3scale · carlkyrillos · Oct 28, 2024 · Oct 29, 2024 · Nov 5, 2024 · Nov 7, 2024
@@ -1346,6 +1346,123 @@ func (apimanager *APIManager) IsAsyncDisableAnnotationPresent() bool {
 	return asyncDisabledFound
 }
 
+func (a *APIManager) GetApicastHTTPSCertSecretRefs() []*v1.LocalObjectReference {
+	secretRefs := []*v1.LocalObjectReference{}
+
+	if a.Spec.Apicast != nil && a.Spec.Apicast.ProductionSpec != nil && a.Spec.Apicast.ProductionSpec.HTTPSCertificateSecretRef != nil {
+		secretRefs = append(secretRefs, a.Spec.Apicast.ProductionSpec.HTTPSCertificateSecretRef)
+	}
+
+	if a.Spec.Apicast != nil && a.Spec.Apicast.StagingSpec != nil && a.Spec.Apicast.StagingSpec.HTTPSCertificateSecretRef != nil {
+		secretRefs = append(secretRefs, a.Spec.Apicast.StagingSpec.HTTPSCertificateSecretRef)
+	}
+
+	return secretRefs
+}
+
+func (a *APIManager) GetApicastOpenTelemetrySecretRefs() []*v1.LocalObjectReference {
+	secretRefs := []*v1.LocalObjectReference{}
+
+	if a.Spec.Apicast != nil && a.Spec.Apicast.ProductionSpec != nil && a.Spec.Apicast.ProductionSpec.OpenTelemetry != nil && a.Spec.Apicast.ProductionSpec.OpenTelemetry.TracingConfigSecretRef != nil {
+		secretRefs = append(secretRefs, a.Spec.Apicast.ProductionSpec.OpenTelemetry.TracingConfigSecretRef)
+	}
+
+	if a.Spec.Apicast != nil && a.Spec.Apicast.StagingSpec != nil && a.Spec.Apicast.StagingSpec.OpenTelemetry != nil && a.Spec.Apicast.StagingSpec.OpenTelemetry.TracingConfigSecretRef != nil {
+		secretRefs = append(secretRefs, a.Spec.Apicast.StagingSpec.OpenTelemetry.TracingConfigSecretRef)
+	}
+
+	return secretRefs
+}
+
+func (a *APIManager) GetApicastCustomEnvironmentsSecretRefs() []*v1.LocalObjectReference {
+	secretRefs := []*v1.LocalObjectReference{}
+
+	if a.Spec.Apicast.ProductionSpec.CustomEnvironments != nil {
+		for _, env := range a.Spec.Apicast.ProductionSpec.CustomEnvironments {
+			if env.SecretRef != nil {
+				secretRefs = append(secretRefs, env.SecretRef)
+			}
+		}
+	}
+
+	if a.Spec.Apicast.StagingSpec.CustomEnvironments != nil {
+		for _, env := range a.Spec.Apicast.StagingSpec.CustomEnvironments {
+			if env.SecretRef != nil {
+				secretRefs = append(secretRefs, env.SecretRef)
+			}
+		}
+	}
+
+	return secretRefs
+}
+
+func (a *APIManager) GetApicastCustomPoliciesSecretRefs() []*v1.LocalObjectReference {
+	secretRefs := []*v1.LocalObjectReference{}
+
+	if a.Spec.Apicast.ProductionSpec.CustomPolicies != nil {
+		for _, policy := range a.Spec.Apicast.ProductionSpec.CustomPolicies {
+			if policy.SecretRef != nil {
+				secretRefs = append(secretRefs, policy.SecretRef)
+			}
+		}
+	}
+
+	if a.Spec.Apicast.StagingSpec.CustomPolicies != nil {
+		for _, policy := range a.Spec.Apicast.StagingSpec.CustomPolicies {
+			if policy.SecretRef != nil {
+				secretRefs = append(secretRefs, policy.SecretRef)
+			}
+		}
+	}
+
+	return secretRefs
+}
+
+func (apimanager *APIManager) Get3scaleSecretRefs() []*v1.LocalObjectReference {
+	secretRefs := []*v1.LocalObjectReference{}
+
+	// TODO: Add TLS Secrets and ACL Secrets once support for them is implemented
+
+	apicastHTTPSCertSecretRefs := apimanager.GetApicastHTTPSCertSecretRefs()
+	if len(apicastHTTPSCertSecretRefs) > 0 {
+		secretRefs = append(secretRefs, apicastHTTPSCertSecretRefs...)
+	}
+
+	apicastOpenTelemetrySecretRefs := apimanager.GetApicastOpenTelemetrySecretRefs()
+	if len(apicastOpenTelemetrySecretRefs) > 0 {
+		secretRefs = append(secretRefs, apicastOpenTelemetrySecretRefs...)
+	}
+
+	apicastCustomEnvironmentSecretRefs := apimanager.GetApicastCustomEnvironmentsSecretRefs()
+	if len(apicastCustomEnvironmentSecretRefs) > 0 {
+		secretRefs = append(secretRefs, apicastCustomEnvironmentSecretRefs...)
+	}
+
+	apicastCustomPoliciesSecretRefs := apimanager.GetApicastCustomPoliciesSecretRefs()
+	if len(apicastCustomPoliciesSecretRefs) > 0 {
+		secretRefs = append(secretRefs, apicastCustomPoliciesSecretRefs...)
+	}
+
+	secretRefs = removeDuplicateSecretRefs(secretRefs)
+
+	return secretRefs
+}
+
+func removeDuplicateSecretRefs(refs []*v1.LocalObjectReference) []*v1.LocalObjectReference {
+	nameMap := make(map[string]bool)
+	uniqueRefs := make([]*v1.LocalObjectReference, 0)
+
+	for _, ref := range refs {
+		if ref != nil {
+			if _, exists := nameMap[ref.Name]; !exists {
+				nameMap[ref.Name] = true
+				uniqueRefs = append(uniqueRefs, ref)
+			}
+		}
+	}
+	return uniqueRefs
+}
+
 func (apimanager *APIManager) Validate() field.ErrorList {
 	fieldErrors := field.ErrorList{}
 

