Add secret cleanup after reconcile context cancel

Author: kabicin

common/secret.go

@@ -0,0 +1,53 @@
+package common
+
+import (
+	"context"
+	"sync"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type SecretResource struct {
+	secret *corev1.Secret
+	once   sync.Once
+}
+
+// Creates a Secret that clears it's data when recCtx is canceled
+func NewSecret(recCtx context.Context, name, namespace string) *corev1.Secret {
+	secretResource := NewSecretResource(name, namespace)
+	go func() {
+		<-recCtx.Done()
+		secretResource.Clear()
+	}()
+	return secretResource.GetSecret()
+}
+
+func NewSecretResource(name, namespace string) *SecretResource {
+	resource := &SecretResource{
+		secret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+		},
+	}
+	return resource
+}
+
+func (r *SecretResource) GetSecret() *corev1.Secret {
+	return r.secret
+}
+
+func (r *SecretResource) Clear() {
+	if r.secret == nil {
+		return
+	}
+
+	r.once.Do(func() {
+		for secretKey, secretValue := range r.secret.Data {
+			clear(secretValue)
+			delete(r.secret.Data, secretKey)
+		}
+	})
+}

internal/controller/runtimecomponent_controller.go

@@ -101,6 +101,11 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		ns = r.watchNamespaces[0]
 	}
 
+	// This reconcile context is cancelled right before the Reconcile function terminates or when the parent context ctx is cancelled (such as in operator leader election), whichever happens first.
+	// Resources that require cleanup may use this context to hook into program execution before a function return.
+	recCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
 	configMap, err := r.GetOpConfigMap(OperatorName, ns)
 	if err != nil {
 		reqLogger.Info("Failed to find runtime-component-operator config map")
@@ -238,7 +243,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		if serviceAccountName == "" {
 			serviceAccount := &corev1.ServiceAccount{ObjectMeta: defaultMeta}
 			err = r.CreateOrUpdate(serviceAccount, instance, func() error {
-				return appstacksutils.CustomizeServiceAccount(serviceAccount, instance, r.GetClient())
+				return appstacksutils.CustomizeServiceAccount(recCtx, serviceAccount, instance, r.GetClient())
 			})
 			if err != nil {
 				reqLogger.Error(err, "Failed to reconcile ServiceAccount")
@@ -257,7 +262,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 
 	// Check if the ServiceAccount has a valid pull secret before creating the deployment/statefulset
 	// or setting up knative. Otherwise the pods can go into an ImagePullBackOff loop
-	saErr := appstacksutils.ServiceAccountPullSecretExists(instance, r.GetClient())
+	saErr := appstacksutils.ServiceAccountPullSecretExists(recCtx, instance, r.GetClient())
 	if saErr != nil {
 		return r.ManageError(saErr, common.StatusConditionTypeReconciled, instance)
 	}
@@ -319,7 +324,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		}
 	}
 
-	useCertmanager, err := r.GenerateSvcCertSecret(ba, "rco", "Runtime Component Operator", "runtime-component-operator")
+	useCertmanager, err := r.GenerateSvcCertSecret(recCtx, ba, "rco", "Runtime Component Operator", "runtime-component-operator")
 	if err != nil {
 		reqLogger.Error(err, "Failed to reconcile CertManager Certificate")
 		return r.ManageError(err, common.StatusConditionTypeReconciled, instance)
@@ -365,7 +370,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		}
 	}
 
