From ccf76b35ea31d5a0fdd1427e123c65c7b74d3e96 Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Fri, 15 Nov 2019 23:13:38 +0000
Subject: [PATCH] Don't clobber secret key

On the start of a new server we do not want to blindly save the cert because that will change the TLS key. Instead only write to k8s on start if there is no secret in k8s. On start of the controller it will sync up if the local file and k8s secret aren't the same
---
 storage/kubernetes/controller.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/storage/kubernetes/controller.go b/storage/kubernetes/controller.go
index c08f2e0..0c91e75 100644
--- a/storage/kubernetes/controller.go
+++ b/storage/kubernetes/controller.go
@@ -80,9 +80,19 @@ func (s *storage) init(secrets v1controller.SecretController) {
 })
 s.secrets = secrets
- secret, err := s.storage.Get()
- if err == nil && secret != nil {
- s.saveInK8s(secret)
+ if secret, err := s.storage.Get(); err == nil && secret != nil && len(secret.Data) > 0 {
+ // just ensure there is a secret in k3s
+ if _, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{}); errors.IsNotFound(err) {
+ _, _ = s.secrets.Create(&v1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: s.name,
+ Namespace: s.namespace,
+ Annotations: secret.Annotations,
+ },
+ Type: v1.SecretTypeTLS,
+ Data: secret.Data,
+ })
+ }
 }
 }
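Review bot: The `_, _ = s.secrets.Create(...)` in the new block discards the result, so a server whose local cert could not be seeded into the cluster (RBAC denial, API error, or a concurrent server winning the race between the Get and the Create) continues silently with a TLS key that no other replica will ever see. At minimum treat AlreadyExists as the benign outcome of that race and surface everything else, e.g. `if _, err := s.secrets.Create(...); err != nil && !errors.IsAlreadyExists(err) { /* log or record err */ }`. The preceding `s.secrets.Get` has the same gap: any error other than NotFound (a transport failure, say) also skips the seed without a trace, which is indistinguishable from "secret already present". The comment `// just ensure there is a secret in k3s` presumably means k8s, matching the rest of the package. init's body begins before the hunk.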