Added sort by key creation timestamp on startup

Controller now reads old keys on startup in order of their creation times. This means the last key added is guaranteed to be the most recent. This commit also fixes an integration test issue when integration tests are run against a controller with more than one key. Issue was that fetching keys may not retrieve them in order, meaning the tests were encrypting the test secret with a different key (via kubeseal) that unencrypting (via retrieved private key), causing some tests to fail. Sort in the tests fixes this issue.
adevhammer · May 2, 2019 · da4194f · da4194f
1 parent 24eeb7b
commit da4194f
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -10,6 +10,7 @@ import (
 	"log"
 	"os"
 	"os/signal"
+	"sort"
 	"strings"
 	"syscall"
 	"time"
@@ -20,6 +21,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 
+	ssv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealed-secrets/v1alpha1"
 	sealedsecrets "github.com/bitnami-labs/sealed-secrets/pkg/client/clientset/versioned"
 	ssinformers "github.com/bitnami-labs/sealed-secrets/pkg/client/informers/externalversions"
 )
@@ -69,6 +71,7 @@ func initKeyRegistry(client kubernetes.Interface, r io.Reader, namespace, prefix
 		return nil, err
 	}
 	keyRegistry := NewKeyRegistry(client, namespace, prefix, label, keysize)
+	sort.Sort(ssv1alpha1.ByCreationTimestamp(secretList.Items))
 	for _, secret := range secretList.Items {
 		key, certs, err := readKey(secret)
 		if err != nil {

diff --git a/integration/controller_test.go b/integration/controller_test.go
@@ -9,6 +9,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
+	"sort"
 	"time"
 
 	"k8s.io/api/core/v1"
@@ -41,15 +42,11 @@ func fetchKeys(c corev1.SecretsGetter) (*rsa.PrivateKey, []*x509.Certificate, er
 		return nil, nil, err
 	}
 
-	// find the latest key
-	var latestKey *v1.Secret
-	timestamp := int64(0)
+	sort.Sort(ssv1alpha1.ByCreationTimestamp(list.Items))
+	latestKey := &list.Items[len(list.Items)-1]
+
 	for _, key := range list.Items {
-		keyCreationTime := key.CreationTimestamp.Unix()
-		if key.CreationTimestamp.Unix() > timestamp {
-			latestKey = &key
-			timestamp = keyCreationTime
-		}
+		fmt.Println(key.GetCreationTimestamp())
 	}
 
 	privKey, err := certUtil.ParsePrivateKeyPEM(latestKey.Data[v1.TLSPrivateKeyKey])

diff --git a/pkg/apis/sealed-secrets/v1alpha1/types.go b/pkg/apis/sealed-secrets/v1alpha1/types.go
@@ -55,3 +55,18 @@ type SealedSecretList struct {
 
 	Items []SealedSecret `json:"items"`
 }
+
+// ByCreationTimestamp is used to sort a list of secrets
+type ByCreationTimestamp []apiv1.Secret
+
+func (s ByCreationTimestamp) Len() int {
+	return len(s)
+}
+
+func (s ByCreationTimestamp) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+func (s ByCreationTimestamp) Less(i, j int) bool {
+	return s[i].GetCreationTimestamp().Unix() < s[j].GetCreationTimestamp().Unix()
+}