-	err = r.ReconcileBindings(instance)
+	err = r.ReconcileBindings(recCtx, instance)
 	if err != nil {
 		return r.ManageError(err, common.StatusConditionTypeReconciled, ba)
 	}
@@ -395,7 +400,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		err = r.CreateOrUpdate(statefulSet, instance, func() error {
 			appstacksutils.CustomizeStatefulSet(statefulSet, instance)
 			appstacksutils.CustomizePodSpec(&statefulSet.Spec.Template, instance)
-			if err := appstacksutils.CustomizePodWithSVCCertificate(&statefulSet.Spec.Template, instance, r.GetClient()); err != nil {
+			if err := appstacksutils.CustomizePodWithSVCCertificate(recCtx, &statefulSet.Spec.Template, instance, r.GetClient()); err != nil {
 				return err
 			}
 			appstacksutils.CustomizePersistence(statefulSet, instance)
@@ -427,7 +432,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		err = r.CreateOrUpdate(deploy, instance, func() error {
 			appstacksutils.CustomizeDeployment(deploy, instance)
 			appstacksutils.CustomizePodSpec(&deploy.Spec.Template, instance)
-			if err := appstacksutils.CustomizePodWithSVCCertificate(&deploy.Spec.Template, instance, r.GetClient()); err != nil {
+			if err := appstacksutils.CustomizePodWithSVCCertificate(recCtx, &deploy.Spec.Template, instance, r.GetClient()); err != nil {
 				return err
 			}
 			return nil
@@ -529,7 +534,7 @@ func (r *RuntimeComponentReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	} else if ok {
 		if instance.Spec.Monitoring != nil && (instance.Spec.CreateKnativeService == nil || !*instance.Spec.CreateKnativeService) {
 			// Validate the monitoring endpoints' configuration before creating/updating the ServiceMonitor
-			if err := appstacksutils.ValidatePrometheusMonitoringEndpoints(instance, r.GetClient(), instance.GetNamespace()); err != nil {
+			if err := appstacksutils.ValidatePrometheusMonitoringEndpoints(recCtx, instance, r.GetClient(), instance.GetNamespace()); err != nil {
 				return r.ManageError(err, common.StatusConditionTypeReconciled, instance)
 			}
 			sm := &prometheusv1.ServiceMonitor{ObjectMeta: defaultMeta}

utils/reconciler.go

@@ -621,14 +621,12 @@ func (r *ReconcilerBase) checkIssuerReady(issuer *certmanagerv1.Issuer) error {
 	return nil
 }
 
-func (r *ReconcilerBase) checkSecretExists(secretName, secretNamespace string) error {
-	secret := &corev1.Secret{}
-	secret.Name = secretName
-	secret.Namespace = secretNamespace
-	return r.GetClient().Get(context.TODO(), types.NamespacedName{Name: secretName, Namespace: secretNamespace}, secret)
+func (r *ReconcilerBase) checkSecretExists(recCtx context.Context, secretName, secretNamespace string) error {
+	secret := common.NewSecret(recCtx, secretName, secretNamespace)
+	return r.GetClient().Get(context.TODO(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, secret)
 }
 
-func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACommonName string, operatorName string) error {
+func (r *ReconcilerBase) GenerateCMIssuer(recCtx context.Context, namespace string, prefix string, CACommonName string, operatorName string) error {
 	if ok, err := r.IsGroupVersionSupported(certmanagerv1.SchemeGroupVersion.String(), "Issuer"); err != nil {
 		return err
 	} else if !ok {
@@ -679,21 +677,17 @@ func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACom
 		return err
 	}
 
-	CustomCACert := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{
-		Name:      prefix + "-custom-ca-tls",
-		Namespace: namespace,
-	}}
+	customCACert := common.NewSecret(recCtx, prefix+"-custom-ca-tls", namespace)
 	customCACertFound := false
-	err = r.GetClient().Get(context.Background(), types.NamespacedName{Name: CustomCACert.GetName(),
-		Namespace: CustomCACert.GetNamespace()}, CustomCACert)
+	err = r.GetClient().Get(context.Background(), types.NamespacedName{Name: customCACert.Name, Namespace: customCACert.Namespace}, customCACert)
 	if err == nil {
 		customCACertFound = true
 	} else {
 		// check CA Certificate and it's Secret exist before CA Issuer init
 		if err := r.checkCertificateReady(caCert); err != nil {
 			return err
 		}
-		if err := r.checkSecretExists(caCertSecretName, namespace); err != nil {
+		if err := r.checkSecretExists(recCtx, caCertSecretName, namespace); err != nil {
 			return err
 		}
 	}
@@ -710,8 +704,7 @@ func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACom
 			issuer.Annotations = map[string]string{}
 		}
 		if customCACertFound {
-			issuer.Spec.CA.SecretName = CustomCACert.Name
-
+			issuer.Spec.CA.SecretName = customCACert.Name
 		}
 		return nil
 	})
@@ -730,7 +723,7 @@ func (r *ReconcilerBase) GenerateCMIssuer(namespace string, prefix string, CACom
 	return nil
 }
 
