Merge pull request #201 from yossig-aquasec/master_updating_deploymen…

…ts_on_secret_change

Adding support for restart deployments when secret\config map changed.

controllers/aquasecurity/aquastarboard/aquaStarboardHelper.go

@@ -414,6 +414,9 @@ func (enf *AquaStarboardHelper) CreateStarboardDeployment(cr *aquasecurityv1alph
  Template: corev1.PodTemplateSpec{
  ObjectMeta: metav1.ObjectMeta{
  Labels: selectors,
+ Annotations: map[string]string{
+ "ConfigMapChecksum": cr.Spec.ConfigMapChecksum,
+ },
  },
  Spec: corev1.PodSpec{
  //SecurityContext: &corev1.PodSecurityContext{

controllers/aquasecurity/aquastarboard/aquastarboard_controller.go

@@ -142,7 +142,7 @@ func (r *AquaStarboardReconciler) Reconcile(ctx context.Context, req ctrl.Reques
  return reconcile.Result{}, err
  }
 
- return ctrl.Result{Requeue: true}, nil
+ return ctrl.Result{}, nil
 }
 
 // SetupWithManager sets up the controller with the Manager.
@@ -255,7 +255,7 @@ func (r *AquaStarboardReconciler) addStarboardDeployment(cr *aquasecurityv1alpha
 
  // object already exists - don't requeue
  reqLogger.Info("Skip reconcile: Aqua Starboard Deployment Exists", "Deployment.Namespace", found.Namespace, "Deployment.Name", found.Name)
- return reconcile.Result{Requeue: true}, nil
+ return reconcile.Result{}, nil
 }
 
 func (r *AquaStarboardReconciler) updateStarboardServerObject(serviceObject *v1alpha1.AquaService, StarboardImageData *v1alpha1.AquaImage) *v1alpha1.AquaService {
@@ -442,7 +442,7 @@ func (r *AquaStarboardReconciler) addStarboardConfigMap(cr *aquasecurityv1alpha1
  if err != nil {
  return reconcile.Result{}, err
  }
- cr.Spec.ConfigMapChecksum = hash
+ cr.Spec.ConfigMapChecksum += hash
 
  // Set AquaStarboard instance as the owner and controller
  requeue := true
@@ -496,14 +496,20 @@ func (r *AquaStarboardReconciler) addStarboardSecret(cr *aquasecurityv1alpha1.Aq
  "ke-token-secret",
  )
 
+ hash, err := extra.GenerateMD5ForSpec(starboardSecret)
+ if err != nil {
+ return reconcile.Result{}, err
+ }
+ cr.Spec.ConfigMapChecksum += hash
+
  // Set AquaStarboard instance as the owner and controller
  if err := controllerutil.SetControllerReference(cr, starboardSecret, r.Scheme); err != nil {
  return reconcile.Result{}, err
  }
 
  // Check if this object already exists
  found := &corev1.Secret{}
- err := r.Client.Get(context.TODO(), types.NamespacedName{Name: starboardSecret.Name, Namespace: starboardSecret.Namespace}, found)
+ err = r.Client.Get(context.TODO(), types.NamespacedName{Name: starboardSecret.Name, Namespace: starboardSecret.Namespace}, found)
  if err != nil && errors.IsNotFound(err) {
  reqLogger.Info("Aqua Starboard: Creating a New token secret", "Secret.Namespace", starboardSecret.Namespace, "Secret.Name", starboardSecret.Name)
  err = r.Client.Create(context.TODO(), starboardSecret)

controllers/operator/aquacsp/aquacsp_controller.go

@@ -281,35 +281,10 @@ func (r *AquaCspReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
  instance.Status.State = crStatus
  _ = r.Client.Status().Update(context.Background(), instance)
  }
+ return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(0)}, nil
  }
 
- /*if instance.Spec.ScannerService != nil {
- if len(instance.Spec.AdminPassword) > 0 {
- _, err = r.InstallAquaScanner(instance)
- if err != nil {
- return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(0)}, err
- }
-
- if instance.Spec.Scale != nil {
- _, err = r.ScaleScannerCLI(instance)
- if err != nil {
- return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(0)}, err
- }
- }
- } else {
- reqLogger.Info("[Warning] missing admin password can't deploy scanner")
- }
- }
-
- if strings.ToLower(instance.Spec.Infrastructure.Platform) == "openshift" {
- if instance.Spec.Route {
- _, err = r.CreateRoute(instance)
- if err != nil {
- return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(0)}, err
- }
- }
- }*/
- return ctrl.Result{Requeue: true, RequeueAfter: time.Second * 30}, nil
+ return ctrl.Result{}, nil
 }
 
