Added cleanup of obsolete access packages

ewoutp · ewoutp · commit 665d98485423 · 2018-05-31T13:50:22.000+02:00
diff --git a/docs/Manual/Deployment/Kubernetes/DeploymentResource.md b/docs/Manual/Deployment/Kubernetes/DeploymentResource.md
@@ -248,6 +248,8 @@ operator containing "access packages". An access package contains those `Secrets
 to access the SyncMasters of this `ArangoDeployment`.
 
 By removing a name from this setting, the corresponding `Secret` is also deleted.
+Note that to remove all access packages, leave an empty array in place (`[]`).
+Completely removing the setting results in not modifying the list.
 
 See [the `ArangoDeploymentReplication` specification](./DeploymentReplicationResource.md) for more information
 on access packages.
diff --git a/pkg/deployment/access_package.go b/pkg/deployment/access_package.go
@@ -36,26 +36,60 @@ import (
 )
 
 const (
-	clientAuthValidFor = time.Hour * 24 * 365 // 1yr
-	clientAuthCurve    = "P256"
+	clientAuthValidFor         = time.Hour * 24 * 365 // 1yr
+	clientAuthCurve            = "P256"
+	labelKeyOriginalDeployment = "original-deployment-name"
 )
 
 // createAccessPackages creates a arangosync access packages specified
 // in spec.sync.externalAccess.accessPackageSecretNames.
 func (d *Deployment) createAccessPackages() error {
+	log := d.deps.Log
 	spec := d.apiObject.Spec
+	secrets := d.deps.KubeCli.CoreV1().Secrets(d.GetNamespace())
 
 	if !spec.Sync.IsEnabled() {
 		// We're only relevant when sync is enabled
 		return nil
 	}
 
+	// Create all access packages that we're asked to build
+	apNameMap := make(map[string]struct{})
 	for _, apSecretName := range spec.Sync.ExternalAccess.AccessPackageSecretNames {
+		apNameMap[apSecretName] = struct{}{}
 		if err := d.ensureAccessPackage(apSecretName); err != nil {
 			return maskAny(err)
 		}
 	}
 
+	// Remove all access packages that we did build, but are no longer needed
+	secretList, err := secrets.List(metav1.ListOptions{})
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to list secrets")
+		return maskAny(err)
+	}
+	for _, secret := range secretList.Items {
+		if d.isOwnerOf(&secret) {
+			if _, found := secret.Data[constants.SecretAccessPackageYaml]; found {
+				// Secret is an access package
+				if _, wanted := apNameMap[secret.GetName()]; !wanted {
+					// We found an obsolete access package secret. Remove it.
+					if err := secrets.Delete(secret.GetName(), &metav1.DeleteOptions{
+						Preconditions: &metav1.Preconditions{UID: &secret.UID},
+					}); err != nil && !k8sutil.IsNotFound(err) {
+						// Not serious enough to stop everything now, just log and create an event
+						log.Warn().Err(err).Msg("Failed to remove obsolete access package secret")
+						d.CreateEvent(k8sutil.NewErrorEvent("Access Package cleanup failed", err, d.apiObject))
+					} else {
+						// Access package removed, notify user
+						log.Info().Str("secret-name", secret.GetName()).Msg("Removed access package Secret")
+						d.CreateEvent(k8sutil.NewAccessPackageDeletedEvent(d.apiObject, secret.GetName()))
+					}
+				}
+			}
+		}
+	}
+
 	return nil
 }
 
@@ -117,7 +151,7 @@ func (d *Deployment) ensureAccessPackage(apSecretName string) error {
 		ObjectMeta: metav1.ObjectMeta{
 			Name: apSecretName + "-auth",
 			Labels: map[string]string{
-				"remote-deployment": d.apiObject.GetName(),
+				labelKeyOriginalDeployment: d.apiObject.GetName(),
 			},
 		},
 		Data: map[string][]byte{
@@ -133,7 +167,7 @@ func (d *Deployment) ensureAccessPackage(apSecretName string) error {
 		ObjectMeta: metav1.ObjectMeta{
 			Name: apSecretName + "-ca",
 			Labels: map[string]string{
-				"remote-deployment": d.apiObject.GetName(),
+				labelKeyOriginalDeployment: d.apiObject.GetName(),
 			},
 		},
 		Data: map[string][]byte{
diff --git a/pkg/util/k8sutil/events.go b/pkg/util/k8sutil/events.go
@@ -135,6 +135,16 @@ func NewAccessPackageCreatedEvent(apiObject APIObject, apSecretName string) *v1.
 	return event
 }
 
+// NewAccessPackageDeletedEvent creates an event indicating that a secret containing an access package
+// has been deleted.
+func NewAccessPackageDeletedEvent(apiObject APIObject, apSecretName string) *v1.Event {
+	event := newDeploymentEvent(apiObject)
+	event.Type = v1.EventTypeNormal
+	event.Reason = "Access package deleted"
+	event.Message = fmt.Sprintf("An access package named %s has been deleted", apSecretName)
+	return event
+}
+
 // NewErrorEvent creates an even of type error.
 func NewErrorEvent(reason string, err error, apiObject APIObject) *v1.Event {
 	event := newDeploymentEvent(apiObject)
