From 96da05aea026da29c708f61f0912d85f4a45a549 Mon Sep 17 00:00:00 2001
From: Frank Jogeleit
Date: Tue, 30 May 2023 20:40:01 +0200
Subject: [PATCH] retry secret fetching and fix config for mountedSecret usage

Signed-off-by: Frank Jogeleit
---
 charts/policy-reporter/config.yaml | 9 +++++++++
 pkg/kubernetes/secrets/client.go | 31 +++++++++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/charts/policy-reporter/config.yaml b/charts/policy-reporter/config.yaml
index f5d32b50..fc8af8d2 100644
--- a/charts/policy-reporter/config.yaml
+++ b/charts/policy-reporter/config.yaml
@@ -4,6 +4,7 @@ loki:
   skipTLS: {{ .Values.target.loki.skipTLS }}
   path: {{ .Values.target.loki.path | quote }}
   secretRef: {{ .Values.target.loki.secretRef | quote }}
+  mountedSecret: {{ .Values.target.loki.mountedSecret | quote }}
   minimumPriority: {{ .Values.target.loki.minimumPriority | quote }}
   skipExistingOnStartup: {{ .Values.target.loki.skipExistingOnStartup }}
   {{- with .Values.target.loki.customLabels }}
@@ -30,6 +31,7 @@ elasticsearch:
   username: {{ .Values.target.elasticsearch.username | quote }}
   password: {{ .Values.target.elasticsearch.password | quote }}
   secretRef: {{ .Values.target.elasticsearch.secretRef | quote }}
+  mountedSecret: {{ .Values.target.elasticsearch.mountedSecret | quote }}
   index: {{ .Values.target.elasticsearch.index | default "policy-reporter" | quote }}
   rotation: {{ .Values.target.elasticsearch.rotation | default "daily" | quote }}
   minimumPriority: {{ .Values.target.elasticsearch.minimumPriority | quote }}
@@ -55,6 +57,7 @@ slack:
   webhook: {{ .Values.target.slack.webhook | quote }}
   channel: {{ .Values.target.slack.channel | quote }}
   secretRef: {{ .Values.target.slack.secretRef | quote }}
+  mountedSecret: {{ .Values.target.slack.mountedSecret | quote }}
   minimumPriority: {{ .Values.target.slack.minimumPriority | quote }}
   skipExistingOnStartup: {{ .Values.target.slack.skipExistingOnStartup }}
   {{- with .Values.target.slack.customFields }}
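Review bot: The diffstat lists only config.yaml and client.go, so the new `mountedSecret` keys rendered here for every target get no default or comment in values.yaml in this commit; unless it was declared earlier, the setting is undiscoverable to chart users and `helm template` silently emits `mountedSecret: ""` for each target because of `| quote`. I would add `mountedSecret: ""` under each `target.<name>` in values.yaml with a one-line comment such as `# path to a file from a mounted Secret volume, used instead of secretRef (no RBAC to read Secrets needed)` — if, as the name suggests, it is the file-based alternative to `secretRef`; confirm that against the target loader before wording the least-privilege claim. The line-number gap between the webhook and kinesis hunks suggests other target sections in between (an S3 target, if the chart has one) that did not receive the key, which is worth checking.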
@@ -77,6 +80,7 @@ slack:
 discord:
   webhook: {{ .Values.target.discord.webhook | quote }}
   secretRef: {{ .Values.target.discord.secretRef | quote }}
+  mountedSecret: {{ .Values.target.discord.mountedSecret | quote }}
   minimumPriority: {{ .Values.target.discord.minimumPriority | quote }}
   skipExistingOnStartup: {{ .Values.target.discord.skipExistingOnStartup }}
   {{- with .Values.target.discord.customFields }}
@@ -101,6 +105,7 @@ teams:
   certificate: {{ .Values.target.teams.certificate | quote }}
   skipTLS: {{ .Values.target.teams.skipTLS }}
   secretRef: {{ .Values.target.teams.secretRef | quote }}
+  mountedSecret: {{ .Values.target.teams.mountedSecret | quote }}
   minimumPriority: {{ .Values.target.teams.minimumPriority | quote }}
   skipExistingOnStartup: {{ .Values.target.teams.skipExistingOnStartup }}
   {{- with .Values.target.teams.customFields }}
@@ -125,6 +130,7 @@ webhook:
   certificate: {{ .Values.target.webhook.certificate | quote }}
   skipTLS: {{ .Values.target.webhook.skipTLS }}
   secretRef: {{ .Values.target.webhook.secretRef | quote }}
+  mountedSecret: {{ .Values.target.webhook.mountedSecret | quote }}
   minimumPriority: {{ .Values.target.webhook.minimumPriority | quote }}
   skipExistingOnStartup: {{ .Values.target.webhook.skipExistingOnStartup }}
   {{- with .Values.target.webhook.sources }}
@@ -191,6 +197,7 @@ kinesis:
   accessKeyID: {{ .Values.target.kinesis.accessKeyID }}
   secretAccessKey: {{ .Values.target.kinesis.secretAccessKey }}
   secretRef: {{ .Values.target.kinesis.secretRef | quote }}
+  mountedSecret: {{ .Values.target.kinesis.mountedSecret | quote }}
   region: {{ .Values.target.kinesis.region }}
   endpoint: {{ .Values.target.kinesis.endpoint }}
   streamName: {{ .Values.target.kinesis.streamName }}
@@ -218,6 +225,7 @@ securityHub:
   accessKeyID: {{ .Values.target.securityHub.accessKeyID }}
   secretAccessKey: {{ .Values.target.securityHub.secretAccessKey }}
   secretRef: {{ .Values.target.securityHub.secretRef | quote }}
+  mountedSecret: {{ .Values.target.securityHub.mountedSecret | quote }}
   region: {{ .Values.target.securityHub.region }}
   endpoint: {{ .Values.target.securityHub.endpoint }}
   streamName: {{ .Values.target.securityHub.streamName }}
@@ -243,6 +251,7 @@ securityHub:
 gcs:
   credentials: {{ .Values.target.gcs.credentials }}
   secretRef: {{ .Values.target.gcs.secretRef | quote }}
+  mountedSecret: {{ .Values.target.gcs.mountedSecret | quote }}
   bucket: {{ .Values.target.gcs.bucket }}
   prefix: {{ .Values.target.gcs.prefix }}
   minimumPriority: {{ .Values.target.gcs.minimumPriority | quote }}
diff --git a/pkg/kubernetes/secrets/client.go b/pkg/kubernetes/secrets/client.go
index a9e5cdf6..d10a304f 100644
--- a/pkg/kubernetes/secrets/client.go
+++ b/pkg/kubernetes/secrets/client.go
@@ -3,8 +3,11 @@ package secrets
 import (
 	"context"
 
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/client-go/util/retry"
 )
 
 type Values struct {
@@ -32,7 +35,33 @@ type k8sClient struct {
 }
 
 func (c *k8sClient) Get(ctx context.Context, name string) (Values, error) {
-	secret, err := c.client.Get(ctx, name, metav1.GetOptions{})
+	var secret *corev1.Secret
+
+	err := retry.OnError(retry.DefaultRetry, func(err error) bool {
+		if _, ok := err.(errors.APIStatus); !ok {
+			return true
+		}
+
+		if ok := errors.IsTimeout(err); ok {
+			return true
+		}
+
+		if ok := errors.IsServerTimeout(err); ok {
+			return true
+		}
+
+		if ok := errors.IsServiceUnavailable(err); ok {
+			return true
+		}
+
+		return false
+	}, func() error {
+		var err error
+		secret, err = c.client.Get(ctx, name, metav1.GetOptions{})
+
+		return err
+	})
+
 	values := Values{}
 	if err != nil {
 		return values, err
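Review bot: The retry predicate in the new `retry.OnError` call retries every error that is not an `errors.APIStatus`, which most likely includes the caller's own context cancellation or deadline surfaced by `c.client.Get`, so a cancelled `ctx` keeps being retried instead of returned; it also never retries 429, the one status the API server explicitly asks clients to back off and retry on (`errors.IsTooManyRequests`), and the direct type assertion does not unwrap wrapped errors the way the `errors.IsX` helpers do. Because this client fetches target credentials, treating transport-level failures as transient is reasonable, so I would keep that branch but short-circuit on `ctx.Err()` and fold the status checks into one expression, as below; note also that `retry.DefaultRetry` is five steps of roughly 10 ms, which covers a momentary blip but not an API server that is actually unavailable, so a dedicated `wait.Backoff` may be what the commit message intends. Get's body continues past the end of the hunk, so how `values` is filled from the secret is not visible here.
```go
	err := retry.OnError(retry.DefaultRetry, func(err error) bool {
		// Stop as soon as the caller's context is done; retrying a cancelled request is wasted work.
		if ctx.Err() != nil {
			return false
		}
		// Transport-level failures carry no APIStatus; treat them as transient, as before.
		if _, isAPIErr := err.(errors.APIStatus); !isAPIErr {
			return true
		}
		return errors.IsTimeout(err) || errors.IsServerTimeout(err) ||
			errors.IsServiceUnavailable(err) || errors.IsTooManyRequests(err)
	}, func() error {
		// … unchanged: c.client.Get into the captured secret …
	})
```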