remove irrelevant fields for Secret of type `kubernetes.io/service-ac…

…count-token`

Signed-off-by: Amir Alavi <[email protected]>

pkg/resourceinterpreter/default/native/prune/prune.go

@@ -29,10 +29,11 @@ import (
 )
 
 // pruneIrrelevantField is the function that prune irrelevant fields from Work Object.
-type irrelevantFieldPruneFunc func(workload *unstructured.Unstructured) error
+type irrelevantFieldPruneFunc func(*unstructured.Unstructured) error
 
 var kindIrrelevantFieldPruners = map[string]irrelevantFieldPruneFunc{
 	util.JobKind:            removeJobIrrelevantField,
+	util.SecretKind:         removeSecretIrrelevantField,
 	util.ServiceAccountKind: removeServiceAccountIrrelevantField,
 	util.ServiceKind:        removeServiceIrrelevantField,
 }
@@ -180,3 +181,12 @@ func removeServiceIrrelevantField(workload *unstructured.Unstructured) error {
 	}
 	return nil
 }
+
+// removeSecretIrrelevantField removes the data and service-account uid annotation from service-account token secrets managed by member-cluster controller-manager
+func removeSecretIrrelevantField(workload *unstructured.Unstructured) error {
+	if secretType, exists, _ := unstructured.NestedString(workload.Object, "type"); exists && secretType == string(corev1.SecretTypeServiceAccountToken) {
+		unstructured.RemoveNestedField(workload.Object, "metadata", "annotations", corev1.ServiceAccountUIDKey)
+		_ = unstructured.SetNestedField(workload.Object, nil, "data")
+	}
+	return nil
+}

pkg/resourceinterpreter/default/native/prune/prune_test.go

@@ -21,6 +21,7 @@ import (
 	"strings"
 	"testing"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	"github.com/karmada-io/karmada/pkg/util"
@@ -181,6 +182,46 @@ func TestRemoveIrrelevantField(t *testing.T) {
 				return false
 			},
 		},
+		{
+			name: "remove service-account token secret irrelevant fields",
+			workload: &unstructured.Unstructured{
+				Object: map[string]interface{}{
+					"kind": util.SecretKind,
+					"metadata": map[string]interface{}{
+						corev1.ServiceAccountUIDKey: "123",
+					},
+					"type": string(corev1.SecretTypeServiceAccountToken),
+					"data": map[string]interface{}{
+						corev1.ServiceAccountTokenKey: "abc",
+					},
+				},
+			},
+			unexpectedFields: []field{
+				{"metadata", "annotations", corev1.ServiceAccountUIDKey},
+				{"data", corev1.ServiceAccountTokenKey},
+			},
+		},
+		{
+			name: "retains secret basic-auth fields",
+			workload: &unstructured.Unstructured{
+				Object: map[string]interface{}{
+					"kind": util.SecretKind,
+					"metadata": map[string]interface{}{
+						"foo": "bar",
+					},
+					"type": string(corev1.SecretTypeBasicAuth),
+					"data": map[string]interface{}{
+						corev1.BasicAuthUsernameKey: "foo",
+						corev1.BasicAuthPasswordKey: "bar",
+					},
+				},
+			},
+			shouldNotRemoveFields: []field{
+				{"metadata", "foo"},
+				{"data", corev1.BasicAuthUsernameKey},
+				{"data", corev1.BasicAuthPasswordKey},
+			},
+		},
 	}
 
 	for _, tt := range tests {

pkg/resourceinterpreter/default/native/retain.go

@@ -164,7 +164,7 @@ func retainWorkloadReplicas(desired, observed *unstructured.Unstructured) (*unst
 }
 
 func retainSecretServiceAccountToken(desired *unstructured.Unstructured, observed *unstructured.Unstructured) (retained *unstructured.Unstructured, err error) {
-	if desired.Object["type"] == string(corev1.SecretTypeServiceAccountToken) {
+	if secretType, exists, _ := unstructured.NestedString(desired.Object, "type"); exists && secretType == string(corev1.SecretTypeServiceAccountToken) {
 		// retain service-account.uid which is a unique per cluster
 		serviceAccountUIDPath := []string{"metadata", "annotations", corev1.ServiceAccountUIDKey}
 		uid, _, err := unstructured.NestedString(observed.Object, serviceAccountUIDPath...)