Implement .metadata.ownerReferences handling

jkroepke · jkroepke · commit 71a75bea2168 · 2021-09-22T12:00:45.000+02:00
diff --git a/README.md b/README.md
@@ -193,3 +193,14 @@ type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: e30K
 ```
+
+#### Special case: Resource with .metadata.ownerReferences
+
+Sometimes, secrets are generated by external components. Such secrets are configured with an ownerReference. By default, the kubernetes-replicator will copy the 
+ownerReference to the target namespace, too.
+
+ownerReference won't work [across different namespaces](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/#owners-and-dependents) and the secret at the destination will be removed by the kubernetes garbage collection.
+
+By set `-strip-owner-reference=true` as CLI argument, kubernetes-replicator will strip the ownerReference fields to avoid deletion of the secrets in the destination.
+
+See also: https://github.com/mittwald/kubernetes-replicator/issues/120
diff --git a/config.go b/config.go
@@ -3,11 +3,12 @@ package main
 import "time"
 
 type flags struct {
-	Kubeconfig    string
-	ResyncPeriodS string
-	ResyncPeriod  time.Duration
-	StatusAddr    string
-	AllowAll      bool
-	LogLevel      string
-	LogFormat     string
+	Kubeconfig          string
+	ResyncPeriodS       string
+	ResyncPeriod        time.Duration
+	StatusAddr          string
+	AllowAll            bool
+	StripOwnerReference bool
+	LogLevel            string
+	LogFormat           string
 }
diff --git a/deploy/helm-chart/kubernetes-replicator/values.yaml b/deploy/helm-chart/kubernetes-replicator/values.yaml
@@ -9,6 +9,7 @@ grantClusterAdmin: false
 args: []
   # - -resync-period=30m
   # - -allow-all=false
+  # - -strip-owner-reference=true
 
 serviceAccount:
   create: true
diff --git a/main.go b/main.go
@@ -30,6 +30,7 @@ func init() {
 	flag.StringVar(&f.LogLevel, "log-level", "info", "Log level (trace, debug, info, warn, error)")
 	flag.StringVar(&f.LogFormat, "log-format", "plain", "Log format (plain, json)")
 	flag.BoolVar(&f.AllowAll, "allow-all", false, "allow replication of all secrets (CAUTION: only use when you know what you're doing)")
+	flag.BoolVar(&f.StripOwnerReference, "strip-owner-reference", false, "strip metadata.ownerReference while copy resources")
 	flag.Parse()
 
 	switch strings.ToUpper(strings.TrimSpace(f.LogLevel)) {
@@ -80,10 +81,10 @@ func main() {
 
 	client = kubernetes.NewForConfigOrDie(config)
 
-	secretRepl := secret.NewReplicator(client, f.ResyncPeriod, f.AllowAll)
-	configMapRepl := configmap.NewReplicator(client, f.ResyncPeriod, f.AllowAll)
-	roleRepl := role.NewReplicator(client, f.ResyncPeriod, f.AllowAll)
-	roleBindingRepl := rolebinding.NewReplicator(client, f.ResyncPeriod, f.AllowAll)
+	secretRepl := secret.NewReplicator(client, f.ResyncPeriod, f.AllowAll, f.StripOwnerReference)
+	configMapRepl := configmap.NewReplicator(client, f.ResyncPeriod, f.AllowAll, f.StripOwnerReference)
+	roleRepl := role.NewReplicator(client, f.ResyncPeriod, f.AllowAll, f.StripOwnerReference)
+	roleBindingRepl := rolebinding.NewReplicator(client, f.ResyncPeriod, f.AllowAll, f.StripOwnerReference)
 
 	go secretRepl.Run()
 
diff --git a/replicate/common/generic-replicator.go b/replicate/common/generic-replicator.go
@@ -22,13 +22,14 @@ import (
 )
 
 type ReplicatorConfig struct {
-	Kind         string
-	Client       kubernetes.Interface
-	ResyncPeriod time.Duration
-	AllowAll     bool
-	ListFunc     cache.ListFunc
-	WatchFunc    cache.WatchFunc
-	ObjType      runtime.Object
+	Kind                string
+	Client              kubernetes.Interface
+	ResyncPeriod        time.Duration
