in pkg/secrets/manager.go [154:225]
// updateSecrets reconciles the manager's tracked secrets with configs.
//
// A name that occurs more than once in configs is reported once as a
// duplicate and every config carrying that name is skipped; an entry of
// that name already held in m.secrets is then treated as stale and handed
// to provider.Remove. For each remaining config: an unchanged config keeps
// its existing entry, a changed config goes through provider.Update, and a
// name not yet tracked goes through provider.Add. Failures for individual
// configs are collected, not fatal, and the combined error is returned via
// errors.Join (nil when nothing failed). The failedSecretConfigs and
// secretsTotal gauges are refreshed at the end of every call.
func (m *Manager) updateSecrets(configs []SecretConfig) error {
	var errs []error

	// Pass 1: decide which names are usable. A name is enabled on first sight;
	// a second occurrence reports the duplicate and disables it for every
	// occurrence, so later repeats of an already disabled name are silent.
	enabledByName := make(map[string]bool)
	for _, cfg := range configs {
		wasEnabled, seen := enabledByName[cfg.Name]
		switch {
		case !seen:
			enabledByName[cfg.Name] = true
		case wasEnabled:
			errs = append(errs, fmt.Errorf("duplicate secret key %q", cfg.Name))
			enabledByName[cfg.Name] = false
		}
	}

	// Pass 2: assemble the next generation of entries. Entries are pulled out
	// of m.secrets as they are matched, so whatever remains there afterwards
	// is no longer configured and gets removed below.
	next := make(map[string]*secretEntry)
	for i := range configs {
		incoming := &configs[i]
		if !enabledByName[incoming.Name] {
			continue
		}

		existing, tracked := m.secrets[incoming.Name]
		if !tracked {
			// Not seen before: register it with the provider.
			s, err := m.provider.Add(&incoming.Config)
			if err != nil {
				errs = append(errs, err)
				continue
			}
			next[incoming.Name] = &secretEntry{
				config: incoming.Config,
				secret: s,
			}
			continue
		}

		delete(m.secrets, incoming.Name)

		same, err := yamlEqual(&existing.config, &incoming.Config)
		if err != nil {
			// NOTE(review): on a comparison or Update failure the previous entry
			// is neither kept in next nor passed to provider.Remove, so the
			// provider may be left holding a secret the manager no longer
			// tracks — confirm this is the intended failure mode.
			errs = append(errs, err)
			continue
		}
		if same {
			// Config unchanged: keep the existing entry as is.
			next[incoming.Name] = existing
			continue
		}

		// Config changed: let the provider migrate the secret.
		s, err := m.provider.Update(&existing.config, &incoming.Config)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		// NOTE(review): only the secret is replaced here; existing.config is
		// not overwritten with incoming.Config. Unless Update rewrites the old
		// config through the pointer it receives, the next call will see the
		// configs as different again and call Update a second time — verify.
		existing.secret = s
		next[incoming.Name] = existing
	}

	// Whatever was not matched above is no longer configured (or was disabled
	// as a duplicate). Remove's result, if it has one, is not inspected here.
	for _, stale := range m.secrets {
		m.provider.Remove(&stale.config)
	}
	m.secrets = next

	// total counts distinct names, including disabled duplicates; the gap
	// between that and the entries actually tracked is reported as failed.
	distinct := len(enabledByName)
	tracked := len(m.secrets)
	failedSecretConfigs.Set(float64(distinct - tracked))
	secretsTotal.Set(float64(distinct))

	return errors.Join(errs...)
}