Skip to content

Commit

Permalink
Merge branch 'master' into restart-pipeline-hjob
Browse files Browse the repository at this point in the history
  • Loading branch information
satr authored Oct 17, 2023
2 parents 3d136b0 + 0dcba8d commit e864286
Showing 1 changed file with 91 additions and 51 deletions.
142 changes: 91 additions & 51 deletions api/models/secret.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ func BuildSecrets(secretList []corev1.Secret, secretProviderClassList []secretss
secrets = append(secrets, getSecretsForVolumeMounts(secretList, rd)...)
secrets = append(secrets, getSecretsForAuthentication(secretList, rd)...)
secrets = append(secrets, getSecretsForSecretRefs(secretList, secretProviderClassList, rd)...)

return secrets
}

Expand All @@ -49,17 +50,15 @@ func getSecretsForDeployment(secretList []corev1.Secret, rd *radixv1.RadixDeploy
componentSecretsMap := make(map[string]map[string]bool)
for _, component := range rd.Spec.Components {
secrets := getSecretsForComponent(&component)
if len(secrets) <= 0 {
continue
if len(secrets) > 0 {
componentSecretsMap[component.Name] = secrets
}
componentSecretsMap[component.Name] = secrets
}
for _, job := range rd.Spec.Jobs {
secrets := getSecretsForComponent(&job)
if len(secrets) <= 0 {
continue
if len(secrets) > 0 {
componentSecretsMap[job.Name] = secrets
}
componentSecretsMap[job.Name] = secrets
}

var secretDTOsMap []secretModels.Secret
Expand All @@ -69,8 +68,13 @@ func getSecretsForDeployment(secretList []corev1.Secret, rd *radixv1.RadixDeploy
if !ok {
// Mark secrets as Pending (exist in config, does not exist in cluster) due to no secret object in the cluster
for secretName := range secretNamesMap {
secretDTO := secretModels.Secret{Name: secretName, DisplayName: secretName, Component: componentName, Status: secretModels.Pending.String(), Type: secretModels.SecretTypeGeneric}
secretDTOsMap = append(secretDTOsMap, secretDTO)
secretDTOsMap = append(secretDTOsMap, secretModels.Secret{
Name: secretName,
DisplayName: secretName,
Type: secretModels.SecretTypeGeneric,
Component: componentName,
Status: secretModels.Pending.String(),
})
}
continue
}
Expand All @@ -81,20 +85,26 @@ func getSecretsForDeployment(secretList []corev1.Secret, rd *radixv1.RadixDeploy
if _, exists := clusterSecretEntriesMap[secretName]; !exists {
status = secretModels.Pending.String()
}
secretDTO := secretModels.Secret{Name: secretName, DisplayName: secretName, Component: componentName, Status: status, Type: secretModels.SecretTypeGeneric}
secretDTOsMap = append(secretDTOsMap, secretDTO)

secretDTOsMap = append(secretDTOsMap, secretModels.Secret{
Name: secretName,
DisplayName: secretName,
Type: secretModels.SecretTypeGeneric,
Component: componentName,
Status: status,
})
}
}

return secretDTOsMap
}

func getSecretsForTLSCertificates(secretList []corev1.Secret, rd *radixv1.RadixDeployment, tlsValidator tlsvalidator.TLSSecretValidator) []secretModels.Secret {
var secrets []secretModels.Secret
if tlsValidator == nil {
tlsValidator = tlsvalidator.DefaultValidator()
}

var secrets []secretModels.Secret
for _, component := range rd.Spec.Components {
for _, externalAlias := range component.DNSExternalAlias {
var certData, keyData []byte
Expand Down Expand Up @@ -141,23 +151,23 @@ func getSecretsForTLSCertificates(secretList []corev1.Secret, rd *radixv1.RadixD
secretModels.Secret{
Name: externalAlias + suffix.ExternalDNSTLSCert,
DisplayName: "Certificate",
Resource: externalAlias,
Type: secretModels.SecretTypeClientCert,
Resource: externalAlias,
ID: secretModels.SecretIdCert,
Component: component.GetName(),
Status: certStatus.String(),
ID: secretModels.SecretIdCert,
StatusMessages: certStatusMessages,
TLSCertificates: tlsCerts,
},
secretModels.Secret{
Name: externalAlias + suffix.ExternalDNSTLSKey,
DisplayName: "Key",
Resource: externalAlias,
Type: secretModels.SecretTypeClientCert,
Resource: externalAlias,
Component: component.GetName(),
ID: secretModels.SecretIdKey,
Status: keyStatus.String(),
StatusMessages: keyStatusMessages,
ID: secretModels.SecretIdKey,
},
)
}
Expand All @@ -174,6 +184,7 @@ func getSecretsForVolumeMounts(secretList []corev1.Secret, rd *radixv1.RadixDepl
for _, job := range rd.Spec.Jobs {
secrets = append(secrets, getCredentialSecretsForBlobVolumes(secretList, &job)...)
}