 // SetupWithManager sets up the controller with the Manager.

controllers/operator/aquadatabase/aquadatabase_controller.go

@@ -218,7 +218,7 @@ func (r *AquaDatabaseReconciler) Reconcile(ctx context.Context, req ctrl.Request
  _ = r.Client.Status().Update(context.Background(), instance)
  }
 
- return ctrl.Result{Requeue: true}, nil
+ return ctrl.Result{}, nil
 }
 
 // SetupWithManager sets up the controller with the Manager.
@@ -338,7 +338,7 @@ func (r *AquaDatabaseReconciler) InstallDatabaseDeployment(cr *v1alpha1.AquaData
 
  // Deployment already exists - don't requeue
  reqLogger.Info("Skip reconcile: Aqua Database Deployment Already Exists", "Deployment.Namespace", found.Namespace, "Deployment.Name", found.Name)
- return reconcile.Result{Requeue: true}, nil
+ return reconcile.Result{}, nil
 }
 
 func (r *AquaDatabaseReconciler) InstallDatabaseService(cr *v1alpha1.AquaDatabase, serviceName, app string, servicePort int32) (reconcile.Result, error) {

controllers/operator/aquaenforcer/aquaEnforcerHelper.go

@@ -124,7 +124,7 @@ func (enf *AquaEnforcerHelper) CreateDaemonSet(cr *v1alpha1.AquaEnforcer) *appsv
  "aqua.component": "enforcer",
  }
  annotations := map[string]string{
- "description": "Secret for aqua database password",
+ "description": "Deploy aqua Enforcer",
  "ConfigMapChecksum": cr.Spec.ConfigMapChecksum,
  }
 
@@ -173,6 +173,9 @@ func (enf *AquaEnforcerHelper) CreateDaemonSet(cr *v1alpha1.AquaEnforcer) *appsv
  ObjectMeta: metav1.ObjectMeta{
  Labels: labels,
  Name: fmt.Sprintf(consts.EnforcerDeamonsetName, cr.Name),
+ Annotations: map[string]string{
+ "ConfigMapChecksum": cr.Spec.ConfigMapChecksum,
+ },
  },
  Spec: corev1.PodSpec{
  ServiceAccountName: cr.Spec.Infrastructure.ServiceAccount,

controllers/operator/aquaenforcer/aquaenforcer_controller.go

@@ -76,11 +76,8 @@ func (r *AquaEnforcerReconciler) Reconcile(ctx context.Context, req ctrl.Request
  // Fetch the AquaEnforcer instance
  instance := &operatorv1alpha1.AquaEnforcer{}
  err := r.Client.Get(context.TODO(), req.NamespacedName, instance)
- reqLogger.Info(fmt.Sprintf("Enforcer instance: %v", instance))
  if err != nil {
- reqLogger.Info(fmt.Sprintf("error: %v", err))
  if errors.IsNotFound(err) {
-
  // Request object not found, could have been deleted after reconcile request.
  // Owned objects are automatically garbage collected. For additional cleanup logic use finalizers.
  // Return and don't requeue
@@ -89,11 +86,10 @@ func (r *AquaEnforcerReconciler) Reconcile(ctx context.Context, req ctrl.Request
  // Error reading the object - requeue the request.
  return reconcile.Result{}, err
  }
- reqLogger.Info("Going to updateEnforcerObject")
+
  instance = r.updateEnforcerObject(instance)
  r.Client.Update(context.Background(), instance)
 
- reqLogger.Info(fmt.Sprintf("After update object: %v", instance.Spec.EnforcerService))
  rbacHelper := common.NewAquaRbacHelper(
  instance.Spec.Infrastructure,
  instance.Name,
@@ -113,18 +109,15 @@ func (r *AquaEnforcerReconciler) Reconcile(ctx context.Context, req ctrl.Request
  !reflect.DeepEqual(operatorv1alpha1.AquaEnforcerUpdatePendingApproval, currentStatus) &&
  !reflect.DeepEqual(operatorv1alpha1.AquaEnforcerUpdateInProgress, currentStatus) {
  instance.Status.State = operatorv1alpha1.AquaDeploymentStatePending
- reqLogger.Info(fmt.Sprintf("before update state: instance.Spec.EnforcerService: %v", instance.Spec.EnforcerService))
  _ = r.Client.Status().Update(context.Background(), instance)
  }
- reqLogger.Info(fmt.Sprintf("later: instance.Spec.EnforcerService: %v", instance.Spec.EnforcerService))
 
  if instance.Spec.EnforcerService != nil {
  if len(instance.Spec.Token) != 0 {
  instance.Spec.Secret = &operatorv1alpha1.AquaSecret{
  Name: fmt.Sprintf(consts.EnforcerTokenSecretName, instance.Name),
  Key: consts.EnforcerTokenSecretKey,
  }
- reqLogger.Info(fmt.Sprintf("InstallEnforcerToken: %v", instance))
 
