✨ Add SecretSyncer controller to save pull secret data locally

anik120 · anik120 · commit d2dea55f7e4c · 2024-09-30T21:37:36.000+05:30
RFC: https://docs.google.com/document/d/1BXD6kj5zXHcGiqvJOikU2xs8kV26TPnzEKp6n7TKD4M/edit#heading=h.x3tfh25grvnv
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -91,6 +91,8 @@ func main() {
 		operatorControllerVersion bool
 		systemNamespace           string
 		caCertDir                 string
+		globalPullSecretName      string
+		globalPullSecretNamespace string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
@@ -101,6 +103,8 @@ func main() {
 	flag.StringVar(&cachePath, "cache-path", "/var/cache", "The local directory path used for filesystem based caching")
 	flag.BoolVar(&operatorControllerVersion, "version", false, "Prints operator-controller version information")
 	flag.StringVar(&systemNamespace, "system-namespace", "", "Configures the namespace that gets used to deploy system resources.")
+	flag.StringVar(&globalPullSecretName, "global-pull-secret-name", "", "The name of the global pull secret that is going to be used to pull bundle images.")
+	flag.StringVar(&globalPullSecretNamespace, "global-pull-secret-namespace", "", "The namespace of the global pull secret.")
 
 	klog.InitFlags(flag.CommandLine)
 
@@ -115,6 +119,11 @@ func main() {
 
 	ctrl.SetLogger(textlogger.NewLogger(textlogger.NewConfig()))
 
+	if (globalPullSecretName != "" && globalPullSecretNamespace == "") || (globalPullSecretName == "" && globalPullSecretNamespace != "") {
+		setupLog.Error(fmt.Errorf("Both --global-pull-secret-name and --global-pull-secret-namespace must be provided together."), "incorrect flag usage")
+		os.Exit(1)
+	}
+
 	setupLog.Info("starting up the controller", "version info", version.String())
 
 	if systemNamespace == "" {
@@ -289,6 +298,18 @@ func main() {
 		os.Exit(1)
 	}
 
+	if globalPullSecretName != "" && globalPullSecretNamespace != "" {
+		err := (&controllers.SecretSyncerReconciler{
+			Client:          mgr.GetClient(),
+			SecretName:      globalPullSecretName,
+			SecretNamespace: globalPullSecretNamespace,
+		}).SetupWithManager(mgr)
+		if err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "SecretSyncer")
+			os.Exit(1)
+		}
+	}
+
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
diff --git a/config/base/rbac/role.yaml b/config/base/rbac/role.yaml
@@ -4,6 +4,14 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apiextensions.k8s.io
   resources:
diff --git a/internal/controllers/secret_syncer_controller.go b/internal/controllers/secret_syncer_controller.go
@@ -0,0 +1,117 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+)
+
+// SecretSyncerReconciler reconciles a specific secret object
+type SecretSyncerReconciler struct {
+	client.Client
+	SecretName      string
+	SecretNamespace string
+	AuthFilePath    string
+}
+
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
+
+func (r *SecretSyncerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+
+	// Ensure that the request matches the specific secret you want to watch
+	if req.Name != r.SecretName || req.Namespace != r.SecretNamespace {
+		logger.Info("Received unexpected request for secret", req.Name, "in namespace", req.Namespace)
+		return ctrl.Result{}, nil
+	}
+
+	secret := &corev1.Secret{}
+	err := r.Get(ctx, req.NamespacedName, secret)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			logger.Info("Secret", req.Name, "in namespace", req.Namespace, "deleted.")
+			return r.deleteSecretFile(logger)
+		}
+		logger.Error(err, "Failed to get Secret")
+		return ctrl.Result{}, err
+	}
+
+	return r.writeSecretToFile(secret, logger)
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *SecretSyncerReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	_, err := ctrl.NewControllerManagedBy(mgr).
+		For(&corev1.Secret{}).
+		WithEventFilter(newSecretPredicate(r.SecretName, r.SecretNamespace)).
+		Build(r)
+
+	return err
+}
+
+func newSecretPredicate(secretName, secretNamespace string) predicate.Predicate {
+	return predicate.NewPredicateFuncs(func(obj client.Object) bool {
+		secret, ok := obj.(*corev1.Secret)
+		if !ok {
+			return false
+		}
+		return secret.Name == secretName && secret.Namespace == secretNamespace
+	})
+}
+
+// writeSecretToFile writes the secret data to the specified file
+func (r *SecretSyncerReconciler) writeSecretToFile(secret *corev1.Secret, logger logr.Logger) (ctrl.Result, error) {
+	jsonData, err := json.Marshal(secret.Data)
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to marshal secret data: %w", err)
+	}
+	err = os.WriteFile(r.AuthFilePath, jsonData, 0644)
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to write secret data to file: %w", err)
+	}
+	logger.Info("Saved Secret data locally")
+	return ctrl.Result{}, nil
+}
+
+// deleteSecretFile deletes the secret file if the secret is deleted
+func (r *SecretSyncerReconciler) deleteSecretFile(logger logr.Logger) (ctrl.Result, error) {
+	logger.Info("Deleting local auth file.")
+	if _, err := os.Stat(r.AuthFilePath); err == nil {
+		err := os.Remove(r.AuthFilePath)
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("failed to delete secret file: %w", err)
+		}
+		logger.Info("Auth file deleted successfully", "file", r.AuthFilePath)
+	} else if os.IsNotExist(err) {
+		logger.Info("Secret file does not exist, nothing to delete", "file", r.AuthFilePath)
+	} else {
+		return ctrl.Result{}, fmt.Errorf("failed to check secret file: %w", err)
+	}
+
+	return ctrl.Result{}, nil
+}
