Merge pull request #34 from zakkg3/0.8

0.8

Author: zakkg3

.gitignore

@@ -1 +1,2 @@
 src/__pycache__/
+yaml/Object_example/debug-*

Makefile

@@ -1,7 +1,7 @@
 IMG_NAMESPACE = flag5
 IMG_NAME = clustersecret
 IMG_FQNAME = $(IMG_NAMESPACE)/$(IMG_NAME)
-IMG_VERSION = 0.0.7
+IMG_VERSION = 0.0.8
 
 .PHONY: container push clean arm-container arm-push arm-clean
 all: container push
@@ -27,3 +27,7 @@ arm-push: arm-container
 
 arm-clean:
 	sudo docker rmi $(IMG_FQNAME):$(IMG_VERSION)_arm32
+
+beta:
+	sudo docker build -t $(IMG_FQNAME):$(IMG_VERSION)-beta .
+	sudo docker push $(IMG_FQNAME):$(IMG_VERSION)-beta

README.md

@@ -112,11 +112,30 @@ data:
 
 This can be archived by changing the RBAC.
 You may want to replace https://github.com/zakkg3/ClusterSecret/blob/master/yaml/00_rbac.yaml#L43-L46
-for a new namespaced role and its correspondient rolebinding.
+for a new namespaced role and its correspondent rolebinding.
 
 Here is the official doc:
 https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 
+## Update a ClusterSecret object
+
+This will trigger the operator to also update all secrets that it matches.
+
+## Value From another secret.
+
+With this we can tell ClusterSecret to take the values from an existing secret.
+yaml/Object_example/value-from-obj.yaml have a working example. Note that you will need first to have the obj2.yaml applied (the source secret).
+
+```
+data:
+  valueFrom:
+    secretKeyRef:
+      name: <secre-name>
+      namespace: <source-namespace>
+```
+
+to-do is to specify keys or matched keys to only sync that ones. For now it will sync the whole secret.
+
 ## optional
 
 overwrite the deployment command with kopf namespaces instead of the "-A" (all namespaces)
@@ -175,8 +194,7 @@ docker.io/flag5/clustersecret:
 # Roadmap:
 
 Tag 0.0.8:
-
- - [] implement `source` to specify a source secret to sync instead of `data` field. (https://github.com/zakkg3/ClusterSecret/issues/3)
+ - [X] implement `source` to specify a source secret to sync instead of `data` field. (https://github.com/zakkg3/ClusterSecret/issues/3)
  
 
  

