add secrets ready to sync condition

2026-01-09 15:38:03 -05:00 · 2022-12-15 20:02:22 -05:00
parent 0ef9db99b4
commit 72bf160f2e
5 changed files with 56 additions and 18 deletions
--- a/k8-operator/api/v1alpha1/infisicalsecret_types.go
+++ b/k8-operator/api/v1alpha1/infisicalsecret_types.go
@@ -7,11 +7,11 @@ import (
 type KubeSecretReference struct {
 	// The name of the Kubernetes Secret
 	// +kubebuilder:validation:Required
-	Name string `json:"name"`
+	SecretName string `json:"secretName"`

 	// The name space where the Kubernetes Secret is located
 	// +kubebuilder:validation:Required
-	Namespace string `json:"namespace,omitempty"`
+	SecretNamespace string `json:"secretNamespace,omitempty"`
 }

 // InfisicalSecretSpec defines the desired state of InfisicalSecret
--- a/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml
+++ b/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml
@@ -40,25 +40,25 @@ spec:
                type: string
              infisicalToken:
                properties:
-                  name:
+                  secretName:
                    description: The name of the Kubernetes Secret
                    type: string
-                  namespace:
+                  secretNamespace:
                    description: The name space where the Kubernetes Secret is located
                    type: string
                required:
-                - name
+                - secretName
                type: object
              managedSecret:
                properties:
-                  name:
+                  secretName:
                    description: The name of the Kubernetes Secret
                    type: string
-                  namespace:
+                  secretNamespace:
                    description: The name space where the Kubernetes Secret is located
                    type: string
                required:
-                - name
+                - secretName
                type: object
              projectId:
                description: The Infisical project id
--- a/k8-operator/config/samples/secrets_v1alpha1_infisicalsecret.yaml
+++ b/k8-operator/config/samples/secrets_v1alpha1_infisicalsecret.yaml
@@ -9,4 +9,10 @@ metadata:
    app.kubernetes.io/created-by: k8-operator
  name: infisicalsecret-sample
 spec:
-  # TODO(user): Add fields here
+  projectId: 62faf98ae0b05e8529b5da46
+  infisicalToken:
+    secretName: service-token
+    secretNamespace: default
+  managedSecret:
+    secretName: managed-secret
+    secretNamespace: default
--- a/k8-operator/controllers/infisicalsecret_controller.go
+++ b/k8-operator/controllers/infisicalsecret_controller.go
@@ -54,6 +54,7 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	}

 	err = r.ReconcileInfisicalSecret(ctx, infisicalSecretCR)
+	r.SetReadyToSyncSecretsConditions(ctx, &infisicalSecretCR, err)
 	if err != nil {
 		log.Error(err, "Unable to reconcile Infisical Secret and will try again")
 		return ctrl.Result{
@@ -61,7 +62,10 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}, nil
 	}

-	return ctrl.Result{}, nil
+	// Sync again after the specified time
+	return ctrl.Result{
+		RequeueAfter: time.Minute,
+	}, nil
 }

 // SetupWithManager sets up the controller with the Manager.
--- a/k8-operator/controllers/infisicalsecret_helper.go
+++ b/k8-operator/controllers/infisicalsecret_helper.go
@@ -9,6 +9,7 @@ import (
 	models "github.com/Infisical/infisical/k8-operator/packages/models"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
@@ -27,17 +28,17 @@ func (r *InfisicalSecretReconciler) GetKubeSecretByNamespacedName(ctx context.Co

 func (r *InfisicalSecretReconciler) GetInfisicalToken(ctx context.Context, infisicalSecret v1alpha1.InfisicalSecret) (string, error) {
 	tokenSecret, err := r.GetKubeSecretByNamespacedName(ctx, types.NamespacedName{
-		Namespace: infisicalSecret.Spec.ManagedSecret.Namespace,
-		Name:      infisicalSecret.Spec.ManagedSecret.Name,
+		Namespace: infisicalSecret.Spec.ManagedSecret.SecretNamespace,
+		Name:      infisicalSecret.Spec.ManagedSecret.SecretName,
 	})

