Set secret names on OIDCProvider status field

We believe this API is more forwards compatible with future secrets management use cases. The implementation is a cry for help, but I was trying to follow the previously established pattern of encapsulating the secret generation functionality to a single group of packages. This commit makes a breaking change to the current OIDCProvider API, but that OIDCProvider API was added after the latest release, so it is technically still in development until we release, and therefore we can continue to thrash on it. I also took this opportunity to make some things private that didn't need to be public. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2026-01-07 14:05:50 +00:00 · 2020-12-15 09:13:01 -05:00
parent 60d4a7beac
commit 82ae98d9d0
28 changed files with 724 additions and 183 deletions
--- a/cmd/pinniped-supervisor/main.go
+++ b/cmd/pinniped-supervisor/main.go
@@ -167,12 +167,14 @@ func startControllers(
 					"pinniped-oidc-provider-hmac-key-",
 					cfg.Labels,
 					rand.Reader,
+					generator.SecretUsageTokenSigningKey,
 					func(oidcProviderIssuer string, symmetricKey []byte) {
 						plog.Debug("setting hmac secret", "issuer", oidcProviderIssuer)
 						secretCache.SetTokenHMACKey(oidcProviderIssuer, symmetricKey)
 					},
 				),
 				kubeClient,
+				pinnipedClient,
 				secretInformer,
 				opInformer,
 				controllerlib.WithInformer,
@@ -185,12 +187,14 @@ func startControllers(
 					"pinniped-oidc-provider-upstream-state-signature-key-",
 					cfg.Labels,
 					rand.Reader,
+					generator.SecretUsageStateSigningKey,
 					func(oidcProviderIssuer string, symmetricKey []byte) {
 						plog.Debug("setting state signature key", "issuer", oidcProviderIssuer)
 						secretCache.SetStateEncoderHashKey(oidcProviderIssuer, symmetricKey)
 					},
 				),
 				kubeClient,
+				pinnipedClient,
 				secretInformer,
 				opInformer,
 				controllerlib.WithInformer,
@@ -203,12 +207,14 @@ func startControllers(
 					"pinniped-oidc-provider-upstream-state-encryption-key-",
 					cfg.Labels,
 					rand.Reader,
+					generator.SecretUsageStateEncryptionKey,
 					func(oidcProviderIssuer string, symmetricKey []byte) {
 						plog.Debug("setting state encryption key", "issuer", oidcProviderIssuer)
 						secretCache.SetStateEncoderBlockKey(oidcProviderIssuer, symmetricKey)
 					},
 				),
 				kubeClient,
+				pinnipedClient,
 				secretInformer,
 				opInformer,
 				controllerlib.WithInformer,