github/Reloader
1
0
Fork 0
mirror of https://github.com/stakater/Reloader.git synced 2026-02-14 18:09:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: Merge from master

Browse Source
This commit is contained in:
TheiLLeniumStudios
2026-01-08 22:12:19 +01:00
parent 193f64c0ec 1652c62775
commit b945e5e828
26 changed files with 1919 additions and 184 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/pkg/callbacks/rolling_upgrade_test.go
View File

@@ -49,7 +49,7 @@ func newTestFixtures() testFixtures {
func setupTestClients() kube.Clients {
return kube.Clients{
KubernetesClient: fake.NewSimpleClientset(),
KubernetesClient: fake.NewClientset(),
ArgoRolloutClient: fakeargoclientset.NewSimpleClientset(),
}
}

16
internal/pkg/cmd/reloader.go
View File

@@ -160,6 +160,10 @@ func startReloader(cmd *cobra.Command, args []string) {
var controllers []*controller.Controller
for k := range kube.ResourceMap {
if k == constants.SecretProviderClassController && !shouldRunCSIController() {
continue
}
if ignoredResourcesList.Contains(k) || (len(namespaceLabelSelector) == 0 && k == "namespaces") {
continue
}
@@ -207,3 +211,15 @@ func startPProfServer() {
logrus.Errorf("Failed to start pprof server: %v", err)
}
}
func shouldRunCSIController() bool {
if !options.EnableCSIIntegration {
logrus.Info("Skipping secretproviderclasspodstatuses controller: EnableCSIIntegration is disabled")
return false
}
if !kube.IsCSIInstalled {
logrus.Info("Skipping secretproviderclasspodstatuses controller: CSI CRDs not installed")
return false
}
return true
}

4
internal/pkg/constants/constants.go
View File

@@ -8,6 +8,8 @@ const (
ConfigmapEnvVarPostfix = "CONFIGMAP"
// SecretEnvVarPostfix is a postfix for secret envVar
SecretEnvVarPostfix = "SECRET"
// SecretProviderClassEnvVarPostfix is a postfix for secretproviderclasspodstatus envVar
SecretProviderClassEnvVarPostfix = "SECRETPROVIDERCLASS"
// EnvVarPrefix is a Prefix for environment variable
EnvVarPrefix = "STAKATER_"
@@ -22,6 +24,8 @@ const (
EnvVarsReloadStrategy = "env-vars"
// AnnotationsReloadStrategy instructs Reloader to add pod template annotations to facilitate a restart
AnnotationsReloadStrategy = "annotations"
// SecretProviderClassController enables support for SecretProviderClassPodStatus resources
SecretProviderClassController = "secretproviderclasspodstatuses"
)
// Leadership election related consts

40
internal/pkg/controller/controller.go
View File

@@ -2,9 +2,11 @@ package controller
import (
"fmt"
"slices"
"time"
"github.com/sirupsen/logrus"
"github.com/stakater/Reloader/internal/pkg/constants"
"github.com/stakater/Reloader/internal/pkg/handler"
"github.com/stakater/Reloader/internal/pkg/metrics"
"github.com/stakater/Reloader/internal/pkg/options"
@@ -21,7 +23,7 @@ import (
"k8s.io/client-go/tools/record"
"k8s.io/client-go/util/workqueue"
"k8s.io/kubectl/pkg/scheme"
"k8s.io/utils/strings/slices"
csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
)
// Controller for checking events
@@ -79,7 +81,12 @@ func NewController(
}
}
listWatcher := cache.NewFilteredListWatchFromClient(client.CoreV1().RESTClient(), resource, namespace, optionsModifier)
getterRESTClient, err := getClientForResource(resource, client)
if err != nil {
return nil, fmt.Errorf("failed to initialize REST client for %s: %w", resource, err)
}
listWatcher := cache.NewFilteredListWatchFromClient(getterRESTClient, resource, namespace, optionsModifier)
_, informer := cache.NewInformerWithOptions(cache.InformerOptions{
ListerWatcher: listWatcher,
@@ -110,6 +117,8 @@ func (c *Controller) Add(obj interface{}) {
case *v1.Namespace:
c.addSelectedNamespaceToCache(*object)
return
case *csiv1.SecretProviderClassPodStatus:
return
}
if options.ReloadOnCreate == "true" {
@@ -127,11 +136,13 @@ func (c *Controller) Add(obj interface{}) {
}
func (c *Controller) resourceInIgnoredNamespace(raw interface{}) bool {
switch object := raw.(type) {
switch obj := raw.(type) {
case *v1.ConfigMap:
return c.ignoredNamespaces.Contains(object.Namespace)
return c.ignoredNamespaces.Contains(obj.Namespace)
case *v1.Secret:
return c.ignoredNamespaces.Contains(object.Namespace)
return c.ignoredNamespaces.Contains(obj.Namespace)
case *csiv1.SecretProviderClassPodStatus:
return c.ignoredNamespaces.Contains(obj.Namespace)
}
return false
}
@@ -150,6 +161,10 @@ func (c *Controller) resourceInSelectedNamespaces(raw interface{}) bool {
if slices.Contains(selectedNamespacesCache, object.GetNamespace()) {
return true
}
case *csiv1.SecretProviderClassPodStatus:
if slices.Contains(selectedNamespacesCache, object.GetNamespace()) {
return true
}
}
return false
}
@@ -197,6 +212,10 @@ func (c *Controller) Delete(old interface{}) {
// Record event received
c.collectors.RecordEventReceived("delete", c.resource)
if _, ok := old.(*csiv1.SecretProviderClassPodStatus); ok {
return
}
if options.ReloadOnDelete == "true" {
if !c.resourceInIgnoredNamespace(old) && c.resourceInSelectedNamespaces(old) && secretControllerInitialized && configmapControllerInitialized {
c.enqueue(handler.ResourceDeleteHandler{
@@ -339,3 +358,14 @@ func (c *Controller) handleErr(err error, key interface{}) {
// Record failed event processing
c.collectors.RecordEventProcessed("unknown", c.resource, "dropped")
}
func getClientForResource(resource string, coreClient kubernetes.Interface) (cache.Getter, error) {
if resource == constants.SecretProviderClassController {
csiClient, err := kube.GetCSIClient()
if err != nil {
return nil, fmt.Errorf("failed to get CSI client: %w", err)
}
return csiClient.SecretsstoreV1().RESTClient(), nil
}
return coreClient.CoreV1().RESTClient(), nil
}