return secrets
}

Expand All @@ -184,14 +195,13 @@ func getCredentialSecretsForBlobVolumes(secretList []corev1.Secret, component ra
switch volumeMountType {
case radixv1.MountTypeBlob:
accountKeySecret, accountNameSecret := getBlobFuseSecrets(secretList, component, volumeMount)
secrets = append(secrets, accountKeySecret)
secrets = append(secrets, accountNameSecret)
secrets = append(secrets, accountKeySecret, accountNameSecret)
case radixv1.MountTypeBlobFuse2FuseCsiAzure, radixv1.MountTypeBlobFuse2Fuse2CsiAzure, radixv1.MountTypeBlobFuse2NfsCsiAzure, radixv1.MountTypeAzureFileCsiAzure:
accountKeySecret, accountNameSecret := getCsiAzureSecrets(secretList, component, volumeMount)
secrets = append(secrets, accountKeySecret)
secrets = append(secrets, accountNameSecret)
secrets = append(secrets, accountKeySecret, accountNameSecret)
}
}

return secrets
}

Expand All @@ -203,7 +213,8 @@ func getBlobFuseSecrets(secretList []corev1.Secret, component radixv1.RadixCommo
defaults.BlobFuseCredsAccountKeyPart,
defaults.BlobFuseCredsAccountNamePartSuffix,
defaults.BlobFuseCredsAccountKeyPartSuffix,
secretModels.SecretTypeAzureBlobFuseVolume)
secretModels.SecretTypeAzureBlobFuseVolume,
)
}

func getCsiAzureSecrets(secretList []corev1.Secret, component radixv1.RadixCommonDeployComponent, volumeMount radixv1.RadixVolumeMount) (secretModels.Secret, secretModels.Secret) {
Expand All @@ -214,7 +225,8 @@ func getCsiAzureSecrets(secretList []corev1.Secret, component radixv1.RadixCommo
defaults.CsiAzureCredsAccountKeyPart,
defaults.CsiAzureCredsAccountNamePartSuffix,
defaults.CsiAzureCredsAccountKeyPartSuffix,
secretModels.SecretTypeCsiAzureBlobVolume)
secretModels.SecretTypeCsiAzureBlobVolume,
)
}

func getAzureVolumeMountSecrets(secretList []corev1.Secret, component radixv1.RadixCommonDeployComponent, secretName, volumeMountName, accountNamePart, accountKeyPart, accountNamePartSuffix, accountKeyPartSuffix string, secretType secretModels.SecretType) (secretModels.Secret, secretModels.Secret) {
Expand All @@ -226,6 +238,7 @@ func getAzureVolumeMountSecrets(secretList []corev1.Secret, component radixv1.Ra
if strings.EqualFold(accountkeyValue, secretDefaultData) {
accountkeyStatus = secretModels.Pending.String()
}

accountnameValue := strings.TrimSpace(string(secretValue.Data[accountNamePart]))
if strings.EqualFold(accountnameValue, secretDefaultData) {
accountnameStatus = secretModels.Pending.String()
Expand All @@ -234,30 +247,33 @@ func getAzureVolumeMountSecrets(secretList []corev1.Secret, component radixv1.Ra
accountkeyStatus = secretModels.Pending.String()
accountnameStatus = secretModels.Pending.String()
}

