Invert flag logic

carvel/package.yaml

@@ -67,9 +67,9 @@ spec:
           type: boolean
           description: Specifies whether the Sealed Secrets controller should update the status subresource
           default: true
-        recreate:
+        skip-recreate:
           type: boolean
-          description: Specifies whether the Sealed Secrets controller should recreate removed secrets
+          description: Specifies whether the Sealed Secrets controller should skip recreating removed secrets
           default: false
         keyrenewperiod:
           type: string

cmd/controller/main.go

@@ -47,7 +47,7 @@ func bindControllerFlags(f *controller.Flags, fs *flag.FlagSet) {
 
 	fs.BoolVar(&f.UpdateStatus, "update-status", true, "beta: if true, the controller will update the status sub-resource whenever it processes a sealed secret")
 
-	fs.BoolVar(&f.Recreate, "recreate", true, "if true the controller will listen for secret changes to recreate managed secrets on removal. Helps setting it to false on limited permission environments.")
+	fs.BoolVar(&f.SkipRecreate, "skip-recreate", false, "if true the controller will skip listening for managed secret changes to recreate them. This helps on limited permission environments.")
 
 	fs.DurationVar(&f.KeyRenewPeriod, "rotate-period", defaultKeyRenewPeriod, "")
 	_ = fs.MarkDeprecated("rotate-period", "please use key-renew-period instead")

helm/sealed-secrets/README.md

@@ -92,7 +92,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `createController`                                | Specifies whether the Sealed Secrets controller should be created                    | `true`                              |
 | `secretName`                                      | The name of an existing TLS secret containing the key used to encrypt secrets        | `sealed-secrets-key`                |
 | `updateStatus`                                    | Specifies whether the Sealed Secrets controller should update the status subresource | `true`                              |
-| `recreate  `                                    | Specifies whether the Sealed Secrets controller should recreate removed secrets | `false`                              |
+| `skip-recreate`                                   | Specifies whether the Sealed Secrets controller should skip recreating removed secrets | `false`                              |
 | `keyrenewperiod`                                  | Specifies key renewal period. Default 30 days                                        | `""`                                |
 | `rateLimit`                                       | Number of allowed sustained request per second for verify endpoint                   | `""`                                |
 | `rateLimitBurst`                                  | Number of requests allowed to exceed the rate limit per second for verify endpoint   | `""`                                |

helm/sealed-secrets/templates/deployment.yaml

@@ -71,7 +71,7 @@ spec:
             - --update-status
             {{- end }}
             {{- if .Values.recreate }}
-            - --recreate
+            - --skip-recreate
             {{- end }}
             {{- if .Values.keyrenewperiod }}
             - --key-renew-period

helm/sealed-secrets/values.yaml

@@ -56,12 +56,12 @@ secretName: "sealed-secrets-key"
 ## @param updateStatus Specifies whether the Sealed Secrets controller should update the status subresource
 ##
 updateStatus: true
-## @param recreate Specifies whether the Sealed Secrets controller should recreate removed secrets
-## Setting it to false allows to optionally restore backward compatibility in low previlege
+## @param skip-recreate Specifies whether the Sealed Secrets controller should skip recreating removed secrets
+## Setting it to false allows to optionally restore backward compatibility in low priviledge
 ## environments when old versions of the controller did not require watch permissions on secrets
 ## for secret re-creation.
 ##
-recreate: true
+skip-recreate: false
 ## @param keyrenewperiod Specifies key renewal period. Default 30 days
 ## e.g
 ## keyrenewperiod: "720h30m"

pkg/controller/controller_test.go

@@ -1,11 +1,18 @@
 package controller
 
 import (
+	"context"
+	"crypto/rand"
 	"errors"
 	"fmt"
 	"testing"
 
 	ssv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1alpha1"
+	ssinformers "github.com/bitnami-labs/sealed-secrets/pkg/client/informers/externalversions"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
 )
 
 func TestConvert2SealedSecretBadType(t *testing.T) {
@@ -45,3 +52,50 @@ func TestConvert2SealedSecretPassThrough(t *testing.T) {
 		t.Fatalf("got %v want %v", got, want)
 	}
 }
+
+func TestDefaultConfigDoesNotSkipRecreate(t *testing.T) {
+	ns := "some-namespace"
+	var tweakopts func(*metav1.ListOptions)
+	conf := clusterConfig(t)
+	clientset := clientSetOrDie(conf)
+	ssc := ssclient.NewForConfigOrDie(conf)
+	sinformer := InitSecretInformerFactory(clientset, ns, tweakopts, false /* skip-recreate */)
+	ssinformer := ssinformers.NewFilteredSharedInformerFactory(ssc, 0, ns, tweakopts)
+	keyRegistry := keyRegister(t, context.Background(), clientset, ns)
+
+	_, got := NewController(clientset, ssc, ssinformer, sinformer, keyRegistry)
+	if got != nil {
+		t.Fatalf("got %v want %v", got, nil)
+	}
+
+}
+
+func clusterConfig(t *testing.T) *rest.Config {
+	t.Helper()
+
+	var config *rest.Config
+	var err error
+
+	if *kubeconfig != "" {
+		config, err = clientcmd.BuildConfigFromFlags("", *kubeconfig)
+	}
+	if err != nil {
+		t.Fatalf("failed to setup kubeconfig", err)
+	}
+
+	return config
+}
+
+func keyRegister(t *testing.T, ctx context.Context, clientset *kubernetes.Clientset, ns string) *controller.KeyRegistry {
+	t.Helper()
+
+	keyLabel := controller.SealedSecretsKeyLabel
+	prefix := "test-keys"
+	testKeySize := 4096
+	fmt.Fprintf(GinkgoWriter, "initiating key registry\n")
+	keyRegistry, err := controller.InitKeyRegistry(ctx, clientset, rand.Reader, ns, prefix, keyLabel, testKeySize)
+	if err != nil {
+		t.Fatalf("failed to provision key registry: %v", err)
+	}
+	return keyRegistry
+}

pkg/controller/main.go

@@ -48,7 +48,7 @@ type Flags struct {
 	RateLimitBurst       int
 	OldGCBehavior        bool
 	UpdateStatus         bool
-	Recreate             bool
+	SkipRecreate         bool
 }
 
 func initKeyPrefix(keyPrefix string) (string, error) {
@@ -227,7 +227,7 @@ func Main(f *Flags, version string) error {
 			}
 			if ns != namespace {
 				ssinf = ssinformers.NewFilteredSharedInformerFactory(ssclientset, 0, ns, tweakopts)
-				sinf = InitSecretInformerFactory(clientset, ns, tweakopts, f.Recreate)
+				sinf = InitSecretInformerFactory(clientset, ns, tweakopts, f.SkipRecreate)
 				ctlr, err = NewController(clientset, ssclientset, ssinf, sinf, keyRegistry)
 				if err != nil {
 					return err
@@ -257,9 +257,9 @@ func Main(f *Flags, version string) error {
 	return server.Shutdown(context.Background())
 }
 
-func InitSecretInformerFactory(clientset *kubernetes.Clientset, ns string, tweakopts func(*metav1.ListOptions), recreate bool) informers.SharedInformerFactory {
-	if recreate {
-		return informers.NewFilteredSharedInformerFactory(clientset, 0, ns, tweakopts)
+func InitSecretInformerFactory(clientset *kubernetes.Clientset, ns string, tweakopts func(*metav1.ListOptions), skipRecreate bool) informers.SharedInformerFactory {
+	if skipRecreate {
+		return nil
 	}
-	return nil
+	return informers.NewFilteredSharedInformerFactory(clientset, 0, ns, tweakopts)
 }