Ensuring secrets are created

arangodb · ewoutp · Feb 27, 2018 · Feb 26, 2018 · Feb 26, 2018 · Feb 26, 2018
commit e68fd5d130aa09b1954c81b129daa1e4a291d1e3
diff --git a/pkg/deployment/deployment.go b/pkg/deployment/deployment.go
@@ -148,6 +148,12 @@ func (d *Deployment) send(ev *deploymentEvent) {
 func (d *Deployment) run() {
 	log := d.deps.Log
 
+	// Create secrets
+	if err := d.createSecrets(d.apiObject); err != nil {
+		d.failOnError(err, "Failed to create secrets")
+		return
+	}
+
 	// Create services
 	if err := d.createServices(d.apiObject); err != nil {
 		d.failOnError(err, "Failed to create services")

diff --git a/pkg/deployment/secrets.go b/pkg/deployment/secrets.go
@@ -23,14 +23,65 @@
 package deployment
 
 import (
+	"crypto/rand"
+	"encoding/hex"
 	"fmt"
 
+	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	api "github.com/arangodb/k8s-operator/pkg/apis/arangodb/v1alpha"
 	"github.com/arangodb/k8s-operator/pkg/util/k8sutil"
 )
 
+// createSecrets creates all secrets needed to run the given deployment
+func (d *Deployment) createSecrets(apiObject *api.ArangoDeployment) error {
+	if apiObject.Spec.IsAuthenticated() {
+		if err := d.ensureJWTSecret(apiObject.Spec.Authentication.JWTSecretName); err != nil {
+			return maskAny(err)
+		}
+	}
+	return nil
+}
+
+// ensureJWTSecret checks if a secret with given name exists in the namespace
+// of the deployment. If not, it will add such a secret with a random
+// JWT token.
+func (d *Deployment) ensureJWTSecret(secretName string) error {
+	kubecli := d.deps.KubeCli
+	ns := d.apiObject.GetNamespace()
+	if _, err := kubecli.CoreV1().Secrets(ns).Get(secretName, metav1.GetOptions{}); k8sutil.IsNotFound(err) {
+		// Secret not found, create it
+		// Create token
+		tokenData := make([]byte, 32)
+		rand.Read(tokenData)
+		token := hex.EncodeToString(tokenData)
+
+		// Create secret
+		secret := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: secretName,
+			},
+			Data: map[string][]byte{
+				"token": []byte(token),
+			},
+		}
+		// Attach secret to deployment
+		secret.SetOwnerReferences(append(secret.GetOwnerReferences(), d.apiObject.AsOwner()))
+		if _, err := kubecli.CoreV1().Secrets(ns).Create(secret); k8sutil.IsAlreadyExists(err) {
+			// Secret added while we tried it also
+			return nil
+		} else if err != nil {
+			// Failed to create secret
+			return maskAny(err)
+		}
+	} else if err != nil {
+		// Failed to get secret for other reasons
+		return maskAny(err)
+	}
+	return nil
+}
+
 // getJWTSecret loads the JWT secret from a Secret configured in apiObject.Spec.Authentication.JWTSecretName.
 func (d *Deployment) getJWTSecret(apiObject *api.ArangoDeployment) (string, error) {
 	if !apiObject.Spec.IsAuthenticated() {