// "accountkey"
accountKeySecretDTO := secretModels.Secret{
Name: secretName + accountKeyPartSuffix,
DisplayName: "Account Key",
Type: secretType,
Resource: volumeMountName,
ID: secretModels.SecretIdAccountKey,
Component: component.GetName(),
Status: accountkeyStatus,
Type: secretType,
ID: secretModels.SecretIdAccountKey}
}
// "accountname"
accountNameSecretDTO := secretModels.Secret{
Name: secretName + accountNamePartSuffix,
DisplayName: "Account Name",
Type: secretType,
Resource: volumeMountName,
ID: secretModels.SecretIdAccountName,
Component: component.GetName(),
Status: accountnameStatus,
Type: secretType,
ID: secretModels.SecretIdAccountName}
}

return accountKeySecretDTO, accountNameSecretDTO
}

func getSecretsForAuthentication(secretList []corev1.Secret, activeDeployment *radixv1.RadixDeployment) []secretModels.Secret {
var secrets []secretModels.Secret

for _, component := range activeDeployment.Spec.Components {
authSecrets := getSecretsForComponentAuthentication(secretList, &component)
secrets = append(secrets, authSecrets...)
Expand All @@ -270,6 +286,7 @@ func getSecretsForComponentAuthentication(secretList []corev1.Secret, component
var secrets []secretModels.Secret
secrets = append(secrets, getSecretsForComponentAuthenticationClientCertificate(secretList, component)...)
secrets = append(secrets, getSecretsForComponentAuthenticationOAuth2(secretList, component)...)

return secrets
}

Expand All @@ -288,9 +305,13 @@ func getSecretsForComponentAuthenticationClientCertificate(secretList []corev1.S
secretStatus = secretModels.Pending.String()
}

secrets = append(secrets, secretModels.Secret{Name: secretName,
secrets = append(secrets, secretModels.Secret{
Name: secretName,
DisplayName: "",
Type: secretModels.SecretTypeClientCertificateAuth, Component: component.GetName(), Status: secretStatus})
Type: secretModels.SecretTypeClientCertificateAuth,
Component: component.GetName(),
Status: secretStatus,
})
}

return secrets
Expand Down Expand Up @@ -325,18 +346,29 @@ func getSecretsForComponentAuthenticationOAuth2(secretList []corev1.Secret, comp
redisPasswordStatus = secretModels.Pending.String()
}

secrets = append(secrets, secretModels.Secret{Name: component.GetName() + suffix.OAuth2ClientSecret,
secrets = append(secrets, secretModels.Secret{
Name: component.GetName() + suffix.OAuth2ClientSecret,
DisplayName: "Client Secret",
Type: secretModels.SecretTypeOAuth2Proxy, Component: component.GetName(),
Status: clientSecretStatus})
secrets = append(secrets, secretModels.Secret{Name: component.GetName() + suffix.OAuth2CookieSecret,
Type: secretModels.SecretTypeOAuth2Proxy,
Component: component.GetName(),
Status: clientSecretStatus,
})
secrets = append(secrets, secretModels.Secret{
Name: component.GetName() + suffix.OAuth2CookieSecret,
DisplayName: "Cookie Secret",
Type: secretModels.SecretTypeOAuth2Proxy, Component: component.GetName(), Status: cookieSecretStatus})
Type: secretModels.SecretTypeOAuth2Proxy,
Component: component.GetName(),
Status: cookieSecretStatus,
})

if oauth2.SessionStoreType == radixv1.SessionStoreRedis {
secrets = append(secrets, secretModels.Secret{Name: component.GetName() + suffix.OAuth2RedisPassword,
secrets = append(secrets, secretModels.Secret{
Name: component.GetName() + suffix.OAuth2RedisPassword,
DisplayName: "Redis Password",
Type: secretModels.SecretTypeOAuth2Proxy, Component: component.GetName(), Status: redisPasswordStatus})
Type: secretModels.SecretTypeOAuth2Proxy,
Component: component.GetName(),
Status: redisPasswordStatus,
})
}
}

Expand All @@ -363,7 +395,6 @@ func getSecretsForSecretRefs(secretList []corev1.Secret, secretProviderClassList
)

var secrets []secretModels.Secret

for _, component := range rd.Spec.Components {
secretRefs := component.GetSecretRefs()
componentSecrets := getComponentSecretRefsSecrets(secretList, component.GetName(), &secretRefs, secretProviderClassMapForDeployment, csiSecretStoreSecretMap)
Expand All @@ -374,6 +405,7 @@ func getSecretsForSecretRefs(secretList []corev1.Secret, secretProviderClassList
jobComponentSecrets := getComponentSecretRefsSecrets(secretList, jobComponent.GetName(), &secretRefs, secretProviderClassMapForDeployment, csiSecretStoreSecretMap)
secrets = append(secrets, jobComponentSecrets...)
}

