stunnel: flip namespace-name, separate func for creating bundle, upda…

…te MarkForCleanup Signed-off-by: Alay Patel <[email protected]>
backube · Nov 18, 2021 · 4b9f475 · 4b9f475
1 parent 75c304a
commit 4b9f475
Show file tree

Hide file tree

Showing 3 changed files with 141 additions and 71 deletions.
diff --git a/transport/stunnel/server.go b/transport/stunnel/server.go
@@ -141,13 +141,35 @@ func (s *server) MarkForCleanup(ctx context.Context, c ctrlclient.Client, key, v
 		return err
 	}
 
-	secret := &corev1.Secret{
+	clientSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      getResourceName(s.namespacedName, clientSecretNameSuffix()),
+			Namespace: s.NamespacedName().Namespace,
+		},
+	}
+	err = utils.UpdateWithLabel(ctx, c, clientSecret, key, value)
+	if err != nil {
+		return err
+	}
+
+	serverSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      getResourceName(s.namespacedName, serverSecretNameSuffix()),
+			Namespace: s.NamespacedName().Namespace,
+		},
+	}
+	err = utils.UpdateWithLabel(ctx, c, serverSecret, key, value)
+	if err != nil {
+		return err
+	}
+
+	crtBundleSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      s.prefixedName(stunnelSecret),
+			Name:      getResourceName(s.namespacedName, caBundleSecretNameSuffix()),
 			Namespace: s.NamespacedName().Namespace,
 		},
 	}
-	return utils.UpdateWithLabel(ctx, c, secret, key, value)
+	return utils.UpdateWithLabel(ctx, c, crtBundleSecret, key, value)
 }
 
 func (s *server) reconcileConfig(ctx context.Context, c ctrlclient.Client) error {
@@ -210,70 +232,7 @@ func (s *server) reconcileSecret(ctx context.Context, c ctrlclient.Client) error
 		s.logger.Error(err, "error generating ssl certs for stunnel server")
 		return err
 	}
-
-	crtBundleSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: s.NamespacedName().Namespace,
-			Name:      getResourceName(s.namespacedName, caBundleSecretNameSuffix()),
-		},
-	}
-	_, err = controllerutil.CreateOrUpdate(ctx, c, crtBundleSecret, func() error {
-		crtBundleSecret.Labels = s.options.Labels
-		crtBundleSecret.OwnerReferences = s.options.Owners
-
-		crtBundleSecret.Data = map[string][]byte{
-			"server.crt": crtBundle.ServerCrt.Bytes(),
-			"server.key": crtBundle.ServerKey.Bytes(),
-			"client.crt": crtBundle.ClientCrt.Bytes(),
-			"client.key": crtBundle.ClientKey.Bytes(),
-			"ca.crt":     crtBundle.CACrt.Bytes(),
-			"ca.key":     crtBundle.CAKey.Bytes(),
-		}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	serverSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: s.NamespacedName().Namespace,
-			Name:      getResourceName(s.namespacedName, serverSecretNameSuffix()),
-		},
-	}
-	_, err = controllerutil.CreateOrUpdate(ctx, c, serverSecret, func() error {
-		serverSecret.Labels = s.options.Labels
-		serverSecret.OwnerReferences = s.options.Owners
-
-		serverSecret.Data = map[string][]byte{
-			"tls.crt": crtBundle.ServerCrt.Bytes(),
-			"tls.key": crtBundle.ServerKey.Bytes(),
-			"ca.crt":  crtBundle.CACrt.Bytes(),
-		}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	clientSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: s.NamespacedName().Namespace,
-			Name:      getResourceName(s.namespacedName, clientSecretNameSuffix()),
-		},
-	}
-	_, err = controllerutil.CreateOrUpdate(ctx, c, clientSecret, func() error {
-		clientSecret.Labels = s.options.Labels
-		clientSecret.OwnerReferences = s.options.Owners
-
-		clientSecret.Data = map[string][]byte{
-			"tls.crt": crtBundle.ClientCrt.Bytes(),
-			"tls.key": crtBundle.ClientKey.Bytes(),
-			"ca.crt":  crtBundle.CACrt.Bytes(),
-		}
-		return nil
-	})
-	return err
+	return reconcileCertificateSecrets(ctx, c, s.namespacedName, s.options, crtBundle)
 }
 
 func (s *server) serverContainers() []corev1.Container {

diff --git a/transport/stunnel/server_test.go b/transport/stunnel/server_test.go
@@ -248,6 +248,22 @@ func Test_server_MarkForCleanup(t *testing.T) {
 					},
 					Data: map[string][]byte{"tls.key": []byte(`key`), "tls.crt": []byte(`crt`)},
 				},
+				&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "foo-client-stunnel-credentials",
+						Namespace: "bar",
+						Labels:    map[string]string{"test": "me"},
+					},
+					Data: map[string][]byte{"tls.key": []byte(`key`), "tls.crt": []byte(`crt`)},
+				},
+				&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "foo-ca-bundle-stunnel-credentials",
+						Namespace: "bar",
+						Labels:    map[string]string{"test": "me"},
+					},
+					Data: map[string][]byte{"tls.key": []byte(`key`), "tls.crt": []byte(`crt`)},
+				},
 				&corev1.ConfigMap{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "foo-server-stunnel-config",
@@ -289,17 +305,40 @@ func Test_server_MarkForCleanup(t *testing.T) {
 				t.Errorf("labels on configmap = %#v, wanted %#v", cm.Labels, tt.labels)
 			}
 