+	AllowAll            bool
+	StripOwnerReference bool
+	ListFunc            cache.ListFunc
+	WatchFunc           cache.WatchFunc
+	ObjType             runtime.Object
 }
 
 type UpdateFuncs struct {
diff --git a/replicate/common/namespaces.go b/replicate/common/namespaces.go
@@ -61,7 +61,7 @@ func (nw *NamespaceWatcher) create(client kubernetes.Interface, resyncPeriod tim
 			&v1.Namespace{},
 			resyncPeriod,
 			cache.ResourceEventHandlerFuncs{
-				AddFunc: namespaceAdded,
+				AddFunc:    namespaceAdded,
 				UpdateFunc: namespaceUpdated,
 			},
 		)
diff --git a/replicate/configmap/configmaps.go b/replicate/configmap/configmaps.go
@@ -25,14 +25,15 @@ type Replicator struct {
 }
 
 // NewReplicator creates a new config map replicator
-func NewReplicator(client kubernetes.Interface, resyncPeriod time.Duration, allowAll bool) common.Replicator {
+func NewReplicator(client kubernetes.Interface, resyncPeriod time.Duration, allowAll bool, stripOwnerReference bool) common.Replicator {
 	repl := Replicator{
 		GenericReplicator: common.NewGenericReplicator(common.ReplicatorConfig{
-			Kind:         "ConfigMap",
-			ObjType:      &v1.ConfigMap{},
-			AllowAll:     allowAll,
-			ResyncPeriod: resyncPeriod,
-			Client:       client,
+			Kind:                "ConfigMap",
+			ObjType:             &v1.ConfigMap{},
+			AllowAll:            allowAll,
+			StripOwnerReference: stripOwnerReference,
+			ResyncPeriod:        resyncPeriod,
+			Client:              client,
 			ListFunc: func(lo metav1.ListOptions) (runtime.Object, error) {
 				return client.CoreV1().ConfigMaps("").List(context.TODO(), lo)
 			},
@@ -72,6 +73,10 @@ func (r *Replicator) ReplicateDataFrom(sourceObj interface{}, targetObj interfac
 
 	targetCopy := target.DeepCopy()
 
+	if r.StripOwnerReference {
+		targetCopy.OwnerReferences = nil
+	}
+
 	if targetCopy.Data == nil {
 		targetCopy.Data = make(map[string]string)
 	}
diff --git a/replicate/role/roles.go b/replicate/role/roles.go
@@ -24,14 +24,15 @@ type Replicator struct {
 }
 
 // NewReplicator creates a new role replicator
-func NewReplicator(client kubernetes.Interface, resyncPeriod time.Duration, allowAll bool) common.Replicator {
+func NewReplicator(client kubernetes.Interface, resyncPeriod time.Duration, allowAll bool, stripOwnerReference bool) common.Replicator {
 	repl := Replicator{
 		GenericReplicator: common.NewGenericReplicator(common.ReplicatorConfig{
-			Kind:         "Role",
-			ObjType:      &rbacv1.Role{},
-			AllowAll:     allowAll,
-			ResyncPeriod: resyncPeriod,
-			Client:       client,
+			Kind:                "Role",
+			ObjType:             &rbacv1.Role{},
+			AllowAll:            allowAll,
+			StripOwnerReference: stripOwnerReference,
+			ResyncPeriod:        resyncPeriod,
+			Client:              client,
 			ListFunc: func(lo metav1.ListOptions) (runtime.Object, error) {
 				return client.RbacV1().Roles("").List(context.TODO(), lo)
 			},
@@ -74,6 +75,10 @@ func (r *Replicator) ReplicateDataFrom(sourceObj interface{}, targetObj interfac
 
 	targetCopy := target.DeepCopy()
 
+	if r.StripOwnerReference {
+		targetCopy.OwnerReferences = nil
+	}
+
 	targetCopy.Rules = source.Rules
 
 	logger.Infof("updating target %s/%s", target.Namespace, target.Name)
diff --git a/replicate/role/roles_test.go b/replicate/role/roles_test.go
@@ -79,7 +79,7 @@ func TestRoleReplicator(t *testing.T) {
 	prefix := namespacePrefix()
 	client := kubernetes.NewForConfigOrDie(config)
 
-	repl := NewReplicator(client, 60*time.Second, false)
+	repl := NewReplicator(client, 60*time.Second, false, false)
 	go repl.Run()
 
 	time.Sleep(200 * time.Millisecond)
