feat: preserve secrets referenced by application replicasets

nais · Dec 19, 2024 · d558418 · d558418
1 parent da37f82
commit d558418
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 64 deletions.
diff --git a/charts/Chart.yaml b/charts/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
 name: tokenx-jwker
 description: A Helm chart for deploying the JWKer service for TokenX
 type: application
-version: 0.4.5
+version: 0.4.6
 sources:
   - https://github.com/nais/jwker/tree/master/charts
diff --git a/charts/templates/rbac.yaml b/charts/templates/rbac.yaml
@@ -18,7 +18,7 @@ rules:
       - delete
       - update
   - apiGroups:
-      - '*'
+      - ""
     resources:
       - secrets
       - events
@@ -30,15 +30,22 @@ rules:
       - delete
       - update
   - apiGroups:
-      - '*'
+      - ""
     resources:
       - pods
       - namespaces
     verbs:
       - list
       - get
       - watch
-
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - list
+      - get
+      - watch
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -54,4 +61,3 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "tokenx.fullname" . }}-jwker
     namespace: "{{ .Release.Namespace }}"
----
diff --git a/controllers/jwker_controller.go b/controllers/jwker_controller.go
@@ -25,7 +25,6 @@ import (
 	"github.com/nais/jwker/jwkutils"
 	"github.com/nais/jwker/pkg/config"
 	jwkermetrics "github.com/nais/jwker/pkg/metrics"
-	"github.com/nais/jwker/pkg/pods"
 	"github.com/nais/jwker/pkg/secret"
 	"github.com/nais/jwker/pkg/tokendings"
 )
@@ -91,21 +90,11 @@ type transaction struct {
 func (r *JwkerReconciler) prepare(ctx context.Context, req ctrl.Request, jwker jwkerv1.Jwker) (*transaction, error) {
 	app := r.appClientID(req)
 
-	// fetch running pods for this app
-	podList, err := pods.ApplicationPods(ctx, app, r.Client)
+	secrets, err := libernetes.ListSecretsForApplication(ctx, r.Client, app.KubeObjectKey(), secret.Labels(app.Name))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("list secrets for app: %w", err)
 	}
 
-	// fetch all jwker managed secrets
-	allSecrets, err := secret.ClusterSecrets(ctx, app, r.Client)
-	if err != nil {
-		return nil, err
-	}
-
-	// find intersect between secrets in use by deployment and all jwker managed secrets
-	secrets := libernetes.ListUsedAndUnusedSecretsForPods(allSecrets, *podList)
-
 	existingJwks := jose.JSONWebKeySet{}
 
 	var newJwk jose.JSONWebKey

diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/go-logr/zapr v1.3.0
 	github.com/golang-jwt/jwt/v4 v4.5.1
 	github.com/google/uuid v1.6.0
-	github.com/nais/liberator v0.0.0-20241210070031-8875af382632
+	github.com/nais/liberator v0.0.0-20241219121707-182675e6f1ad
 	github.com/prometheus/client_golang v1.20.5
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/pflag v1.0.5

diff --git a/go.sum b/go.sum
@@ -11,8 +11,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
-github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
@@ -87,8 +87,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/nais/liberator v0.0.0-20241210070031-8875af382632 h1:jzK0ItVkFaDPbRvL3WWbl69GkzWIHPQFjt/q36enStA=
-github.com/nais/liberator v0.0.0-20241210070031-8875af382632/go.mod h1:gRUXR0S/Il3JnHlfc6ESLAih27Su+WFPm5aaXp/tHpE=
+github.com/nais/liberator v0.0.0-20241219121707-182675e6f1ad h1:Z/HPNfZgmNsqlBwfwUE9DMyhsQThpQnudadqncwGdik=
+github.com/nais/liberator v0.0.0-20241219121707-182675e6f1ad/go.mod h1:DtQgc26XvoZFe8jy0++wbuFUu5yCFTQ3vGV+y7TA7Uw=
 github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
 github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=

diff --git a/pkg/pods/pods.go b/pkg/pods/pods.go
diff --git a/pkg/secret/secrets.go b/pkg/secret/secrets.go
@@ -1,17 +1,14 @@
 package secret
 
 import (
-	"context"
 	"encoding/json"
 	"fmt"
 
 	"github.com/go-jose/go-jose/v4"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
 	"github.com/nais/jwker/pkg/config"
 	"github.com/nais/jwker/pkg/tokendings"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 const (
@@ -71,10 +68,7 @@ func CreateSecretSpec(secretName string, data PodSecretData) (*corev1.Secret, er
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      secretName,
 			Namespace: data.ClientId.Namespace,
-			Labels: map[string]string{
-				"app":                data.ClientId.Name,
-				TokenXSecretLabelKey: TokenXSecretLabelType,
-			},
+			Labels:    Labels(data.ClientId.Name),
 			Annotations: map[string]string{
 				StakaterReloaderAnnotationKey: "true",
 			},
@@ -91,14 +85,9 @@ func CreateSecretSpec(secretName string, data PodSecretData) (*corev1.Secret, er
 	}, nil
 }
 
-func ClusterSecrets(ctx context.Context, app tokendings.ClientId, cli client.Client) (corev1.SecretList, error) {
-	var secrets corev1.SecretList
-	mLabels := client.MatchingLabels{}
-
-	mLabels["app"] = app.Name
-	mLabels[TokenXSecretLabelKey] = TokenXSecretLabelType
-	if err := cli.List(ctx, &secrets, client.InNamespace(app.Namespace), mLabels); err != nil {
-		return secrets, err
+func Labels(appName string) map[string]string {
+	return map[string]string{
+		"app":                appName,
+		TokenXSecretLabelKey: TokenXSecretLabelType,
 	}
-	return secrets, nil
 }
diff --git a/pkg/tokendings/registration.go b/pkg/tokendings/registration.go
@@ -14,6 +14,7 @@ import (
 	"github.com/go-jose/go-jose/v4/jwt"
 	v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
 	"github.com/nais/liberator/pkg/oauth"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 type ClientId struct {
@@ -30,6 +31,13 @@ func (a *ClientId) ToFileName() string {
 	return fmt.Sprintf("%s/%s/%s", a.Cluster, a.Namespace, a.Name)
 }
 
+func (a *ClientId) KubeObjectKey() client.ObjectKey {
+	return client.ObjectKey{
+		Name:      a.Name,
+		Namespace: a.Namespace,
+	}
+}
+
 type ClientRegistration struct {
 	ClientName        string             `json:"client_name"`
 	Jwks              jose.JSONWebKeySet `json:"jwks"`