add ownerref to scram secrets (#1204)

nammn · web-flow · commit 696cc8275651 · 2023-01-25T15:27:12.000+01:00
* [CLOUDP-132990] add ownerref to scram secrets
diff --git a/pkg/authentication/scram/mock_types_test.go b/pkg/authentication/scram/mock_types_test.go
@@ -37,6 +37,7 @@ type mockConfigurable struct {
 	opts   Options
 	users  []User
 	nsName types.NamespacedName
+	refs   []metav1.OwnerReference
 }
 
 func (m mockConfigurable) GetAgentPasswordSecretNamespacedName() types.NamespacedName {
@@ -60,5 +61,5 @@ func (m mockConfigurable) NamespacedName() types.NamespacedName {
 }
 
 func (m mockConfigurable) GetOwnerReferences() []metav1.OwnerReference {
-	return nil
+	return m.refs
 }
diff --git a/pkg/authentication/scram/scram.go b/pkg/authentication/scram/scram.go
@@ -37,7 +37,7 @@ type Configurable interface {
 	// GetAgentPasswordSecretNamespacedName returns the NamespacedName of the secret which stores the generated password for the agent.
 	GetAgentPasswordSecretNamespacedName() types.NamespacedName
 
-	// GetAgentScramKeyfileSecretNamespacedName returns the NamespacedName of the secret which stores the keyfile for the agent.
+	// GetAgentKeyfileSecretNamespacedName returns the NamespacedName of the secret which stores the keyfile for the agent.
 	GetAgentKeyfileSecretNamespacedName() types.NamespacedName
 
 	// NamespacedName returns the NamespacedName for the resource that is being configured.
@@ -142,7 +142,7 @@ func Enable(auth *automationconfig.Auth, secretGetUpdateCreateDeleter secret.Get
 
 // ensureScramCredentials will ensure that the ScramSha1 & ScramSha256 credentials exist and are stored in the credentials
 // secret corresponding to user of the given MongoDB deployment.
-func ensureScramCredentials(getUpdateCreator secret.GetUpdateCreator, user User, mdbNamespacedName types.NamespacedName) (scramcredentials.ScramCreds, scramcredentials.ScramCreds, error) {
+func ensureScramCredentials(getUpdateCreator secret.GetUpdateCreator, user User, mdbNamespacedName types.NamespacedName, ownerRef []metav1.OwnerReference) (scramcredentials.ScramCreds, scramcredentials.ScramCreds, error) {
 
 	password, err := secret.ReadKey(getUpdateCreator, user.PasswordSecretKey, types.NamespacedName{Name: user.PasswordSecretName, Namespace: mdbNamespacedName.Namespace})
 	if err != nil {
@@ -176,7 +176,7 @@ func ensureScramCredentials(getUpdateCreator secret.GetUpdateCreator, user User,
 	}
 
 	// create or update our credentials secret for this user
-	if err := createScramCredentialsSecret(getUpdateCreator, mdbNamespacedName, user.ScramCredentialsSecretName, sha1Creds, sha256Creds); err != nil {
+	if err := createScramCredentialsSecret(getUpdateCreator, mdbNamespacedName, ownerRef, user.ScramCredentialsSecretName, sha1Creds, sha256Creds); err != nil {
 		return scramcredentials.ScramCreds{}, scramcredentials.ScramCreds{}, fmt.Errorf("faild to create scram credentials secret %s: %s", user.ScramCredentialsSecretName, err)
 	}
 
@@ -260,7 +260,7 @@ func computeScramShaCredentials(username, password string, sha1Salt, sha256Salt
 
