feat(action): support refresh of ExternalSecret (argoproj#13951)

* feat(action): support refresh of ExternalSecret Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com> * fix test Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com> --------- Signed-off-by: Alexandre Gaudreault <alexandre.gaudreault@logmein.com>
tesla59 · Dec 16, 2023 · 87bd919 · 87bd919
1 parent e8d526e
commit 87bd919
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 5 deletions.
diff --git a/resource_customizations/external-secrets.io/ExternalSecret/actions/action_test.yaml b/resource_customizations/external-secrets.io/ExternalSecret/actions/action_test.yaml
@@ -0,0 +1,4 @@
+actionTests:
+  - action: refresh
+    inputPath: testdata/external-secret.yaml
+    expectedOutputPath: testdata/external-secret-updated.yaml
diff --git a/resource_customizations/external-secrets.io/ExternalSecret/actions/discovery.lua b/resource_customizations/external-secrets.io/ExternalSecret/actions/discovery.lua
@@ -0,0 +1,3 @@
+actions = {}
+actions["refresh"] = {["disabled"] = false}
+return actions
diff --git a/resource_customizations/external-secrets.io/ExternalSecret/actions/refresh/action.lua b/resource_customizations/external-secrets.io/ExternalSecret/actions/refresh/action.lua
@@ -0,0 +1,6 @@
+local os = require("os")
+if obj.metadata.annotations == nil then
+    obj.metadata.annotations = {}
+end
+obj.metadata.annotations["force-sync"] = os.date("!%Y-%m-%dT%XZ")
+return obj
diff --git a/...izations/external-secrets.io/ExternalSecret/actions/testdata/external-secret-updated.yaml b/...izations/external-secrets.io/ExternalSecret/actions/testdata/external-secret-updated.yaml
@@ -0,0 +1,56 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  annotations:
+    force-sync: '0001-01-01T00:00:00Z'
+  creationTimestamp: '2021-11-16T21:59:33Z'
+  generation: 1
+  name: test-healthy
+  namespace: argocd
+  resourceVersion: '136487331'
+  selfLink: /apis/external-secrets.io/v1alpha1/namespaces/argocd/externalsecrets/test-healthy
+  uid: 1e754a7e-0781-4d57-932d-4651d5b19586
+spec:
+  data:
+    - remoteRef:
+        key: secret/sa/example
+        property: api.address
+      secretKey: url
+    - remoteRef:
+        key: secret/sa/example
+        property: ca.crt
+      secretKey: ca
+    - remoteRef:
+        key: secret/sa/example
+        property: token
+      secretKey: token
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: SecretStore
+    name: example
+  target:
+    creationPolicy: Owner
+    template:
+      data:
+        config: |
+          {
+            "bearerToken": "{{ .token | base64decode | toString }}",
+            "tlsClientConfig": {
+              "insecure": false,
+              "caData": "{{ .ca | toString }}"
+            }
+          }
+        name: cluster-test
+        server: '{{ .url | toString }}'
+      metadata:
+        labels:
+          argocd.argoproj.io/secret-type: cluster
+status:
+  conditions:
+    - lastTransitionTime: '2021-11-16T21:59:34Z'
+      message: Secret was synced
+      reason: SecretSynced
+      status: 'True'
+      type: Ready
+  refreshTime: '2021-11-29T18:32:24Z'
+  syncedResourceVersion: 1-519a61da0dc68b2575b4f8efada70e42
diff --git a/...e_customizations/external-secrets.io/ExternalSecret/actions/testdata/external-secret.yaml b/...e_customizations/external-secrets.io/ExternalSecret/actions/testdata/external-secret.yaml
@@ -0,0 +1,54 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  creationTimestamp: '2021-11-16T21:59:33Z'
+  generation: 1
+  name: test-healthy
+  namespace: argocd
+  resourceVersion: '136487331'
+  selfLink: /apis/external-secrets.io/v1alpha1/namespaces/argocd/externalsecrets/test-healthy
+  uid: 1e754a7e-0781-4d57-932d-4651d5b19586
+spec:
+  data:
+    - remoteRef:
+        key: secret/sa/example
+        property: api.address
+      secretKey: url
+    - remoteRef:
+        key: secret/sa/example
+        property: ca.crt
+      secretKey: ca
+    - remoteRef:
+        key: secret/sa/example
+        property: token
+      secretKey: token
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: SecretStore
+    name: example
+  target:
+    creationPolicy: Owner
+    template:
+      data:
+        config: |
+          {
+            "bearerToken": "{{ .token | base64decode | toString }}",
+            "tlsClientConfig": {
+              "insecure": false,
+              "caData": "{{ .ca | toString }}"
+            }
+          }
+        name: cluster-test
+        server: '{{ .url | toString }}'
+      metadata:
+        labels:
+          argocd.argoproj.io/secret-type: cluster
+status:
+  conditions:
+    - lastTransitionTime: '2021-11-16T21:59:34Z'
+      message: Secret was synced
+      reason: SecretSynced
+      status: 'True'
+      type: Ready
+  refreshTime: '2021-11-29T18:32:24Z'
+  syncedResourceVersion: 1-519a61da0dc68b2575b4f8efada70e42
diff --git a/util/lua/custom_actions_test.go b/util/lua/custom_actions_test.go
@@ -26,27 +26,32 @@ func (t testNormalizer) Normalize(un *unstructured.Unstructured) error {
 	case "DaemonSet", "Deployment", "StatefulSet":
 		err := unstructured.SetNestedStringMap(un.Object, map[string]string{"kubectl.kubernetes.io/restartedAt": "0001-01-01T00:00:00Z"}, "spec", "template", "metadata", "annotations")
 		if err != nil {
-			return fmt.Errorf("failed to normalize DaemonSet: %w", err)
+			return fmt.Errorf("failed to normalize %s: %w", un.GetKind(), err)
 		}
 	}
 	switch un.GetKind() {
 	case "Deployment":
 		err := unstructured.SetNestedField(un.Object, nil, "status")
 		if err != nil {
-			return fmt.Errorf("failed to normalize DaemonSet: %w", err)
+			return fmt.Errorf("failed to normalize %s: %w", un.GetKind(), err)
 		}
 		err = unstructured.SetNestedField(un.Object, nil, "metadata", "creationTimestamp")
 		if err != nil {
-			return fmt.Errorf("failed to normalize DaemonSet: %w", err)
+			return fmt.Errorf("failed to normalize %s: %w", un.GetKind(), err)
 		}
 		err = unstructured.SetNestedField(un.Object, nil, "metadata", "generation")
 		if err != nil {
-			return fmt.Errorf("failed to normalize DaemonSet: %w", err)
+			return fmt.Errorf("failed to normalize %s: %w", un.GetKind(), err)
 		}
 	case "Rollout":
 		err := unstructured.SetNestedField(un.Object, nil, "spec", "restartAt")
 		if err != nil {
-			return fmt.Errorf("failed to normalize Rollout: %w", err)
+			return fmt.Errorf("failed to normalize %s: %w", un.GetKind(), err)
+		}
+	case "ExternalSecret":
+		err := unstructured.SetNestedStringMap(un.Object, map[string]string{"force-sync": "0001-01-01T00:00:00Z"}, "metadata", "annotations")
+		if err != nil {
+			return fmt.Errorf("failed to normalize %s: %w", un.GetKind(), err)
 		}
 	}
 	return nil