@@ -7,6 +7,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 
 	"github.com/3scale/3scale-operator/version"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -162,3 +163,171 @@ func minimumAPIManagerTest() *APIManager {
 		},
 	}
 }
+
+func TestRemoveDuplicateSecretRefs(t *testing.T) {
+	type args struct {
+		refs []*v1.LocalObjectReference
+	}
+	tests := []struct {
+		name string
+		args args
+		want []*v1.LocalObjectReference
+	}{
+		{
+			name: "SecretRefs is nil",
+			args: args{
+				refs: nil,
+			},
+			want: []*v1.LocalObjectReference{},
+		},
+		{
+			name: "SecretRefs is empty",
+			args: args{
+				refs: []*v1.LocalObjectReference{},
+			},
+			want: []*v1.LocalObjectReference{},
+		},
+		{
+			name: "SecretRefs has duplicates",
+			args: args{
+				refs: []*v1.LocalObjectReference{
+					{
+						Name: "ref1",
+					},
+					{
+						Name: "ref1",
+					},
+					{
+						Name: "ref2",
+					},
+				},
+			},
+			want: []*v1.LocalObjectReference{
+				{
+					Name: "ref1",
+				},
+				{
+					Name: "ref2",
+				},
+			},
+		},
+		{
+			name: "SecretRefs does not have duplicates",
+			args: args{
+				refs: []*v1.LocalObjectReference{
+					{
+						Name: "ref1",
+					},
+					{
+						Name: "ref2",
+					},
+				},
+			},
+			want: []*v1.LocalObjectReference{
+				{
+					Name: "ref1",
+				},
+				{
+					Name: "ref2",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := removeDuplicateSecretRefs(tt.args.refs); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("RemoveDuplicateSecretRefs() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestAPIManager_Get3scaleSecretRefs(t *testing.T) {
+	type fields struct {
+		Spec APIManagerSpec
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   []*v1.LocalObjectReference
+	}{
+		{
+			name: "No secret refs to gather",
+			fields: fields{
+				Spec: APIManagerSpec{
+					Apicast: &ApicastSpec{
+						ProductionSpec: &ApicastProductionSpec{},
+						StagingSpec:    &ApicastStagingSpec{},
+					},
+				},
+			},
+			want: []*v1.LocalObjectReference{},
+		},
+		{
+			name: "Apicast has secret refs",
+			fields: fields{
+				Spec: APIManagerSpec{
+					Apicast: &ApicastSpec{
+						ProductionSpec: &ApicastProductionSpec{
+							HTTPSCertificateSecretRef: &v1.LocalObjectReference{
+								Name: "https-cert-secret",
+							},
+							OpenTelemetry: &OpenTelemetrySpec{
+								TracingConfigSecretRef: &v1.LocalObjectReference{
+									Name: "otel-secret",
+								},
+							},
+							CustomEnvironments: []CustomEnvironmentSpec{
+								{
+									SecretRef: &v1.LocalObjectReference{
+										Name: "custom-env-1-secret",
+									},
+								},
+							},
+						},
+						StagingSpec: &ApicastStagingSpec{
+							CustomEnvironments: []CustomEnvironmentSpec{
+								{
+									SecretRef: &v1.LocalObjectReference{
+										Name: "custom-env-1-secret",
+									},
+								},
+							},
+							CustomPolicies: []CustomPolicySpec{
+								{
+									SecretRef: &v1.LocalObjectReference{
+										Name: "custom-policy-1-secret",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			want: []*v1.LocalObjectReference{
+				{
+					Name: "https-cert-secret",
+				},
+				{
+					Name: "otel-secret",
+				},
+				{
+					Name: "custom-env-1-secret",
+				},
+				{
+					Name: "custom-policy-1-secret",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			apimanager := &APIManager{
+				Spec: tt.fields.Spec,
+			}
+			if got := apimanager.Get3scaleSecretRefs(); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("Get3scaleSecretRefs() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"github.com/3scale/3scale-operator/pkg/3scale/amp/component"
 	"time"
 
