Feat: support secret type (#58)

* fix: do not log credstash error twice * feat: add support for custom secret types * fix: run go fmt
ouzi-dev · Mar 2, 2020 · 4078f0c · 4078f0c
1 parent 352515f
commit 4078f0c
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -33,6 +33,8 @@ spec:
       table: credential-store
       # version: the version of the secret in credstash for the provided key (Optional.Defaults to the latest version)
       version: 1
+  # type: the type of the resulting kubernetes secret (Optional. Defaults to Opaque)
+  type: Opaque
 ```
 
 To see the credstash secrets in the cluster, just run:
@@ -59,6 +61,30 @@ prow             prow-bucket-gcs-credentials                    prow-bucket-gcs-
 prow             slack-token                                    slack-token  
 ```
 
+#### Custom secret types
+If you want to create a secret that is not of type `Opaque`, provide a different secret type in .spec.type
+For example a dockerconfigjson secret would look as follows:
+```yaml
+apiVersion: credstash.ouzi.tech/v1alpha1
+kind: CredstashSecret
+metadata:
+  name: dockerconfigjson
+  namespace: test
+spec:
+  # Name of the target secret (Optional. Defaults to the CR name)
+  name: dockerconfigjson
+  # List of secrets from credstash to add to the body of the secret 
+  secrets:
+      # key: the key in credstash to fetch. (Required)
+    - key: docker_secret
+      # name: the name of the resulting data element in the k8s secret (Optional. Defaults to the credstash key)
+      name: .dockerconfigjson
+      # table: the dynamoDB table that contains the credstash secrets (Optional. Defaults to credential-store)
+      table: credential-store
+  # type: the type of the resulting kubernetes secret (Optional. Defaults to Opaque)
+  type: kubernetes.io/dockerconfigjson
+```
+
 
 ## Deployment
 ### Prerequisites

diff --git a/deploy/crds/credstash.ouzi.tech_credstashsecrets_crd.yaml b/deploy/crds/credstash.ouzi.tech_credstashsecrets_crd.yaml
@@ -51,6 +51,8 @@ spec:
                     type: string
                 type: object
               type: array
+            type:
+              type: string
           type: object
         status:
           description: CredstashSecretStatus defines the observed state of CredstashSecret

diff --git a/deploy/helm/credstash-operator/crds/crds.yaml b/deploy/helm/credstash-operator/crds/crds.yaml
@@ -51,6 +51,8 @@ spec:
                     type: string
                 type: object
               type: array
+            type:
+              type: string
           type: object
         status:
           description: CredstashSecretStatus defines the observed state of CredstashSecret

diff --git a/pkg/apis/credstash/v1alpha1/credstashsecret_types.go b/pkg/apis/credstash/v1alpha1/credstashsecret_types.go
@@ -1,6 +1,7 @@
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -15,6 +16,7 @@ type CredstashSecretDef struct {
 type CredstashSecretSpec struct {
 	SecretName string               `json:"name,omitempty"`
 	Secrets    []CredstashSecretDef `json:"secrets,omitempty"`
+	SecretType corev1.SecretType    `json:"type,omitempty"`
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 	// Add custom validation using kubebuilder tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html

diff --git a/pkg/controller/credstashsecret/credstashsecret_controller.go b/pkg/controller/credstashsecret/credstashsecret_controller.go
@@ -140,7 +140,6 @@ func (r *ReconcileCredstashSecret) Reconcile(request reconcile.Request) (reconci
 	// Define a new Secret object
 	secret, err := r.secretForCR(instance)
 	if err != nil {
-		reqLogger.Error(err, "Failed fetching secret from credstash")
 		return reconcile.Result{}, err
 	}
 
@@ -235,13 +234,20 @@ func (r *ReconcileCredstashSecret) secretForCR(cr *credstashv1alpha1.CredstashSe
 		secretName = cr.Name
 	}
 
+	// default to Opaque if not provided
+	secretType := cr.Spec.SecretType
+	if secretType == "" {
+		secretType = corev1.SecretTypeOpaque
+	}
+
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      secretName,
 			Namespace: cr.Namespace,
 			Labels:    cr.GetLabels(),
 		},
 		Data: credstashSecretsValueMap,
+		Type: secretType,
 	}
 
 	return secret, nil

diff --git a/pkg/controller/credstashsecret/credstashsecret_controller_test.go b/pkg/controller/credstashsecret/credstashsecret_controller_test.go
@@ -87,6 +87,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Data: credstashGetterReturn,
+			Type: corev1.SecretTypeOpaque,
 		},
 	},
 	{
@@ -115,6 +116,7 @@ var tests = []testReconcileItem{
 			Data: map[string][]byte{
 				"differentKey": []byte("differentValue"),
 			},
+			Type: corev1.SecretTypeOpaque,
 		},
 		credstashError: nil,
 		expectedResultSecret: &corev1.Secret{
@@ -123,6 +125,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Data: credstashGetterReturn,
+			Type: corev1.SecretTypeOpaque,
 		},
 	},
 	{
@@ -157,6 +160,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Data: credstashGetterReturn,
+			Type: corev1.SecretTypeOpaque,
 		},
 	},
 	{
@@ -183,6 +187,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Data: credstashGetterReturn,
+			Type: corev1.SecretTypeOpaque,
 		},
 	},
 	{
@@ -218,6 +223,7 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Data: credstashGetterReturn,
+			Type: corev1.SecretTypeOpaque,
 		},
 	},
 	{
@@ -253,6 +259,35 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 			},
 			Data: credstashGetterReturn,
+			Type: corev1.SecretTypeOpaque,
+		},
+	},
+	{
+		testName: "Custom secret type",
+		customResource: &credstashv1alpha1.CredstashSecret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: credstashv1alpha1.CredstashSecretSpec{
+				SecretName: secretName,
+				Secrets: []credstashv1alpha1.CredstashSecretDef{
+					{
+						Key: credstashKey,
+					},
+				},
+				SecretType: corev1.SecretTypeDockerConfigJson,
+			},
+		},
+		existsingSecret: nil,
+		credstashError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secretName,
+				Namespace: namespace,
+			},
+			Data: credstashGetterReturn,
+			Type: corev1.SecretTypeDockerConfigJson,
 		},
 	},
 }
@@ -319,6 +354,7 @@ func TestReconcileCredstashSecret_Reconcile(t *testing.T) {
 			} else {
 				assert.Equal(t, testData.expectedResultSecret.Data, secret.Data)
 				assert.Equal(t, testData.expectedResultSecret.Name, secret.Name)
+				assert.Equal(t, testData.expectedResultSecret.Type, secret.Type)
 
 				updatedCR := &credstashv1alpha1.CredstashSecret{}
 				err = cl.Get(context.TODO(), req.NamespacedName, updatedCR)