
WIP: Secrets Deletion handling

Signed-off-by: Gustavo <gusfcarvalho@gmail.com>
Gustavo пре 3 година
родитељ
комит
838a70958f

+ 1 - 1
apis/externalsecrets/v1alpha1/pushsecret_types.go

@@ -100,7 +100,7 @@ type PushSecretStatusCondition struct {
 	// +optional
 	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
 }
-type SyncedPushSecretsMap map[string][]PushSecretData
+type SyncedPushSecretsMap map[string]map[string]PushSecretData
 
 // PushSecretStatus indicates the history of the status of PushSecret.
 type PushSecretStatus struct {
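Review bot: The exported `SyncedPushSecretsMap` on the changed line still has no doc comment, and with the new two-level nesting the meaning of the inner key is not recoverable from this file at all; judging by the controller change in this commit it is the entry's `RemoteRef.RemoteKey`, and the outer key is the store name. Since this map is persisted in status and drives later deletion from providers, that contract should be written down next to the type: `// SyncedPushSecretsMap records, per SecretStore name, the PushSecretData pushed to that store keyed by its RemoteRef.RemoteKey, so entries that disappear from spec can later be deleted from the provider.` Consider also noting there that two spec entries sharing a remote key would collapse into one map entry, if that is intended.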

+ 10 - 6
apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -1172,13 +1172,15 @@ func (in *PushSecretStatus) DeepCopyInto(out *PushSecretStatus) {
 		in, out := &in.SyncedPushSecrets, &out.SyncedPushSecrets
 		*out = make(SyncedPushSecretsMap, len(*in))
 		for key, val := range *in {
-			var outVal []PushSecretData
+			var outVal map[string]PushSecretData
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				in, out := &val, &outVal
-				*out = make([]PushSecretData, len(*in))
-				copy(*out, *in)
+				*out = make(map[string]PushSecretData, len(*in))
+				for key, val := range *in {
+					(*out)[key] = val
+				}
 			}
 			(*out)[key] = outVal
 		}
@@ -1502,13 +1504,15 @@ func (in SyncedPushSecretsMap) DeepCopyInto(out *SyncedPushSecretsMap) {
 		in := &in
 		*out = make(SyncedPushSecretsMap, len(*in))
 		for key, val := range *in {
-			var outVal []PushSecretData
+			var outVal map[string]PushSecretData
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				in, out := &val, &outVal
-				*out = make([]PushSecretData, len(*in))
-				copy(*out, *in)
+				*out = make(map[string]PushSecretData, len(*in))
+				for key, val := range *in {
+					(*out)[key] = val
+				}
 			}
 			(*out)[key] = outVal
 		}

+ 2 - 2
config/crds/bases/external-secrets.io_pushsecrets.yaml

@@ -185,7 +185,7 @@ spec:
                 type: string
               syncedPushSecrets:
                 additionalProperties:
-                  items:
+                  additionalProperties:
                     properties:
                       match:
                         description: Match a given Secret Key to be pushed to the
@@ -210,7 +210,7 @@ spec:
                     required:
                     - match
                     type: object
-                  type: array
+                  type: object
                 description: Synced Push Secrets for later deletion. Matches Secret
                   Stores to PushSecretData that was stored to that secretStore.
                 type: object

+ 2 - 2
deploy/crds/bundle.yaml

@@ -3415,7 +3415,7 @@ spec:
                   type: string
                 syncedPushSecrets:
                   additionalProperties:
-                    items:
+                    additionalProperties:
                       properties:
                         match:
                           description: Match a given Secret Key to be pushed to the provider.
@@ -3439,7 +3439,7 @@ spec:
                       required:
                         - match
                       type: object
-                    type: array
+                    type: object
                   description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore.
                   type: object
                 syncedResourceVersion:

+ 40 - 4
pkg/controllers/pushsecret/pushsecret_controller.go

@@ -114,11 +114,48 @@ func (r *Reconciler) SetSyncedSecrets(ps *esapi.PushSecret, status esapi.SyncedP
 	ps.Status.SyncedPushSecrets = status
 }
 
+func (r *Reconciler) DeleteSecretFromProviders(newMap, oldMap esapi.SyncedPushSecretsMap) error {
+	var err error
+	for store, oldData := range oldMap {
+		newData, ok := newMap[store]
+		if !ok {
+			err = r.DeleteAllSecretsFromStore(store, oldData)
+			if err != nil {
+				return err
+			}
+			continue
+		}
+		for oldEntry, oldRef := range oldData {
+			_, ok := newData[oldEntry]
+			if !ok {
+				err = r.DeleteSecretFromStore(store, oldRef)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func (r *Reconciler) DeleteAllSecretsFromStore(store string, data map[string]esapi.PushSecretData) error {
+	for _, v := range data {
+		err := r.DeleteSecretFromStore(store, v)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *Reconciler) DeleteSecretFromStore(store string, data esapi.PushSecretData) error {
+	return nil
+}
+
 func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores []v1beta1.GenericStore, ps esapi.PushSecret, secret *v1.Secret) (esapi.SyncedPushSecretsMap, error) {
-	// TODO - Delete Secrets from Stores if they no longer exist in spec but still exist in status
 	out := esapi.SyncedPushSecretsMap{}
 	for _, store := range stores {
-		out[store.GetName()] = make([]esapi.PushSecretData, 0)
+		out[store.GetName()] = make(map[string]esapi.PushSecretData)
 		provider, err := v1beta1.GetProvider(store)
 		if err != nil {
 			return out, fmt.Errorf(errGetProviderFailed)
@@ -142,9 +179,8 @@ func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores []v1beta1
 			if err != nil {
 				return out, fmt.Errorf(errSetSecretFailed, ref.Match.SecretKey, store.GetName(), err)
 			}
-			out[store.GetName()] = append(out[store.GetName()], ref)
+			out[store.GetName()][ref.Match.RemoteRef.RemoteKey] = ref
 		}
-		// TODO - for ref in Status.Synced[store], ref not belonging to ps.Spec.Data, remove ref from provider.
 	}
 	return out, nil
 }
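Review bot: `DeleteSecretFromStore` returns nil unconditionally, so `DeleteSecretFromProviders` reports that every stale entry was removed from the provider while nothing was actually deleted; any caller that then drops those entries from `Status.SyncedPushSecrets` leaves untracked secrets behind in the remote store, which is the opposite of what the "for later deletion" bookkeeping is meant to guarantee. Even as WIP the stub should fail loudly rather than succeed silently, e.g. `return fmt.Errorf("deleting %q from store %q is not implemented", data.Match.RemoteRef.RemoteKey, store)`, and the three new exported methods need doc comments. The stub also receives only the store name and no `context.Context`, whereas `PushSecretToProviders` needs a `v1beta1.GenericStore` to reach `v1beta1.GetProvider`; the real implementation will presumably need the same, so the signature may be worth settling now before callers depend on it. Note too that keying the inner map by `ref.Match.RemoteRef.RemoteKey` alone means a spec change that keeps the remote key but alters other fields of the entry will never be detected as a deletion by the `oldEntry` lookup. The remainder of `PushSecretToProviders` lies between the two hunks and is not visible here.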