443
internal/pkg/controller/controller_test.go
View File

@@ -26,14 +26,15 @@ import (
)
var (
clients = kube.GetClients()
namespace = "test-reloader-" + testutil.RandSeq(5)
configmapNamePrefix = "testconfigmap-reloader"
secretNamePrefix = "testsecret-reloader"
data = "dGVzdFNlY3JldEVuY29kaW5nRm9yUmVsb2FkZXI="
newData = "dGVzdE5ld1NlY3JldEVuY29kaW5nRm9yUmVsb2FkZXI="
updatedData = "dGVzdFVwZGF0ZWRTZWNyZXRFbmNvZGluZ0ZvclJlbG9hZGVy"
collectors = metrics.NewCollectors()
clients = kube.GetClients()
namespace = "test-reloader-" + testutil.RandSeq(5)
configmapNamePrefix = "testconfigmap-reloader"
secretNamePrefix = "testsecret-reloader"
secretProviderClassPodStatusPrefix = "testsecretproviderclasspodstatus-reloader"
data = "dGVzdFNlY3JldEVuY29kaW5nRm9yUmVsb2FkZXI="
newData = "dGVzdE5ld1NlY3JldEVuY29kaW5nRm9yUmVsb2FkZXI="
updatedData = "dGVzdFVwZGF0ZWRTZWNyZXRFbmNvZGluZ0ZvclJlbG9hZGVy"
collectors = metrics.NewCollectors()
)
const (
@@ -46,6 +47,10 @@ func TestMain(m *testing.M) {
logrus.Infof("Creating controller")
for k := range kube.ResourceMap {
// Don't create controller if CSI provider is not installed
if k == "secretproviderclasspodstatuses" && !kube.IsCSIInstalled {
continue
}
if k == "namespaces" {
continue
}
@@ -579,6 +584,217 @@ func TestControllerUpdatingSecretLabelsShouldNotCreateOrUpdatePodAnnotationInDep
time.Sleep(sleepDuration)
}
// Perform rolling upgrade on deployment and create pod annotation var upon updating the secretclassproviderpodstatus
func TestControllerUpdatingSecretProviderClassPodStatusShouldCreatePodAnnotationInDeployment(t *testing.T) {
options.ReloadStrategy = constants.AnnotationsReloadStrategy
if !kube.IsCSIInstalled {
return
}
// Creating secretproviderclass
secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretproviderclass %v", err)
}
// Creating secretproviderclasspodstatus
spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
}
// Creating deployment
_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
if err != nil {
t.Errorf("Error in deployment creation: %v", err)
}
// Updating secretproviderclasspodstatus for first time
updateErr := testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", newData)
if updateErr != nil {
t.Errorf("Secretproviderclasspodstatus was not updated")
}
// Verifying deployment update
logrus.Infof("Verifying pod annotation has been created")
shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, newData)
config := common.Config{
Namespace: namespace,
ResourceName: secretproviderclasspodstatusName,
SHAValue: shaData,
Annotation: options.SecretProviderClassUpdateOnChangeAnnotation,
}
deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
updated := testutil.VerifyResourceAnnotationUpdate(clients, config, deploymentFuncs)
if !updated {
t.Errorf("Deployment was not updated")
}
time.Sleep(sleepDuration)
// Deleting deployment
err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the deployment %v", err)
}
// Deleting secretproviderclass
err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclass %v", err)
}
// Deleting secretproviderclasspodstatus
err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
}
time.Sleep(sleepDuration)
}
// Perform rolling upgrade on deployment and update pod annotation var upon updating the secretproviderclasspodstatus
func TestControllerUpdatingSecretProviderClassPodStatusShouldUpdatePodAnnotationInDeployment(t *testing.T) {
options.ReloadStrategy = constants.AnnotationsReloadStrategy
if !kube.IsCSIInstalled {
return
}
// Creating secretproviderclass
secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretproviderclass %v", err)
}
// Creating secretproviderclasspodstatus
spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
}
// Creating deployment
_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
if err != nil {
t.Errorf("Error in deployment creation: %v", err)
}
// Updating Secret
err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", newData)
if err != nil {
t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
}
// Updating Secret
err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", updatedData)
if err != nil {
t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
}
// Verifying Upgrade
logrus.Infof("Verifying pod annotation has been updated")
shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, updatedData)
config := common.Config{
Namespace: namespace,
ResourceName: secretproviderclasspodstatusName,
SHAValue: shaData,
Annotation: options.SecretProviderClassUpdateOnChangeAnnotation,
}
deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
updated := testutil.VerifyResourceAnnotationUpdate(clients, config, deploymentFuncs)
if !updated {
t.Errorf("Deployment was not updated")
}
// Deleting Deployment
err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the deployment %v", err)
}
// Deleting secretproviderclass
err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclass %v", err)
}
// Deleting secretproviderclasspodstatus
err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
}
time.Sleep(sleepDuration)
}
// Do not Perform rolling upgrade on pod and create or update a pod annotation upon updating the label in secretproviderclasspodstatus
func TestControllerUpdatingSecretProviderClassPodStatusWithSameDataShouldNotCreateOrUpdatePodAnnotationInDeployment(t *testing.T) {
options.ReloadStrategy = constants.AnnotationsReloadStrategy
if !kube.IsCSIInstalled {
return
}
// Creating secretproviderclass
secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretproviderclass %v", err)
}
// Creating secretproviderclasspodstatus
spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
}
// Creating deployment
_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
if err != nil {
t.Errorf("Error in deployment creation: %v", err)
}
err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", data)
if err != nil {
t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
}
// Verifying Upgrade
logrus.Infof("Verifying pod annotation has been created")
shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, data)
config := common.Config{
Namespace: namespace,
ResourceName: secretproviderclasspodstatusName,
SHAValue: shaData,
Annotation: options.SecretProviderClassUpdateOnChangeAnnotation,
}
deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
updated := testutil.VerifyResourceAnnotationUpdate(clients, config, deploymentFuncs)
if updated {
t.Errorf("Deployment should not be updated by changing in secretproviderclasspodstatus")
}
// Deleting Deployment
err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the deployment %v", err)
}
// Deleting secretproviderclass
err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclass %v", err)
}
// Deleting secretproviderclasspodstatus
err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
}
time.Sleep(sleepDuration)
}
// Perform rolling upgrade on DaemonSet and create pod annotation var upon updating the configmap
func TestControllerUpdatingConfigmapShouldCreatePodAnnotationInDaemonSet(t *testing.T) {
options.ReloadStrategy = constants.AnnotationsReloadStrategy
@@ -1531,6 +1747,215 @@ func TestControllerUpdatingSecretLabelsShouldNotCreateOrUpdateEnvInDeployment(t
time.Sleep(sleepDuration)
}
// Perform rolling upgrade on pod and create a env var upon updating the secretproviderclasspodstatus
func TestControllerUpdatingSecretProviderClassPodStatusShouldCreateEnvInDeployment(t *testing.T) {
options.ReloadStrategy = constants.EnvVarsReloadStrategy
if !kube.IsCSIInstalled {
return
}
// Creating secretproviderclass
secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretproviderclass %v", err)
}
// Creating secretproviderclasspodstatus
spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
}
// Creating deployment
_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
if err != nil {
t.Errorf("Error in deployment creation: %v", err)
}
// Updating Secret
err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", newData)
if err != nil {
t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
}
// Verifying Upgrade
logrus.Infof("Verifying env var has been created")
shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, newData)
config := common.Config{
Namespace: namespace,
ResourceName: secretproviderclasspodstatusName,
SHAValue: shaData,
Annotation: options.SecretProviderClassUpdateOnChangeAnnotation,
}
deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
updated := testutil.VerifyResourceEnvVarUpdate(clients, config, constants.SecretProviderClassEnvVarPostfix, deploymentFuncs)
if !updated {
t.Errorf("Deployment was not updated")
}
// Deleting Deployment
err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the deployment %v", err)
}
// Deleting secretproviderclass
err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclass %v", err)
}
// Deleting secretproviderclasspodstatus
err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
}
time.Sleep(sleepDuration)
}
// Perform rolling upgrade on deployment and update env var upon updating the secretproviderclasspodstatus
func TestControllerUpdatingSecretProviderClassPodStatusShouldUpdateEnvInDeployment(t *testing.T) {
options.ReloadStrategy = constants.EnvVarsReloadStrategy
if !kube.IsCSIInstalled {
return
}
// Creating secretproviderclass
secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretproviderclass %v", err)
}
// Creating secretproviderclasspodstatus
spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
}
// Creating deployment
_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
if err != nil {
t.Errorf("Error in deployment creation: %v", err)
}
// Updating secretproviderclasspodstatus
err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", newData)
if err != nil {
t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
}
// Updating secretproviderclasspodstatus
err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", updatedData)
if err != nil {
t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
}
// Verifying Upgrade
logrus.Infof("Verifying env var has been updated")
shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, updatedData)
config := common.Config{
Namespace: namespace,
ResourceName: secretproviderclasspodstatusName,
SHAValue: shaData,
Annotation: options.SecretProviderClassUpdateOnChangeAnnotation,
}
deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
updated := testutil.VerifyResourceEnvVarUpdate(clients, config, constants.SecretProviderClassEnvVarPostfix, deploymentFuncs)
if !updated {
t.Errorf("Deployment was not updated")
}
// Deleting Deployment
err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the deployment %v", err)
}
// Deleting secretproviderclass
err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclass %v", err)
}
// Deleting secretproviderclasspodstatus
err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
}
time.Sleep(sleepDuration)
}
// Do not Perform rolling upgrade on pod and create or update a env var upon updating the label in secretclasssproviderpodstatus
func TestControllerUpdatingSecretProviderClassPodStatusLabelsShouldNotCreateOrUpdateEnvInDeployment(t *testing.T) {
options.ReloadStrategy = constants.EnvVarsReloadStrategy
if !kube.IsCSIInstalled {
return
}
// Creating secretproviderclass
secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretproviderclass %v", err)
}
// Creating secretproviderclasspodstatus
spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
if err != nil {
t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
}
// Creating deployment
_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
if err != nil {
t.Errorf("Error in deployment creation: %v", err)
}
err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "test", data)
if err != nil {
t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
}
// Verifying Upgrade
logrus.Infof("Verifying env var has been created")
shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, data)
config := common.Config{
Namespace: namespace,
ResourceName: secretproviderclasspodstatusName,
SHAValue: shaData,
Annotation: options.SecretProviderClassUpdateOnChangeAnnotation,
}
deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
updated := testutil.VerifyResourceEnvVarUpdate(clients, config, constants.SecretProviderClassEnvVarPostfix, deploymentFuncs)
if updated {
t.Errorf("Deployment should not be updated by changing label in secretproviderclasspodstatus")
}
// Deleting Deployment
err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the deployment %v", err)
}
// Deleting secretproviderclass
err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclass %v", err)
}
// Deleting secretproviderclasspodstatus
err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
if err != nil {
logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
}
time.Sleep(sleepDuration)
}
// Perform rolling upgrade on DaemonSet and create env var upon updating the configmap
func TestControllerUpdatingConfigmapShouldCreateEnvInDaemonSet(t *testing.T) {
options.ReloadStrategy = constants.EnvVarsReloadStrategy
@@ -2335,7 +2760,7 @@ func TestController_resourceInNamespaceSelector(t *testing.T) {
for _, tt := range tests {
t.Run(
tt.name, func(t *testing.T) {
fakeClient := fake.NewSimpleClientset()
fakeClient := fake.NewClientset()
namespace, _ := fakeClient.CoreV1().Namespaces().Create(context.Background(), &tt.fields.namespace, metav1.CreateOptions{})
logrus.Infof("created fakeClient namespace for testing = %s", namespace.Name)