 // createScramCredentialsSecret will create a Secret that contains all of the fields required to read these credentials
 // back in the future.
-func createScramCredentialsSecret(getUpdateCreator secret.GetUpdateCreator, mdbObjectKey types.NamespacedName, scramCredentialsSecretName string, sha1Creds, sha256Creds scramcredentials.ScramCreds) error {
+func createScramCredentialsSecret(getUpdateCreator secret.GetUpdateCreator, mdbObjectKey types.NamespacedName, ref []metav1.OwnerReference, scramCredentialsSecretName string, sha1Creds, sha256Creds scramcredentials.ScramCreds) error {
 	scramCredsSecret := secret.Builder().
 		SetName(scramCredentialsSecretName).
 		SetNamespace(mdbObjectKey.Namespace).
@@ -270,6 +270,7 @@ func createScramCredentialsSecret(getUpdateCreator secret.GetUpdateCreator, mdbO
 		SetField(sha256SaltKey, sha256Creds.Salt).
 		SetField(sha256StoredKeyKey, sha256Creds.StoredKey).
 		SetField(sha256ServerKeyKey, sha256Creds.ServerKey).
+		SetOwnerReferences(ref).
 		Build()
 	return secret.CreateOrUpdate(getUpdateCreator, scramCredsSecret)
 }
@@ -307,7 +308,7 @@ func readExistingCredentials(secretGetter secret.Getter, mdbObjectKey types.Name
 func convertMongoDBResourceUsersToAutomationConfigUsers(secretGetUpdateCreateDeleter secret.GetUpdateCreateDeleter, mdb Configurable) ([]automationconfig.MongoDBUser, error) {
 	var usersWanted []automationconfig.MongoDBUser
 	for _, u := range mdb.GetScramUsers() {
-		acUser, err := convertMongoDBUserToAutomationConfigUser(secretGetUpdateCreateDeleter, mdb.NamespacedName(), u)
+		acUser, err := convertMongoDBUserToAutomationConfigUser(secretGetUpdateCreateDeleter, mdb.NamespacedName(), mdb.GetOwnerReferences(), u)
 		if err != nil {
 			return nil, fmt.Errorf("failed to convert scram user %s to Automation Config user: %s", u.Username, err)
 		}
@@ -318,7 +319,7 @@ func convertMongoDBResourceUsersToAutomationConfigUsers(secretGetUpdateCreateDel
 
 // convertMongoDBUserToAutomationConfigUser converts a single user configured in the MongoDB resource and converts it to a user
 // that can be added directly to the AutomationConfig.
-func convertMongoDBUserToAutomationConfigUser(secretGetUpdateCreateDeleter secret.GetUpdateCreateDeleter, mdbNsName types.NamespacedName, user User) (automationconfig.MongoDBUser, error) {
+func convertMongoDBUserToAutomationConfigUser(secretGetUpdateCreateDeleter secret.GetUpdateCreateDeleter, mdbNsName types.NamespacedName, ownerRef []metav1.OwnerReference, user User) (automationconfig.MongoDBUser, error) {
 	acUser := automationconfig.MongoDBUser{
 		Username: user.Username,
 		Database: user.Database,
@@ -329,7 +330,7 @@ func convertMongoDBUserToAutomationConfigUser(secretGetUpdateCreateDeleter secre
 			Database: role.Database,
 		})
 	}
-	sha1Creds, sha256Creds, err := ensureScramCredentials(secretGetUpdateCreateDeleter, user, mdbNsName)
+	sha1Creds, sha256Creds, err := ensureScramCredentials(secretGetUpdateCreateDeleter, user, mdbNsName, ownerRef)
 	if err != nil {
 		return automationconfig.MongoDBUser{}, fmt.Errorf("could not ensure scram credentials: %s", err)
 	}
diff --git a/pkg/authentication/scram/scram_test.go b/pkg/authentication/scram/scram_test.go
@@ -98,12 +98,12 @@ func TestComputeScramCredentials_ComputesSameStoredAndServerKey_WithSameSalt(t *
 func TestEnsureScramCredentials(t *testing.T) {
 	mdb, user := buildConfigurableAndUser("mdb-0")
 	t.Run("Fails when there is no password secret, and no credentials secret", func(t *testing.T) {
-		_, _, err := ensureScramCredentials(newMockedSecretGetUpdateCreateDeleter(), user, mdb.NamespacedName())
+		_, _, err := ensureScramCredentials(newMockedSecretGetUpdateCreateDeleter(), user, mdb.NamespacedName(), nil)
 		assert.Error(t, err)
 	})
 	t.Run("Existing credentials are used when password does not exist, but credentials secret has been created", func(t *testing.T) {
 		scramCredentialsSecret := validScramCredentialsSecret(mdb.NamespacedName(), user.ScramCredentialsSecretName)
-		scram1Creds, scram256Creds, err := ensureScramCredentials(newMockedSecretGetUpdateCreateDeleter(scramCredentialsSecret), user, mdb.NamespacedName())
+		scram1Creds, scram256Creds, err := ensureScramCredentials(newMockedSecretGetUpdateCreateDeleter(scramCredentialsSecret), user, mdb.NamespacedName(), nil)
 		assert.NoError(t, err)
 		assertScramCredsCredentialsValidity(t, scram1Creds, scram256Creds)
 	})
@@ -118,7 +118,7 @@ func TestEnsureScramCredentials(t *testing.T) {
 			Build()
 
