-
Notifications
You must be signed in to change notification settings - Fork 66
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: inject bundle data into configmap
Signed-off-by: Erik Godding Boye <[email protected]>
- Loading branch information
Showing
3 changed files
with
296 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,112 @@ | ||
| /* | ||
| Copyright 2021 The cert-manager Authors. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package inject | ||
|
|
||
| import ( | ||
| "context" | ||
| "crypto/sha256" | ||
| "fmt" | ||
|
|
||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| "k8s.io/apimachinery/pkg/runtime" | ||
| v1 "k8s.io/client-go/applyconfigurations/core/v1" | ||
| ctrl "sigs.k8s.io/controller-runtime" | ||
| "sigs.k8s.io/controller-runtime/pkg/builder" | ||
| "sigs.k8s.io/controller-runtime/pkg/client" | ||
| "sigs.k8s.io/controller-runtime/pkg/predicate" | ||
| "sigs.k8s.io/controller-runtime/pkg/reconcile" | ||
|
|
||
| "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1" | ||
| "github.com/cert-manager/trust-manager/pkg/bundle/internal/ssa_client" | ||
| ) | ||
|
|
||
| const ( | ||
| BundleInjectLabelKey = "trust-manager.io/inject-bundle" | ||
|
|
||
| fieldManager = "trust-manager-injector" | ||
| ) | ||
|
|
||
| var configMap = &metav1.PartialObjectMetadata{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "ConfigMap"}} | ||
|
|
||
| type Injector struct { | ||
| client.Client | ||
| Scheme *runtime.Scheme | ||
| } | ||
|
|
||
| func (i *Injector) SetupWithManager(mgr ctrl.Manager) error { | ||
| return ctrl.NewControllerManagedBy(mgr). | ||
| For(configMap, | ||
| builder.WithPredicates( | ||
| hasLabel(BundleInjectLabelKey), | ||
| )). | ||
| Complete(i) | ||
| } | ||
|
|
||
| func (i *Injector) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { | ||
| data := map[string]string{"ca.crt": "bundle data"} | ||
| dataHash := fmt.Sprintf("%x", sha256.Sum256([]byte("bundle data hash"))) | ||
|
|
||
| applyConfig := v1.ConfigMap(request.Name, request.Namespace). | ||
| WithAnnotations(map[string]string{v1alpha1.BundleHashAnnotationKey: dataHash}). | ||
| WithData(data) | ||
|
|
||
| return reconcile.Result{}, patchConfigMap(ctx, i.Client, applyConfig) | ||
| } | ||
|
|
||
| type Cleaner struct { | ||
| client.Client | ||
| Scheme *runtime.Scheme | ||
| } | ||
|
|
||
| func (c *Cleaner) SetupWithManager(mgr ctrl.Manager) error { | ||
| return ctrl.NewControllerManagedBy(mgr). | ||
| For(configMap, | ||
| builder.WithPredicates( | ||
| hasAnnotation(v1alpha1.BundleHashAnnotationKey), | ||
| predicate.Not(hasLabel(BundleInjectLabelKey)), | ||
| )). | ||
| Complete(c) | ||
| } | ||
|
|
||
| func (c *Cleaner) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { | ||
| applyConfig := v1.ConfigMap(request.Name, request.Namespace) | ||
|
|
||
| return reconcile.Result{}, patchConfigMap(ctx, c.Client, applyConfig) | ||
| } | ||
|
|
||
| func patchConfigMap(ctx context.Context, c client.Client, applyConfig *v1.ConfigMapApplyConfiguration) error { | ||
| configMap, patch, err := ssa_client.GenerateConfigMapPatch(applyConfig) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| return c.Patch(ctx, configMap, patch, client.FieldOwner(fieldManager), client.ForceOwnership) | ||
| } | ||
|
|
||
| func hasLabel(key string) predicate.Predicate { | ||
| return predicate.NewPredicateFuncs(func(obj client.Object) bool { | ||
| _, ok := obj.GetLabels()[key] | ||
| return ok | ||
| }) | ||
| } | ||
|
|
||
| func hasAnnotation(key string) predicate.Predicate { | ||
| return predicate.NewPredicateFuncs(func(obj client.Object) bool { | ||
| _, ok := obj.GetAnnotations()[key] | ||
| return ok | ||
| }) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| /* | ||
| Copyright 2021 The cert-manager Authors. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package inject | ||
|
|
||
| import ( | ||
| "context" | ||
|
|
||
| corev1 "k8s.io/api/core/v1" | ||
| "sigs.k8s.io/controller-runtime/pkg/envtest/komega" | ||
|
|
||
| "github.com/cert-manager/trust-manager/pkg/bundle/inject" | ||
|
|
||
| . "github.com/onsi/ginkgo/v2" | ||
| . "github.com/onsi/gomega" | ||
| ) | ||
|
|
||
| var _ = Describe("Injector", func() { | ||
| var namespace string | ||
|
|
||
| BeforeEach(func() { | ||
| ctx = context.Background() | ||
|
|
||
| ns := &corev1.Namespace{} | ||
