Merge pull request #156 from contentful-labs/MEC-1478-update-secrets-management

feat: [MEC-1478] use role to describe secret

Author: orYoffe

Makefile

@@ -88,7 +88,7 @@ kind:
 # download controller-gen if necessary
 controller-gen:
 ifeq (, $(shell which controller-gen))
-	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.4
+	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.17.1
 CONTROLLER_GEN=$(GOBIN)/controller-gen
 else
 CONTROLLER_GEN=$(shell which controller-gen)

api/v1/syncedsecret_types.go

@@ -80,6 +80,10 @@ type SyncedSecretSpec struct {
 	// DataFrom
 	// +optional
 	DataFrom *DataFrom `json:"dataFrom,omitempty"`
+
+	// AWSAccountID
+	// +optional
+	AWSAccountID *string `json:"AWSAccountID,omitempty"`
 }
 
 // SyncedSecretStatus defines the observed state of SyncedSecret

api/v1/zz_generated.deepcopy.go

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.17.1
   name: syncedsecrets.secrets.contentful.com
 spec:
   group: secrets.contentful.com
@@ -21,20 +20,28 @@ spec:
         description: SyncedSecret is the Schema for the SyncedSecrets API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
           spec:
             description: SyncedSecretSpec defines the desired state of SyncedSecret
             properties:
+              AWSAccountID:
+                description: AWSAccountID
+                type: string
               IAMRole:
                 description: IAMRole
                 type: string

config/crd/bases/secrets.contentful.com_syncedsecrets.yaml

@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:
@@ -44,10 +43,3 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - update

config/rbac/role.yaml

@@ -26,7 +26,6 @@ import (
 	awsclient "github.com/aws/aws-sdk-go/aws/client"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/aws/session"
-	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -40,6 +39,7 @@ import (
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -56,6 +56,8 @@ var k8sManager ctrl.Manager
 var testEnv *envtest.Environment
 
 const TEST_NAMESPACE = "secret-sync-test"
+const TEST_NAMESPACE2 = "secret-sync-test2"
+const TEST_NAMESPACE3 = "secret-sync-test3"
 
 var time_now = time.Now()
 
@@ -64,8 +66,9 @@ var Secretsoutput *secretsmanager.ListSecretsOutput
 var MockSecretsOutput = mockSecretsOutput{}
 
 type mockSecretsOutput struct {
-	SecretsPageOutput  *secretsmanager.ListSecretsOutput
-	SecretsValueOutput *secretsmanager.GetSecretValueOutput
+	SecretsPageOutput    *secretsmanager.ListSecretsOutput
+	SecretsValueOutput   *secretsmanager.GetSecretValueOutput
+	DescribeSecretOutput *secretsmanager.DescribeSecretOutput
 }
 
 type mockSecretsManagerClient struct {
@@ -80,12 +83,25 @@ func _t(A time.Time) *time.Time {
 	return &A
 }
 
+func keyValue(key, value string) *secretsmanager.Tag {
+	return &secretsmanager.Tag{
+		Key:   aws.String(key),
+		Value: aws.String(value),
+	}
+}
+
 type mockRoleValidator struct{}
 
 func (m *mockRoleValidator) IsWhitelisted(string, string) (bool, error) {
 	return true, nil
 }
 
+type mockNamespaceValidator struct{}
+
+func (m *mockNamespaceValidator) HasNamespaceType(secretsmanager.DescribeSecretOutput, string) (bool, error) {
+	return true, nil
+}
+
 // TODO this needs to be more dynamic when an update comes by
 func (m *mockSecretsManagerClient) ListSecretsPages(input *secretsmanager.ListSecretsInput, fn func(*secretsmanager.ListSecretsOutput, bool) bool) error {
 	fn(MockSecretsOutput.SecretsPageOutput, true)
@@ -96,12 +112,17 @@ func (m *mockSecretsManagerClient) GetSecretValue(*secretsmanager.GetSecretValue
 	return MockSecretsOutput.SecretsValueOutput, nil
 }
 
+func (m *mockSecretsManagerClient) DescribeSecret(*secretsmanager.DescribeSecretInput) (*secretsmanager.DescribeSecretOutput, error) {
+	return MockSecretsOutput.DescribeSecretOutput, nil
+}
+
 func TestAPIs(t *testing.T) {
 	RegisterFailHandler(Fail)
 
