From b6570f48371fd57a8a497792331550bc0c14b274 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Fri, 3 Jan 2025 11:02:05 -0800
Subject: [PATCH] pkg/aws/actuator: Set labels and annotations on all STS Secrets

Even when awsSTSIAMRoleARN is empty, we want the label so that pkg/cmd/operator's NewOperator's filteredWatchPossible label-selector can find these Secrets. Then the controller will notice if they're deleted (so it can update the CredentialsRequest status to point that out) or when they haven't been changed (so it can avoid "I can't find the Secret!" overly-frequent bumping in the hasRecentlySynced calculation, because it thinks crSecretExists=false).
---
 pkg/aws/actuator/actuator.go | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/pkg/aws/actuator/actuator.go b/pkg/aws/actuator/actuator.go
index 441712c7d..1bbc0fc08 100644
--- a/pkg/aws/actuator/actuator.go
+++ b/pkg/aws/actuator/actuator.go
@@ -338,20 +338,14 @@ func (a *AWSActuator) sync(ctx context.Context, cr *minterv1.CredentialsRequest)
 		if err != nil {
 			return err
 		}
-		if awsSTSIAMRoleARN == "" {
-			logger.Debug("CredentialsRequest has no awsSTSIAMRoleARN, no reason to sync")
-			return nil
-		}
 		cloudTokenPath := cr.Spec.CloudTokenPath
-		if cr.Spec.CloudTokenPath == "" {
+		if awsSTSIAMRoleARN != "" && cloudTokenPath == "" {
 			logger.Debug("CredentialsRequest has no cloudTokenPath, defaulting cloudTokenPath to /var/run/secrets/kubernetes.io/serviceaccount/token")
 			cloudTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 		}
-		if awsSTSIAMRoleARN != "" {
-			err = a.syncSTSSecret(awsSTSIAMRoleARN, cloudTokenPath, cr, logger, ctx)
-			if err != nil {
-				return err
-			}
+		err = a.syncSTSSecret(awsSTSIAMRoleARN, cloudTokenPath, cr, logger, ctx)
+		if err != nil {
+			return err
 		}
 	} else {
 		credentialsRootSecret, err := a.GetCredentialsRootSecret(ctx, cr)
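Review bot: Dropping the early return also drops the only log line that recorded a CredentialsRequest having no awsSTSIAMRoleARN, so the new path reaches syncSTSSecret and leaves the Secret without a `credentials` entry with no trace in the operator log of why. Keep a debug line before the call so an empty credentials Secret can be explained from the log: `if awsSTSIAMRoleARN == "" { logger.Debug("CredentialsRequest has no awsSTSIAMRoleARN, syncing Secret labels and annotations only") }`. The surrounding if/else and sync itself begin before this hunk.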
@@ -402,6 +396,10 @@ func (a *AWSActuator) sync(ctx context.Context, cr *minterv1.CredentialsRequest)
 // a path to the JWT token: spec.cloudTokenPath
 // a spec.SecretRef.Name
 // a cr.Spec.SecretRef.Namespace
+//
+// If awsSTSIAMRoleARN or cloudTokenPath are unset, we just set labels
+// and annotations on the Secret, so the label-filtered client
+// informer can find the Secret in the future.
 func (a *AWSActuator) syncSTSSecret(awsSTSIAMRoleARN string, cloudTokenPath string, cr *minterv1.CredentialsRequest, logger log.FieldLogger, ctx context.Context) error {
 	sLog := logger.WithFields(log.Fields{
 		"targetSecret": fmt.Sprintf("%s/%s", cr.Spec.SecretRef.Namespace, cr.Spec.SecretRef.Name),
@@ -426,8 +424,10 @@ func (a *AWSActuator) syncSTSSecret(awsSTSIAMRoleARN string, cloudTokenPath stri
 		if secret.StringData == nil {
 			secret.StringData = map[string]string{}
 		}
-		secret.StringData["credentials"] = fmt.Sprintf(awsSTSCredsTemplate, awsSTSIAMRoleARN, cloudTokenPath)
-		secret.Type = corev1.SecretTypeOpaque
+		if awsSTSIAMRoleARN != "" && cloudTokenPath != "" {
+			secret.StringData["credentials"] = fmt.Sprintf(awsSTSCredsTemplate, awsSTSIAMRoleARN, cloudTokenPath)
+			secret.Type = corev1.SecretTypeOpaque
+		}
 		return nil
 	})
 	sLog.WithField("operation", op).Info("processed secret")
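Review bot: In the last hunk, when awsSTSIAMRoleARN or cloudTokenPath is empty the mutate callback now skips writing `credentials` but does nothing to remove one already present, so a Secret populated by an earlier sync keeps the old role ARN and token path after the CredentialsRequest drops its STS settings (StringData only adds keys on write; existing Data keys persist). Either clear the stale entry in an else branch, `} else { delete(secret.Data, "credentials") }`, or, if leaving it in place is intended, say so in the doc comment added in the second hunk, which currently promises "we just set labels and annotations". The mutate closure and syncSTSSecret both begin outside this hunk.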