fixes redhat-cop#193

davoustp · Nov 4, 2024 · 35241a5 · 35241a5
1 parent 68c6a1c
commit 35241a5
Show file tree

Hide file tree

Showing 30 changed files with 202 additions and 40 deletions.
diff --git a/api/v1alpha1/utils/vaultobject.go b/api/v1alpha1/utils/vaultobject.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"strings"
 
+	"github.com/google/go-cmp/cmp"
 	vault "github.com/hashicorp/vault/api"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -58,6 +59,7 @@ func (ve *VaultEndpoint) DeleteKVv2IfExists(context context.Context) error {
 	// should match pathToDelete := fmt.Sprintf("%s/metadata/%s", kv.mountPath, secretPath)
 	pathToDelete := strings.Replace(ve.vaultObject.GetPath(), "/data/", "/metadata/", 1)
 
+	log.V(1).Info("deleting resource from Vault", "op", "VaultEndpoint.DeleteKVv2IfExists")
 	_, err := vaultClient.Logical().Delete(pathToDelete)
 	if err != nil {
 		if respErr, ok := err.(*vault.ResponseError); ok {
@@ -73,6 +75,7 @@ func (ve *VaultEndpoint) DeleteKVv2IfExists(context context.Context) error {
 
 func (ve *VaultEndpoint) DeleteIfExists(context context.Context) error {
 	log := log.FromContext(context)
+	log.V(1).Info("deleting resource from Vault", "op", "VaultEndpoint.DeleteIfExists")
 	vaultClient := context.Value("vaultClient").(*vault.Client)
 	_, err := vaultClient.Logical().Delete(ve.vaultObject.GetPath())
 	if err != nil {
@@ -88,21 +91,30 @@ func (ve *VaultEndpoint) DeleteIfExists(context context.Context) error {
 }
 
 func (ve *VaultEndpoint) Create(context context.Context) error {
+	log := log.FromContext(context)
+	log.V(1).Info("creating resource in Vault", "op", "VaultEndpoint.Create")
 	return write(context, ve.vaultObject.GetPath(), ve.vaultObject.GetPayload())
 }
 
 func (ve *VaultEndpoint) CreateOrUpdate(context context.Context) error {
 	log := log.FromContext(context)
+	log.V(1).Info("reading resource from Vault", "op", "VaultEndpoint.CreateOrUpdate")
 	currentPayload, found, err := read(context, ve.vaultObject.GetPath())
 	if err != nil {
 		log.Error(err, "unable to read object at", "path", ve.vaultObject.GetPath())
 		return err
 	}
 	if !found {
+		log.V(1).Info("resource does not exist, creating it in Vault", "op", "VaultEndpoint.CreateOrUpdate")
 		return write(context, ve.vaultObject.GetPath(), ve.vaultObject.GetPayload())
 	} else {
 		if !ve.vaultObject.IsEquivalentToDesiredState(currentPayload) {
-			return write(context, ve.vaultObject.GetPath(), ve.vaultObject.GetPayload())
+			updatedPayload := ve.vaultObject.GetPayload()
+			log.V(1).Info("resource is not in sync, writing to Vault", "op", "VaultEndpoint.CreateOrUpdate",
+				"diff", cmp.Diff(currentPayload, updatedPayload))
+			return write(context, ve.vaultObject.GetPath(), updatedPayload)
+		} else {
+			log.V(1).Info("vault resource is already in sync", "op", "VaultEndpoint.CreateOrUpdate")
 		}
 	}
 	return nil
@@ -125,22 +137,31 @@ func (ve *RabbitMQEngineConfigVaultEndpoint) CreateOrUpdateLease(context context
 	if ve.rabbitMQEngineConfigVaultEndpoint.CheckTTLValuesProvided() {
 		return nil
 	}
+	log.V(1).Info("reading resource from Vault", "op", "RabbitMQEngineConfigVaultEndpoint.CreateOrUpdateLease")
 	currentPayload, found, err := read(context, ve.rabbitMQEngineConfigVaultEndpoint.GetLeasePath())
 	if err != nil {
 		log.Error(err, "unable to read object at", "path", ve.rabbitMQEngineConfigVaultEndpoint.GetLeasePath())
 		return err
 	}
 	if !found {
+		log.V(1).Info("resource does not exist, creating it in Vault", "op", "RabbitMQEngineConfigVaultEndpoint.CreateOrUpdateLease")
 		return write(context, ve.rabbitMQEngineConfigVaultEndpoint.GetLeasePath(), ve.rabbitMQEngineConfigVaultEndpoint.GetLeasePayload())
 	} else {
 		if !ve.rabbitMQEngineConfigVaultEndpoint.IsEquivalentToDesiredState(currentPayload) {
-			return write(context, ve.rabbitMQEngineConfigVaultEndpoint.GetLeasePath(), ve.rabbitMQEngineConfigVaultEndpoint.GetLeasePayload())
+			updatedPayload := ve.rabbitMQEngineConfigVaultEndpoint.GetLeasePayload()
+			log.V(1).Info("resource is not in sync, writing to Vault", "op", "RabbitMQEngineConfigVaultEndpoint.CreateOrUpdateLease",
+				"diff", cmp.Diff(currentPayload, updatedPayload))
+			return write(context, ve.rabbitMQEngineConfigVaultEndpoint.GetLeasePath(), updatedPayload)
+		} else {
+			log.V(1).Info("vault resource is already in sync", "op", "RabbitMQEngineConfigVaultEndpoint.CreateOrUpdateLease")
 		}
 	}
 	return nil
 }
 
