in pkg/controller/keyvault/ingress_secret_provider_class.go [59:158]
func (i *IngressSecretProviderClassReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, retErr error) {
// do metrics
defer func() {
// placing this call inside a closure allows for result and err to be bound after Reconcile executes
// this makes sure they have the proper value
// just calling defer metrics.HandleControllerReconcileMetrics(controllerName, result, err) would bind
// the values of result and err to their zero values, since they were just instantiated
metrics.HandleControllerReconcileMetrics(ingressSecretProviderControllerName, result, retErr)
}()
logger, err := logr.FromContext(ctx)
if err != nil {
return ctrl.Result{}, err
}
logger = ingressSecretProviderControllerName.AddToLogger(logger).WithValues("name", req.Name, "namespace", req.Namespace)
logger.Info("getting Ingress")
ing := &netv1.Ingress{}
err = i.client.Get(ctx, req.NamespacedName, ing)
if err != nil {
return ctrl.Result{}, client.IgnoreNotFound(err)
}
logger = logger.WithValues("name", ing.Name, "namespace", ing.Namespace, "generation", ing.Generation)
spc := &secv1.SecretProviderClass{
TypeMeta: metav1.TypeMeta{
APIVersion: "secrets-store.csi.x-k8s.io/v1",
Kind: "SecretProviderClass",
},
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("keyvault-%s", ing.Name),
Namespace: ing.Namespace,
Labels: manifests.GetTopLevelLabels(),
OwnerReferences: []metav1.OwnerReference{{
APIVersion: ing.APIVersion,
Controller: util.ToPtr(true),
Kind: ing.Kind,
Name: ing.Name,
UID: ing.UID,
}},
},
}
logger = logger.WithValues("spc", spc.Name)
// Checking if we manage the ingress. All false cases without an error are assumed that we don't manage it
var isManaged bool
if isManaged, err = i.ingressManager.IsManaging(ing); err != nil {
logger.Error(err, fmt.Sprintf("failed while checking if ingress was managed with error: %s.", err.Error()))
return ctrl.Result{}, fmt.Errorf("determining if ingress is managed: %w", err)
}
if isManaged {
logManagedIngress(logger, ing)
if shouldDeploySpc(ing) {
spcConf := spcConfig{
ClientId: i.config.MSIClientID,
TenantId: i.config.TenantID,
KeyvaultCertUri: ing.Annotations["kubernetes.azure.com/tls-cert-keyvault-uri"],
Name: certSecretName(ing.Name),
Cloud: i.config.Cloud,
}
if err = buildSPC(spc, spcConf); err != nil {
var userErr util.UserError
if errors.As(err, &userErr) {
logger.Info(fmt.Sprintf("failed to build secret provider class for ingress with error: %s. sending warning event", userErr.Error()))
i.events.Eventf(ing, corev1.EventTypeWarning, "InvalidInput", "error while processing Keyvault reference: %s", userErr.UserError())
return ctrl.Result{}, nil
}
logger.Error(err, fmt.Sprintf("failed to build secret provider class for ingress with error: %s.", err.Error()))
return ctrl.Result{}, err
}
logger.Info("reconciling secret provider class for ingress")
if err = util.Upsert(ctx, i.client, spc); err != nil {
i.events.Eventf(ing, corev1.EventTypeWarning, "FailedUpdateOrCreateSPC", "error while creating or updating SecretProviderClass needed to pull Keyvault reference: %s", err.Error())
logger.Error(err, fmt.Sprintf("failed to upsert secret provider class for ingress with error: %s.", err.Error()))
}
return ctrl.Result{}, err
}
}
logger.Info("cleaning unused managed spc for ingress")
logger.Info("getting secret provider class for ingress")
toCleanSPC := &secv1.SecretProviderClass{}
if err = i.client.Get(ctx, client.ObjectKeyFromObject(spc), toCleanSPC); err != nil {
return ctrl.Result{}, client.IgnoreNotFound(err)
}
if manifests.HasTopLevelLabels(toCleanSPC.Labels) {
logger.Info("removing secret provider class for ingress")
err = i.client.Delete(ctx, toCleanSPC)
return ctrl.Result{}, client.IgnoreNotFound(err)
}
return result, nil
}