diff --git a/replicate/rolebinding/rolebindings.go b/replicate/rolebinding/rolebindings.go
@@ -26,14 +26,15 @@ type Replicator struct {
 const sleepTime = 100 * time.Millisecond
 
 // NewReplicator creates a new secret replicator
-func NewReplicator(client kubernetes.Interface, resyncPeriod time.Duration, allowAll bool) common.Replicator {
+func NewReplicator(client kubernetes.Interface, resyncPeriod time.Duration, allowAll bool, stripOwnerReference bool) common.Replicator {
 	repl := Replicator{
 		GenericReplicator: common.NewGenericReplicator(common.ReplicatorConfig{
-			Kind:         "RoleBinding",
-			ObjType:      &rbacv1.RoleBinding{},
-			AllowAll:     allowAll,
-			ResyncPeriod: resyncPeriod,
-			Client:       client,
+			Kind:                "RoleBinding",
+			ObjType:             &rbacv1.RoleBinding{},
+			AllowAll:            allowAll,
+			StripOwnerReference: stripOwnerReference,
+			ResyncPeriod:        resyncPeriod,
+			Client:              client,
 			ListFunc: func(lo metav1.ListOptions) (runtime.Object, error) {
 				return client.RbacV1().RoleBindings("").List(context.TODO(), lo)
 			},
@@ -75,6 +76,11 @@ func (r *Replicator) ReplicateDataFrom(sourceObj interface{}, targetObj interfac
 	}
 
 	targetCopy := target.DeepCopy()
+
+	if r.StripOwnerReference {
+		targetCopy.OwnerReferences = nil
+	}
+
 	targetCopy.Subjects = source.Subjects
 
 	log.Infof("updating target %s/%s", target.Namespace, target.Name)
diff --git a/replicate/secret/secrets.go b/replicate/secret/secrets.go
@@ -25,14 +25,15 @@ type Replicator struct {
 }
 
 // NewReplicator creates a new secret replicator
-func NewReplicator(client kubernetes.Interface, resyncPeriod time.Duration, allowAll bool) common.Replicator {
+func NewReplicator(client kubernetes.Interface, resyncPeriod time.Duration, allowAll bool, stripOwnerReference bool) common.Replicator {
 	repl := Replicator{
 		GenericReplicator: common.NewGenericReplicator(common.ReplicatorConfig{
-			Kind:         "Secret",
-			ObjType:      &v1.Secret{},
-			AllowAll:     allowAll,
-			ResyncPeriod: resyncPeriod,
-			Client:       client,
+			Kind:                "Secret",
+			ObjType:             &v1.Secret{},
+			AllowAll:            allowAll,
+			StripOwnerReference: stripOwnerReference,
+			ResyncPeriod:        resyncPeriod,
+			Client:              client,
 			ListFunc: func(lo metav1.ListOptions) (runtime.Object, error) {
 				return client.CoreV1().Secrets("").List(context.TODO(), lo)
 			},
@@ -76,6 +77,10 @@ func (r *Replicator) ReplicateDataFrom(sourceObj interface{}, targetObj interfac
 
 	targetCopy := target.DeepCopy()
 
+	if r.StripOwnerReference {
+		targetCopy.OwnerReferences = nil
+	}
+
 	if targetCopy.Data == nil {
 		targetCopy.Data = make(map[string][]byte)
 	}
diff --git a/replicate/secret/secrets_test.go b/replicate/secret/secrets_test.go
@@ -80,7 +80,7 @@ func TestSecretReplicator(t *testing.T) {
 	prefix := namespacePrefix()
 	client := kubernetes.NewForConfigOrDie(config)
 
-	repl := NewReplicator(client, 60*time.Second, false)
+	repl := NewReplicator(client, 60*time.Second, false, false)
 	go repl.Run()
 
 	time.Sleep(200 * time.Millisecond)
@@ -1062,6 +1062,126 @@ func TestSecretReplicator(t *testing.T) {
 
 }
 
+func TestSecretReplicatorWithStripOwnerReference(t *testing.T) {
+
+	log.SetLevel(log.TraceLevel)
+	log.SetFormatter(&PlainFormatter{})
+
+	kubeconfig := os.Getenv("KUBECONFIG")
+	//is KUBECONFIG is not specified try to use the local KUBECONFIG or the in cluster config
+	if len(kubeconfig) == 0 {
+		if home := homeDir(); home != "" && home != "/root" {
+			kubeconfig = filepath.Join(home, ".kube", "config")
+		}
+	}
+