+	// This is deprecated, we need to replace it: https://onsi.github.io/ginkgo/MIGRATING_TO_V2#migration-strategy-2
 	RunSpecsWithDefaultAndCustomReporters(t,
 		"Controller Suite",
-		[]Reporter{printer.NewlineReporter{}})
+		[]Reporter{})
 }
 
 var _ = BeforeSuite(func(done Done) {
@@ -124,8 +145,9 @@ var _ = BeforeSuite(func(done Done) {
 
 	syncPeriod := 2 * time.Second
 	k8sManager, err = ctrl.NewManager(cfg, ctrl.Options{
-		Scheme:     scheme.Scheme,
-		SyncPeriod: &syncPeriod,
+		Scheme: scheme.Scheme,
+		Cache:  cache.Options{SyncPeriod: &syncPeriod},
+		// SyncPeriod: &syncPeriod,
 	})
 	Expect(err).ToNot(HaveOccurred())
 	Expect(k8sManager).ToNot(BeNil())
@@ -154,6 +176,28 @@ var _ = BeforeSuite(func(done Done) {
 						_s("AWSPREVIOUS"),
 					},
 				},
+			}, {
+				Name:            _s("random/aws/secret004"),
+				LastChangedDate: _t(time_now.AddDate(0, 0, -3)),
+				SecretVersionsToStages: map[string][]*string{
+					"005": {
+						_s("AWSCURRENT"),
+					},
+					"004": {
+						_s("AWSPREVIOUS"),
+					},
+				},
+			}, {
+				Name:            _s("random/aws/secret005"),
+				LastChangedDate: _t(time_now.AddDate(0, 0, -3)),
+				SecretVersionsToStages: map[string][]*string{
+					"006": {
+						_s("AWSCURRENT"),
+					},
+					"005": {
+						_s("AWSPREVIOUS"),
+					},
+				},
 			},
 		},
 	}
@@ -163,6 +207,14 @@ var _ = BeforeSuite(func(done Done) {
 		VersionId:    _s(`005`),
 	}
 
+	MockSecretsOutput.DescribeSecretOutput = &secretsmanager.DescribeSecretOutput{
+		ARN: _s("arn:aws:secretsmanager:us-west-2:123456789012:secret:random/aws/secret003-abc"),
+		Tags: []*secretsmanager.Tag{
+			keyValue("k8s.contentful.com/namespace_type/secret-sync-test2", "1"),
+			keyValue("k8s.contentful.com/namespace_type/secret-sync-test3", "1"),
+		},
+	}
+
 	// mock the manager setup
 	Retry5Cfg := request.WithRetryer(aws.NewConfig(), awsclient.DefaultRetryer{NumMaxRetries: 5})
 	err = (&SyncedSecretReconciler{
@@ -172,10 +224,11 @@ var _ = BeforeSuite(func(done Done) {
 		GetSMClient: func(IAMRole string) (secretsmanageriface.SecretsManagerAPI, error) {
 			return &smSvc, nil
 		},
-		RoleValidator: &mockRoleValidator{},
-		gauges:        map[string]prometheus.Gauge{},
-		sync_state:    map[string]bool{},
-		PollInterval:  3 * time.Second,
+		RoleValidator:      &mockRoleValidator{},
+		NamespaceValidator: &mockNamespaceValidator{},
+		gauges:             map[string]prometheus.Gauge{},
+		sync_state:         map[string]bool{},
+		PollInterval:       3 * time.Second,
 	}).SetupWithManager(k8sManager)
 	Expect(err).ToNot(HaveOccurred())
 
@@ -194,9 +247,24 @@ var _ = BeforeSuite(func(done Done) {
 			Name: TEST_NAMESPACE,
 		},
 	}
+	toCreate2 := &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: TEST_NAMESPACE2,
+		},
+	}
+	toCreate3 := &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: TEST_NAMESPACE3,
+		},
+	}
 
 	err = k8sClient.Create(context.Background(), toCreate)
 	Expect(err).To(BeNil())
+	err = k8sClient.Create(context.Background(), toCreate2)
+	Expect(err).To(BeNil())
+	err = k8sClient.Create(context.Background(), toCreate3)
+	Expect(err).To(BeNil())
+	Expect(err).To(BeNil())
 
 	close(done)
 }, 60)