13
internal/pkg/crypto/sha_test.go
View File

@@ -13,3 +13,16 @@ func TestGenerateSHA(t *testing.T) {
t.Errorf("Failed to generate SHA")
}
}
// TestGenerateSHAEmptyString verifies that empty string generates a valid hash
// This ensures consistent behavior and avoids issues with string matching operations
func TestGenerateSHAEmptyString(t *testing.T) {
result := GenerateSHA("")
expected := "da39a3ee5e6b4b0d3255bfef95601890afd80709"
if result != expected {
t.Errorf("Failed to generate SHA for empty string. Expected: %s, Got: %s", expected, result)
}
if len(result) != 40 {
t.Errorf("SHA hash should be 40 characters long, got %d", len(result))
}
}

4
internal/pkg/handler/pause_deployment_test.go
View File

@@ -244,7 +244,7 @@ func TestHandleMissingTimerSimple(t *testing.T) {
}()
t.Run(test.name, func(t *testing.T) {
fakeClient := testclient.NewSimpleClientset()
fakeClient := testclient.NewClientset()
clients := kube.Clients{
KubernetesClient: fakeClient,
}
@@ -337,7 +337,7 @@ func TestPauseDeployment(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
fakeClient := testclient.NewSimpleClientset()
fakeClient := testclient.NewClientset()
clients := kube.Clients{
KubernetesClient: fakeClient,
}

36
internal/pkg/handler/update.go
View File

@@ -10,6 +10,7 @@ import (
"github.com/stakater/Reloader/pkg/common"
v1 "k8s.io/api/core/v1"
"k8s.io/client-go/tools/record"
csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
)
// ResourceUpdatedHandler contains updated objects
@@ -66,16 +67,31 @@ func (r ResourceUpdatedHandler) Handle() error {
// GetConfig gets configurations containing SHA, annotations, namespace and resource name
func (r ResourceUpdatedHandler) GetConfig() (common.Config, string) {
var oldSHAData string
var config common.Config
if _, ok := r.Resource.(*v1.ConfigMap); ok {
oldSHAData = util.GetSHAfromConfigmap(r.OldResource.(*v1.ConfigMap))
config = common.GetConfigmapConfig(r.Resource.(*v1.ConfigMap))
} else if _, ok := r.Resource.(*v1.Secret); ok {
oldSHAData = util.GetSHAfromSecret(r.OldResource.(*v1.Secret).Data)
config = common.GetSecretConfig(r.Resource.(*v1.Secret))
} else {
logrus.Warnf("Invalid resource: Resource should be 'Secret' or 'Configmap' but found, %v", r.Resource)
var (
oldSHAData string
config common.Config
)
switch res := r.Resource.(type) {
case *v1.ConfigMap:
if old, ok := r.OldResource.(*v1.ConfigMap); ok && old != nil {
oldSHAData = util.GetSHAfromConfigmap(old)
}
config = common.GetConfigmapConfig(res)
case *v1.Secret:
if old, ok := r.OldResource.(*v1.Secret); ok && old != nil {
oldSHAData = util.GetSHAfromSecret(old.Data)
}
config = common.GetSecretConfig(res)
case *csiv1.SecretProviderClassPodStatus:
if old, ok := r.OldResource.(*csiv1.SecretProviderClassPodStatus); ok && old != nil && old.Status.Objects != nil {
oldSHAData = util.GetSHAfromSecretProviderClassPodStatus(old.Status)
}
config = common.GetSecretProviderClassPodStatusConfig(res)
default:
logrus.Warnf("Invalid resource: Resource should be 'Secret', 'Configmap' or 'SecretProviderClassPodStatus' but found, %T", r.Resource)
}
return config, oldSHAData
}

50
internal/pkg/handler/upgrade.go
View File

@@ -2,11 +2,13 @@ package handler
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"io"
"os"
"strings"
"time"
"github.com/parnurzeal/gorequest"
@@ -24,6 +26,7 @@ import (
v1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/meta"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
patchtypes "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"
@@ -298,6 +301,10 @@ func upgradeResource(clients kube.Clients, config common.Config, upgradeFuncs ca
return false, err
}
}
if config.Type == constants.SecretProviderClassEnvVarPostfix {
populateAnnotationsFromSecretProviderClass(clients, &config)
}
annotations := upgradeFuncs.AnnotationsFunc(resource)
podAnnotations := upgradeFuncs.PodAnnotationsFunc(resource)
result := common.ShouldReload(config, upgradeFuncs.ResourceType, annotations, podAnnotations, common.GetCommandLineOptions())
@@ -400,6 +407,10 @@ func getVolumeMountName(volumes []v1.Volume, mountType string, volumeName string
}
}
}
case constants.SecretProviderClassEnvVarPostfix:
if volumes[i].CSI != nil && volumes[i].CSI.VolumeAttributes["secretProviderClass"] == volumeName {
return volumes[i].Name
}
}
}
@@ -536,6 +547,10 @@ func updatePodAnnotations(upgradeFuncs callbacks.RollingUpgradeFuncs, item runti
return InvokeStrategyResult{constants.NotUpdated, nil}
}
if config.Type == constants.SecretProviderClassEnvVarPostfix && secretProviderClassAnnotationReloaded(pa, config) {
return InvokeStrategyResult{constants.NotUpdated, nil}
}
for k, v := range annotations {
pa[k] = v
}
@@ -543,6 +558,11 @@ func updatePodAnnotations(upgradeFuncs callbacks.RollingUpgradeFuncs, item runti
return InvokeStrategyResult{constants.Updated, &Patch{Type: patchtypes.StrategicMergePatchType, Bytes: patch}}
}
func secretProviderClassAnnotationReloaded(oldAnnotations map[string]string, newConfig common.Config) bool {
annotation := oldAnnotations[getReloaderAnnotationKey()]
return strings.Contains(annotation, newConfig.ResourceName) && strings.Contains(annotation, newConfig.SHAValue)
}
func getReloaderAnnotationKey() string {
return fmt.Sprintf("%s/%s",
constants.ReloaderAnnotationPrefix,
@@ -593,6 +613,10 @@ func updateContainerEnvVars(upgradeFuncs callbacks.RollingUpgradeFuncs, item run
return InvokeStrategyResult{constants.NoContainerFound, nil}
}
if config.Type == constants.SecretProviderClassEnvVarPostfix && secretProviderClassEnvReloaded(upgradeFuncs.ContainersFunc(item), envVar, config.SHAValue) {
return InvokeStrategyResult{constants.NotUpdated, nil}
}
//update if env var exists
updateResult := updateEnvVar(container, envVar, config.SHAValue)
@@ -629,6 +653,32 @@ func updateEnvVar(container *v1.Container, envVar string, shaData string) consta
return constants.NoEnvVarFound
}
func secretProviderClassEnvReloaded(containers []v1.Container, envVar string, shaData string) bool {
for _, container := range containers {
for _, env := range container.Env {
if env.Name == envVar {
return env.Value == shaData
}
}
}
return false
}
func populateAnnotationsFromSecretProviderClass(clients kube.Clients, config *common.Config) {
obj, err := clients.CSIClient.SecretsstoreV1().SecretProviderClasses(config.Namespace).Get(context.Background(), config.ResourceName, metav1.GetOptions{})
annotations := make(map[string]string)
if err != nil {
if apierrors.IsNotFound(err) {
logrus.Warnf("SecretProviderClass '%s' not found in namespace '%s'", config.ResourceName, config.Namespace)
} else {
logrus.Errorf("Failed to get SecretProviderClass '%s' in namespace '%s': %v", config.ResourceName, config.Namespace, err)
}
} else if obj.Annotations != nil {
annotations = obj.Annotations
}
config.ResourceAnnotations = annotations
}
func jsonEscape(toEscape string) (string, error) {
bytes, err := json.Marshal(toEscape)
if err != nil {