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	require.NoError(t, err)
+
+	prefix := namespacePrefix()
+	client := kubernetes.NewForConfigOrDie(config)
+
+	repl := NewReplicator(client, 60*time.Second, false, true)
+	go repl.Run()
+
+	time.Sleep(200 * time.Millisecond)
+
+	ns := corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: prefix + "test-1",
+		},
+	}
+	_, err = client.CoreV1().Namespaces().Create(context.TODO(), &ns, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	ns2 := corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: prefix + "test2-2",
+			Labels: map[string]string{
+				"foo": "bar",
+			}},
+	}
+	_, err = client.CoreV1().Namespaces().Create(context.TODO(), &ns2, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	defer func() {
+		_ = client.CoreV1().Namespaces().Delete(context.TODO(), ns.Name, metav1.DeleteOptions{})
+		_ = client.CoreV1().Namespaces().Delete(context.TODO(), ns2.Name, metav1.DeleteOptions{})
+	}()
+
+	secrets := client.CoreV1().Secrets(prefix + "test")
+
+	const MaxWaitTime = 1000 * time.Millisecond
+	t.Run("replicates from existing secret", func(t *testing.T) {
+		source := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "source",
+				Namespace: ns.Name,
+				Annotations: map[string]string{
+					common.ReplicationAllowed:           "true",
+					common.ReplicationAllowedNamespaces: ns.Name,
+				},
+				OwnerReferences: []metav1.OwnerReference{
+					{
+						APIVersion: "v1",
+						Kind:       "Deployment",
+						Name:       "test",
+						UID:        "1234",
+					},
+				},
+			},
+			Type: corev1.SecretTypeOpaque,
+			Data: map[string][]byte{
+				"foo": []byte("Hello World"),
+			},
+		}
+
+		target := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "target",
+				Namespace: ns.Name,
+				Annotations: map[string]string{
+					common.ReplicateFromAnnotation: common.MustGetKey(&source),
+				},
+			},
+			Type: corev1.SecretTypeOpaque,
+		}
+
+		wg, stop := waitForSecrets(client, 3, EventHandlerFuncs{
+			AddFunc: func(wg *sync.WaitGroup, obj interface{}) {
+				secret := obj.(*corev1.Secret)
+				if secret.Namespace == source.Namespace && secret.Name == source.Name {
+					log.Debugf("AddFunc %+v", obj)
+					wg.Done()
+				} else if secret.Namespace == target.Namespace && secret.Name == target.Name {
+					log.Debugf("AddFunc %+v", obj)
+					wg.Done()
+				}
+			},
+			UpdateFunc: func(wg *sync.WaitGroup, oldObj interface{}, newObj interface{}) {
+				secret := oldObj.(*corev1.Secret)
+				if secret.Namespace == target.Namespace && secret.Name == target.Name {
+					log.Debugf("UpdateFunc %+v -> %+v", oldObj, newObj)
+					wg.Done()
+				}
+			},
+		})
+
+		_, err := secrets.Create(context.TODO(), &source, metav1.CreateOptions{})
+		require.NoError(t, err)
+
+		_, err = secrets.Create(context.TODO(), &target, metav1.CreateOptions{})
+		require.NoError(t, err)
+
+		waitWithTimeout(wg, MaxWaitTime)
+		close(stop)
+
+		updTarget, err := secrets.Get(context.TODO(), target.Name, metav1.GetOptions{})
+		require.NoError(t, err)
+		require.Equal(t, []byte("Hello World"), updTarget.Data["foo"])
+	})
+}
+
 func waitForNamespaces(client *kubernetes.Clientset, count int, eventHandlers EventHandlerFuncs) (wg *sync.WaitGroup, stop chan struct{}) {
 	wg = &sync.WaitGroup{}
 	wg.Add(count)

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ func (nw *NamespaceWatcher) create(client kubernetes.Interface, resyncPeriod tim`
`61`	`61`	`&v1.Namespace{},`
`62`	`62`	`resyncPeriod,`
`63`	`63`	`cache.ResourceEventHandlerFuncs{`
`64`		`- AddFunc: namespaceAdded,`
	`64`	`+ AddFunc: namespaceAdded,`
`65`	`65`	`UpdateFunc: namespaceUpdated,`
`66`	`66`	`},`
`67`	`67`	`)`