Add/check secret update (#57)

* change agekey reconcile logic * change ci * change main.go * fix ci * change ci * fix unwanted labels * fix tests * disable tests for api * add debug print * issues are fixed, remove debug * push on main ci * move unwanted labels to consts dir for controller/controller_test * fix api tests * fix dockerfile --------- Co-authored-by: navid.shariaty <navid.shariaty@snapp.cab>
snapp-incubator · Oct 29, 2023 · 149d464 · 149d464
1 parent 3293aad
commit 149d464
Show file tree

Hide file tree

Showing 17 changed files with 127 additions and 1,886 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -32,15 +32,15 @@ jobs:
       - lint
       - test
     steps:
-      - uses: actions/checkout@v2
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
-      - uses: docker/login-action@v1
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/metadata-action@v3
+      - uses: docker/metadata-action@v5
         id: meta
         with:
           images: ghcr.io/${{ github.repository }}
@@ -49,12 +49,11 @@ jobs:
             type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@v5
         with:
           file: "Dockerfile"
           context: .
           platforms: linux/amd64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-
diff --git a/Dockerfile b/Dockerfile
@@ -14,6 +14,7 @@ COPY main.go main.go
 COPY api/ api/
 COPY controllers/ controllers/
 COPY k8sutils/ k8sutils/
+COPY consts/ consts/
 COPY lang/ lang/
 
 # Build

diff --git a/api/v1alpha1/agekey_types.go b/api/v1alpha1/agekey_types.go
@@ -35,8 +35,8 @@ type AgeKeyStatus struct {
 //+kubebuilder:subresource:status
 
 // AgeKey is the Schema for the agekeys API
-//+kubebuilder:printcolumn:name="Message",type=string,JSONPath=`.status.message`
-//+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Message",type=string,JSONPath=`.status.message`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 type AgeKey struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

diff --git a/api/v1alpha1/agekey_webhook.go b/api/v1alpha1/agekey_webhook.go
@@ -23,6 +23,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 	"strings"
 )
 
@@ -52,28 +53,28 @@ func (r *AgeKey) Default() {
 var _ webhook.Validator = &AgeKey{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *AgeKey) ValidateCreate() error {
+func (r *AgeKey) ValidateCreate() (admission.Warnings, error) {
 	ageKeyLog.Info("validate create", "name", r.Name)
 	if err := r.ValidateAgeKey(); err != nil {
-		return err
+		return nil, err
 	}
-	return nil
+	return nil, nil
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *AgeKey) ValidateUpdate(old runtime.Object) error {
+func (r *AgeKey) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
 	ageKeyLog.Info("validate update", "name", r.Name)
 	if err := r.ValidateAgeKey(); err != nil {
-		return err
+		return nil, err
 	}
-	return nil
+	return nil, nil
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *AgeKey) ValidateDelete() error {
+func (r *AgeKey) ValidateDelete() (admission.Warnings, error) {
 	ageKeyLog.Info("validate delete", "name", r.Name)
 
-	return nil
+	return nil, nil
 }
 
 func (r *AgeKey) ValidateAgeKey() error {

diff --git a/api/v1alpha1/agesecret_webhook.go b/api/v1alpha1/agesecret_webhook.go
@@ -22,6 +22,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 	"strings"
 )
 
@@ -49,28 +50,28 @@ func (r *AgeSecret) Default() {
 var _ webhook.Validator = &AgeSecret{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *AgeSecret) ValidateCreate() error {
+func (r *AgeSecret) ValidateCreate() (admission.Warnings, error) {
 	ageSecretLog.Info("validate create", "name", r.Name)
 	if err := r.ValidateAgeSecret(); err != nil {
-		return err
+		return nil, err
 	}
-	return nil
+	return nil, nil
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *AgeSecret) ValidateUpdate(old runtime.Object) error {
+func (r *AgeSecret) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
 	ageSecretLog.Info("validate update", "name", r.Name)
 	if err := r.ValidateAgeSecret(); err != nil {
-		return err
+		return nil, err
 	}
-	return nil
+	return nil, nil
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *AgeSecret) ValidateDelete() error {
+func (r *AgeSecret) ValidateDelete() (admission.Warnings, error) {
 	ageSecretLog.Info("validate delete", "name", r.Name)
 
-	return nil
+	return nil, nil
 }
 
 func (r *AgeSecret) ValidateAgeSecret() error {

diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go
@@ -15,8 +15,8 @@ limitations under the License.
 */
 
 // Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group
-//+kubebuilder:object:generate=true
-//+groupName=gitopssecret.snappcloud.io
+// +kubebuilder:object:generate=true
+// +groupName=gitopssecret.snappcloud.io
 package v1alpha1
 
 import (

diff --git a/api/v1alpha1/webhook_suite_test.go b/api/v1alpha1/webhook_suite_test.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net"
 	"path/filepath"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"testing"
 	"time"
 