-func (r *ReconcilerBase) GenerateSvcCertSecret(ba common.BaseComponent, prefix string, CACommonName string, operatorName string) (bool, error) {
+func (r *ReconcilerBase) GenerateSvcCertSecret(recCtx context.Context, ba common.BaseComponent, prefix string, CACommonName string, operatorName string) (bool, error) {
 	delete(ba.GetStatus().GetReferences(), common.StatusReferenceCertSecretName)
 	cleanup := func() {
 		if ok, err := r.IsGroupVersionSupported(certmanagerv1.SchemeGroupVersion.String(), "Certificate"); err != nil {
@@ -771,7 +764,7 @@ func (r *ReconcilerBase) GenerateSvcCertSecret(ba common.BaseComponent, prefix s
 	} else if ok {
 		bao := ba.(metav1.Object)
 
-		err = r.GenerateCMIssuer(bao.GetNamespace(), prefix, CACommonName, operatorName)
+		err = r.GenerateCMIssuer(recCtx, bao.GetNamespace(), prefix, CACommonName, operatorName)
 		if err != nil {
 			if errors.Is(err, APIVersionNotFoundError) {
 				return false, nil
@@ -834,7 +827,7 @@ func (r *ReconcilerBase) GenerateSvcCertSecret(ba common.BaseComponent, prefix s
 				svcCert.Spec.IssuerRef.Name = customIssuer.Name
 			}
 
-			rVersion, _ := GetIssuerResourceVersion(r.client, svcCert)
+			rVersion, _ := GetIssuerResourceVersion(recCtx, r.client, svcCert)
 			if svcCert.Spec.SecretTemplate == nil {
 				svcCert.Spec.SecretTemplate = &certmanagerv1.CertificateSecretTemplate{
 					Annotations: map[string]string{},

utils/reconciler_test.go

@@ -196,7 +196,7 @@ func TestCreateOrUpdate(t *testing.T) {
 	r := NewReconcilerBase(rcl, cl, s, &rest.Config{}, record.NewFakeRecorder(10))
 
 	err := r.CreateOrUpdate(serviceAccount, runtimecomponent, func() error {
-		CustomizeServiceAccount(serviceAccount, runtimecomponent, r.GetClient())
+		CustomizeServiceAccount(context.TODO(), serviceAccount, runtimecomponent, r.GetClient())
 		return nil
 	})
 

utils/service_binding_reconciler.go

@@ -20,21 +20,16 @@ const (
 )
 
 // ReconcileBindings goes through the reconcile logic for service binding
-func (r *ReconcilerBase) ReconcileBindings(ba common.BaseComponent) error {
-	if err := r.reconcileExpose(ba); err != nil {
+func (r *ReconcilerBase) ReconcileBindings(recCtx context.Context, ba common.BaseComponent) error {
+	if err := r.reconcileExpose(recCtx, ba); err != nil {
 		return err
 	}
 	return nil
 }
 
-func (r *ReconcilerBase) reconcileExpose(ba common.BaseComponent) error {
+func (r *ReconcilerBase) reconcileExpose(recCtx context.Context, ba common.BaseComponent) error {
 	mObj := ba.(metav1.Object)
-	bindingSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      getExposeBindingSecretName(ba),
-			Namespace: mObj.GetNamespace(),
-		},
-	}
+	bindingSecret := common.NewSecret(recCtx, getExposeBindingSecretName(ba), mObj.GetNamespace())
 
 	if ba.GetService() != nil && ba.GetService().GetBindable() != nil && *ba.GetService().GetBindable() {
 		err := r.CreateOrUpdate(bindingSecret, mObj, func() error {
@@ -46,7 +41,7 @@ func (r *ReconcilerBase) reconcileExpose(ba common.BaseComponent) error {
 			// Use content of the 'override' secret as the base secret content
 			bindingSecret.Data = customSecret.Data
 			// Apply default values to the override secret if certain values are not set
-			r.applyDefaultValuesToExpose(bindingSecret, ba)
+			r.applyDefaultValuesToExpose(recCtx, bindingSecret, ba)
 			return nil
 		})
 		if err != nil {
@@ -77,15 +72,15 @@ func (r *ReconcilerBase) getCustomValuesToExpose(secret *corev1.Secret, ba commo
 	return nil
 }
 
