try to create every secret instead of returning eraly

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · Mar 8, 2024 · 71509cf · 71509cf
1 parent af0837e
commit 71509cf
Show file tree

Hide file tree

Showing 3 changed files with 114 additions and 12 deletions.
diff --git a/internal/cmd/certgen.go b/internal/cmd/certgen.go
@@ -74,17 +74,18 @@ func outputCerts(ctx context.Context, cli client.Client, cfg *config.Server, cer
 	log := cfg.Logger
 
 	if err != nil {
-		if errors.Is(err, kubernetes.ErrSecretExists) {
-			log.Info("exiting early", "reason", err)
-			return nil
+		if !errors.Is(err, kubernetes.ErrSecretExists) {
+			log.Info(err.Error())
+		} else {
+			return fmt.Errorf("failed to create or update secrets: %w", err)
 		}
-
-		return fmt.Errorf("failed to create or update secrets: %w", err)
 	}
 
-	for i := range secrets {
-		s := secrets[i]
-		log.Info("created secret", "namespace", s.Namespace, "name", s.Name)
+	if secrets != nil {
+		for i := range secrets {
+			s := secrets[i]
+			log.Info("created secret", "namespace", s.Namespace, "name", s.Name)
+		}
 	}
 
 	return nil

diff --git a/internal/provider/kubernetes/secrets.go b/internal/provider/kubernetes/secrets.go
@@ -92,7 +92,11 @@ func CertsToSecret(namespace string, certs *crypto.Certificates) []corev1.Secret
 // CreateOrUpdateSecrets creates the provided secrets if they don't exist or updates
 // them if they do.
 func CreateOrUpdateSecrets(ctx context.Context, client client.Client, secrets []corev1.Secret, update bool) ([]corev1.Secret, error) {
-	var tidySecrets []corev1.Secret
+	var (
+		tidySecrets     []corev1.Secret
+		existingSecrets []string
+	)
+
 	for i := range secrets {
 		secret := secrets[i]
 		current := new(corev1.Secret)
@@ -109,9 +113,8 @@ func CreateOrUpdateSecrets(ctx context.Context, client client.Client, secrets []
 			// Update if current value is different and update arg is set.
 		} else {
 			if !update {
-				return nil, fmt.Errorf("%s/%s: %w;"+
-					"Either update it manually or set overwriteControlPlaneCerts "+
-					"in the EnvoyGateway config", secret.Namespace, secret.Name, ErrSecretExists)
+				existingSecrets = append(existingSecrets, fmt.Sprintf("%s/%s", secret.Namespace, secret.Name))
+				continue
 			}
 
 			if !reflect.DeepEqual(secret.Data, current.Data) {
@@ -123,5 +126,11 @@ func CreateOrUpdateSecrets(ctx context.Context, client client.Client, secrets []
 		tidySecrets = append(tidySecrets, secret)
 	}
 
+	if len(existingSecrets) > 0 {
+		return tidySecrets, fmt.Errorf("%v: %w;"+
+			"Either update the secrets manually or set overwriteControlPlaneCerts "+
+			"in the EnvoyGateway config", existingSecrets, ErrSecretExists)
+	}
+
 	return tidySecrets, nil
 }
diff --git a/internal/provider/kubernetes/secrets_test.go b/internal/provider/kubernetes/secrets_test.go
@@ -0,0 +1,92 @@
+package kubernetes
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+var (
+	envoyGatewaySecret = corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "envoy-gateway",
+			Namespace: "envoy-gateway-system",
+		},
+	}
+
+	envoySecret = corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "envoy",
+			Namespace: "envoy-gateway-system",
+		},
+	}
+
+	envoyRateLimitSecret = corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "envoy-rate-limit",
+			Namespace: "envoy-gateway-system",
+		},
+	}
+
+	oidcHMACSecret = corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "envoy-oidc-hmac",
+			Namespace: "envoy-gateway-system",
+		},
+	}
+
+	existingSecretsWithoutHMAC = []client.Object{
+		&envoyGatewaySecret,
+		&envoySecret,
+		&envoyRateLimitSecret,
+	}
+
+	existingSecretsWithHMAC = []client.Object{
+		&envoyGatewaySecret,
+		&envoySecret,
+		&envoyRateLimitSecret,
+		&oidcHMACSecret,
+	}
+
+	SecretsToCreate = []corev1.Secret{
+		envoyGatewaySecret,
+		envoySecret,
+		envoyRateLimitSecret,
+		oidcHMACSecret,
+	}
+)
+
+func TestCreateSecretsWhenUpgrade(t *testing.T) {
+	t.Run("create HMAC secret when it does not exist", func(t *testing.T) {
+		cli := fakeclient.NewClientBuilder().WithObjects(existingSecretsWithoutHMAC...).Build()
+
+		secrets, err := CreateOrUpdateSecrets(context.Background(), cli, SecretsToCreate, false)
+		require.ErrorAs(t, err, &ErrSecretExists)
+		require.Len(t, secrets, 1)
+		require.Equal(t, "envoy-oidc-hmac", secrets[0].Name)
+
+		err = cli.Get(context.Background(), client.ObjectKeyFromObject(&oidcHMACSecret), &corev1.Secret{})
+		require.NoError(t, err)
+	})
+
+	t.Run("skip HMAC secret when it exist", func(t *testing.T) {
+		cli := fakeclient.NewClientBuilder().WithObjects(existingSecretsWithHMAC...).Build()
+
+		secrets, err := CreateOrUpdateSecrets(context.Background(), cli, SecretsToCreate, false)
+		require.ErrorAs(t, err, &ErrSecretExists)
+		require.Len(t, secrets, 0)
+	})
+
+	t.Run("update secrets when they exist", func(t *testing.T) {
+		cli := fakeclient.NewClientBuilder().WithObjects(existingSecretsWithHMAC...).Build()
+
+		secrets, err := CreateOrUpdateSecrets(context.Background(), cli, SecretsToCreate, true)
+		require.NoError(t, err)
+		require.Len(t, secrets, 4)
+	})
+}