875
internal/pkg/handler/upgrade_test.go
View File

File diff suppressed because it is too large Load Diff

9
internal/pkg/options/flags.go
View File

@@ -20,6 +20,9 @@ var (
// SecretUpdateOnChangeAnnotation is an annotation to detect changes in
// secrets specified by name
SecretUpdateOnChangeAnnotation = "secret.reloader.stakater.com/reload"
// SecretProviderClassUpdateOnChangeAnnotation is an annotation to detect changes in
// secretproviderclasses specified by name
SecretProviderClassUpdateOnChangeAnnotation = "secretproviderclass.reloader.stakater.com/reload"
// ReloaderAutoAnnotation is an annotation to detect changes in secrets/configmaps
ReloaderAutoAnnotation = "reloader.stakater.com/auto"
// IgnoreResourceAnnotation is an annotation to ignore changes in secrets/configmaps
@@ -28,10 +31,14 @@ var (
ConfigmapReloaderAutoAnnotation = "configmap.reloader.stakater.com/auto"
// SecretReloaderAutoAnnotation is an annotation to detect changes in secrets
SecretReloaderAutoAnnotation = "secret.reloader.stakater.com/auto"
// SecretProviderClassReloaderAutoAnnotation is an annotation to detect changes in secretproviderclasses
SecretProviderClassReloaderAutoAnnotation = "secretproviderclass.reloader.stakater.com/auto"
// ConfigmapReloaderAutoAnnotation is a comma separated list of configmaps that excludes detecting changes on cms
ConfigmapExcludeReloaderAnnotation = "configmaps.exclude.reloader.stakater.com/reload"
// SecretExcludeReloaderAnnotation is a comma separated list of secrets that excludes detecting changes on secrets
SecretExcludeReloaderAnnotation = "secrets.exclude.reloader.stakater.com/reload"
// SecretProviderClassExcludeReloaderAnnotation is a comma separated list of secret provider classes that excludes detecting changes on secret provider class
SecretProviderClassExcludeReloaderAnnotation = "secretproviderclasses.exclude.reloader.stakater.com/reload"
// AutoSearchAnnotation is an annotation to detect changes in
// configmaps or triggers with the SearchMatchAnnotation
AutoSearchAnnotation = "reloader.stakater.com/search"
@@ -63,6 +70,8 @@ var (
EnableHA = false
// Url to send a request to instead of triggering a reload
WebhookUrl = ""
// EnableCSIIntegration Adds support to watch SecretProviderClassPodStatus and restart deployment based on it
EnableCSIIntegration = false
// ResourcesToIgnore is a list of resources to ignore when watching for changes
ResourcesToIgnore = []string{}
// WorkloadTypesToIgnore is a list of workload types to ignore when watching for changes

