From 79c59a7618e27c391abec0d8a1254e914fc1e935 Mon Sep 17 00:00:00 2001
From: Umanga Chapagain <uchapaga@redhat.com>
Date: Wed, 3 Jul 2024 15:12:34 +0530
Subject: [PATCH] reconcile exchanged secrets

Signed-off-by: Umanga Chapagain <uchapaga@redhat.com>
---
 addons/blue_secret_controller.go  | 30 ++++++++++++++++++++
 addons/green_secret_controller.go | 38 ++++++++++++++++++++++++-
 addons/manager.go                 |  2 ++
 addons/s3_controller.go           | 47 ++++++++++++++++++++++++++++++-
 4 files changed, 115 insertions(+), 2 deletions(-)

diff --git a/addons/blue_secret_controller.go b/addons/blue_secret_controller.go
index 383543f5..f88daa3f 100644
--- a/addons/blue_secret_controller.go
+++ b/addons/blue_secret_controller.go
@@ -4,12 +4,15 @@ import (
 	"context"
 	"log/slog"
 
+	"github.com/red-hat-storage/odf-multicluster-orchestrator/controllers/utils"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/cluster"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -19,6 +22,7 @@ import (
 // BlueSecretReconciler reconciles a MirrorPeer object
 type BlueSecretReconciler struct {
 	Scheme           *runtime.Scheme
+	HubCluster       cluster.Cluster
 	HubClient        client.Client
 	SpokeClient      client.Client
 	SpokeClusterName string
@@ -46,12 +50,38 @@ func (r *BlueSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		},
 	}
 
+	isBlueSecretOnHub := func(obj client.Object) bool {
+		if s, ok := obj.(*corev1.Secret); ok {
+			if s.Labels[utils.SecretLabelTypeKey] == string(utils.SourceLabel) {
+				return true
+			}
+		}
+		return false
+	}
+
+	blueSecretHubPredicate := predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			return false
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			return isBlueSecretOnHub(e.Object)
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			return isBlueSecretOnHub(e.ObjectNew) || isBlueSecretOnHub(e.ObjectOld)
+		},
+		GenericFunc: func(_ event.GenericEvent) bool {
+			return false
+		},
+	}
+
 	r.Logger.Info("Setting up controller with manager")
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named("bluesecret_controller").
 		Watches(&corev1.Secret{}, &handler.EnqueueRequestForObject{},
 			builder.WithPredicates(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}, blueSecretPredicate)).
+		WatchesRawSource(source.Kind(r.HubCluster.GetCache(), &corev1.Secret{}), &handler.EnqueueRequestForObject{},
+			builder.WithPredicates(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}, blueSecretHubPredicate)).
 		Complete(r)
 }
 
diff --git a/addons/green_secret_controller.go b/addons/green_secret_controller.go
index 9bd3dc7e..13a1cd9e 100644
--- a/addons/green_secret_controller.go
+++ b/addons/green_secret_controller.go
@@ -5,11 +5,13 @@ import (
 	"fmt"
 	"log/slog"
 
+	"github.com/red-hat-storage/odf-multicluster-orchestrator/addons/setup"
 	"github.com/red-hat-storage/odf-multicluster-orchestrator/controllers/utils"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -17,6 +19,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
@@ -55,12 +58,45 @@ func (r *GreenSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		},
 	}
 
+	greebSecretSpokePredicate := predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			return false
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			return true
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			return true
+		},
+		GenericFunc: func(_ event.GenericEvent) bool {
+			return false
+		},
+	}
+
+	mapSecretToGreenSecret := func(ctx context.Context, obj client.Object) []reconcile.Request {
+		if s, ok := obj.(*corev1.Secret); ok {
+			if s.Labels[utils.CreatedByLabelKey] == setup.TokenExchangeName {
+				return []reconcile.Request{
+					{
+						NamespacedName: types.NamespacedName{
+							Namespace: r.SpokeClusterName,
+							Name:      s.Name,
+						},
+					},
+				}
+			}
+		}
+		return []reconcile.Request{}
+	}
+
 	r.Logger.Info("Setting up controller with manager")
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named("greensecret_controller").
+		Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(mapSecretToGreenSecret),
+			builder.WithPredicates(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}, greebSecretSpokePredicate)).
 		WatchesRawSource(source.Kind(r.HubCluster.GetCache(), &corev1.Secret{}), &handler.EnqueueRequestForObject{},
-			builder.WithPredicates(predicate.GenerationChangedPredicate{}, greenSecretPredicate)).
+			builder.WithPredicates(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}, greenSecretPredicate)).
 		Complete(r)
 }
 