| ns.GenerateName = "inject-" | ||
| Expect(k8sClient.Create(ctx, ns)).To(Succeed()) | ||
| namespace = ns.Name | ||
| }) | ||
|
|
||
| It("should inject bundle data when ConfigMap labeled", func() { | ||
| cm := &corev1.ConfigMap{} | ||
| cm.GenerateName = "cm-" | ||
| cm.Namespace = namespace | ||
| cm.Labels = map[string]string{ | ||
| inject.BundleInjectLabelKey: "foo-bundle", | ||
| "app": "my-app", | ||
| } | ||
| cm.Data = map[string]string{ | ||
| "tls.crt": "bar", | ||
| "tls.key": "baz", | ||
| } | ||
| Expect(k8sClient.Create(ctx, cm)).To(Succeed()) | ||
|
|
||
| // Wait for ConfigMap to be processed by controller | ||
| Eventually(komega.Object(cm)).Should(HaveField("Data", HaveKeyWithValue("ca.crt", "bundle data"))) | ||
| Expect(cm.Labels).To(HaveKeyWithValue("app", "my-app")) | ||
|
|
||
| By("removing label from ConfigMap, it should remove bundle data", func() { | ||
| Expect(komega.Update(cm, func() { | ||
| delete(cm.Labels, inject.BundleInjectLabelKey) | ||
| })()).To(Succeed()) | ||
|
|
||
| // Wait for ConfigMap to be processed by controller | ||
| Eventually(komega.Object(cm)).Should(HaveField("Data", Not(HaveKey("ca.crt")))) | ||
| Expect(cm.Labels).To(HaveKeyWithValue("app", "my-app")) | ||
| Expect(cm.Data).To(Equal(map[string]string{ | ||
| "tls.crt": "bar", | ||
| "tls.key": "baz", | ||
| })) | ||
| }) | ||
| }) | ||
| }) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| /* | ||
| Copyright 2021 The cert-manager Authors. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package inject | ||
|
|
||
| import ( | ||
| "context" | ||
| "testing" | ||
|
|
||
| "k8s.io/client-go/kubernetes/scheme" | ||
| "k8s.io/client-go/rest" | ||
| ctrl "sigs.k8s.io/controller-runtime" | ||
| "sigs.k8s.io/controller-runtime/pkg/client" | ||
| "sigs.k8s.io/controller-runtime/pkg/envtest" | ||
| "sigs.k8s.io/controller-runtime/pkg/envtest/komega" | ||
| logf "sigs.k8s.io/controller-runtime/pkg/log" | ||
| "sigs.k8s.io/controller-runtime/pkg/log/zap" | ||
| "sigs.k8s.io/controller-runtime/pkg/metrics/server" | ||
|
|
||
| "github.com/cert-manager/trust-manager/pkg/bundle/inject" | ||
|
|
||
| . "github.com/onsi/ginkgo/v2" | ||
| . "github.com/onsi/gomega" | ||
| ) | ||
|
|
||
| var ( | ||
| cfg *rest.Config | ||
| k8sClient client.Client | ||
| testEnv *envtest.Environment | ||
| ctx context.Context | ||
| cancel context.CancelFunc | ||
| ) | ||
|
|
||
| func TestAPIs(t *testing.T) { | ||
| RegisterFailHandler(Fail) | ||
|
|
||
| RunSpecs(t, "Controller Suite") | ||
| } | ||
|
|
||
| var _ = BeforeSuite(func() { | ||
| logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) | ||
|
|
||
| ctx, cancel = context.WithCancel(context.TODO()) | ||
|
|
||
| By("bootstrapping test environment") | ||
| testEnv = &envtest.Environment{} | ||
|
|
||
| var err error | ||
| // cfg is defined in this file globally. | ||
| cfg, err = testEnv.Start() | ||
| Expect(err).NotTo(HaveOccurred()) | ||
| Expect(cfg).NotTo(BeNil()) | ||
|
|
||
| k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) | ||
| Expect(err).NotTo(HaveOccurred()) | ||
| Expect(k8sClient).NotTo(BeNil()) | ||
| komega.SetClient(k8sClient) | ||
|
|
||
| k8sManager, err := ctrl.NewManager(cfg, ctrl.Options{ | ||
| Client: client.Options{Cache: &client.CacheOptions{Unstructured: true}}, | ||
| Scheme: scheme.Scheme, | ||
| Metrics: server.Options{ | ||
| // Disable metrics server to avoid port conflict | ||
| BindAddress: "0", | ||
| }, | ||
| }) | ||
| Expect(err).NotTo(HaveOccurred()) | ||
|
|
||
| k8sScheme := k8sManager.GetScheme() | ||
|
|
||
| injector := &inject.Injector{ | ||
| Client: k8sManager.GetClient(), | ||
| Scheme: k8sScheme, | ||
| } | ||
| Expect(injector.SetupWithManager(k8sManager)).To(Succeed()) | ||
| cleaner := &inject.Cleaner{ | ||
| Client: k8sManager.GetClient(), | ||
| Scheme: k8sScheme, | ||
| } | ||
| Expect(cleaner.SetupWithManager(k8sManager)).To(Succeed()) | ||
|
|
||
| go func() { | ||
| defer GinkgoRecover() | ||
| var ctrlCtx context.Context | ||
| ctrlCtx, cancel = context.WithCancel(ctrl.SetupSignalHandler()) | ||
| Expect(k8sManager.Start(ctrlCtx)).To(Succeed()) | ||
| }() | ||
| }) | ||
|
|
||
| var _ = AfterSuite(func() { | ||
| cancel() | ||
|
|
||
| By("tearing down the test environment") | ||
| err := testEnv.Stop() | ||
| Expect(err).NotTo(HaveOccurred()) | ||
| }) |