
-			if res.GenerateFromTlsSecret == nil {
-				errList = append(errList, fmt.Errorf("'generateFromTlsSecret' cannot be empty for type '%s'", envoy.Secret))
+			if res.GenerateFromTlsSecret == nil && res.GenerateFromOpaqueSecret == nil {
+				errList = append(errList, fmt.Errorf("one of 'generateFromTlsSecret', 'generateFromOpaqueSecret' must be set for type '%s'", envoy.Secret))
 			}
 			if res.Value != nil {
 				errList = append(errList, fmt.Errorf("'value' cannot be used for type '%s'", envoy.Secret))

apis/marin3r/v1alpha1/resources.go

@@ -43,6 +43,11 @@ type Resource struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// +optional
 	GenerateFromTlsSecret *string `json:"generateFromTlsSecret,omitempty"`
+	// The name of a Kubernetes Secret of type "Opaque". It will generate an
+	// envoy "generic secret" proto.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +optional
+	GenerateFromOpaqueSecret *SecretKeySelector `json:"generateFromOpaqueSecret,omitempty"`
 	// Specifies a label selector to watch for EndpointSlices that will
 	// be used to generate the endpoint resource
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
@@ -63,6 +68,27 @@ func (r *Resource) GetBlueprint() Blueprint {
 	return defaultBlueprint
 }
 
+func (r *Resource) SecretRef() (string, error) {
+	if r.Type != envoy.Secret {
+		return "", fmt.Errorf("not a secret type")
+	}
+	if r.GenerateFromOpaqueSecret != nil {
+		return r.GenerateFromOpaqueSecret.Name, nil
+	} else if r.GenerateFromTlsSecret != nil {
+		return *r.GenerateFromTlsSecret, nil
+	}
+	return "", fmt.Errorf("secret reference not set")
+}
+
+type SecretKeySelector struct {
+	// The name of the secret in the pod's namespace to select from.
+	Name string `json:"name"`
+	// The key of the secret to select from.  Must be a valid secret key.
+	Key string `json:"key"`
+	// A unique name to refer to the name:key combination
+	Alias string `json:"alias"`
+}
+
 type GenerateFromEndpointSlices struct {
 	Selector    *metav1.LabelSelector `json:"selector"`
 	ClusterName string                `json:"clusterName"`

config/manager/kustomization.yaml

@@ -13,7 +13,7 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/3scale/marin3r
-  newTag: v0.13.0-alpha.1
+  newTag: v0.13.0-alpha.2
 
 patchesStrategicMerge:
 - custom/manager_patch.yaml

config/manifests/bases/marin3r.clusterserviceversion.yaml

@@ -359,6 +359,10 @@ spec:
           be used to generate the endpoint resource
         displayName: Generate From Endpoint Slices
         path: resources[0].generateFromEndpointSlices
+      - description: The name of a Kubernetes Secret of type "Opaque". It will generate
+          an envoy "generic secret" proto.
+        displayName: Generate From Opaque Secret
+        path: resources[0].generateFromOpaqueSecret
       - description: The name of a Kubernetes Secret of type "kubernetes.io/tls"
         displayName: Generate From Tls Secret
         path: resources[0].generateFromTlsSecret
@@ -541,6 +545,10 @@ spec:
           be used to generate the endpoint resource
         displayName: Generate From Endpoint Slices
         path: resources[0].generateFromEndpointSlices
+      - description: The name of a Kubernetes Secret of type "Opaque". It will generate
+          an envoy "generic secret" proto.
+        displayName: Generate From Opaque Secret
+        path: resources[0].generateFromOpaqueSecret
       - description: The name of a Kubernetes Secret of type "kubernetes.io/tls"
         displayName: Generate From Tls Secret
         path: resources[0].generateFromTlsSecret

config/webhook/kustomization.yaml

@@ -10,7 +10,7 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/3scale/marin3r
-  newTag: v0.13.0-alpha.1
+  newTag: v0.13.0-alpha.2
 
 # [CUSTOM: pod mutating webhook config] This patch adds a label selector to the MutatingWebhookConfig
 patchesStrategicMerge:

controllers/marin3r/envoyconfigrevision_controller.go

@@ -199,15 +199,16 @@ func (r *EnvoyConfigRevisionReconciler) SecretsEventHandler() handler.EventHandl
 		&marin3rv1alpha1.EnvoyConfigRevisionList{},
 		func(event client.Object, o client.Object) bool {
 			secret := event.(*corev1.Secret)
-			if secret.Type != corev1.SecretTypeTLS {
+			if secret.Type != corev1.SecretTypeTLS && secret.Type != corev1.SecretTypeOpaque {
 				return false
 			}
 			ecr := o.(*marin3rv1alpha1.EnvoyConfigRevision)
 			if meta.IsStatusConditionTrue(ecr.Status.Conditions, marin3rv1alpha1.RevisionPublishedCondition) {
 				// check if the k8s Secret is relevant for this EnvoyConfigRevision
 				for _, s := range ecr.Spec.Resources {
 					if s.Type == envoy.Secret {
-						if *s.GenerateFromTlsSecret == secret.GetName() {
+						if (s.GenerateFromTlsSecret != nil && *s.GenerateFromTlsSecret == secret.GetName()) ||
+							(s.GenerateFromOpaqueSecret != nil && s.GenerateFromOpaqueSecret.Name == secret.GetName()) {
 							return true
 						}
 					}