diff --git a/addons/manager.go b/addons/manager.go
index 88823dcb..20aa8666 100644
--- a/addons/manager.go
+++ b/addons/manager.go
@@ -216,6 +216,7 @@ func (o *AddonAgentOptions) RunAgent(ctx context.Context) {
 
 	if err = (&BlueSecretReconciler{
 		Scheme:           mgr.GetScheme(),
+		HubCluster:       hubCluster,
 		HubClient:        hubCluster.GetClient(),
 		SpokeClient:      mgr.GetClient(),
 		SpokeClusterName: o.SpokeClusterName,
@@ -227,6 +228,7 @@ func (o *AddonAgentOptions) RunAgent(ctx context.Context) {
 
 	if err = (&S3SecretReconciler{
 		Scheme:           mgr.GetScheme(),
+		HubCluster:       hubCluster,
 		HubClient:        hubCluster.GetClient(),
 		SpokeClient:      mgr.GetClient(),
 		SpokeClusterName: o.SpokeClusterName,
diff --git a/addons/s3_controller.go b/addons/s3_controller.go
index e833ced8..567850cf 100644
--- a/addons/s3_controller.go
+++ b/addons/s3_controller.go
@@ -2,6 +2,7 @@ package addons
 
 import (
 	"context"
+	"encoding/json"
 	"log/slog"
 	"os"
 	"strings"
@@ -10,19 +11,25 @@ import (
 	obv1alpha1 "github.com/kube-object-storage/lib-bucket-provisioner/pkg/apis/objectbucket.io/v1alpha1"
 	"github.com/red-hat-storage/odf-multicluster-orchestrator/controllers/utils"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/cluster"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
 // S3SecretReconciler reconciles a MirrorPeer object
 type S3SecretReconciler struct {
 	Scheme           *runtime.Scheme
+	HubCluster       cluster.Cluster
 	HubClient        client.Client
 	SpokeClient      client.Client
 	SpokeClusterName string
@@ -57,12 +64,50 @@ func (r *S3SecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		},
 	}
 
+	s3SecretHubPredicate := predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			return false
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			return true
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			return true
+		},
+		GenericFunc: func(_ event.GenericEvent) bool {
+			return false
+		},
+	}
+
+	mapSecretToOBC := func(ctx context.Context, obj client.Object) []reconcile.Request {
+		if s, ok := obj.(*corev1.Secret); ok {
+			if s.Labels[utils.SecretLabelTypeKey] == string(utils.InternalLabel) {
+				data := make(map[string][]byte)
+				if err := json.Unmarshal(s.Data[utils.SecretDataKey], &data); err != nil {
+					r.Logger.Error("Failed to map S3 secret on hub to OBC in spoke cluster. Not requeueing request", "secret", s.Name, "error", err)
+					return []reconcile.Request{}
+				}
+				return []reconcile.Request{
+					{
+						NamespacedName: types.NamespacedName{
+							Namespace: string(s.Data[utils.NamespaceKey]),
+							Name:      string(data[utils.S3BucketName]),
+						},
+					},
+				}
+			}
+		}
+		return []reconcile.Request{}
+	}
+
 	r.Logger.Info("Setting up controller with manager")
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named("s3secret_controller").
 		Watches(&obv1alpha1.ObjectBucketClaim{}, &handler.EnqueueRequestForObject{},
-			builder.WithPredicates(predicate.GenerationChangedPredicate{}, s3BucketPredicate)).
+			builder.WithPredicates(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}, s3BucketPredicate)).
+		WatchesRawSource(source.Kind(r.HubCluster.GetCache(), &corev1.Secret{}), handler.EnqueueRequestsFromMapFunc(mapSecretToOBC),
+			builder.WithPredicates(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}, s3SecretHubPredicate)).
 		Complete(r)
 }