Merge pull request crossplane-contrib#1127 from muvaf/followup-secret

jdotw · Feb 8, 2022 · 1743a73 · 1743a73
2 parents 3859415 + 98b6c53
commit 1743a73
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/package/crds/secretsmanager.aws.crossplane.io_secrets.yaml b/package/crds/secretsmanager.aws.crossplane.io_secrets.yaml
@@ -65,7 +65,8 @@ spec:
                       data will be encoded as binary data to AWS. If key parameter
                       is given, only the value of that key will be used. Otherwise,
                       all data in the Secret will be marshalled into JSON and sent
-                      to AWS.
+                      to AWS. Either StringSecretRef or BinarySecretRef must be set,
+                      but not both.
                     properties:
                       key:
                         description: Key whose value will be used. If not given, the
@@ -169,6 +170,8 @@ spec:
                       data will be sent as string to AWS. If key parameter is given,
                       only the value of that key will be used. Otherwise, all data
                       in the Secret will be marshalled into JSON and sent to AWS.
+                      Either StringSecretRef or BinarySecretRef must be set, but not
+                      both.
                     properties:
                       key:
                         description: Key whose value will be used. If not given, the

diff --git a/pkg/controller/secretsmanager/secret/setup.go b/pkg/controller/secretsmanager/secret/setup.go
@@ -25,6 +25,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/util/workqueue"
@@ -50,7 +51,6 @@ const (
 	errCreateTags           = "failed to create tags for the secret"
 	errRemoveTags           = "failed to remove tags for the secret"
 	errFmtKeyNotFound       = "key %s is not found in referenced Kubernetes secret"
-	errGetSecretFailed      = "failed to get Kubernetes secret"
 	errGetSecretValue       = "cannot get the value of secret from AWS"
 	errGetResourcePolicy    = "cannot get resource policy"
 	errPutResourcePolicy    = "cannot put resource policy"
@@ -122,10 +122,15 @@ type hooks struct {
 }
 
 func (e *hooks) lateInitialize(spec *svcapitypes.SecretParameters, resp *svcsdk.DescribeSecretOutput) error {
-	payload, err := e.getPayload(context.TODO(), spec)
-	if err := client.IgnoreNotFound(err); err != nil || payload == nil {
+	_, err := e.getPayload(context.TODO(), spec)
+	if err := client.IgnoreNotFound(err); err != nil {
 		return err
 	}
+	// Proceed only if the secret does not exist because empty value might be
+	// valid content.
+	if !kerrors.IsNotFound(err) {
+		return nil
+	}
 
 	// If the K8s does not exist, create it with the data from AWS
 	req := &svcsdk.GetSecretValueInput{
@@ -271,7 +276,7 @@ func (e *hooks) getPayload(ctx context.Context, params *svcapitypes.SecretParame
 	}
 	sc := &corev1.Secret{}
 	if err := e.kube.Get(ctx, nn, sc); err != nil {
-		return nil, errors.Wrap(err, errGetSecretFailed)
+		return nil, err
 	}
 
 	if ref.Key != nil {