Beefing up SecretScope

api/v1alpha1/dbfsblock_types_test.go

@@ -54,7 +54,7 @@ var _ = Describe("DbfsBlock", func() {
 		It("should create an object successfully", func() {
 
 			key = types.NamespacedName{
-				Name:      "foo"+ RandomString(5),
+				Name:      "foo" + RandomString(5),
 				Namespace: "default",
 			}
 			created = &DbfsBlock{

api/v1alpha1/secretscope_types.go

@@ -37,7 +37,8 @@ type SecretScopeSpec struct {
 type SecretScopeStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
-	SecretScope *dbmodels.SecretScope `json:"secretscope,omitempty"`
+	SecretScope              *dbmodels.SecretScope `json:"secretscope,omitempty"`
+	SecretInClusterAvailable bool                  `json:"secretinclusteravailable,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -51,6 +52,11 @@ type SecretScope struct {
 	Status SecretScopeStatus `json:"status,omitempty"`
 }
 
+// IsSecretAvailable returns true if secret in cluster is available
+func (ss *SecretScope) IsSecretAvailable() bool {
+	return ss.Status.SecretInClusterAvailable
+}
+
 // IsSubmitted returns true if the item has been submitted to DataBricks
 func (ss *SecretScope) IsSubmitted() bool {
 	return ss.Status.SecretScope != nil

config/crd/bases/databricks.microsoft.com_secretscopes.yaml

@@ -72,6 +72,8 @@ spec:
         status:
           description: SecretScopeStatus defines the observed state of SecretScope
           properties:
+            secretinclusteravailable:
+              type: boolean
             secretscope:
               description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
                 of cluster Important: Run "make" to regenerate code after modifying

controllers/secretscope_controller.go

@@ -47,7 +47,6 @@ type SecretScopeReconciler struct {
 
 // Reconcile implements the reconciliation loop for the operator
 func (r *SecretScopeReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
-	_ = context.Background()
 	_ = r.Log.WithValues("secretscope", req.NamespacedName)
 
 	// your logic here
@@ -84,16 +83,31 @@ func (r *SecretScopeReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)
 		return ctrl.Result{}, nil
 	}
 
+	if !instance.IsSecretAvailable() {
+		if err = r.checkSecrets(instance); err != nil {
+			r.Recorder.Event(instance, corev1.EventTypeWarning, "Failed", err.Error())
+			return ctrl.Result{RequeueAfter: 30 * time.Second}, fmt.Errorf("error when submitting secret scope to the API: %v", err)
+		}
+		r.Recorder.Event(instance, corev1.EventTypeNormal, "Passed", "Secrets are available")
+		return ctrl.Result{}, nil
+	}
+
 	if !instance.IsSubmitted() {
-		err = r.submit(instance)
+		var requeue bool
+		requeue, err = r.submit(instance)
 		if err != nil {
-			r.Recorder.Event(instance, corev1.EventTypeWarning, "Submitting object", fmt.Sprintf("Failed to submit object: %s", err))
-			return ctrl.Result{}, fmt.Errorf("error when submitting secret scope to the API: %v", err)
+			r.Recorder.Event(instance, corev1.EventTypeWarning, "Failed", fmt.Sprintf("Failed to submit object: %s", err))
+			if requeue {
+				return ctrl.Result{RequeueAfter: 30 * time.Second}, fmt.Errorf("error when submitting secret scope to the API: %v", err)
+			}
+			return ctrl.Result{}, nil
 		}
 		r.Recorder.Event(instance, corev1.EventTypeNormal, "Submitted", "Object is submitted")
+		return ctrl.Result{}, nil
 	}
 
-	return ctrl.Result{RequeueAfter: 30 * time.Second}, nil
+	r.Recorder.Event(instance, corev1.EventTypeNormal, "Completed", "Object has completed")
+	return ctrl.Result{}, nil
 }
 
 // SetupWithManager adds the controller manager

controllers/secretscope_controller_databricks.go

@@ -44,6 +44,7 @@ func (r *SecretScopeReconciler) get(scope string) (*dbmodels.SecretScope, error)
 	if (dbmodels.SecretScope{}) == matchingScope {
 		return nil, fmt.Errorf("get for secret scope failed. scope not found: %s", scope)
 	}
+
 	return &matchingScope, nil
 }
 
@@ -109,6 +110,7 @@ func (r *SecretScopeReconciler) getSecretValueFrom(namespace string, scopeSecret
 		value := string(secret.Data[scopeSecret.ValueFrom.SecretKeyRef.Key])
 		return value, nil
 	}
+
 	return "", fmt.Errorf("No ValueFrom present to extract secret")
 }
 
@@ -150,32 +152,53 @@ func (r *SecretScopeReconciler) submitACLs(instance *databricksv1alpha1.SecretSc
 	return nil
 }
 
-func (r *SecretScopeReconciler) submit(instance *databricksv1alpha1.SecretScope) error {
+// checkSecrets checks if referenced secret is present in k8s or not.
+func (r *SecretScopeReconciler) checkSecrets(instance *databricksv1alpha1.SecretScope) error {
+	namespace := instance.Namespace
+
+	// if secret in cluster is reference, see if secret exists.
+	for _, secret := range instance.Spec.SecretScopeSecrets {
+		if secret.ValueFrom != nil {
+			if _, err := r.getSecretValueFrom(namespace, secret); err != nil {
+				return err
+			}
+		}
+	}
+
+	instance.Status.SecretInClusterAvailable = true
+	return r.Update(context.Background(), instance)
+}
+
+func (r *SecretScopeReconciler) submit(instance *databricksv1alpha1.SecretScope) (requeue bool, err error) {
 	scope := instance.ObjectMeta.Name
 	initialManagePrincipal := instance.Spec.InitialManagePrincipal
 
-	err := r.APIClient.Secrets().CreateSecretScope(scope, initialManagePrincipal)
+	err = r.APIClient.Secrets().CreateSecretScope(scope, initialManagePrincipal)
 	if err != nil {
-		return err
+		return
 	}
 
 	err = r.submitSecrets(instance)
 	if err != nil {
-		return err
+		requeue = true
+		return
 	}
 
-	err = r.submitACLs(instance)
-	if err != nil {
-		return err
+	if instance.Spec.SecretScopeACLs != nil {
+		err = r.submitACLs(instance)
+		if err != nil {
+			return
+		}
 	}
 
 	remoteScope, err := r.get(scope)
 	if err != nil {
-		return err
+		requeue = true
+		return
 	}
 
 	instance.Status.SecretScope = remoteScope
-	return r.Update(context.Background(), instance)
+	return true, r.Update(context.Background(), instance)
 }
 
 func (r *SecretScopeReconciler) delete(instance *databricksv1alpha1.SecretScope) error {