183
internal/pkg/testutil/kube.go
View File

@@ -30,6 +30,9 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
core_v1 "k8s.io/client-go/kubernetes/typed/core/v1"
csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
csiclient "sigs.k8s.io/secrets-store-csi-driver/pkg/client/clientset/versioned"
csiclient_v1 "sigs.k8s.io/secrets-store-csi-driver/pkg/client/clientset/versioned/typed/apis/v1"
)
var (
@@ -38,6 +41,8 @@ var (
ConfigmapResourceType = "configMaps"
// SecretResourceType is a resource type which controller watches for changes
SecretResourceType = "secrets"
// SecretproviderclasspodstatusResourceType is a resource type which controller watches for changes
SecretProviderClassPodStatusResourceType = "secretproviderclasspodstatuses"
)
var (
@@ -73,16 +78,16 @@ func DeleteNamespace(namespace string, client kubernetes.Interface) {
}
}
func getObjectMeta(namespace string, name string, autoReload bool, secretAutoReload bool, configmapAutoReload bool, extraAnnotations map[string]string) metav1.ObjectMeta {
func getObjectMeta(namespace string, name string, autoReload bool, secretAutoReload bool, configmapAutoReload bool, secretproviderclass bool, extraAnnotations map[string]string) metav1.ObjectMeta {
return metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Labels: map[string]string{"firstLabel": "temp"},
Annotations: getAnnotations(name, autoReload, secretAutoReload, configmapAutoReload, extraAnnotations),
Annotations: getAnnotations(name, autoReload, secretAutoReload, configmapAutoReload, secretproviderclass, extraAnnotations),
}
}
func getAnnotations(name string, autoReload bool, secretAutoReload bool, configmapAutoReload bool, extraAnnotations map[string]string) map[string]string {
func getAnnotations(name string, autoReload bool, secretAutoReload bool, configmapAutoReload bool, secretproviderclass bool, extraAnnotations map[string]string) map[string]string {
annotations := make(map[string]string)
if autoReload {
annotations[options.ReloaderAutoAnnotation] = "true"
@@ -93,11 +98,16 @@ func getAnnotations(name string, autoReload bool, secretAutoReload bool, configm
if configmapAutoReload {
annotations[options.ConfigmapReloaderAutoAnnotation] = "true"
}
if secretproviderclass {
annotations[options.SecretProviderClassReloaderAutoAnnotation] = "true"
}
if len(annotations) == 0 {
annotations = map[string]string{
options.ConfigmapUpdateOnChangeAnnotation: name,
options.SecretUpdateOnChangeAnnotation: name}
options.ConfigmapUpdateOnChangeAnnotation: name,
options.SecretUpdateOnChangeAnnotation: name,
options.SecretProviderClassUpdateOnChangeAnnotation: name,
}
}
for k, v := range extraAnnotations {
annotations[k] = v
@@ -176,6 +186,15 @@ func getVolumes(name string) []v1.Volume {
},
},
},
{
Name: "secretproviderclass",
VolumeSource: v1.VolumeSource{
CSI: &v1.CSIVolumeSource{
Driver: "secrets-store.csi.k8s.io",
VolumeAttributes: map[string]string{"secretProviderClass": name},
},
},
},
}
}
@@ -189,6 +208,10 @@ func getVolumeMounts() []v1.VolumeMount {
MountPath: "etc/sec",
Name: "secret",
},
{
MountPath: "etc/spc",
Name: "secretproviderclass",
},
{
MountPath: "etc/projectedconfig",
Name: "projectedconfigmap",
@@ -348,7 +371,7 @@ func getPodTemplateSpecWithInitContainerAndEnv(name string) v1.PodTemplateSpec {
func GetDeployment(namespace string, deploymentName string) *appsv1.Deployment {
replicaset := int32(1)
return &appsv1.Deployment{
ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, false, map[string]string{}),
Spec: appsv1.DeploymentSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -367,7 +390,7 @@ func GetDeploymentConfig(namespace string, deploymentConfigName string) *openshi
replicaset := int32(1)
podTemplateSpecWithVolume := getPodTemplateSpecWithVolumes(deploymentConfigName)
return &openshiftv1.DeploymentConfig{
ObjectMeta: getObjectMeta(namespace, deploymentConfigName, false, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, deploymentConfigName, false, false, false, false, map[string]string{}),
Spec: openshiftv1.DeploymentConfigSpec{
Replicas: replicaset,
Strategy: openshiftv1.DeploymentStrategy{
@@ -382,7 +405,7 @@ func GetDeploymentConfig(namespace string, deploymentConfigName string) *openshi
func GetDeploymentWithInitContainer(namespace string, deploymentName string) *appsv1.Deployment {
replicaset := int32(1)
return &appsv1.Deployment{
ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, false, map[string]string{}),
Spec: appsv1.DeploymentSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -400,7 +423,7 @@ func GetDeploymentWithInitContainer(namespace string, deploymentName string) *ap
func GetDeploymentWithInitContainerAndEnv(namespace string, deploymentName string) *appsv1.Deployment {
replicaset := int32(1)
return &appsv1.Deployment{
ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, false, map[string]string{}),
Spec: appsv1.DeploymentSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -417,7 +440,7 @@ func GetDeploymentWithInitContainerAndEnv(namespace string, deploymentName strin
func GetDeploymentWithEnvVars(namespace string, deploymentName string) *appsv1.Deployment {
replicaset := int32(1)
return &appsv1.Deployment{
ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, false, map[string]string{}),
Spec: appsv1.DeploymentSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -435,7 +458,7 @@ func GetDeploymentConfigWithEnvVars(namespace string, deploymentConfigName strin
replicaset := int32(1)
podTemplateSpecWithEnvVars := getPodTemplateSpecWithEnvVars(deploymentConfigName)
return &openshiftv1.DeploymentConfig{
ObjectMeta: getObjectMeta(namespace, deploymentConfigName, false, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, deploymentConfigName, false, false, false, false, map[string]string{}),
Spec: openshiftv1.DeploymentConfigSpec{
Replicas: replicaset,
Strategy: openshiftv1.DeploymentStrategy{
@@ -449,7 +472,7 @@ func GetDeploymentConfigWithEnvVars(namespace string, deploymentConfigName strin
func GetDeploymentWithEnvVarSources(namespace string, deploymentName string) *appsv1.Deployment {
replicaset := int32(1)
return &appsv1.Deployment{
ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, false, map[string]string{}),
Spec: appsv1.DeploymentSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -466,7 +489,7 @@ func GetDeploymentWithEnvVarSources(namespace string, deploymentName string) *ap
func GetDeploymentWithPodAnnotations(namespace string, deploymentName string, both bool) *appsv1.Deployment {
replicaset := int32(1)
deployment := &appsv1.Deployment{
ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, false, map[string]string{}),
