feat: manage the secrets annotated to be managed by the controller

firebuggirl · Dec 8, 2019 · 3d46462 · 3d46462
1 parent 04043c3
commit 3d46462
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/cmd/controller/controller.go b/cmd/controller/controller.go
@@ -61,6 +61,10 @@ type Controller struct {
 	oldGCBehavior bool // feature flag to revert to old behavior where we delete the secrets instead of relying on owners reference.
 }
 
+// Annotation flag key that the controller will check on the found Secret
+// objects to decide if it's will take over and manage it or not.
+const ManagedAnnotation = "sealedsecrets.bitnami.com/managed"
+
 func unseal(sclient v1.SecretsGetter, codecs runtimeserializer.CodecFactory, keyRegistry *KeyRegistry, ssecret *ssv1alpha1.SealedSecret) error {
 	// Important: Be careful not to reveal the namespace/name of
 	// the *decrypted* Secret (or any other detail) in error/log
@@ -241,7 +245,7 @@ func (c *Controller) unseal(key string) error {
 		return err
 	}
 
-	if !metav1.IsControlledBy(secret, ssecret) {
+	if !metav1.IsControlledBy(secret, ssecret) && !isAnnotatedToBeManaged(secret) {
 		msg := fmt.Sprintf("Resource %q already exists and is not managed by SealedSecret", secret.Name)
 		c.recorder.Event(ssecret, corev1.EventTypeWarning, ErrUpdateFailed, msg)
 		return fmt.Errorf("failed update: %s", msg)
@@ -253,6 +257,7 @@ func (c *Controller) unseal(key string) error {
 	secret.Data = newSecret.Data
 	secret.Type = newSecret.Type
 	secret.ObjectMeta.Annotations = newSecret.ObjectMeta.Annotations
+	secret.ObjectMeta.OwnerReferences = newSecret.ObjectMeta.OwnerReferences
 	secret.ObjectMeta.Labels = newSecret.ObjectMeta.Labels
 
 	if !apiequality.Semantic.DeepEqual(origSecret, secret) {
@@ -316,6 +321,11 @@ func (c *Controller) updateOwnerReferences(existing, new *corev1.Secret) {
 	existing.SetOwnerReferences(ownerRefs)
 }
 
+// checks if the annotation equals to "true", and it's case sensitive
+func isAnnotatedToBeManaged(secret *corev1.Secret) bool {
+	return secret.Annotations[ManagedAnnotation] == "true"
+}
+
 // AttemptUnseal tries to unseal a secret.
 func (c *Controller) AttemptUnseal(content []byte) (bool, error) {
 	object, err := runtime.Decode(scheme.Codecs.UniversalDecoder(ssv1alpha1.SchemeGroupVersion), content)