src/csHelper.py

@@ -0,0 +1,118 @@
+import kopf
+import re
+from kubernetes import client
+
+def get_ns_list(logger,body,v1=None):
+    """Returns a list of namespaces where the secret should be matched
+    """
+    if v1 is None:
+        v1 = client.CoreV1Api()
+        logger.debug('new client - fn get_ns_list')
+    
+    try:
+        matchNamespace = body.get('matchNamespace')
+    except KeyError:
+        matchNamespace = '*'
+        logger.debug("matching all namespaces.")
+    logger.debug(f'Matching namespaces: {matchNamespace}')
+    
+    if matchNamespace is None:  # if delted key (issue 26)
+        matchNamespace = '*'
+    
+    try:
+        avoidNamespaces = body.get('avoidNamespaces')
+    except KeyError:
+        avoidNamespaces = ''
+        logger.debug("not avoiding namespaces")
+
+    nss = v1.list_namespace().items
+    matchedns = []
+    avoidedns = []
+
+    for matchns in matchNamespace:
+        for ns in nss:
+            if re.match(matchns, ns.metadata.name):
+                matchedns.append(ns.metadata.name)
+                logger.debug(f'Matched namespaces: {ns.metadata.name} matchpathern: {matchns}')
+    if avoidNamespaces:
+        for avoidns in avoidNamespaces:
+            for ns in nss:
+                if re.match(avoidns, ns.metadata.name):
+                    avoidedns.append(ns.metadata.name)
+                    logger.debug(f'Skipping namespaces: {ns.metadata.name} avoidpatrn: {avoidns}')  
+    # purge
+    for ns in matchedns.copy():
+        if ns in avoidedns:
+            matchedns.remove(ns)
+
+    return matchedns
+
+def read_data_secret(logger,name,namespace,v1):
+    """Gets the data from the 'name' secret in namspace
+    """
+    data={}
+    logger.debug(f'Reading {name} from ns {namespace}')
+    try: 
+        secret = v1.read_namespaced_secret(name, namespace)
+        logger.debug(f'Obtained secret {secret}')
+        data = secret.data
+    except client.exceptions.ApiException as e:
+        logger.error(f'Error reading secret {e}')
+        if e == "404":
+            logger.error(f"Secret {name} in ns {namespace} not found!")
+        raise kopf.TemporaryError("Error reading secret")
+    return data
+    
+def create_secret(logger,namespace,body,v1=None):
+    """Creates a given secret on a given namespace
+    """
+    if v1 is None:
+        v1 = client.CoreV1Api()
+        logger.debug('new client - fn create secret')
+    try:
+        sec_name = body['metadata']['name']
+    except KeyError:
+        logger.debug("No name in body ?")
+        raise kopf.TemporaryError("can not get the name.")
+    try:
+        data = body.get('data')
+    except KeyError:
+        data = ''
+        logger.error("Empty secret?? could not get the data.")
+    
+    if 'valueFrom' in data:
+        if len(data.keys()) > 1:
+            logger.error(f'Data keys with ValueFrom error: {data.keys()}  len {len(data.keys())}')
+            raise kopf.TemporaryError("ValueFrom can not coexist with other keys in the data")
+            
+        try:
+            ns_from = data['valueFrom']['secretKeyRef']['namespace']
+            name_from = data['valueFrom']['secretKeyRef']['name']
+            # key_from = data['ValueFrom']['secretKeyRef']['name']
+            # to-do specifie keys. for now. it will clone all.
+            logger.debug(f'Taking value from secret {name_from} from namespace {ns_from} - All keys')
+            data = read_data_secret(logger,name_from,ns_from,v1)
+        except KeyError:
+            logger.error (f'ERROR reading data from remote secret = {data}')
+            raise kopf.TemporaryError("Can not get Values from external secret")
+
+    logger.debug(f'Going to create with data: {data}')
+    secret_type = 'Opaque'
+    if 'type' in body:
+        secret_type = body['type']
+    body  = client.V1Secret()
+    body.metadata = client.V1ObjectMeta(name=sec_name)
+    body.type = secret_type
+    body.data = data
+    # kopf.adopt(body)
+    logger.info(f"cloning secret in namespace {namespace}")
+    try:
+        api_response = v1.create_namespaced_secret(namespace, body)
+    except client.rest.ApiException as e:
+        if e.reason == 'Conflict':
+            logger.info(f"secret `{sec_name}` already exist in namesace '{namespace}'")
+            return 0
+        logger.error(f'Can not create a secret, it is base64 encoded? data: {data}')
+        logger.error(f'Kube exception {e}')
+        return 1
+    return 0

src/handlers.py

@@ -1,7 +1,8 @@
 import kopf
-import re
 from kubernetes import client, config
+from csHelper import *
 
+csecs = {} # all cluster secrets.
 
 @kopf.on.delete('clustersecret.io', 'v1', 'clustersecrets')
 def on_delete(spec,uid,body,name,logger=None, **_):
@@ -31,7 +32,14 @@ def on_delete(spec,uid,body,name,logger=None, **_):
 def on_field_data(old, new, body,name,logger=None, **_):
     logger.debug(f'Data changed: {old} -> {new}')
     if old is not None:
-        syncedns = body['status']['create_fn']['syncedns']
+        logger.debug(f'Updating Object body == {body}')
+
+        try:
+            syncedns = body['status']['create_fn']['syncedns']
+        except KeyError:
+            logger.error('No Synced or status Namespaces found')
+            syncedns=[]
+            
         v1 = client.CoreV1Api()
 
         secret_type = 'Opaque'
@@ -56,8 +64,6 @@ def on_field_data(old, new, body,name,logger=None, **_):
     else:
         logger.debug('This is a new object')
 
-csecs = {} # all cluster secrets.
-
 @kopf.on.resume('clustersecret.io', 'v1', 'clustersecrets')
 @kopf.on.create('clustersecret.io', 'v1', 'clustersecrets')
 async def create_fn(spec,uid,logger=None,body=None,**kwargs):
@@ -78,103 +84,6 @@ async def create_fn(spec,uid,logger=None,body=None,**kwargs):
 