Spec: appsv1.DeploymentSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -481,7 +504,7 @@ func GetDeploymentWithPodAnnotations(namespace string, deploymentName string, bo
if !both {
deployment.Annotations = nil
}
deployment.Spec.Template.Annotations = getAnnotations(deploymentName, true, false, false, map[string]string{})
deployment.Spec.Template.Annotations = getAnnotations(deploymentName, true, false, false, false, map[string]string{})
return deployment
}
@@ -490,9 +513,11 @@ func GetDeploymentWithTypedAutoAnnotation(namespace string, deploymentName strin
var objectMeta metav1.ObjectMeta
switch resourceType {
case SecretResourceType:
objectMeta = getObjectMeta(namespace, deploymentName, false, true, false, map[string]string{})
objectMeta = getObjectMeta(namespace, deploymentName, false, true, false, false, map[string]string{})
case ConfigmapResourceType:
objectMeta = getObjectMeta(namespace, deploymentName, false, false, true, map[string]string{})
objectMeta = getObjectMeta(namespace, deploymentName, false, false, true, false, map[string]string{})
case SecretProviderClassPodStatusResourceType:
objectMeta = getObjectMeta(namespace, deploymentName, false, false, false, true, map[string]string{})
}
return &appsv1.Deployment{
@@ -520,6 +545,8 @@ func GetDeploymentWithExcludeAnnotation(namespace string, deploymentName string,
annotation[options.SecretExcludeReloaderAnnotation] = deploymentName
case ConfigmapResourceType:
annotation[options.ConfigmapExcludeReloaderAnnotation] = deploymentName
case SecretProviderClassPodStatusResourceType:
annotation[options.SecretProviderClassExcludeReloaderAnnotation] = deploymentName
}
return &appsv1.Deployment{
@@ -545,7 +572,7 @@ func GetDeploymentWithExcludeAnnotation(namespace string, deploymentName string,
// GetDaemonSet provides daemonset for testing
func GetDaemonSet(namespace string, daemonsetName string) *appsv1.DaemonSet {
return &appsv1.DaemonSet{
ObjectMeta: getObjectMeta(namespace, daemonsetName, false, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, daemonsetName, false, false, false, false, map[string]string{}),
Spec: appsv1.DaemonSetSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -560,7 +587,7 @@ func GetDaemonSet(namespace string, daemonsetName string) *appsv1.DaemonSet {
func GetDaemonSetWithEnvVars(namespace string, daemonSetName string) *appsv1.DaemonSet {
return &appsv1.DaemonSet{
ObjectMeta: getObjectMeta(namespace, daemonSetName, true, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, daemonSetName, true, false, false, false, map[string]string{}),
Spec: appsv1.DaemonSetSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -576,7 +603,7 @@ func GetDaemonSetWithEnvVars(namespace string, daemonSetName string) *appsv1.Dae
// GetStatefulSet provides statefulset for testing
func GetStatefulSet(namespace string, statefulsetName string) *appsv1.StatefulSet {
return &appsv1.StatefulSet{
ObjectMeta: getObjectMeta(namespace, statefulsetName, false, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, statefulsetName, false, false, false, false, map[string]string{}),
Spec: appsv1.StatefulSetSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -592,7 +619,7 @@ func GetStatefulSet(namespace string, statefulsetName string) *appsv1.StatefulSe
// GetStatefulSet provides statefulset for testing
func GetStatefulSetWithEnvVar(namespace string, statefulsetName string) *appsv1.StatefulSet {
return &appsv1.StatefulSet{
ObjectMeta: getObjectMeta(namespace, statefulsetName, true, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, statefulsetName, true, false, false, false, map[string]string{}),
Spec: appsv1.StatefulSetSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -617,6 +644,42 @@ func GetConfigmap(namespace string, configmapName string, testData string) *v1.C
}
}
func GetSecretProviderClass(namespace string, secretProviderClassName string, data string) *csiv1.SecretProviderClass {
return &csiv1.SecretProviderClass{
ObjectMeta: metav1.ObjectMeta{
Name: secretProviderClassName,
Namespace: namespace,
},
Spec: csiv1.SecretProviderClassSpec{
Provider: "Test",
Parameters: map[string]string{
"parameter1": data,
},
},
}
}
func GetSecretProviderClassPodStatus(namespace string, secretProviderClassPodStatusName string, data string) *csiv1.SecretProviderClassPodStatus {
return &csiv1.SecretProviderClassPodStatus{
ObjectMeta: metav1.ObjectMeta{
Name: secretProviderClassPodStatusName,
Namespace: namespace,
},
Status: csiv1.SecretProviderClassPodStatusStatus{
PodName: "test123",
SecretProviderClassName: secretProviderClassPodStatusName,
TargetPath: "/var/lib/kubelet/d8771ddf-935a-4199-a20b-f35f71c1d9e7/volumes/kubernetes.io~csi/secrets-store-inline/mount",
Mounted: true,
Objects: []csiv1.SecretProviderClassObject{
{
ID: "parameter1",
Version: data,
},
},
},
}
}
// GetConfigmapWithUpdatedLabel provides configmap for testing
func GetConfigmapWithUpdatedLabel(namespace string, configmapName string, testLabel string, testData string) *v1.ConfigMap {
return &v1.ConfigMap{
@@ -643,7 +706,7 @@ func GetSecret(namespace string, secretName string, data string) *v1.Secret {
func GetCronJob(namespace string, cronJobName string) *batchv1.CronJob {
return &batchv1.CronJob{
ObjectMeta: getObjectMeta(namespace, cronJobName, false, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, cronJobName, false, false, false, false, map[string]string{}),
Spec: batchv1.CronJobSpec{
Schedule: "*/5 * * * *", // Run every 5 minutes
JobTemplate: batchv1.JobTemplateSpec{
@@ -660,7 +723,7 @@ func GetCronJob(namespace string, cronJobName string) *batchv1.CronJob {
func GetJob(namespace string, jobName string) *batchv1.Job {
return &batchv1.Job{
ObjectMeta: getObjectMeta(namespace, jobName, false, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, jobName, false, false, false, false, map[string]string{}),
Spec: batchv1.JobSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -672,7 +735,7 @@ func GetJob(namespace string, jobName string) *batchv1.Job {
func GetCronJobWithEnvVar(namespace string, cronJobName string) *batchv1.CronJob {
return &batchv1.CronJob{
ObjectMeta: getObjectMeta(namespace, cronJobName, true, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, cronJobName, true, false, false, false, map[string]string{}),
Spec: batchv1.CronJobSpec{
Schedule: "*/5 * * * *", // Run every 5 minutes
JobTemplate: batchv1.JobTemplateSpec{
@@ -689,7 +752,7 @@ func GetCronJobWithEnvVar(namespace string, cronJobName string) *batchv1.CronJob
func GetJobWithEnvVar(namespace string, jobName string) *batchv1.Job {
return &batchv1.Job{
ObjectMeta: getObjectMeta(namespace, jobName, true, false, false, map[string]string{}),