 		scramCredentialsSecret := validScramCredentialsSecret(mdb.NamespacedName(), user.ScramCredentialsSecretName)
-		scram1Creds, scram256Creds, err := ensureScramCredentials(newMockedSecretGetUpdateCreateDeleter(scramCredentialsSecret, differentPasswordSecret), user, mdb.NamespacedName())
+		scram1Creds, scram256Creds, err := ensureScramCredentials(newMockedSecretGetUpdateCreateDeleter(scramCredentialsSecret, differentPasswordSecret), user, mdb.NamespacedName(), nil)
 		assert.NoError(t, err)
 		assert.NotEqual(t, testSha1Salt, scram1Creds.Salt)
 		assert.NotEmpty(t, scram1Creds.Salt)
@@ -148,7 +148,7 @@ func TestConvertMongoDBUserToAutomationConfigUser(t *testing.T) {
 			SetField(user.PasswordSecretKey, "TDg_DESiScDrJV6").
 			Build()
 
-		acUser, err := convertMongoDBUserToAutomationConfigUser(newMockedSecretGetUpdateCreateDeleter(passwordSecret), mdb.NamespacedName(), user)
+		acUser, err := convertMongoDBUserToAutomationConfigUser(newMockedSecretGetUpdateCreateDeleter(passwordSecret), mdb.NamespacedName(), nil, user)
 
 		assert.NoError(t, err)
 		assert.Equal(t, user.Username, acUser.Username)
@@ -163,7 +163,7 @@ func TestConvertMongoDBUserToAutomationConfigUser(t *testing.T) {
 	})
 
 	t.Run("If there is no password secret, the creation fails", func(t *testing.T) {
-		_, err := convertMongoDBUserToAutomationConfigUser(newMockedSecretGetUpdateCreateDeleter(), mdb.NamespacedName(), user)
+		_, err := convertMongoDBUserToAutomationConfigUser(newMockedSecretGetUpdateCreateDeleter(), mdb.NamespacedName(), nil, user)
 		assert.Error(t, err)
 	})
 }
@@ -177,6 +177,7 @@ func TestConfigureScram(t *testing.T) {
 		err := Enable(&auth, s, mdb)
 		assert.Error(t, err)
 	})
+
 	t.Run("Agent Credentials Secret should be created if there are no users", func(t *testing.T) {
 		mdb := buildConfigurable("mdb-0")
 		s := newMockedSecretGetUpdateCreateDeleter()
@@ -195,6 +196,25 @@ func TestConfigureScram(t *testing.T) {
 		assert.NotEmpty(t, keyfileSecret.Data[AgentKeyfileKey])
 	})
 
+	t.Run("Agent Credentials Secret should contain owner reference", func(t *testing.T) {
+		mdb := buildConfigurable("mdb-0")
+		s := newMockedSecretGetUpdateCreateDeleter()
+		auth := automationconfig.Auth{}
+		err := Enable(&auth, s, mdb)
+		assert.NoError(t, err)
+
+		passwordSecret, err := s.GetSecret(mdb.GetAgentPasswordSecretNamespacedName())
+		assert.NoError(t, err)
+
+		actualRef := passwordSecret.GetOwnerReferences()
+		expectedRef := []metav1.OwnerReference{{
+			APIVersion: "v1",
+			Kind:       "mdbc",
+			Name:       "my-ref",
+		}}
+		assert.Equal(t, expectedRef, actualRef)
+	})
+
 	t.Run("Agent Password Secret is used if it exists", func(t *testing.T) {
 		mdb := buildConfigurable("mdb-0")
 
@@ -261,6 +281,11 @@ func buildConfigurable(name string, users ...User) Configurable {
 			Name:      name,
 			Namespace: "default",
 		},
+		refs: []metav1.OwnerReference{{
+			APIVersion: "v1",
+			Kind:       "mdbc",
+			Name:       "my-ref",
+		}},
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ type mockConfigurable struct {`
`37`	`37`	`opts Options`
`38`	`38`	`users []User`
`39`	`39`	`nsName types.NamespacedName`
	`40`	`+ refs []metav1.OwnerReference`
`40`	`41`	`}`
`41`	`42`
`42`	`43`	`func (m mockConfigurable) GetAgentPasswordSecretNamespacedName() types.NamespacedName {`
`@@ -60,5 +61,5 @@ func (m mockConfigurable) NamespacedName() types.NamespacedName {`
`60`	`61`	`}`
`61`	`62`
`62`	`63`	`func (m mockConfigurable) GetOwnerReferences() []metav1.OwnerReference {`
`63`		`- return nil`
	`64`	`+ return m.refs`
`64`	`65`	`}`