  _, err = r.InstallEnforcerToken(instance)
  if err != nil {
@@ -153,7 +146,7 @@ func (r *AquaEnforcerReconciler) Reconcile(ctx context.Context, req ctrl.Request
  }
  }
 
- return ctrl.Result{Requeue: true}, nil
+ return ctrl.Result{}, nil
 }
 
 // SetupWithManager sets up the controller with the Manager.
@@ -175,12 +168,11 @@ func (r *AquaEnforcerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 */
 
 func (r *AquaEnforcerReconciler) updateEnforcerObject(cr *operatorv1alpha1.AquaEnforcer) *operatorv1alpha1.AquaEnforcer {
- reqLogger := log.WithValues("Aqua Enforcer updateEnforcerObject Phase", "updateEnforcerObject")
  version := cr.Spec.Infrastructure.Version
  if len(version) == 0 {
  version = consts.LatestVersion
  }
- reqLogger.Info(fmt.Sprintf("before: cr.Spec.EnforcerService: %v", cr.Spec.EnforcerService))
+
  if cr.Spec.EnforcerService == nil {
  cr.Spec.EnforcerService = &operatorv1alpha1.AquaService{
  ImageData: &operatorv1alpha1.AquaImage{
@@ -190,7 +182,6 @@ func (r *AquaEnforcerReconciler) updateEnforcerObject(cr *operatorv1alpha1.AquaE
  PullPolicy: consts.PullPolicy,
  },
  }
- reqLogger.Info(fmt.Sprintf("after: cr.Spec.EnforcerService: %v", cr.Spec.EnforcerService))
  }
 
  cr.Spec.Infrastructure = common.UpdateAquaInfrastructure(cr.Spec.Infrastructure, cr.Name, cr.Namespace)
@@ -285,7 +276,7 @@ func (r *AquaEnforcerReconciler) InstallEnforcerDaemonSet(cr *operatorv1alpha1.A
 
  // DaemonSet already exists - don't requeue
  reqLogger.Info("Skip reconcile: Aqua Enforcer DaemonSet Already Exists", "DaemonSet.Namespace", found.Namespace, "DaemonSet.Name", found.Name)
- return reconcile.Result{Requeue: true}, nil
+ return reconcile.Result{}, nil
 }
 
 func (r *AquaEnforcerReconciler) InstallEnforcerToken(cr *operatorv1alpha1.AquaEnforcer) (reconcile.Result, error) {
@@ -295,17 +286,23 @@ func (r *AquaEnforcerReconciler) InstallEnforcerToken(cr *operatorv1alpha1.AquaE
  // Define a new DaemonSet object
  enforcerHelper := newAquaEnforcerHelper(cr)
  token := enforcerHelper.CreateTokenSecret(cr)
+ // Adding token to the hashed data, for restart pods if token is changed
+ hash, err := extra.GenerateMD5ForSpec(token.Data)
+ if err != nil {
+ return reconcile.Result{}, err
+ }
+ cr.Spec.ConfigMapChecksum += hash
 
  // Set AquaEnforcer instance as the owner and controller
  if err := controllerutil.SetControllerReference(cr, token, r.Scheme); err != nil {
  return reconcile.Result{}, err
  }
 
- // Check if this DaemonSet already exists
+ // Check if this Secret already exists
  found := &corev1.Secret{}
- err := r.Client.Get(context.TODO(), types.NamespacedName{Name: token.Name, Namespace: token.Namespace}, found)
+ err = r.Client.Get(context.TODO(), types.NamespacedName{Name: token.Name, Namespace: token.Namespace}, found)
  if err != nil && errors.IsNotFound(err) {
- reqLogger.Info("Creating a New Aqua Database", "Secret.Namespace", token.Namespace, "Secret.Name", token.Name)
+ reqLogger.Info("Creating a New Enforcer Token Secret", "Secret.Namespace", token.Namespace, "Secret.Name", token.Name)
  err = r.Client.Create(context.TODO(), token)
  if err != nil {
  return reconcile.Result{}, err
@@ -316,9 +313,21 @@ func (r *AquaEnforcerReconciler) InstallEnforcerToken(cr *operatorv1alpha1.AquaE
  return reconcile.Result{}, err
  }
 