 	"github.com/3scale/3scale-operator/pkg/upgrade"
@@ -488,6 +489,12 @@ func (r *APIManagerReconciler) reconcileAPIManagerLogic(cr *appsv1alpha1.APIMana
 		return result, err
 	}
 
+	// Create the hashed secret to track watched secrets' changes
+	result, err = r.reconcileHashedSecret(cr)
+	if err != nil || result.Requeue {
+		return result, err
+	}
+
 	// 3scale 2.14 -> 2.15
 	err = upgrade.DeleteImageStreams(cr.Namespace, r.Client())
 	if err != nil {
@@ -650,3 +657,25 @@ func (r *APIManagerReconciler) setRequirementsAnnotation(apim *appsv1alpha1.APIM
 
 	return nil
 }
+
+func (r *APIManagerReconciler) reconcileHashedSecret(cr *appsv1alpha1.APIManager) (reconcile.Result, error) {
+	secretLabels := map[string]string{
+		"app": *cr.Spec.AppLabel,
+	}
+	secret, err := component.HashedSecret(r.Context(), r.Client(), cr.Get3scaleSecretRefs(), cr.Namespace, secretLabels)
+	if err != nil {
+		r.Logger().Error(err, "failed to generate hashed-secret-data secret")
+		return reconcile.Result{}, err
+	}
+
+	secretMutators := []reconcilers.SecretMutateFn{
+		reconcilers.SecretStringDataMutator,
+	}
+	err = r.ReconcileResource(&v1.Secret{}, secret, reconcilers.DeploymentSecretMutator(secretMutators...))
+	if err != nil {
+		r.Logger().Error(err, "failed to reconcile hashed-secret-data secret")
+		return reconcile.Result{}, err
+	}
+
+	return reconcile.Result{}, nil
+}