flatten secrets

api/v1alpha1/aso_types.go

@@ -21,6 +21,7 @@ type ASOStatus struct {
 	RequestedAt        *metav1.Time `json:"requested,omitempty"`
 	CompletedAt        *metav1.Time `json:"completed,omitempty"`
 	FailedProvisioning bool         `json:"failedProvisioning,omitempty"`
+	FlattenedSecrets   bool         `json:"flattenedSecrets,omitempty"`
 }
 
 // GenericSpec is a struct to help get the KeyVaultName from the Spec

api/v1alpha1/azuresqlmanageduser_types.go

@@ -20,6 +20,7 @@ type AzureSQLManagedUserSpec struct {
 	Roles                   []string `json:"roles"`
 	ManagedIdentityName     string   `json:"managedIdentityName,omitempty"`
 	ManagedIdentityClientId string   `json:"managedIdentityClientId"`
+	KeyVaultSecretPrefix    string   `json:"keyVaultSecretPrefix,omitempty"`
 	KeyVaultToStoreSecrets  string   `json:"keyVaultToStoreSecrets,omitempty"`
 }
 

config/samples/azure_v1alpha1_azuresqlmanageduser.yaml

@@ -18,6 +18,9 @@ spec:
 
   managedIdentityClientId:
 
+  # Optionally specify the secret prefix to use when using keyvault
+  #keyVaultSecretPrefix: managed-id
+
   # Use the field below to optionally specify a different keyvault 
   # to store the secrets in
   #keyVaultToStoreSecrets:

controllers/suite_test.go

@@ -113,8 +113,6 @@ func setup() error {
 
 	var k8sManager ctrl.Manager
 
-	err = azurev1alpha1.AddToScheme(scheme.Scheme)
-
 	// +kubebuilder:scaffold:scheme
 	k8sManager, err = ctrl.NewManager(cfg, ctrl.Options{
 		Scheme: scheme.Scheme,

pkg/resourcemanager/azuresql/azuresqlmanageduser/azuresqlmanageduser.go

@@ -151,34 +151,60 @@ func (s *AzureSqlManagedUserManager) DropUser(ctx context.Context, db *sql.DB, u
 func (s *AzureSqlManagedUserManager) UpdateSecret(ctx context.Context, instance *v1alpha1.AzureSQLManagedUser, secretClient secrets.SecretClient) error {
 
 	secretprefix := instance.Name
-	key := types.NamespacedName{Name: instance.Name, Namespace: instance.Namespace}
+	secretnamespace := instance.Namespace
 
-	if len(instance.Spec.ManagedIdentityName) != 0 { // If ManagedIdentityName is specified, use that as the name as is
-		secretprefix = instance.Spec.ManagedIdentityName
-		key = types.NamespacedName{Name: instance.Spec.ManagedIdentityName}
+	if len(instance.Spec.KeyVaultSecretPrefix) != 0 { // If KeyVaultSecretPrefix is specified, use that for secrets
+		secretprefix = instance.Spec.KeyVaultSecretPrefix
+		secretnamespace = ""
 	}
-	secret, err := secretClient.Get(ctx, key)
+
+	secret := map[string][]byte{
+		"clientid": []byte(instance.Spec.ManagedIdentityClientId),
+		"server":   []byte(instance.Spec.Server),
+		"dbName":   []byte(instance.Spec.DbName),
+	}
+
+	key := types.NamespacedName{Name: secretprefix, Namespace: secretnamespace}
+	// We store the different secret fields as different secrets
+	instance.Status.FlattenedSecrets = true
+	err := secretClient.Upsert(ctx, key, secret, secrets.Flatten(true))
 	if err != nil {
-		secret = map[string][]byte{
-			secretprefix:             []byte(instance.Spec.ManagedIdentityClientId),
-			secretprefix + "-server": []byte(instance.Spec.Server),
-			secretprefix + "-dbName": []byte(instance.Spec.DbName),
+		if strings.Contains(err.Error(), "FlattenedSecretsNotSupported") { // kube client does not support Flatten
+			err = secretClient.Upsert(ctx, key, secret)
+			if err != nil {
+				return fmt.Errorf("Upsert into KubeClient without flatten failed")
+			}
+			instance.Status.FlattenedSecrets = false
 		}
 	}
-
-	err = secretClient.Upsert(ctx, key, secret)
 	return err
 }
 
 // DeleteSecret deletes a secret
 func (s *AzureSqlManagedUserManager) DeleteSecrets(ctx context.Context, instance *v1alpha1.AzureSQLManagedUser, secretClient secrets.SecretClient) error {
-	key := types.NamespacedName{Name: instance.Name, Namespace: instance.Namespace}
+	secretprefix := instance.Name
+	secretnamespace := instance.Namespace
 
-	if len(instance.Spec.ManagedIdentityName) != 0 { // If ManagedIdentityName is specified, use that as the name as is
-		key = types.NamespacedName{Name: instance.Spec.ManagedIdentityName}
+	if len(instance.Spec.KeyVaultSecretPrefix) != 0 { // If KeyVaultSecretPrefix is specified, use that for secrets
+		secretprefix = instance.Spec.KeyVaultSecretPrefix
+		secretnamespace = ""
 	}
 
-	return secretClient.Delete(ctx, key)
+	suffixes := []string{"clientid", "server", "dbName"}
+	if instance.Status.FlattenedSecrets == false {
+		key := types.NamespacedName{Name: secretprefix, Namespace: secretnamespace}
+		return secretClient.Delete(ctx, key)
+	} else {
+		// Delete the secrets one by one
+		for _, suffix := range suffixes {
+			key := types.NamespacedName{Name: secretprefix + "-" + suffix, Namespace: secretnamespace}
+			err := secretClient.Delete(ctx, key)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
 }
 
 func getMSITokenProvider() (func() (string, error), error) {

pkg/resourcemanager/azuresql/azuresqlmanageduser/azuresqlmanageduser_reconcile.go

@@ -117,7 +117,7 @@ func (s *AzureSqlManagedUserManager) Ensure(ctx context.Context, obj runtime.Obj
 
 	err = s.UpdateSecret(ctx, instance, s.SecretClient)
 	if err != nil {
-		instance.Status.Message = "Updating secret failed"
+		instance.Status.Message = "Updating secret failed " + err.Error()
 		return false, fmt.Errorf("Updating secret failed")
 	}
 

pkg/secrets/kube/client.go

@@ -31,6 +31,10 @@ func (k *KubeSecretClient) Create(ctx context.Context, key types.NamespacedName,
 		opt(options)
 	}
 
+	if options.Flatten {
+		return fmt.Errorf("FlattenedSecretsNotSupported")
+	}
+
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      key.Name,
@@ -62,6 +66,10 @@ func (k *KubeSecretClient) Upsert(ctx context.Context, key types.NamespacedName,
 		opt(options)
 	}
 
+	if options.Flatten {
+		return fmt.Errorf("FlattenedSecretsNotSupported")
+	}
+
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      key.Name,