-			secret := &corev1.Secret{}
+			secretSecret := &corev1.Secret{}
 			err = fakeClient.Get(context.Background(), types.NamespacedName{
 				Namespace: "bar",
 				Name:      "foo-server-" + stunnelSecret,
-			}, secret)
+			}, secretSecret)
+			if err != nil {
+				panic(fmt.Errorf("%#v should not be getting error from fake client", err))
+			}
+			if !reflect.DeepEqual(tt.labels, secretSecret.Labels) {
+				t.Errorf("labels on secretSecret = %#v, wanted %#v", secretSecret.Labels, tt.labels)
+			}
+
+			clientSecret := &corev1.Secret{}
+			err = fakeClient.Get(context.Background(), types.NamespacedName{
+				Namespace: "bar",
+				Name:      "foo-client-" + stunnelSecret,
+			}, clientSecret)
 			if err != nil {
 				panic(fmt.Errorf("%#v should not be getting error from fake client", err))
 			}
+			if !reflect.DeepEqual(tt.labels, clientSecret.Labels) {
+				t.Errorf("labels on secretSecret = %#v, wanted %#v", secretSecret.Labels, tt.labels)
+			}
 
-			if !reflect.DeepEqual(tt.labels, secret.Labels) {
-				t.Errorf("labels on secret = %#v, wanted %#v", secret.Labels, tt.labels)
+			caBundleSecret := &corev1.Secret{}
+			err = fakeClient.Get(context.Background(), types.NamespacedName{
+				Namespace: "bar",
+				Name:      "foo-ca-bundle-" + stunnelSecret,
+			}, caBundleSecret)
+			if err != nil {
+				panic(fmt.Errorf("%#v should not be getting error from fake client", err))
+			}
+			if !reflect.DeepEqual(tt.labels, clientSecret.Labels) {
+				t.Errorf("labels on secretSecret = %#v, wanted %#v", secretSecret.Labels, tt.labels)
 			}
 		})
 	}

diff --git a/transport/stunnel/stunnel.go b/transport/stunnel/stunnel.go
@@ -3,6 +3,8 @@ package stunnel
 import (
 	"bytes"
 	"context"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	"github.com/backube/pvc-transfer/transport"
 	"github.com/backube/pvc-transfer/transport/tls/certs"
@@ -90,3 +92,73 @@ func isSecretValid(ctx context.Context, c ctrlclient.Client, logger logr.Logger,
 
 	return certs.VerifyCertificate(bytes.NewBuffer(ca), bytes.NewBuffer(crt))
 }
+
+func reconcileCertificateSecrets(ctx context.Context,
+	c ctrlclient.Client,
+	key types.NamespacedName,
+	options *transport.Options,
+	crtBundle *certs.CertificateBundle) error {
+	crtBundleSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      getResourceName(key, caBundleSecretNameSuffix()),
+			Namespace: key.Namespace,
+		},
+	}
+	_, err := controllerutil.CreateOrUpdate(ctx, c, crtBundleSecret, func() error {
+		crtBundleSecret.Labels = options.Labels
+		crtBundleSecret.OwnerReferences = options.Owners
+
+		crtBundleSecret.Data = map[string][]byte{
+			"server.crt": crtBundle.ServerCrt.Bytes(),
+			"server.key": crtBundle.ServerKey.Bytes(),
+			"client.crt": crtBundle.ClientCrt.Bytes(),
+			"client.key": crtBundle.ClientKey.Bytes(),
+			"ca.crt":     crtBundle.CACrt.Bytes(),
+			"ca.key":     crtBundle.CAKey.Bytes(),
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	serverSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      getResourceName(key, serverSecretNameSuffix()),
+			Namespace: key.Namespace,
+		},
+	}
+	_, err = controllerutil.CreateOrUpdate(ctx, c, serverSecret, func() error {
+		serverSecret.Labels = options.Labels
+		serverSecret.OwnerReferences = options.Owners
+
+		serverSecret.Data = map[string][]byte{
+			"tls.crt": crtBundle.ServerCrt.Bytes(),
+			"tls.key": crtBundle.ServerKey.Bytes(),
+			"ca.crt":  crtBundle.CACrt.Bytes(),
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	clientSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      getResourceName(key, clientSecretNameSuffix()),
+			Namespace: key.Namespace,
+		},
+	}
+	_, err = controllerutil.CreateOrUpdate(ctx, c, clientSecret, func() error {
+		clientSecret.Labels = options.Labels
+		clientSecret.OwnerReferences = options.Owners
+
+		clientSecret.Data = map[string][]byte{
+			"tls.crt": crtBundle.ClientCrt.Bytes(),
+			"tls.key": crtBundle.ClientKey.Bytes(),
+			"ca.crt":  crtBundle.CACrt.Bytes(),
+		}
+		return nil
+	})
+	return err
+}