Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(k8-operator): push secrets #2815

Merged
merged 14 commits into from
Dec 18, 2024
Merged

feat(k8-operator): push secrets #2815

merged 14 commits into from
Dec 18, 2024

Conversation

DanielHougaard
Copy link
Contributor

@DanielHougaard DanielHougaard commented Nov 28, 2024
edited
Loading

Description 📣

This PR introduces support for pushing secrets from the K8 operator into Infisical. We are using policies for the replacement of existing secrets. This mean the user can opt-in to overwrite existing/conflicting secrets in Infisical, to treat the K8 operator as the source of truth.

The operator will automatically update the serverside secret values if it detects a drift has happened, even if the key of a secret changes. If a secret key changes, the secret will be deleted and re-created with the correct secret key. We do this by keeping a map of ID/secret-key, that we are verifying on each reconcile.

If the deletionPolicy is set to Delete, all secrets managed by the operator will be deleted once the InfisicalPushSecret CRD is deleted.

Additionally, we are now using a proper logger for all our CRD's. No more printf or println statements.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

@DanielHougaard DanielHougaard self-assigned this Nov 28, 2024
@maidul98 maidul98 requested review from akhilmhdh and removed request for maidul98 December 5, 2024 03:26
akhilmhdh
akhilmhdh requested changes Dec 5, 2024
View reviewed changes
Copy link
Member

@akhilmhdh akhilmhdh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to application test. But some questions from my side

  1. Was this library something we were using before go-logr because I feel like it's quite unused one and uber zap is the most prominent one in this space.
  2. Nit: Some messages starts with sentence case while others in small case

k8-operator/api/v1alpha1/infisicalpushsecret_types.go Outdated Show resolved Hide resolved
k8-operator/controllers/infisicalpushsecret/conditions.go Outdated Show resolved Hide resolved
k8-operator/controllers/infisicalpushsecret/infisicalpushsecret_controller.go Outdated Show resolved Hide resolved
@DanielHougaard DanielHougaard force-pushed the daniel/k8-push-secret branch 2 times, most recently from 56760a0 to 01dcbb0 Compare December 7, 2024 01:22
@maidul98
Copy link
Collaborator

CleanShot 2024-12-17 at 15 54 28@2x
Something is wrong, it keeps updating secrets even though there were no secrets updated

maidul98
maidul98 reviewed Dec 17, 2024
View reviewed changes
Copy link
Collaborator

@maidul98 maidul98 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue: The secrets that are created by the operator keep being updated (so the number of secret versions keep going up). If there aren't any changes, we shouldn't make a update.

For future PRs, i recommend doing a separate PR to do folder restructure first and get it merged. This helps to reduce the surface area of pr testing and allows us to merge prs quicker.

Testing i did:

  • auto secrets auto redeploy
  • delete managed secret
  • add new key and have it synced

Need to do more testing on secret push after the update bug is patched.

For docs:

  • I think we now have too many things in one page. Let's break it up into another sub page of k8s integration page

helm-charts/secrets-operator/Chart.yaml Outdated Show resolved Hide resolved
helm-charts/secrets-operator/values.yaml Outdated Show resolved Hide resolved
k8-operator/controllers/infisicalpushsecret/infisicalpushsecret_controller.go Show resolved Hide resolved
@maidul98
Copy link
Collaborator

maidul98 commented Dec 18, 2024
edited
Loading

When deletionPolicy: Delete and you delete the kube secret, this is what i see:

CleanShot 2024-12-17 at 20 18 12@2x

The secrets in Infisical are not deleted

@DanielHougaard DanielHougaard requested review from maidul98 and removed request for akhilmhdh December 18, 2024 04:52
@maidul98 maidul98 merged commit 21eb2be into main Dec 18, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akhilmhdh akhilmhdh akhilmhdh requested changes

@maidul98 maidul98 maidul98 approved these changes

Assignees

@DanielHougaard DanielHougaard

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@DanielHougaard @maidul98 @akhilmhdh