ObjectMeta: getObjectMeta(namespace, jobName, true, false, false, false, map[string]string{}),
Spec: batchv1.JobSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -746,7 +809,7 @@ func GetResourceSHAFromAnnotation(podAnnotations map[string]string) string {
return last.Hash
}
// ConvertResourceToSHA generates SHA from secret or configmap data
// ConvertResourceToSHA generates SHA from secret, configmap or secretproviderclasspodstatus data
func ConvertResourceToSHA(resourceType string, namespace string, resourceName string, data string) string {
values := []string{}
switch resourceType {
@@ -760,6 +823,12 @@ func ConvertResourceToSHA(resourceType string, namespace string, resourceName st
for k, v := range configmap.Data {
values = append(values, k+"="+v)
}
case SecretProviderClassPodStatusResourceType:
secretproviderclasspodstatus := GetSecretProviderClassPodStatus(namespace, resourceName, data)
for _, v := range secretproviderclasspodstatus.Status.Objects {
values = append(values, v.ID+"="+v.Version)
}
values = append(values, "SecretProviderClassName="+secretproviderclasspodstatus.Status.SecretProviderClassName)
}
sort.Strings(values)
return crypto.GenerateSHA(strings.Join(values, ";"))
@@ -774,6 +843,25 @@ func CreateConfigMap(client kubernetes.Interface, namespace string, configmapNam
return configmapClient, err
}
// CreateSecretProviderClass creates a SecretProviderClass in given namespace and returns the SecretProviderClassInterface
func CreateSecretProviderClass(client csiclient.Interface, namespace string, secretProviderClassName string, data string) (csiclient_v1.SecretProviderClassInterface, error) {
logrus.Infof("Creating SecretProviderClass")
secretProviderClassClient := client.SecretsstoreV1().SecretProviderClasses(namespace)
_, err := secretProviderClassClient.Create(context.TODO(), GetSecretProviderClass(namespace, secretProviderClassName, data), metav1.CreateOptions{})
time.Sleep(3 * time.Second)
return secretProviderClassClient, err
}
// CreateSecretProviderClassPodStatus creates a SecretProviderClassPodStatus in given namespace and returns the SecretProviderClassPodStatusInterface
func CreateSecretProviderClassPodStatus(client csiclient.Interface, namespace string, secretProviderClassPodStatusName string, data string) (csiclient_v1.SecretProviderClassPodStatusInterface, error) {
logrus.Infof("Creating SecretProviderClassPodStatus")
secretProviderClassPodStatusClient := client.SecretsstoreV1().SecretProviderClassPodStatuses(namespace)
secretProviderClassPodStatus := GetSecretProviderClassPodStatus(namespace, secretProviderClassPodStatusName, data)
_, err := secretProviderClassPodStatusClient.Create(context.TODO(), secretProviderClassPodStatus, metav1.CreateOptions{})
time.Sleep(3 * time.Second)
return secretProviderClassPodStatusClient, err
}
// CreateSecret creates a secret in given namespace and returns the SecretInterface
func CreateSecret(client kubernetes.Interface, namespace string, secretName string, data string) (core_v1.SecretInterface, error) {
logrus.Infof("Creating secret")
@@ -1036,6 +1124,27 @@ func UpdateSecret(secretClient core_v1.SecretInterface, namespace string, secret
return updateErr
}
// UpdateSecretProviderClassPodStatus updates a secretproviderclasspodstatus in given namespace and returns the error if any
func UpdateSecretProviderClassPodStatus(spcpsClient csiclient_v1.SecretProviderClassPodStatusInterface, namespace string, spcpsName string, label string, data string) error {
logrus.Infof("Updating secretproviderclasspodstatus %q.\n", spcpsName)
updatedStatus := GetSecretProviderClassPodStatus(namespace, spcpsName, data).Status
secretproviderclasspodstatus, err := spcpsClient.Get(context.TODO(), spcpsName, metav1.GetOptions{})
if err != nil {
return err
}
secretproviderclasspodstatus.Status = updatedStatus
if label != "" {
labels := secretproviderclasspodstatus.Labels
if labels == nil {
labels = make(map[string]string)
}
labels["firstLabel"] = label
}
_, updateErr := spcpsClient.Update(context.TODO(), secretproviderclasspodstatus, metav1.UpdateOptions{})
time.Sleep(3 * time.Second)
return updateErr
}
// DeleteConfigMap deletes a configmap in given namespace and returns the error if any
func DeleteConfigMap(client kubernetes.Interface, namespace string, configmapName string) error {
logrus.Infof("Deleting configmap %q.\n", configmapName)
@@ -1052,6 +1161,22 @@ func DeleteSecret(client kubernetes.Interface, namespace string, secretName stri
return err
}
// DeleteSecretProviderClass deletes a secretproviderclass in given namespace and returns the error if any
func DeleteSecretProviderClass(client csiclient.Interface, namespace string, secretProviderClassName string) error {
logrus.Infof("Deleting secretproviderclass %q.\n", secretProviderClassName)
err := client.SecretsstoreV1().SecretProviderClasses(namespace).Delete(context.TODO(), secretProviderClassName, metav1.DeleteOptions{})
time.Sleep(3 * time.Second)
return err
}
// DeleteSecretProviderClassPodStatus deletes a secretproviderclasspodstatus in given namespace and returns the error if any
func DeleteSecretProviderClassPodStatus(client csiclient.Interface, namespace string, secretProviderClassPodStatusName string) error {
logrus.Infof("Deleting secretproviderclasspodstatus %q.\n", secretProviderClassPodStatusName)
err := client.SecretsstoreV1().SecretProviderClassPodStatuses(namespace).Delete(context.TODO(), secretProviderClassPodStatusName, metav1.DeleteOptions{})
time.Sleep(3 * time.Second)
return err
}
// RandSeq generates a random sequence
func RandSeq(n int) string {
b := make([]rune, n)
@@ -1202,14 +1327,18 @@ func VerifyResourceAnnotationUpdate(clients kube.Clients, config common.Config,
}
func GetSHAfromEmptyData() string {
return crypto.GenerateSHA("")
// Use a special marker that represents "deleted" or "empty" state
// This ensures we have a distinct, deterministic hash for the delete strategy
// Note: We could use GenerateSHA("") which now returns a hash, but using a marker
// makes the intent clearer and avoids potential confusion with actual empty data
return crypto.GenerateSHA("__RELOADER_EMPTY_DELETE_MARKER__")
}
// GetRollout provides rollout for testing
func GetRollout(namespace string, rolloutName string, annotations map[string]string) *argorolloutv1alpha1.Rollout {
replicaset := int32(1)
return &argorolloutv1alpha1.Rollout{
ObjectMeta: getObjectMeta(namespace, rolloutName, false, false, false, annotations),
ObjectMeta: getObjectMeta(namespace, rolloutName, false, false, false, false, annotations),
Spec: argorolloutv1alpha1.RolloutSpec{
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"secondLabel": "temp"},