     return {'syncedns': matchedns}
 
-def get_ns_list(logger,body,v1=None):
-    """Returns a list of namespaces where the secret should be matched
-    """
-    if v1 is None:
-        v1 = client.CoreV1Api()
-        logger.debug('new client - fn get_ns_list')
-    
-    try:
-        matchNamespace = body.get('matchNamespace')
-    except KeyError:
-        matchNamespace = '*'
-        logger.debug("matching all namespaces.")
-    logger.debug(f'Matching namespaces: {matchNamespace}')
-    
-    if matchNamespace is None:  # if delted key (issue 26)
-        matchNamespace = '*'
-    
-    try:
-        avoidNamespaces = body.get('avoidNamespaces')
-    except KeyError:
-        avoidNamespaces = ''
-        logger.debug("not avoiding namespaces")
-
-    nss = v1.list_namespace().items
-    matchedns = []
-    avoidedns = []
-
-    for matchns in matchNamespace:
-        for ns in nss:
-            if re.match(matchns, ns.metadata.name):
-                matchedns.append(ns.metadata.name)
-                logger.debug(f'Matched namespaces: {ns.metadata.name} matchpathern: {matchns}')
-    if avoidNamespaces:
-        for avoidns in avoidNamespaces:
-            for ns in nss:
-                if re.match(avoidns, ns.metadata.name):
-                    avoidedns.append(ns.metadata.name)
-                    logger.debug(f'Skipping namespaces: {ns.metadata.name} avoidpatrn: {avoidns}')  
-    # purge
-    for ns in matchedns.copy():
-        if ns in avoidedns:
-            matchedns.remove(ns)
-
-    return matchedns
-    
-            
-def create_secret(logger,namespace,body,v1=None):
-    """Creates a given secret on a given namespace
-    """
-    if v1 is None:
-        v1 = client.CoreV1Api()
-        logger.debug('new client - fn create secret')
-    try:
-        sec_name = body['metadata']['name']
-    except KeyError:
-        logger.debug("No name in body ?")
-        raise kopf.TemporaryError("can not get the name.")
-    try:
-        data = body.get('data')
-    except KeyError:
-        data = ''
-        logger.error("Empty secret?? could not get the data.")
-    
-    if 'valueFrom' in data:
-        if len(data.keys()) > 1:
-            raise kopf.TemporaryError("ValueFrom can not coexist with other keys in the data")
-            
-        try:
-            ns_from = data['ValueFrom']['namespace']
-            name_from = data['ValueFrom']['name']
-        except KeyError:
-            logger.error("Can not get Values from external secret")
-            # to-do keys_from
-        logger.debug(f'Take value from secret {name_from} from namespace {ns_from}')
-        # data = read_data_secret(name,namespace)
-        #here - doing the valuform thing. but first fix and update all.
-        
-    secret_type = 'Opaque'
-    if 'type' in body:
-        secret_type = body['type']
-    body  = client.V1Secret()
-    body.metadata = client.V1ObjectMeta(name=sec_name)
-    body.type = secret_type
-    body.data = data
-    # kopf.adopt(body)
-    logger.info(f"cloning secret in namespace {namespace}")
-    try:
-        api_response = v1.create_namespaced_secret(namespace, body)
-    except client.rest.ApiException as e:
-        if e.reason == 'Conflict':
-            logger.warning(f"secret `{sec_name}` already exist in namesace '{namespace}'")
-            return 0
-        logger.error(f'Can not create a secret, it is base64 encoded? data: {data}')
-        logger.error(f'Kube exception {e}')
-        return 1
-    return 0
-
 @kopf.on.create('', 'v1', 'namespaces')
 async def namespace_watcher(spec,patch,logger,meta,body,**kwargs):
     """Watch for namespace events

yaml/02_deployment.yaml

@@ -20,7 +20,7 @@ spec:
         # - name: regcred
         containers:
         - name: clustersecret
-          image: flag5/clustersecret:0.0.7
+          image: flag5/clustersecret:0.0.8-beta
           # imagePullPolicy: Always
           # Uncomment next lines for debug:
           # command:

yaml/Object_example/obj2.yaml

@@ -6,6 +6,7 @@ metadata:
   namespace: clustersecret
 matchNamespace:
   - 'cluster.*'
+  # it will be replicated in clustersecret namespace.
 data:
   username: YWRtaW4=
   password: MWYyZDFlMmU2N2Rm

yaml/Object_example/value-from-obj.yaml

@@ -0,0 +1,22 @@
+# A demo custom resource for the Kopf example operators.
+apiVersion: clustersecret.io/v1
+kind: ClusterSecret
+metadata:
+  name: value-from
+  namespace: clustersecret
+  labels:
+    somelabel: somevalue
+  annotations:
+    someannotation: somevalue
+matchNamespace:
+  - '.*'
+avoidNamespaces:
+  - 'default'
+  - 'kube-system'
+# as output in kubectl create secret docker-registry regkey --docker-server my.docker.registry --docker-username adminuser --docker-password adminpass -o yaml --dry-run
+data:
+  valueFrom:
+    secretKeyRef:
+#it requires obj2.yaml first. 
+            name: global-secret2
+            namespace: clustersecret