defenseunicorns / uds-core

A secure runtime platform for mission-critical capabilities
https://uds.defenseunicorns.com
Apache License 2.0

Generation handling of SSO secret #535

Open mjnagel opened 2 days ago

mjnagel commented 2 days ago
@mjnagel - per our convo, perhaps we ought to do [something similar to what is done with netpols](https://github.com/defenseunicorns/uds-core/blob/main/src/pepr/operator/controllers/network/policies.ts#L95) with generation

_Originally posted by @MxNxPx in https://github.com/defenseunicorns/uds-core/pull/511#discussion_r1662846086_

mjnagel commented 2 days ago

Updating with more context...

Currently we generate a secret as part of the SSO flow in the operator. My current understanding is that if someone changed the secretName we would not be cleaning up the previous secret. To handle this we can probably add the generation label and filter to delete orphaned secrets similar to what we do for network policies.

For other cases:

mjnagel commented 2 days ago

Specific behavior we can mimic here (links for network policies):
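
Added example (not part of the issue thread and not uds-core code): a self-contained TypeScript sketch of the generation-label cleanup proposed in the comments above, showing an SSO secret left behind by a `secretName` change being removed on the next reconcile. The label keys, the in-memory store standing in for the cluster API, and all function and secret names are assumptions made for illustration.

```typescript
// Minimal stand-in for the Secret metadata used here (not the full Kubernetes type).
interface SecretMeta {
  name: string;
  namespace: string;
  labels?: Record<string, string>;
}
type Store = Record<string, SecretMeta>; // keyed by "namespace/name"

// Assumed label keys for this sketch.
const PACKAGE_LABEL = "uds/package";
const GENERATION_LABEL = "uds/generation";

// Secrets owned by the package whose generation label is not the current one.
// An owned secret with no generation label at all also counts as orphaned.
function findOrphanedSecrets(
  secrets: SecretMeta[], namespace: string, pkgName: string, generation: number,
): SecretMeta[] {
  return secrets.filter(s =>
    s.namespace === namespace &&
    s.labels?.[PACKAGE_LABEL] === pkgName &&
    s.labels?.[GENERATION_LABEL] !== String(generation));
}

// One reconcile pass: write the current secrets first, then delete what the
// filter selects, so a failed write never removes a secret still in use.
function reconcileSecrets(
  store: Store, namespace: string, pkgName: string, generation: number, secretNames: string[],
): string[] {
  for (const name of secretNames) {
    store[`${namespace}/${name}`] = {
      name, namespace,
      labels: { [PACKAGE_LABEL]: pkgName, [GENERATION_LABEL]: String(generation) },
    };
  }
  const all = Object.keys(store).map(k => store[k]);
  const orphans = findOrphanedSecrets(all, namespace, pkgName, generation);
  for (const s of orphans) delete store[`${s.namespace}/${s.name}`];
  return orphans.map(s => s.name);
}

// Constructed scenario: secretName changes between generation 1 and generation 2.
function demo(): { deleted: string[]; remaining: string[] } {
  const store: Store = {
    "app/user-managed": { name: "user-managed", namespace: "app" }, // not operator-owned
  };
  reconcileSecrets(store, "app", "my-pkg", 1, ["sso-client-old"]);
  const deleted = reconcileSecrets(store, "app", "my-pkg", 2, ["sso-client-new"]);
  return { deleted, remaining: Object.keys(store).map(k => store[k].name).sort() };
}
```

Filtering on the package label before comparing generations is what keeps the cleanup from touching secrets the operator did not create.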