feat: preserve secrets referenced by application replicasets

Author: tronghn

charts/Chart.yaml

@@ -2,6 +2,6 @@ apiVersion: v2
 name: azurerator
 description: Operator that reconciles Azure AD applications.
 type: application
-version: 0.6.0
+version: 0.7.0
 sources:
   - https://github.com/nais/azurerator/tree/master/charts

charts/templates/rbac.yaml

@@ -39,6 +39,14 @@ rules:
       - list
       - get
       - watch
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - list
+      - get
+      - watch
 
 ---
 # permissions to do leader election.

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/go-jose/go-jose/v4 v4.0.4
 	github.com/go-logr/zapr v1.3.0
 	github.com/google/uuid v1.6.0
-	github.com/nais/liberator v0.0.0-20241216095017-87471bb214d0
+	github.com/nais/liberator v0.0.0-20241219121707-182675e6f1ad
 	github.com/nais/msgraph.go v0.1.5
 	github.com/prometheus/client_golang v1.20.5
 	github.com/sethvargo/go-retry v0.3.0

go.sum

@@ -42,8 +42,8 @@ github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
-github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -163,8 +163,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/nais/liberator v0.0.0-20241216095017-87471bb214d0 h1:N2yzxyyI5h8w4NtcYWeGaDIZhiluf1vN1/nGbeKkNSs=
-github.com/nais/liberator v0.0.0-20241216095017-87471bb214d0/go.mod h1:gRUXR0S/Il3JnHlfc6ESLAih27Su+WFPm5aaXp/tHpE=
+github.com/nais/liberator v0.0.0-20241219121707-182675e6f1ad h1:Z/HPNfZgmNsqlBwfwUE9DMyhsQThpQnudadqncwGdik=
+github.com/nais/liberator v0.0.0-20241219121707-182675e6f1ad/go.mod h1:DtQgc26XvoZFe8jy0++wbuFUu5yCFTQ3vGV+y7TA7Uw=
 github.com/nais/msgraph.go v0.1.5 h1:Sf9/DUZ8mMipgG2bDE249mHTo8E9qV8tBJpAbuuQsJw=
 github.com/nais/msgraph.go v0.1.5/go.mod h1:WhEs+KY7Nrt3rpUZwCpSKtwy2CiL+YG+OJ+vhh2/ZMU=
 github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=

hack/resources/02-rbac.yaml

@@ -18,7 +18,7 @@ rules:
       - create
       - update
   - apiGroups:
-      - '*'
+      - ""
     resources:
       - secrets
       - events
@@ -31,14 +31,22 @@ rules:
       - update
       - patch
   - apiGroups:
-      - '*'
+      - ""
     resources:
       - pods
       - namespaces
     verbs:
       - list
       - get
       - watch
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - list
+      - get
+      - watch
   - apiGroups:
     - coordination.k8s.io
     resources:

pkg/reconciler/secrets/secrets.go

@@ -58,7 +58,7 @@ func (s secretsReconciler) Prepare(ctx context.Context, instance *v1.AzureAdAppl
 		return nil, fmt.Errorf("getting managed secrets: %w", err)
 	}
 
-	secretsExtractor := secrets.NewExtractor(*managedSecrets, dataKeys)
+	secretsExtractor := secrets.NewExtractor(managedSecrets, dataKeys)
 
 	keyIDs := func() credentials.KeyIDs {
 		keyIDs := secretsExtractor.GetKeyIDs()
@@ -79,7 +79,7 @@ func (s secretsReconciler) Prepare(ctx context.Context, instance *v1.AzureAdAppl
 		},
 		DataKeys:       dataKeys,
 		KeyIDs:         keyIDs,
-		ManagedSecrets: *managedSecrets,
+		ManagedSecrets: managedSecrets,
 	}, nil
 }
 
@@ -156,26 +156,13 @@ func (s secretsReconciler) createOrUpdate(tx transaction.Transaction, result res
 	return nil
 }
 
-func (s secretsReconciler) getManaged(ctx context.Context, instance *v1.AzureAdApplication) (*kubernetes.SecretLists, error) {
-	// fetch all application pods for this app
-	podList, err := kubernetes.ListPodsForApplication(ctx, s.reader, instance.GetName(), instance.GetNamespace())
-	if err != nil {
-		return nil, err
-	}
-
-	// fetch all managed secrets
-	var allSecrets corev1.SecretList
-	opts := []client.ListOption{
-		client.InNamespace(instance.GetNamespace()),
-		client.MatchingLabels(labels.Labels(instance)),
+func (s secretsReconciler) getManaged(ctx context.Context, instance *v1.AzureAdApplication) (kubernetes.SecretLists, error) {
+	objectKey := client.ObjectKey{
+		Name:      instance.GetName(),
+		Namespace: instance.GetNamespace(),
 	}
-	if err := s.reader.List(ctx, &allSecrets, opts...); err != nil {
-		return nil, err
-	}
-
-	// find intersect between secrets in use by application pods and all managed secrets
-	podSecrets := kubernetes.ListUsedAndUnusedSecretsForPods(allSecrets, podList)
-	return &podSecrets, nil
+	secretLabels := labels.Labels(instance)
+	return kubernetes.ListSecretsForApplication(ctx, s.reader, objectKey, secretLabels)
 }
 
 func (s secretsReconciler) DeleteUnused(tx transaction.Transaction) error {