bugfix and improve generate_secrets script

410236a7 · Maarten de Waard · 5fa100e7 · 410236a7
Verified Commit 410236a7 authored 3 years ago by Maarten de Waard
--- a/install/generate_secrets.py
+++ b/install/generate_secrets.py
@@ -59,16 +59,27 @@ def create_variables_secret(app_name, env):
            new_secret_dict = yaml.safe_load(env.from_string(lines).render())
            current_secret_data = get_kubernetes_secret_data(secret_name,
                    secret_namespace)
-            if current_secret_data is not None:
+            if current_secret_data is None:
+                # Create new secret
+                update_secret = False
+            elif current_secret_data.keys() != new_secret_dict['data'].keys():
+                # Update current secret with new keys
+                update_secret = True
                print(f"Secret {secret_name} in namespace {secret_namespace}"
                      " already exists. Merging...")
                # Merge dicts. Values from current_secret_data take precedence
                new_secret_dict['data'] |= current_secret_data
+            else:
+                # Do Nothing
+                print(f"Secret {secret_name} in namespace {secret_namespace}"
+                      " is already in a good state, doing nothing.")
+                return
            print(f"Storing secret {secret_name} in namespace"
                  f" {secret_namespace} in cluster.")
-            store_kubernetes_secret(new_secret_dict, secret_namespace)
+            store_kubernetes_secret(new_secret_dict, secret_namespace,
+                                    update=update_secret)
    else:
-        print(f'File {variables_filename} does not exist.')
+        print(f'File {variables_filename} does not exist, no action needed')


 def create_basic_auth_secret(app_name, env):
@@ -100,7 +111,7 @@ def create_basic_auth_secret(app_name, env):
                print(f"Secret {secret_name} in namespace {secret_namespace}"
                      " already exists. Not generating new secrets.")
    else:
-        print(f'File {basic_auth_filename} does not exist.')
+        print(f'File {basic_auth_filename} does not exist, no action needed')

 def get_secret_metadata(yaml_string):
    """Returns secret name and namespace from metadata field in a yaml string"""
@@ -126,14 +137,28 @@ def get_kubernetes_secret_data(secret_name, namespace):
        return None
    return secret

-def store_kubernetes_secret(secret_dict, namespace):
-    """Converts secret_string into a yaml object and adds it to the cluster"""
+def store_kubernetes_secret(secret_dict, namespace, update=False):
+    """Stores either a new secret in the cluster, or updates an existing one"""
+    api_client = client.api_client.ApiClient()
+    if update:
+        verb = "updated"
+        api_response = patch_kubernetes_secret(secret_dict, namespace)
+    else:
+        verb = "created"
+        api_response = create_from_yaml(
+                api_client,
+                yaml_objects=[secret_dict],
+                namespace=namespace)
+    print(f"Secret {verb} with api response: {api_response}")
+
+def patch_kubernetes_secret(secret_dict, namespace):
+    """Patches secret in the cluster with new data"""
    api_client = client.api_client.ApiClient()
-    api_response = create_from_yaml(
-            api_client,
-            yaml_objects=[secret_dict],
-            namespace=namespace)
-    print(f"Secret created with api response: {api_response}")
+    api_instance = client.CoreV1Api(api_client)
+    name = secret_dict['metadata']['name']
+    body = {}
+    body['data'] = secret_dict['data']
+    return api_instance.patch_namespaced_secret(name, namespace, body)

 def generate_password(length):
    """Generates a password of "length" characters"""