@@ -35,7 +36,6 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
-	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 )
@@ -51,10 +51,7 @@ var cancel context.CancelFunc
 
 func TestAPIs(t *testing.T) {
 	RegisterFailHandler(Fail)
-
-	RunSpecsWithDefaultAndCustomReporters(t,
-		"Webhook Suite",
-		[]Reporter{printer.NewlineReporter{}})
+	RunSpecsWithDefaultAndCustomReporters(t, "Webhook Suite", []Reporter{})
 }
 
 var _ = BeforeSuite(func() {
@@ -92,13 +89,15 @@ var _ = BeforeSuite(func() {
 
 	// start webhook server using Manager
 	webhookInstallOptions := &testEnv.WebhookInstallOptions
+	webhookSrv := webhook.NewServer(webhook.Options{
+		Host:    webhookInstallOptions.LocalServingHost,
+		Port:    webhookInstallOptions.LocalServingPort,
+		CertDir: webhookInstallOptions.LocalServingCertDir,
+	})
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
-		Scheme:             scheme,
-		Host:               webhookInstallOptions.LocalServingHost,
-		Port:               webhookInstallOptions.LocalServingPort,
-		CertDir:            webhookInstallOptions.LocalServingCertDir,
-		LeaderElection:     false,
-		MetricsBindAddress: "0",
+		Scheme:         scheme,
+		WebhookServer:  webhookSrv,
+		LeaderElection: false,
 	})
 	Expect(err).NotTo(HaveOccurred())
 

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -51,7 +51,7 @@ spec:
         resources:
           limits:
             cpu: 3
-            memory: 1Gi
+            memory: 4Gi
           requests:
             cpu: 1
             memory: 1Gi

diff --git a/config/samples/_v1alpha1_agesecret.yaml b/config/samples/_v1alpha1_agesecret.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: test-age-secret
   labels:
     key_label: value_label
+    app.kubernetes.io/instance: this-should-be-removed
   annotations:
     key_annotation: value_annotation
 spec:

diff --git a/consts/consts.go b/consts/consts.go
@@ -0,0 +1,10 @@
+package consts
+
+var (
+	ExcessAnnotations = []string{
+		"kubectl.kubernetes.io/last-applied-configuration",
+	}
+	ExcessLabels = []string{
+		"app.kubernetes.io/instance",
+	}
+)
diff --git a/controllers/agekey_controller.go b/controllers/agekey_controller.go
@@ -21,6 +21,7 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/snapp-incubator/age-operator/k8sutils"
 	"k8s.io/apimachinery/pkg/api/errors"
+	"time"
 
 	gitopssecretsnappcloudiov1alpha1 "github.com/snapp-incubator/age-operator/api/v1alpha1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -54,7 +55,7 @@ func (r *AgeKeyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		if errors.IsNotFound(err) {
 			return ctrl.Result{}, nil
 		}
-		return ctrl.Result{}, err
+		return ctrl.Result{Requeue: true, RequeueAfter: 20 * time.Second}, err
 	}
 
 	if err = k8sutils.HandleAgeKeyFinalizers(ageKeyInstance, r.Client); err != nil {

diff --git a/controllers/agesecret_controller_test.go b/controllers/agesecret_controller_test.go
@@ -5,6 +5,7 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	"github.com/snapp-incubator/age-operator/api/v1alpha1"
+	"github.com/snapp-incubator/age-operator/consts"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -74,9 +75,24 @@ var _ = Describe("", func() {
 			fooSecretObj := &corev1.Secret{}
 			err = k8sClient.Get(ctx, types.NamespacedName{Namespace: validAgeSecretObj.Namespace, Name: validAgeSecretObj.Name}, fooSecretObj)
 			Expect(err).To(BeNil())
-			Expect(fooSecretObj.GetLabels()).Should(Equal(validAgeSecretObj.GetLabels()))
 			Expect(fooSecretObj.GetAnnotations()).Should(Equal(validAgeSecretObj.GetAnnotations()))
 
+			// make sure unwanted label is removed
+			unwantedLabelExists := false
+			secretLabels := fooSecretObj.GetLabels()
+			for _, label := range secretLabels {
+				for _, unwantedLabel := range consts.ExcessLabels {
+					if label == unwantedLabel {
+						unwantedLabelExists = true
+						break
+					}
+				}
+				if unwantedLabelExists {
+					break
+				}
+			}
+			Expect(unwantedLabelExists).To(BeFalse())
+
 			sampleKeyValue, exists := fooSecretObj.Data["sample_key"]
 			Expect(string(sampleKeyValue)).Should(Equal("sample_value"))
 			Expect(exists).To(BeTrue())

diff --git a/controllers/suite_test.go b/controllers/suite_test.go
@@ -28,7 +28,6 @@ import (
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
-	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
@@ -45,10 +44,7 @@ var testEnv *envtest.Environment
 
 func TestAPIs(t *testing.T) {
 	RegisterFailHandler(Fail)
-
-	RunSpecsWithDefaultAndCustomReporters(t,
-		"Controller Suite",
-		[]Reporter{printer.NewlineReporter{}})
+	RunSpecsWithDefaultAndCustomReporters(t, "Controller Suite", []Reporter{})
 }
 
 var _ = BeforeSuite(func() {

diff --git a/go.mod b/go.mod
@@ -1,23 +1,23 @@
 module github.com/snapp-incubator/age-operator
 
-go 1.17
+go 1.20
 
 require (
 	filippo.io/age v1.1.1
 	github.com/go-logr/logr v1.2.4
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.10
-	k8s.io/api v0.28.1
-	k8s.io/apimachinery v0.28.1
-	k8s.io/client-go v0.28.1
-	sigs.k8s.io/controller-runtime v0.16.1
+	k8s.io/api v0.28.3
+	k8s.io/apimachinery v0.28.3
+	k8s.io/client-go v0.28.3
+	sigs.k8s.io/controller-runtime v0.16.3
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/zapr v1.2.4 // indirect
@@ -48,13 +48,13 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.25.0 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/net v0.13.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
@@ -63,8 +63,8 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.28.0 // indirect
-	k8s.io/component-base v0.28.1 // indirect
+	k8s.io/apiextensions-apiserver v0.28.3 // indirect
+	k8s.io/component-base v0.28.3 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect