[release-1.14] fix: virtual secrets created from netspec have name an…

…d namespace (#4006) * fix: virtual secrets created from netspec have name and namespace Signed-off-by: Calum Murray <[email protected]> * cleanup: return a secret instead of data, name, namespace Signed-off-by: Calum Murray <[email protected]> --------- Signed-off-by: Calum Murray <[email protected]> Co-authored-by: Calum Murray <[email protected]>
knative-extensions · Jul 24, 2024 · 4844e64 · 4844e64
1 parent 12d1f32
commit 4844e64
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 7 deletions.
diff --git a/control-plane/pkg/security/secrets_provider_net_spec.go b/control-plane/pkg/security/secrets_provider_net_spec.go
@@ -19,8 +19,11 @@ package security
 import (
 	"context"
 	"fmt"
+	"sort"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corelisters "k8s.io/client-go/listers/core/v1"
 	bindings "knative.dev/eventing-kafka-broker/control-plane/pkg/apis/bindings/v1beta1"
 
@@ -53,21 +56,21 @@ func ResolveAuthContextFromNetSpec(lister corelisters.SecretLister, namespace st
 			return nil, err
 		}
 	}
-	references, virtualSecretData := toContract(securityFields)
+	references, virtualSecret := toContract(securityFields)
 	multiSecretReference := &contract.MultiSecretReference{
 		Protocol:   getProtocolContractFromNetSpec(netSpec),
 		References: references,
 	}
-	virtualSecretData[ProtocolKey] = []byte(getProtocolFromNetSpec(netSpec))
+	virtualSecret.Data[ProtocolKey] = []byte(getProtocolFromNetSpec(netSpec))
 
 	authContext := &NetSpecAuthContext{
-		VirtualSecret:        &corev1.Secret{Data: virtualSecretData},
+		VirtualSecret:        &virtualSecret,
 		MultiSecretReference: multiSecretReference,
 	}
 	return authContext, nil
 }
 
-func toContract(securityFields []*securityField) ([]*contract.SecretReference, map[string][]byte) {
+func toContract(securityFields []*securityField) ([]*contract.SecretReference, corev1.Secret) {
 	virtualSecretData := make(map[string][]byte)
 	bySecretName := make(map[string][]securityField)
 	for _, f := range securityFields {
@@ -79,6 +82,8 @@ func toContract(securityFields []*securityField) ([]*contract.SecretReference, m
 	}
 
 	refs := make([]*contract.SecretReference, 0, 6 /* max number of secrets */)
+	names := make([]string, 0, 6)
+	namespaces := make([]string, 0, 6)
 	for secretName, securityFields := range bySecretName {
 		keyFieldReferences := make([]*contract.KeyFieldReference, 0, len(securityFields))
 		for _, f := range securityFields {
@@ -97,8 +102,16 @@ func toContract(securityFields []*securityField) ([]*contract.SecretReference, m
 			},
 			KeyFieldReferences: keyFieldReferences,
 		})
+		names = append(names, any.secret.Name)
+		namespaces = append(namespaces, any.secret.Namespace)
+	}
+	return refs, corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      stableConcat(names),
+			Namespace: stableConcat(namespaces),
+		},
+		Data: virtualSecretData,
 	}
-	return refs, virtualSecretData
 }
 
 type securityField struct {
@@ -160,3 +173,11 @@ func resolveSecret(lister corelisters.SecretLister, ns string, ref *corev1.Secre
 	}
 	return value, secret, nil
 }
+
+func stableConcat(elements []string) string {
+	sort.SliceStable(elements, func(i, j int) bool {
+		return elements[i] < elements[j]
+	})
+
+	return strings.Join(elements, "")
+}
diff --git a/control-plane/pkg/security/secrets_provider_net_spec_test.go b/control-plane/pkg/security/secrets_provider_net_spec_test.go
@@ -123,7 +123,11 @@ func TestResolveAuthContextFromNetSpec(t *testing.T) {
 					SaslMechanismKey: SaslScramSha512,
 					SaslUserKey:      "key",
 					SaslPasswordKey:  "key",
-				}},
+				}, ObjectMeta: metav1.ObjectMeta{
+					Name:      "cacertcertkeypasswordtypeuser",
+					Namespace: "nsnsnsnsnsns",
+				},
+				},
 				MultiSecretReference: &contract.MultiSecretReference{
 					Protocol: contract.Protocol_SASL_SSL,
 					References: []*contract.SecretReference{
@@ -249,7 +253,11 @@ func TestResolveAuthContextFromNetSpec(t *testing.T) {
 					SaslMechanismKey: SaslScramSha256,
 					SaslUserKey:      "key",
 					SaslPasswordKey:  "key",
-				}},
+				}, ObjectMeta: metav1.ObjectMeta{
+					Name:      "cacertcertkeypasswordtypeuser",
+					Namespace: "nsnsnsnsnsns",
+				},
+				},
 				MultiSecretReference: &contract.MultiSecretReference{
 					Protocol: contract.Protocol_SASL_SSL,
 					References: []*contract.SecretReference{
@@ -339,6 +347,9 @@ func TestResolveAuthContextFromNetSpec(t *testing.T) {
 					CaCertificateKey: "key",
 					UserCertificate:  "key",
 					UserKey:          "key",
+				}, ObjectMeta: metav1.ObjectMeta{
+					Name:      "cacertcertkey",
+					Namespace: "nsnsns",
 				}},
 				MultiSecretReference: &contract.MultiSecretReference{
 					Protocol: contract.Protocol_SSL,
@@ -400,6 +411,9 @@ func TestResolveAuthContextFromNetSpec(t *testing.T) {
 					ProtocolKey:     ProtocolSSL,
 					UserCertificate: "key",
 					UserKey:         "key",
+				}, ObjectMeta: metav1.ObjectMeta{
+					Name:      "certkey",
+					Namespace: "nsns",
 				}},
 				MultiSecretReference: &contract.MultiSecretReference{
 					Protocol: contract.Protocol_SSL,
@@ -466,6 +480,9 @@ func TestResolveAuthContextFromNetSpec(t *testing.T) {
 					SaslMechanismKey: SaslScramSha256,
 					SaslUserKey:      "key",
 					SaslPasswordKey:  "key",
+				}, ObjectMeta: metav1.ObjectMeta{
+					Name:      "passwordtypeuser",
+					Namespace: "nsnsns",
 				}},
 				MultiSecretReference: &contract.MultiSecretReference{
 					Protocol: contract.Protocol_SASL_PLAINTEXT,
@@ -538,6 +555,9 @@ func TestResolveAuthContextFromNetSpec(t *testing.T) {
 					SaslMechanismKey: SaslScramSha512,
 					SaslUserKey:      "key",
 					SaslPasswordKey:  "key",
+				}, ObjectMeta: metav1.ObjectMeta{
+					Name:      "passwordtypeuser",
+					Namespace: "nsnsns",
 				}},
 				MultiSecretReference: &contract.MultiSecretReference{
 					Protocol: contract.Protocol_SASL_PLAINTEXT,