-func (r *ReconcilerBase) applyDefaultValuesToExpose(secret *corev1.Secret, ba common.BaseComponent) {
+func (r *ReconcilerBase) applyDefaultValuesToExpose(recCtx context.Context, secret *corev1.Secret, ba common.BaseComponent) {
 	mObj := ba.(metav1.Object)
 	secret.Labels = ba.GetLabels()
 	secret.Annotations = MergeMaps(secret.Annotations, ba.GetAnnotations())
 
-	secretData := secret.Data
-	if secretData == nil {
-		secretData = map[string][]byte{}
+	if secret.Data == nil {
+		secret.Data = map[string][]byte{}
 	}
+	secretData := secret.Data
 	var host, protocol, basePath, port []byte
 	var found bool
 	if host, found = secretData["host"]; !found {
@@ -126,26 +121,24 @@ func (r *ReconcilerBase) applyDefaultValuesToExpose(secret *corev1.Secret, ba co
 	}
 
 	if _, found = secretData["certificates"]; !found && ba.GetStatus().GetReferences()[common.StatusReferenceCertSecretName] != "" {
-
-		certSecret := &corev1.Secret{}
-		err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: ba.GetStatus().GetReferences()[common.StatusReferenceCertSecretName], Namespace: mObj.GetNamespace()}, certSecret)
+		certSecret := common.NewSecret(recCtx, ba.GetStatus().GetReferences()[common.StatusReferenceCertSecretName], mObj.GetNamespace())
+		err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: certSecret.Name, Namespace: certSecret.Namespace}, certSecret)
 		if err == nil {
 			caCert := certSecret.Data["ca.crt"]
 			tlsCrt := certSecret.Data["tls.crt"]
-			chain := string(tlsCrt) + string(caCert)
-			if chain != "" {
-				secretData["certificates"] = []byte(chain)
+			chainedCerts := make([]byte, len(caCert)+len(tlsCrt))
+			nCount := copy(chainedCerts, tlsCrt)
+			nCount += copy(chainedCerts[len(tlsCrt):], caCert)
+			if nCount > 0 {
+				secretData["certificates"] = chainedCerts
 			}
 		}
 	}
 
 	if _, found = secretData["ingress-uri"]; !found && ba.GetExpose() != nil && *ba.GetExpose() {
-
 		host, path, protocol := r.GetIngressInfo(ba)
 		secretData["ingress-uri"] = []byte(fmt.Sprintf("%s://%s%s%s", protocol, host, path, string(basePath)))
-
 	}
-	secret.Data = secretData
 }
 
 func (r *ReconcilerBase) updateBindingStatus(bindingSecretName string, ba common.BaseComponent) {

utils/utils.go

@@ -846,7 +846,7 @@ func CustomizePersistence(statefulSet *appsv1.StatefulSet, ba common.BaseCompone
 }
 
 // CustomizeServiceAccount ...
-func CustomizeServiceAccount(sa *corev1.ServiceAccount, ba common.BaseComponent, client client.Client) error {
+func CustomizeServiceAccount(recCtx context.Context, sa *corev1.ServiceAccount, ba common.BaseComponent, client client.Client) error {
 	sa.Labels = ba.GetLabels()
 	sa.Annotations = MergeMaps(sa.Annotations, ba.GetAnnotations())
 
@@ -1111,7 +1111,7 @@ func secretShouldExist(secretKeySelector corev1.SecretKeySelector) bool {
 }
 