 func (ve *RabbitMQEngineConfigVaultEndpoint) Create(context context.Context) error {
+	log := log.FromContext(context)
+	log.V(1).Info("creating resource in Vault", "op", "RabbitMQEngineConfigVaultEndpoint.Create")
 	return write(context, ve.rabbitMQEngineConfigVaultEndpoint.GetPath(), ve.rabbitMQEngineConfigVaultEndpoint.GetPayload())
 }
 

diff --git a/controllers/databasesecretengineconfig_controller.go b/controllers/databasesecretengineconfig_controller.go
@@ -22,6 +22,7 @@ import (
 	"time"
 
 	redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1"
+	"github.com/redhat-cop/vault-config-operator/controllers/k8sevt"
 	"github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -210,14 +211,16 @@ func (r *DatabaseSecretEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager
 	}
 
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&redhatcopv1alpha1.DatabaseSecretEngineConfig{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})).
+		For(&redhatcopv1alpha1.DatabaseSecretEngineConfig{},
+			builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{}, k8sevt.Log{})).
 		Watches(&corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
 				Kind: "Secret",
 			},
 		}, handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, a client.Object) []reconcile.Request {
 			res := []reconcile.Request{}
 			s := a.(*corev1.Secret)
+			r.Log.V(1).Info("fanning event on Secret out to applicable DatabaseSecretEngineConfigs", "namespace", s.Namespace, "name", s.Name)
 			dbsecs, err := r.findApplicableBDSCForSecret(ctx, s)
 			if err != nil {
 				r.Log.Error(err, "unable to find applicable databaseSecretEngines for namespace", "namespace", s.Name)
@@ -232,14 +235,15 @@ func (r *DatabaseSecretEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager
 				})
 			}
 			return res
-		}), builder.WithPredicates(isBasicAuthSecret)).
+		}), builder.WithPredicates(isBasicAuthSecret, k8sevt.Log{})).
 		Watches(&redhatcopv1alpha1.RandomSecret{
 			TypeMeta: metav1.TypeMeta{
 				Kind: "RandomSecret",
 			},
 		}, handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, a client.Object) []reconcile.Request {
 			res := []reconcile.Request{}
 			rs := a.(*redhatcopv1alpha1.RandomSecret)
+			r.Log.V(1).Info("fanning event on RandomSecret out to applicable RandomSecrets", "namespace", rs.Namespace, "name", rs.Name)
 			dbsecs, err := r.findApplicableDBSCForRandomSecret(ctx, rs)
 			if err != nil {
 				r.Log.Error(err, "unable to find applicable databaseSecretEngines for namespace", "namespace", rs.Name)
@@ -254,7 +258,7 @@ func (r *DatabaseSecretEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager
 				})
 			}
 			return res
-		}), builder.WithPredicates(isUpdatedRandomSecret)).
+		}), builder.WithPredicates(isUpdatedRandomSecret, k8sevt.Log{})).
 		Complete(r)
 }
 

diff --git a/controllers/databasesecretenginerole_controller.go b/controllers/databasesecretenginerole_controller.go
@@ -26,6 +26,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1"
+	"github.com/redhat-cop/vault-config-operator/controllers/k8sevt"
 	"github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller"
 )
 