12
internal/pkg/util/util.go
View File

@@ -13,6 +13,7 @@ import (
"github.com/stakater/Reloader/internal/pkg/crypto"
"github.com/stakater/Reloader/internal/pkg/options"
v1 "k8s.io/api/core/v1"
csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
)
// ConvertToEnvVarName converts the given text into a usable env var
@@ -57,6 +58,16 @@ func GetSHAfromSecret(data map[string][]byte) string {
return crypto.GenerateSHA(strings.Join(values, ";"))
}
func GetSHAfromSecretProviderClassPodStatus(data csiv1.SecretProviderClassPodStatusStatus) string {
values := []string{}
for _, v := range data.Objects {
values = append(values, v.ID+"="+v.Version)
}
values = append(values, "SecretProviderClassName="+data.SecretProviderClassName)
sort.Strings(values)
return crypto.GenerateSHA(strings.Join(values, ";"))
}
type List []string
func (l *List) Contains(s string) bool {
@@ -95,6 +106,7 @@ func ConfigureReloaderFlags(cmd *cobra.Command) {
cmd.PersistentFlags().BoolVar(&options.SyncAfterRestart, "sync-after-restart", false, "Sync add events after reloader restarts")
cmd.PersistentFlags().BoolVar(&options.EnablePProf, "enable-pprof", false, "Enable pprof for profiling")
cmd.PersistentFlags().StringVar(&options.PProfAddr, "pprof-addr", ":6060", "Address to start pprof server on. Default is :6060")
cmd.PersistentFlags().BoolVar(&options.EnableCSIIntegration, "enable-csi-integration", false, "Enables CSI integration. Default is :false")
}
func GetIgnoredResourcesList() (List, error) {