+ if !equality.Semantic.DeepDerivative(token.Data, found.Data) {
+ found = token
+ log.Info("Aqua Enforcer: Updating Enforcer Token Secret", "Secret.Namespace", found.Namespace, "Secret.Name", found.Name)
+ err := r.Client.Update(context.TODO(), found)
+ if err != nil {
+ log.Error(err, "Failed to update Enforcer Token Secret", "Secret.Namespace", found.Namespace, "Secret.Name", found.Name)
+ return reconcile.Result{}, err
+ }
+
+ return reconcile.Result{Requeue: true}, nil
+ }
+
  // Secret already exists - don't requeue
  reqLogger.Info("Skip reconcile: Aqua Enforcer Token Secret Already Exists", "Secret.Namespace", found.Namespace, "Secret.Name", found.Name)
- return reconcile.Result{Requeue: true}, nil
+ return reconcile.Result{}, nil
 }
 
 func (r *AquaEnforcerReconciler) addEnforcerConfigMap(cr *operatorv1alpha1.AquaEnforcer) (reconcile.Result, error) {
@@ -330,11 +339,12 @@ func (r *AquaEnforcerReconciler) addEnforcerConfigMap(cr *operatorv1alpha1.AquaE
  enforcerHelper := newAquaEnforcerHelper(cr)
 
  configMap := enforcerHelper.CreateConfigMap(cr)
+ // Adding configmap to the hashed data, for restart pods if token is changed
  hash, err := extra.GenerateMD5ForSpec(configMap.Data)
  if err != nil {
  return reconcile.Result{}, err
  }
- cr.Spec.ConfigMapChecksum = hash
+ cr.Spec.ConfigMapChecksum += hash
 
  // Set AquaScanner instance as the owner and controller
  if err := controllerutil.SetControllerReference(cr, configMap, r.Scheme); err != nil {

controllers/operator/aquagateway/aquagateway_controller.go

@@ -144,7 +144,7 @@ func (r *AquaGatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request)
  }
  }
 
- return ctrl.Result{Requeue: true}, nil
+ return ctrl.Result{}, nil
 }
 
 // SetupWithManager sets up the controller with the Manager.
@@ -265,7 +265,7 @@ func (r *AquaGatewayReconciler) InstallGatewayDeployment(cr *operatorv1alpha1.Aq
 
  // Deployment already exists - don't requeue
  reqLogger.Info("Skip reconcile: Aqua Gateway Deployment Already Exists", "Deployment.Namespace", found.Namespace, "Deployment.Name", found.Name)
- return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(0)}, nil
+ return reconcile.Result{}, nil
 }
 
 func (r *AquaGatewayReconciler) InstallGatewayService(cr *operatorv1alpha1.AquaGateway) (reconcile.Result, error) {

controllers/operator/aquakubeenforcer/aquaKubeEnforcerHelper.go

@@ -644,6 +644,9 @@ func (enf *AquaKubeEnforcerHelper) CreateKEDeployment(cr *operatorv1alpha1.AquaK
  Template: corev1.PodTemplateSpec{
  ObjectMeta: metav1.ObjectMeta{
  Labels: selectors,
+ Annotations: map[string]string{
+ "ConfigMapChecksum": cr.Spec.ConfigMapChecksum,
+ },
  },
  Spec: corev1.PodSpec{
  SecurityContext: &corev1.PodSecurityContext{

controllers/operator/aquakubeenforcer/aquakubeenforcer_controller.go

@@ -250,7 +250,7 @@ func (r *AquaKubeEnforcerReconciler) Reconcile(ctx context.Context, req ctrl.Req
  r.installAquaStarboard(instance)
  }
 
- return ctrl.Result{Requeue: true}, nil
+ return ctrl.Result{}, nil
 }
 
 // SetupWithManager sets up the controller with the Manager.
@@ -505,7 +505,7 @@ func (r *AquaKubeEnforcerReconciler) addKEDeployment(cr *operatorv1alpha1.AquaKu
 