return secrets
}

Expand All @@ -385,34 +417,38 @@ func getComponentSecretRefsSecrets(secretList []corev1.Secret, componentName str
credSecrets := getCredentialSecretsForSecretRefsAzureKeyVault(secretList, componentName, azureKeyVault.Name)
secrets = append(secrets, credSecrets...)
}

secretStatus := getAzureKeyVaultSecretStatus(componentName, azureKeyVault.Name, secretProviderClassMap, csiSecretStoreSecretMap)
for _, item := range azureKeyVault.Items {
secrets = append(secrets, secretModels.Secret{
Name: secret.GetSecretNameForAzureKeyVaultItem(componentName, azureKeyVault.Name, &item),
DisplayName: secret.GetSecretDisplayNameForAzureKeyVaultItem(&item),
Type: secretModels.SecretTypeCsiAzureKeyVaultItem,
Resource: azureKeyVault.Name,
ID: secret.GetSecretIdForAzureKeyVaultItem(&item),
Component: componentName,
Status: secretStatus,
ID: secret.GetSecretIdForAzureKeyVaultItem(&item),
})
}
}

return secrets
}

func getAzureKeyVaultSecretStatus(componentName, azureKeyVaultName string, secretProviderClassMap map[string]secretsstorev1.SecretProviderClass, csiSecretStoreSecretMap map[string]corev1.Secret) string {
secretStatus := secretModels.NotAvailable.String()
secretProviderClass := getComponentSecretProviderClassMapForAzureKeyVault(componentName, secretProviderClassMap, azureKeyVaultName)
if secretProviderClass != nil {
secretStatus = secretModels.Consistent.String()
for _, secretObject := range secretProviderClass.Spec.SecretObjects {
if _, ok := csiSecretStoreSecretMap[secretObject.SecretName]; !ok {
secretStatus = secretModels.NotAvailable.String() // Secrets does not exist for the secretProviderClass secret object
break
}
if secretProviderClass == nil {
return secretModels.NotAvailable.String()
}

secretStatus := secretModels.Consistent.String()
for _, secretObject := range secretProviderClass.Spec.SecretObjects {
if _, ok := csiSecretStoreSecretMap[secretObject.SecretName]; !ok {
secretStatus = secretModels.NotAvailable.String() // Secrets does not exist for the secretProviderClass secret object
break
}
}

return secretStatus
}

Expand All @@ -423,6 +459,7 @@ func getComponentSecretProviderClassMapForAzureKeyVault(componentName string, co
return &secretProviderClass
}
}

return nil
}

Expand All @@ -437,6 +474,7 @@ func getCredentialSecretsForSecretRefsAzureKeyVault(secretList []corev1.Secret,
if strings.EqualFold(clientIdValue, secretDefaultData) {
clientIdStatus = secretModels.Pending.String()
}

clientSecretValue := strings.TrimSpace(string(secretValue.Data[defaults.CsiAzureKeyVaultCredsClientSecretPart]))
if strings.EqualFold(clientSecretValue, secretDefaultData) {
clientSecretStatus = secretModels.Pending.String()
Expand All @@ -445,24 +483,26 @@ func getCredentialSecretsForSecretRefsAzureKeyVault(secretList []corev1.Secret,
clientIdStatus = secretModels.Pending.String()
clientSecretStatus = secretModels.Pending.String()
}

secrets = append(secrets, secretModels.Secret{
Name: secretName + defaults.CsiAzureKeyVaultCredsClientIdSuffix,
DisplayName: "Client ID",
Type: secretModels.SecretTypeCsiAzureKeyVaultCreds,
Resource: azureKeyVaultName,
ID: secretModels.SecretIdClientId,
Component: componentName,
Status: clientIdStatus,
Type: secretModels.SecretTypeCsiAzureKeyVaultCreds,
ID: secretModels.SecretIdClientId},
)
})
secrets = append(secrets, secretModels.Secret{
Name: secretName + defaults.CsiAzureKeyVaultCredsClientSecretSuffix,
DisplayName: "Client Secret",
Type: secretModels.SecretTypeCsiAzureKeyVaultCreds,
Resource: azureKeyVaultName,
ID: secretModels.SecretIdClientSecret,
Component: componentName,
Status: clientSecretStatus,
Type: secretModels.SecretTypeCsiAzureKeyVaultCreds,
ID: secretModels.SecretIdClientSecret},
)
})

return secrets
}

Expand Down

0 comments on commit e864286

Please sign in to comment.