@@ -80,6 +81,7 @@ func (r *DatabaseSecretEngineRoleReconciler) Reconcile(ctx context.Context, req
 // SetupWithManager sets up the controller with the Manager.
 func (r *DatabaseSecretEngineRoleReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&redhatcopv1alpha1.DatabaseSecretEngineRole{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})).
+		For(&redhatcopv1alpha1.DatabaseSecretEngineRole{},
+			builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{}, k8sevt.Log{})).
 		Complete(r)
 }
diff --git a/controllers/databasesecretenginestaticrole_controller.go b/controllers/databasesecretenginestaticrole_controller.go
@@ -26,6 +26,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1"
+	"github.com/redhat-cop/vault-config-operator/controllers/k8sevt"
 	"github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller"
 )
 
@@ -71,6 +72,7 @@ func (r *DatabaseSecretEngineStaticRoleReconciler) Reconcile(ctx context.Context
 // SetupWithManager sets up the controller with the Manager.
 func (r *DatabaseSecretEngineStaticRoleReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&redhatcopv1alpha1.DatabaseSecretEngineStaticRole{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})).
+		For(&redhatcopv1alpha1.DatabaseSecretEngineStaticRole{},
+			builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{}, k8sevt.Log{})).
 		Complete(r)
 }
diff --git a/controllers/githubsecretengineconfig_controller.go b/controllers/githubsecretengineconfig_controller.go
@@ -34,6 +34,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1"
+	"github.com/redhat-cop/vault-config-operator/controllers/k8sevt"
 	"github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller"
 )
 
@@ -118,14 +119,16 @@ func (r *GitHubSecretEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager)
 	}
 
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&redhatcopv1alpha1.GitHubSecretEngineConfig{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})).
+		For(&redhatcopv1alpha1.GitHubSecretEngineConfig{},
+			builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{}, k8sevt.Log{})).
 		Watches(&corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
 				Kind: "Secret",
 			},
 		}, handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, a client.Object) []reconcile.Request {
 			res := []reconcile.Request{}
 			s := a.(*corev1.Secret)
+			r.Log.V(1).Info("fanning event on Secret out to applicable GitHubSecretEngineConfigs", "namespace", s.Namespace, "name", s.Name)
 			dbsecs, err := r.findApplicableGHSCForSecret(ctx, s)
 			if err != nil {
 				r.Log.Error(err, "unable to find applicable github SecretEngines for namespace", "namespace", s.Name)
@@ -140,7 +143,7 @@ func (r *GitHubSecretEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager)
 				})
 			}
 			return res
-		}), builder.WithPredicates(isSSHSecret)).
+		}), builder.WithPredicates(isSSHSecret, k8sevt.Log{})).
 		Complete(r)
 }
 

diff --git a/controllers/githubsecretenginerole_controller.go b/controllers/githubsecretenginerole_controller.go
@@ -26,6 +26,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1"
+	"github.com/redhat-cop/vault-config-operator/controllers/k8sevt"
 	"github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller"
 )
 
@@ -80,6 +81,7 @@ func (r *GitHubSecretEngineRoleReconciler) Reconcile(ctx context.Context, req ct
 // SetupWithManager sets up the controller with the Manager.
 func (r *GitHubSecretEngineRoleReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&redhatcopv1alpha1.GitHubSecretEngineRole{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})).
+		For(&redhatcopv1alpha1.GitHubSecretEngineRole{},
+			builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{}, k8sevt.Log{})).
 		Complete(r)
 }
diff --git a/controllers/group_controller.go b/controllers/group_controller.go
@@ -26,6 +26,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1"
+	"github.com/redhat-cop/vault-config-operator/controllers/k8sevt"
 	"github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller"
 )
 