 // Returns an error if any user specified non-optional Secret or ConfigMap for Prometheus monitoring does not exist, otherwise return nil.
-func ValidatePrometheusMonitoringEndpoints(ba common.BaseComponent, client client.Client, namespace string) error {
+func ValidatePrometheusMonitoringEndpoints(recCtx context.Context, ba common.BaseComponent, client client.Client, namespace string) error {
 	var basicAuth *prometheusv1.BasicAuth
 	var oauth2 *prometheusv1.OAuth2
 	var bearerTokenSecret corev1.SecretKeySelector
@@ -1158,7 +1158,8 @@ func ValidatePrometheusMonitoringEndpoints(ba common.BaseComponent, client clien
 			}
 			// Error if any Secret is specified but does not exist
 			for _, secretName := range secretNames {
-				if err := client.Get(context.TODO(), types.NamespacedName{Name: secretName, Namespace: namespace}, &corev1.Secret{}); err != nil {
+				secret := common.NewSecret(recCtx, secretName, namespace)
+				if err := client.Get(context.TODO(), types.NamespacedName{Name: secretName, Namespace: namespace}, secret); err != nil {
 					errorMessage := fmt.Sprintf("Could not find Secret '%s' in this namespace.", secretName)
 					return errors.New(errorMessage)
 				}
@@ -1619,7 +1620,7 @@ func (r *ReconcilerBase) toJSONFromRaw(content *runtime.RawExtension) (map[strin
 // Looks for a pull secret in the service account retrieved from the component
 // Returns nil if there is at least one image pull secret, otherwise an error
 // Will always return nil if 'skipPullSecretValidation' is specified in the CR
-func ServiceAccountPullSecretExists(ba common.BaseComponent, client client.Client) error {
+func ServiceAccountPullSecretExists(recCtx context.Context, ba common.BaseComponent, client client.Client) error {
 	obj := ba.(metav1.Object)
 	ns := obj.GetNamespace()
 	saName := obj.GetName()
@@ -1654,7 +1655,8 @@ func ServiceAccountPullSecretExists(ba common.BaseComponent, client client.Clien
 		// if this is our service account there will be one image pull secret
 		// For others there could be more. either way, just use the first?
 		sName := secrets[0].Name
-		err := client.Get(context.TODO(), types.NamespacedName{Name: sName, Namespace: ns}, &corev1.Secret{})
+		pullSecret := common.NewSecret(recCtx, sName, ns)
+		err := client.Get(context.TODO(), types.NamespacedName{Name: pullSecret.Name, Namespace: pullSecret.Namespace}, pullSecret)
 		if err != nil {
 			saErr := errors.New("Service account " + saName + " isn't ready. Reason: " + err.Error())
 			return saErr
@@ -1844,17 +1846,16 @@ func UpdateConfigMap(configMap *corev1.ConfigMap, key string) {
 	data[key] = common.LoadFromConfig(common.Config, key)
 }
 
-func GetIssuerResourceVersion(client client.Client, certificate *certmanagerv1.Certificate) (string, error) {
+func GetIssuerResourceVersion(recCtx context.Context, client client.Client, certificate *certmanagerv1.Certificate) (string, error) {
 	issuer := &certmanagerv1.Issuer{}
 	err := client.Get(context.Background(), types.NamespacedName{Name: certificate.Spec.IssuerRef.Name,
 		Namespace: certificate.Namespace}, issuer)
 	if err != nil {
 		return "", err
 	}
 	if issuer.Spec.CA != nil {
-		caSecret := &corev1.Secret{}
-		err = client.Get(context.Background(), types.NamespacedName{Name: issuer.Spec.CA.SecretName,
-			Namespace: certificate.Namespace}, caSecret)
+		caSecret := common.NewSecret(recCtx, issuer.Spec.CA.SecretName, certificate.Namespace)
+		err = client.Get(context.Background(), types.NamespacedName{Name: caSecret.Name, Namespace: caSecret.Namespace}, caSecret)
 		if err != nil {
 			return "", err
 		} else {

utils/utils_test.go

@@ -1,6 +1,7 @@
 package utils
 
 import (
+	"context"
 	"os"
 	"reflect"
 	"strconv"
@@ -535,13 +536,13 @@ func TestCustomizeServiceAccount(t *testing.T) {
 
 	spec := appstacksv1.RuntimeComponentSpec{PullSecret: &pullSecret}
 	sa, runtime := &corev1.ServiceAccount{}, createRuntimeComponent(name, namespace, spec)
-	CustomizeServiceAccount(sa, runtime, fcl)
+	CustomizeServiceAccount(context.TODO(), sa, runtime, fcl)
 	emptySAIPS := sa.ImagePullSecrets[0].Name
 
 	newSecret := "my-new-secret"
 	spec = appstacksv1.RuntimeComponentSpec{PullSecret: &newSecret}
 	runtime = createRuntimeComponent(name, namespace, spec)
-	CustomizeServiceAccount(sa, runtime, fcl)
+	CustomizeServiceAccount(context.TODO(), sa, runtime, fcl)
 
 	testCSA := []Test{
 		{"ServiceAccount image pull secrets is empty", pullSecret, emptySAIPS},