Slightly change spec

2025-04-27 03:20:56 +00:00 · 2022-10-13 22:21:06 +00:00 · 2022-10-13 22:21:06 +00:00 · 673bfcbd56
commit 673bfcbd56
parent 7c6fa7df06
4 changed files with 30 additions and 16 deletions
--- a/api/v1alpha1/sealedvolume_types.go
+++ b/api/v1alpha1/sealedvolume_types.go
@ -25,10 +25,9 @@ import (

 // SealedVolumeSpec defines the desired state of SealedVolume
 type SealedVolumeSpec struct {
-	TPMHash     string      `json:"TPMHash,omitempty"`
-	Label       string      `json:"label,omitempty"`
-	Passphrase  *SecretSpec `json:"passphraseRef,omitempty"`
-	Quarantined bool        `json:"quarantined,omitempty"`
+	TPMHash     string                 `json:"TPMHash,omitempty"`
+	Passphrase  map[string]*SecretSpec `json:"partitionSecrets,omitempty"`
+	Quarantined bool                   `json:"quarantined,omitempty"`
 }

 type SecretSpec struct {
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@ -89,8 +89,18 @@ func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) {
 	*out = *in
 	if in.Passphrase != nil {
 		in, out := &in.Passphrase, &out.Passphrase
-		*out = new(SecretSpec)
-		**out = **in
+		*out = make(map[string]*SecretSpec, len(*in))
+		for key, val := range *in {
+			var outVal *SecretSpec
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(SecretSpec)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
 	}
 }

--- a/examples/sealedvolume.yaml
+++ b/examples/sealedvolume.yaml
@ -15,8 +15,8 @@ metadata:
    namespace: default
 spec:
  TPMHash: "something"
-  label: "label"
-  passphraseRef: 
-   name: mysecret
-   path: pass
+  partitionSecrets:
+    LABEL:
+      name: mysecret
+      path: pass
  quarantined: false
--- a/pkg/challenger/challenger.go
+++ b/pkg/challenger/challenger.go
@ -87,10 +87,16 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr

 			found := false
 			var volume keyserverv1alpha1.SealedVolume
+			var passsecret *keyserverv1alpha1.SecretSpec
 			for _, v := range volumeList.Items {
-				if hashEncoded == v.Spec.TPMHash && v.Spec.Label == label {
-					found = true
-					volume = v
+				if hashEncoded == v.Spec.TPMHash {
+					for l, secretRef := range v.Spec.Passphrase {
+						if l == label {
+							found = true
+							volume = v
+							passsecret = secretRef
+						}
+					}
 				}
 			}

@ -119,11 +125,10 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 			writer, _ := conn.NextWriter(websocket.BinaryMessage)

 			if !volume.Spec.Quarantined {
-				secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, volume.Spec.Passphrase.Name, v1.GetOptions{})
+				secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, passsecret.Name, v1.GetOptions{})
 				if err == nil {
-					passphrase := secret.Data[volume.Spec.Passphrase.Path]
+					passphrase := secret.Data[passsecret.Path]
 					json.NewEncoder(writer).Encode(map[string]string{"passphrase": string(passphrase)})
-
 				}
 			} else {
 				conn.Close()