@@ -77,6 +78,7 @@ func (r *GroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 // SetupWithManager sets up the controller with the Manager.
 func (r *GroupReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&redhatcopv1alpha1.Group{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})).
+		For(&redhatcopv1alpha1.Group{},
+			builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{}, k8sevt.Log{})).
 		Complete(r)
 }
diff --git a/controllers/groupalias_controller.go b/controllers/groupalias_controller.go
@@ -26,6 +26,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1"
+	"github.com/redhat-cop/vault-config-operator/controllers/k8sevt"
 	"github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller"
 )
 
@@ -77,6 +78,7 @@ func (r *GroupAliasReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 // SetupWithManager sets up the controller with the Manager.
 func (r *GroupAliasReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&redhatcopv1alpha1.GroupAlias{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})).
+		For(&redhatcopv1alpha1.GroupAlias{},
+			builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{}, k8sevt.Log{})).
 		Complete(r)
 }
diff --git a/controllers/jwtoidcauthengineconfig_controller.go b/controllers/jwtoidcauthengineconfig_controller.go
@@ -34,6 +34,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1"
+	"github.com/redhat-cop/vault-config-operator/controllers/k8sevt"
 	"github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller"
 )
 
@@ -142,14 +143,16 @@ func (r *JWTOIDCAuthEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager) e
 	}
 
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&redhatcopv1alpha1.JWTOIDCAuthEngineConfig{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})).
+		For(&redhatcopv1alpha1.JWTOIDCAuthEngineConfig{},
+			builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{}, k8sevt.Log{})).
 		Watches(&corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
 				Kind: "Secret",
 			},
 		}, handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, a client.Object) []reconcile.Request {
 			res := []reconcile.Request{}
 			s := a.(*corev1.Secret)
+			r.Log.V(1).Info("fanning event on Secret out to applicable JWTOIDCAuthEngineConfigs", "namespace", s.Namespace, "name", s.Name)
 			dbsecs, err := r.findApplicableJOAEForSecret(ctx, s)
 			if err != nil {
 				r.Log.Error(err, "unable to find applicable JWTOIDCAuthEngine for namespace", "namespace", s.Name)
@@ -164,14 +167,15 @@ func (r *JWTOIDCAuthEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager) e
 				})
 			}
 			return res
-		}), builder.WithPredicates(isBasicAuthSecret)).
+		}), builder.WithPredicates(isBasicAuthSecret, k8sevt.Log{})).
 		Watches(&redhatcopv1alpha1.RandomSecret{
 			TypeMeta: metav1.TypeMeta{
 				Kind: "RandomSecret",
 			},
 		}, handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, a client.Object) []reconcile.Request {
 			res := []reconcile.Request{}
 			rs := a.(*redhatcopv1alpha1.RandomSecret)
+			r.Log.V(1).Info("fanning event on RandomSecret out to applicable JWTOIDCAuthEngineConfigs", "namespace", rs.Namespace, "name", rs.Name)
 			dbsecs, err := r.findApplicableJOAEForRandomSecret(ctx, rs)
 			if err != nil {
 				r.Log.Error(err, "unable to find applicable JWTOIDCAuthEngine for namespace", "namespace", rs.Name)
@@ -186,7 +190,7 @@ func (r *JWTOIDCAuthEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager) e
 				})
 			}
 			return res
-		}), builder.WithPredicates(isUpdatedRandomSecret)).
+		}), builder.WithPredicates(isUpdatedRandomSecret, k8sevt.Log{})).
 		Complete(r)
 
 }

diff --git a/controllers/jwtoidcauthenginerole_controller.go b/controllers/jwtoidcauthenginerole_controller.go
@@ -26,6 +26,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	redhatcopv1alpha1 "github.com/redhat-cop/vault-config-operator/api/v1alpha1"
+	"github.com/redhat-cop/vault-config-operator/controllers/k8sevt"
 	"github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller"
 )
 
@@ -75,6 +76,7 @@ func (r *JWTOIDCAuthEngineRoleReconciler) Reconcile(ctx context.Context, req ctr
 // SetupWithManager sets up the controller with the Manager.
 func (r *JWTOIDCAuthEngineRoleReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&redhatcopv1alpha1.JWTOIDCAuthEngineRole{}, builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{})).
+		For(&redhatcopv1alpha1.JWTOIDCAuthEngineRole{},
+			builder.WithPredicates(vaultresourcecontroller.ResourceGenerationChangedPredicate{}, k8sevt.Log{})).
 		Complete(r)
 }