Don't clobber secret key

On the start of a new server we do not want to blindly save the cert because that will change the TLS key. Instead only write to k8s on start if there is no secret in k8s. On start of the controller it will sync up if the local file and k8s secret aren't the same
2025-06-04 04:40:14 +00:00 · 2019-11-15 23:13:38 +00:00 · 2019-11-15 23:13:38 +00:00 · ccf76b35ea
commit ccf76b35ea
parent 988d8dd3f4
1 changed files with 13 additions and 3 deletions
--- a/storage/kubernetes/controller.go
+++ b/storage/kubernetes/controller.go
@ -80,9 +80,19 @@ func (s *storage) init(secrets v1controller.SecretController) {
 	})
 	s.secrets = secrets

-	secret, err := s.storage.Get()
-	if err == nil && secret != nil {
-		s.saveInK8s(secret)
+	if secret, err := s.storage.Get(); err == nil && secret != nil && len(secret.Data) > 0 {
+		// just ensure there is a secret in k3s
+		if _, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{}); errors.IsNotFound(err) {
+			_, _ = s.secrets.Create(&v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        s.name,
+					Namespace:   s.namespace,
+					Annotations: secret.Annotations,
+				},
+				Type: v1.SecretTypeTLS,
+				Data: secret.Data,
+			})
+		}
 	}
 }