resolve comment and add test

adevhammer · Dec 10, 2019 · 1cec0d1 · 1cec0d1
1 parent 3d46462
commit 1cec0d1
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -290,6 +290,9 @@ that only the intended `SealedSecret` is uploaded to the cluster.  The
 only change from existing Kubernetes is that the *contents* of the
 `Secret` are now hidden while outside the cluster.
 
+### Managing existing secrets
+If you want `SealedSecret` controller to take management of an existing `Secret`, then you have to annotate that `Secret` with the annotation `sealedsecrets.bitnami.com/managed: true` ahead applying the [Usage](#USage) steps.
+
 ### Update existing secrets
 
 If you want to add or update exising sealed secrets without having the cleartext for the other items,

diff --git a/cmd/controller/controller.go b/cmd/controller/controller.go
@@ -61,10 +61,6 @@ type Controller struct {
 	oldGCBehavior bool // feature flag to revert to old behavior where we delete the secrets instead of relying on owners reference.
 }
 
-// Annotation flag key that the controller will check on the found Secret
-// objects to decide if it's will take over and manage it or not.
-const ManagedAnnotation = "sealedsecrets.bitnami.com/managed"
-
 func unseal(sclient v1.SecretsGetter, codecs runtimeserializer.CodecFactory, keyRegistry *KeyRegistry, ssecret *ssv1alpha1.SealedSecret) error {
 	// Important: Be careful not to reveal the namespace/name of
 	// the *decrypted* Secret (or any other detail) in error/log
@@ -323,7 +319,7 @@ func (c *Controller) updateOwnerReferences(existing, new *corev1.Secret) {
 
 // checks if the annotation equals to "true", and it's case sensitive
 func isAnnotatedToBeManaged(secret *corev1.Secret) bool {
-	return secret.Annotations[ManagedAnnotation] == "true"
+	return secret.Annotations[ssv1alpha1.SealedSecretManagedAnnotation] == "true"
 }
 
 // AttemptUnseal tries to unseal a secret.

diff --git a/integration/controller_test.go b/integration/controller_test.go
@@ -43,6 +43,11 @@ func getData(s *v1.Secret) map[string][]byte {
 	return s.Data
 }
 
+// get the first owner name assuming there is only one owner
+func getFirstOwnerName(s *v1.Secret) string {
+	return s.OwnerReferences[0].Name
+}
+
 func getSecretType(s *v1.Secret) v1.SecretType {
 	return s.Type
 }
@@ -230,6 +235,29 @@ var _ = Describe("create", func() {
 		})
 	})
 
+	Describe("Secret already exists", func() {
+		Context("With managed annoation", func() {
+			BeforeEach(func() {
+				s.Annotations = map[string]string{
+					ssv1alpha1.SealedSecretManagedAnnotation: "true",
+				}
+				c.Secrets(ns).Create(s)
+
+			})
+			It("should manage existing Secret", func() {
+				expected := map[string][]byte{
+					"foo": []byte("bar"),
+				}
+				Eventually(func() (*v1.Secret, error) {
+					return c.Secrets(ns).Get(secretName, metav1.GetOptions{})
+				}, Timeout, PollingInterval).Should(WithTransform(getData, Equal(expected)))
+				Eventually(func() (*v1.Secret, error) {
+					return c.Secrets(ns).Get(secretName, metav1.GetOptions{})
+				}, Timeout, PollingInterval).Should(WithTransform(getFirstOwnerName, Equal(ss.GetName())))
+			})
+		})
+	})
+
 	Describe("Same name, wrong key", func() {
 		BeforeEach(func() {
 			// NB: weak keysize - this is just a test case

diff --git a/pkg/apis/sealed-secrets/v1alpha1/types.go b/pkg/apis/sealed-secrets/v1alpha1/types.go
@@ -21,6 +21,10 @@ const (
 	// SealedSecretNamespaceWideAnnotation is the name for the annotation for
 	// setting the secret to be available namespace wide.
 	SealedSecretNamespaceWideAnnotation = annoNs + "namespace-wide"
+
+	// SealedSecretManagedAnnotation is the name for the annotation for
+	// flaging the existing secrets be managed by SealedSecret controller.
+ 	SealedSecretManagedAnnotation = annoNs + "managed"
 )
 
 // SecretTemplateSpec describes the structure a Secret should have