feat: add target secret annotation, which will trigger it being repla…

…ced and owned by sopssecret (#81)
isindir · Jun 20, 2021 · 921329f · 921329f
1 parent ff997c9
commit 921329f
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 47 deletions.
diff --git a/README.md b/README.md
@@ -229,6 +229,21 @@ sops --encrypt \
 > access to one of these is needed. For more information see `sops`
 > documentation.
 
+## Changing ownership of existing secrets
+
+If there is a need to re-own existing `Secrets` by `SopsSecret`, following annotation should
+be added to the target kubernetes native secret:
+
+```yaml
+...
+metadata:
+  annotations:
+    "sopssecret/managed": "true"
+...
+```
+> previously unmanaged secret will be replaced by `SopsSecret` owned at the next rescheduled
+  reconciliation event.
+
 ## Example procedure to upgrade from one `SopsSecret` API version to another
 
 Please see document here: [SopsSecret API and Operator Upgrade](docs/api_upgrade_example/README.md)

diff --git a/api/v1alpha3/sopssecret_types.go b/api/v1alpha3/sopssecret_types.go
@@ -11,6 +11,12 @@ import (
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 // For upstream reference, see https://github.com/mozilla/sops/blob/master/stores/stores.go
 
+const (
+	// SopsSecretManagedAnnotation is the name for the annotation for
+	// flagging the existing secret be managed by SopsSecret controller.
+	SopsSecretManagedAnnotation = "sopssecret/managed"
+)
+
 // SopsSecretSpec defines the desired state of SopsSecret
 type SopsSecretSpec struct {
 	// Secrets template is a list of definitions to create Kubernetes Secrets

diff --git a/controllers/sopssecret_controller.go b/controllers/sopssecret_controller.go
@@ -181,7 +181,7 @@ func (r *SopsSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 			return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
 		}
 
-		if !metav1.IsControlledBy(foundSecret, instance) {
+		if !metav1.IsControlledBy(foundSecret, instance) && !isAnnotatedToBeManaged(foundSecret) {
 			instanceEncrypted.Status.Message = "Child secret is not owned by controller error"
 			r.Status().Update(context.Background(), instanceEncrypted)
 
@@ -203,6 +203,9 @@ func (r *SopsSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		foundSecret.Type = newSecret.Type
 		foundSecret.ObjectMeta.Annotations = newSecret.ObjectMeta.Annotations
 		foundSecret.ObjectMeta.Labels = newSecret.ObjectMeta.Labels
+		if isAnnotatedToBeManaged(origSecret) {
+			foundSecret.ObjectMeta.OwnerReferences = newSecret.ObjectMeta.OwnerReferences
+		}
 
 		if !apiequality.Semantic.DeepEqual(origSecret, foundSecret) {
 			r.Log.Info(
@@ -246,6 +249,11 @@ func (r *SopsSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	return ctrl.Result{}, nil
 }
 
+// checks if the annotation equals to "true", and it's case sensitive
+func isAnnotatedToBeManaged(secret *corev1.Secret) bool {
+	return secret.Annotations[isindirv1alpha3.SopsSecretManagedAnnotation] == "true"
+}
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *SopsSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {