Add annotation checksum (#45)

Signed-off-by: Matthew DeVenny <[email protected]>
boxboat · Apr 18, 2022 · 51795b3 · 51795b3
1 parent 7b41b91
commit 51795b3
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/pkg/apis/dhs.dockhand.dev/v1alpha2/types.go b/pkg/apis/dhs.dockhand.dev/v1alpha2/types.go
@@ -115,6 +115,7 @@ type SecretSpec struct {
 
 type SecretStatus struct {
 	State                         SecretState `json:"state"`
+	ObservedAnnotationChecksum    string      `json:"observedAnnotationChecksum"`
 	ObservedGeneration            int64       `json:"observedGeneration"`
 	ObservedSecretResourceVersion string      `json:"observedSecretResourceVersion"`
 	SyncTimestamp                 string      `json:"syncTimestamp"`

diff --git a/pkg/controller/v2/controller.go b/pkg/controller/v2/controller.go
@@ -183,8 +183,13 @@ func (h *Handler) onDockhandSecretChange(_ string, secret *dockhand.Secret) (*do
 		return nil, nil
 	}
 
+	annotationChecksum := k8s.GetAnnotationsChecksum(secret.Annotations)
+
 	// Ready Secret, Generation and observedGeneration match - no change necessarily required
-	if secret.Generation == secret.Status.ObservedGeneration && secret.Status.State == dockhand.Ready {
+	if secret.Generation == secret.Status.ObservedGeneration &&
+		annotationChecksum == secret.Status.ObservedAnnotationChecksum &&
+		secret.Status.State == dockhand.Ready {
+
 		updateRequired := false
 
 		// check for syncInterval setting
@@ -209,7 +214,6 @@ func (h *Handler) onDockhandSecretChange(_ string, secret *dockhand.Secret) (*do
 			common.Log.Debugf("enqueing %s/%s for sync after %s", secret.Namespace, secret.Name, syncDuration.String())
 			h.dhSecretsController.EnqueueAfter(secret.Namespace, secret.Name, syncDuration)
 		} else {
-			common.Log.Debugf("%s metadata.generation[%d]==status.observedGeneration[%d]", secret.Name, secret.Generation, secret.Status.ObservedGeneration)
 			if managedSecret, err := h.secrets.Get(secret.Namespace, secret.SecretSpec.Name, metav1.GetOptions{}); err == nil {
 				if managedSecret.ResourceVersion != secret.Status.ObservedSecretResourceVersion {
 					updateRequired = true
@@ -221,6 +225,8 @@ func (h *Handler) onDockhandSecretChange(_ string, secret *dockhand.Secret) (*do
 
 		if !updateRequired {
 			common.Log.Debugf("skipping update %s", secret.Name)
+			common.Log.Debugf("%s metadata.generation[%d]==status.observedGeneration[%d]", secret.Name, secret.Generation, secret.Status.ObservedGeneration)
+			common.Log.Debugf("%s annotationChecksum[%s]==status.observedAnnotationChecksum[%s]", secret.Name, annotationChecksum, secret.Status.ObservedAnnotationChecksum)
 			return nil, nil
 		}
 	}
@@ -726,8 +732,14 @@ func (h *Handler) updateDockhandSecretStatus(secret *dockhand.Secret, managedSec
 	common.Log.Debugf("updating %s status", secret.Name)
 	secretCopy := secret.DeepCopy()
 	secretCopy.Status.State = state
+
+	if secretCopy.Status.SyncTimestamp == "" {
+		secretCopy.Status.SyncTimestamp = time.Unix(0, 0).Format(time.RFC3339)
+	}
+
 	// generation successfully processed so store observedGeneration
 	if state == dockhand.Ready {
+		secretCopy.Status.ObservedAnnotationChecksum = k8s.GetAnnotationsChecksum(secretCopy.Annotations)
 		secretCopy.Status.ObservedGeneration = secret.Generation
 		secretCopy.Status.SyncTimestamp = time.Now().Format(time.RFC3339)
 	}

diff --git a/pkg/k8s/k8s.go b/pkg/k8s/k8s.go
@@ -125,6 +125,23 @@ func GetDockhandSecretsListFromK8sSecrets(ctx context.Context, secretNames []str
 
 }
 
+// GetAnnotationsChecksum takes an annotation map and returns a sha1 checksum.
+func GetAnnotationsChecksum(annotations map[string]string) string {
+	keys := make([]string, 0, len(annotations))
+	for _, k := range annotations {
+		keys = append(keys, k)
+	}
+
+	sort.Strings(keys)
+	hash := sha1.New()
+
+	for _, k := range keys {
+		hash.Write([]byte(k))
+		hash.Write([]byte(annotations[k]))
+	}
+	return hex.EncodeToString(hash.Sum(nil))
+}
+
 // GetSecretsChecksum takes a set of secrets in a namespace and returns a checksum of all of the data in those secrets
 func GetSecretsChecksum(ctx context.Context, names []string, namespace string) (string, error) {
 	config, err := rest.InClusterConfig()
@@ -148,7 +165,7 @@ func GetSecretsChecksum(ctx context.Context, names []string, namespace string) (
 			common.Log.Warnf("error retrieving %s/%s %v", namespace, name, err)
 			return "", fmt.Errorf("unable to checksum secret %s/%s", namespace, name)
 		}
-		var keys []string
+		keys := make([]string, 0, len(secret.Data))
 		for k := range secret.Data {
 			keys = append(keys, k)
 		}