  // object already exists - don't requeue
  reqLogger.Info("Skip reconcile: Aqua KubeEnforcer Deployment Exists", "Deployment.Namespace", found.Namespace, "Deployment.Name", found.Name)
- return reconcile.Result{Requeue: true}, nil
+ return reconcile.Result{}, nil
 }
 
 func (r *AquaKubeEnforcerReconciler) addKubeEnforcerClusterRole(cr *operatorv1alpha1.AquaKubeEnforcer) (reconcile.Result, error) {
@@ -855,11 +855,12 @@ func (r *AquaKubeEnforcerReconciler) addKEConfigMap(cr *operatorv1alpha1.AquaKub
  cr.Spec.Config.GatewayAddress,
  cr.Spec.Config.ClusterName,
  deployStarboard)
+ // Adding configmap to the hashed data, for restart pods if token is changed
  hash, err := extra.GenerateMD5ForSpec(configMap.Data)
  if err != nil {
  return reconcile.Result{}, err
  }
- cr.Spec.ConfigMapChecksum = hash
+ cr.Spec.ConfigMapChecksum += hash
 
  // Set AquaKubeEnforcer instance as the owner and controller
  if err := controllerutil.SetControllerReference(cr, configMap, r.Scheme); err != nil {
@@ -909,6 +910,12 @@ func (r *AquaKubeEnforcerReconciler) addKESecretToken(cr *operatorv1alpha1.AquaK
  "aqua-kube-enforcer-token",
  "ke-token-secret",
  cr.Spec.Token)
+ // Adding secret to the hashed data, for restart pods if token is changed
+ hash, err := extra.GenerateMD5ForSpec(tokenSecret.Data)
+ if err != nil {
+ return reconcile.Result{}, err
+ }
+ cr.Spec.ConfigMapChecksum += hash
 
  // Set AquaKubeEnforcer instance as the owner and controller
  if err := controllerutil.SetControllerReference(cr, tokenSecret, r.Scheme); err != nil {
@@ -917,7 +924,7 @@ func (r *AquaKubeEnforcerReconciler) addKESecretToken(cr *operatorv1alpha1.AquaK
 
  // Check if this object already exists
  found := &corev1.Secret{}
- err := r.Client.Get(context.TODO(), types.NamespacedName{Name: tokenSecret.Name, Namespace: tokenSecret.Namespace}, found)
+ err = r.Client.Get(context.TODO(), types.NamespacedName{Name: tokenSecret.Name, Namespace: tokenSecret.Namespace}, found)
  if err != nil && errors.IsNotFound(err) {
  reqLogger.Info("Aqua KubeEnforcer: Creating a New token secret", "Secret.Namespace", tokenSecret.Namespace, "Secret.Name", tokenSecret.Name)
  err = r.Client.Create(context.TODO(), tokenSecret)
@@ -930,6 +937,18 @@ func (r *AquaKubeEnforcerReconciler) addKESecretToken(cr *operatorv1alpha1.AquaK
  return reconcile.Result{}, err
  }
 
+ if !equality.Semantic.DeepDerivative(tokenSecret.Data, found.Data) {
+ found = tokenSecret
+ log.Info("Aqua Enforcer: Updating KubeEnforcer Token Secret", "Secret.Namespace", found.Namespace, "Secret.Name", found.Name)
+ err := r.Client.Update(context.TODO(), found)
+ if err != nil {
+ log.Error(err, "Failed to update KubeEnforcer Token Secret", "Secret.Namespace", found.Namespace, "Secret.Name", found.Name)
+ return reconcile.Result{}, err
+ }
+
+ return reconcile.Result{Requeue: true}, nil
+ }
+
  // object already exists - don't requeue
  reqLogger.Info("Skip reconcile: Aqua KubeEnforcer Token Secret Exists", "Secret.Namespace", found.Namespace, "Secret.Name", found.Name)
  return reconcile.Result{Requeue: true}, nil

controllers/operator/aquascanner/aquaScannerHelper.go

@@ -152,6 +152,9 @@ func (as *AquaScannerHelper) newDeployment(cr *v1alpha1.AquaScanner) *appsv1.Dep
  ObjectMeta: metav1.ObjectMeta{
  Labels: labels,
  Name: fmt.Sprintf(consts.ScannerDeployName, cr.Name),
+ Annotations: map[string]string{
+ "ConfigMapChecksum": cr.Spec.ConfigMapChecksum,
+ },
  },
  Spec: corev1.PodSpec{
  ServiceAccountName: cr.Spec.Infrastructure.ServiceAccount,