 	if err != nil {
-		return "", fmt.Errorf("failed to read infisical token secret from secret named [%s] in namespace [%s]: with error [%w]", infisicalSecret.Spec.ManagedSecret.Name, infisicalSecret.Spec.ManagedSecret.Namespace, err)
+		return "", fmt.Errorf("failed to read infisical token secret from secret named [%s] in namespace [%s]: with error [%w]", infisicalSecret.Spec.ManagedSecret.SecretName, infisicalSecret.Spec.ManagedSecret.SecretNamespace, err)
 	}

 	infisicalServiceToken := tokenSecret.Data[INFISICAL_TOKEN_SECRET_KEY_NAME]
 	if infisicalServiceToken == nil {
-		return "", fmt.Errorf("the Infisical token is not set in the Kubernetes secret. Please add the key [%s] with the corresponding token value.", INFISICAL_TOKEN_SECRET_KEY_NAME)
+		return "", fmt.Errorf("the Infisical token is not set in the Kubernetes secret. Please add the key [%s] with the corresponding token value", INFISICAL_TOKEN_SECRET_KEY_NAME)
 	}

 	return string(infisicalServiceToken), nil
@@ -52,8 +53,8 @@ func (r *InfisicalSecretReconciler) CreateInfisicalManagedKubeSecret(ctx context
 	// create a new secret as specified by the managed secret spec of CRD
 	newKubeSecretInstance := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      infisicalSecret.Spec.ManagedSecret.Name,
-			Namespace: infisicalSecret.Spec.ManagedSecret.Namespace,
+			Name:      infisicalSecret.Spec.ManagedSecret.SecretName,
+			Namespace: infisicalSecret.Spec.ManagedSecret.SecretNamespace,
 		},
 		Type: "Opaque",
 		Data: plainProcessedSecrets,
@@ -91,8 +92,8 @@ func (r *InfisicalSecretReconciler) ReconcileInfisicalSecret(ctx context.Context
 	}

 	managedKubeSecret, err := r.GetKubeSecretByNamespacedName(ctx, types.NamespacedName{
-		Name:      infisicalSecret.Spec.ManagedSecret.Name,
-		Namespace: infisicalSecret.Spec.ManagedSecret.Namespace,
+		Name:      infisicalSecret.Spec.ManagedSecret.SecretName,
+		Namespace: infisicalSecret.Spec.ManagedSecret.SecretNamespace,
 	})

 	if err != nil && !errors.IsNotFound(err) {
@@ -111,3 +112,30 @@ func (r *InfisicalSecretReconciler) ReconcileInfisicalSecret(ctx context.Context
 	}

 }
+
+func (r *InfisicalSecretReconciler) SetReadyToSyncSecretsConditions(ctx context.Context, infisicalSecret *v1alpha1.InfisicalSecret, maybeSecretsSyncError error) {
+	if infisicalSecret.Status.Conditions == nil {
+		infisicalSecret.Status.Conditions = []metav1.Condition{}
+	}
+
+	if maybeSecretsSyncError == nil {
+		meta.SetStatusCondition(&infisicalSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/ReadyToSyncSecrets",
+			Status:  metav1.ConditionTrue,
+			Reason:  "OK",
+			Message: "Infisical controller has started syncing your secrets",
+		})
+	} else {
+		meta.SetStatusCondition(&infisicalSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/ReadyToSyncSecrets",
+			Status:  metav1.ConditionFalse,
+			Reason:  "Error",
+			Message: fmt.Sprintf("Failed to update secret because: %v", maybeSecretsSyncError),
+		})
+	}
+
+	err := r.Client.Status().Update(ctx, infisicalSecret)
+	if err != nil {
+		fmt.Println("Could not set condition")
+	}
+}