fixup! Migrate Bucket controller to runtime/secrets

cappyzawa · cappyzawa · commit 1cfd157cfdcd · 2025-07-23T04:31:53.000+09:00
Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/internal/controller/bucket_controller.go b/internal/controller/bucket_controller.go
@@ -155,6 +155,15 @@ type BucketProvider interface {
 	Close(context.Context)
 }
 
+// bucketCredentials contains all credentials and configuration needed for bucket providers.
+type bucketCredentials struct {
+	secret       *corev1.Secret
+	proxyURL     *url.URL
+	tlsConfig    *tls.Config
+	stsSecret    *corev1.Secret
+	stsTLSConfig *tls.Config
+}
+
 // bucketReconcileFunc is the function type for all the v1.Bucket
 // (sub)reconcile functions. The type implementations are grouped and
 // executed serially to perform the complete reconcile of the object.
@@ -421,14 +430,14 @@ func (r *BucketReconciler) reconcileStorage(ctx context.Context, sp *patch.Seria
 // the provider. If this fails, it records v1.FetchFailedCondition=True on
 // the object and returns early.
 func (r *BucketReconciler) reconcileSource(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.Bucket, index *index.Digester, dir string) (sreconcile.Result, error) {
-	secret, proxyURL, tlsConfig, stsSecret, stsTLSConfig, err := r.setupCredentials(ctx, obj)
+	creds, err := r.setupCredentials(ctx, obj)
 	if err != nil {
 		e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
 		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
-	provider, err := r.createBucketProvider(ctx, obj, secret, proxyURL, tlsConfig, stsSecret, stsTLSConfig)
+	provider, err := r.createBucketProvider(ctx, obj, creds)
 	if err != nil {
 		var stallingErr *serror.Stalling
 		var genericErr *serror.Generic
@@ -751,8 +760,8 @@ func fetchIndexFiles(ctx context.Context, provider BucketProvider, obj *sourcev1
 }
 
 // setupCredentials retrieves and validates secrets for authentication, TLS configuration, and proxy settings.
-// It returns the primary secret, proxy URL, TLS config, STS secret, and STS TLS config.
-func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.Bucket) (*corev1.Secret, *url.URL, *tls.Config, *corev1.Secret, *tls.Config, error) {
+// It returns all credentials needed for bucket providers.
+func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.Bucket) (*bucketCredentials, error) {
 	var secret *corev1.Secret
 	if obj.Spec.SecretRef != nil {
 		secretName := types.NamespacedName{
@@ -761,7 +770,7 @@ func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.B
 		}
 		secret = &corev1.Secret{}
 		if err := r.Get(ctx, secretName, secret); err != nil {
-			return nil, nil, nil, nil, nil, fmt.Errorf("failed to get secret: %w", err)
+			return nil, fmt.Errorf("failed to get secret: %w", err)
 		}
 	}
 
@@ -773,7 +782,7 @@ func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.B
 		}
 		stsSecret = &corev1.Secret{}
 		if err := r.Get(ctx, secretName, stsSecret); err != nil {
-			return nil, nil, nil, nil, nil, fmt.Errorf("failed to get STS secret:%w", err)
+			return nil, fmt.Errorf("failed to get STS secret:%w", err)
 		}
 	}
 
@@ -791,7 +800,7 @@ func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.B
 		}
 		proxyURL, err = secrets.ProxyURLFromSecretRef(ctx, r.Client, secretRef)
 		if err != nil {
-			return nil, nil, nil, nil, nil, fmt.Errorf("failed to get proxy URL: %w", err)
+			return nil, fmt.Errorf("failed to get proxy URL: %w", err)
 		}
 	}
 
@@ -802,7 +811,7 @@ func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.B
 		}
 		tlsConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.Endpoint, obj.Spec.Insecure)
 		if err != nil {
-			return nil, nil, nil, nil, nil, fmt.Errorf("failed to get TLS config: %w", err)
+			return nil, fmt.Errorf("failed to get TLS config: %w", err)
 		}
 	}
 
@@ -813,45 +822,51 @@ func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.B
 		}
 		stsTLSConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.STS.Endpoint, obj.Spec.Insecure)
 		if err != nil {
-			return nil, nil, nil, nil, nil, fmt.Errorf("failed to get STS TLS config: %w", err)
+			return nil, fmt.Errorf("failed to get STS TLS config: %w", err)
 		}
 	}
 
-	return secret, proxyURL, tlsConfig, stsSecret, stsTLSConfig, nil
+	return &bucketCredentials{
+		secret:       secret,
+		proxyURL:     proxyURL,
+		tlsConfig:    tlsConfig,
+		stsSecret:    stsSecret,
+		stsTLSConfig: stsTLSConfig,
+	}, nil
 }
 
 // createBucketProvider creates a provider-specific bucket client using the given credentials and configuration.
 // It handles different bucket providers (AWS, GCP, Azure, generic) and returns the appropriate client.
-func (r *BucketReconciler) createBucketProvider(ctx context.Context, obj *sourcev1.Bucket, secret *corev1.Secret, proxyURL *url.URL, tlsConfig *tls.Config, stsSecret *corev1.Secret, stsTLSConfig *tls.Config) (BucketProvider, error) {
+func (r *BucketReconciler) createBucketProvider(ctx context.Context, obj *sourcev1.Bucket, creds *bucketCredentials) (BucketProvider, error) {
 	switch obj.Spec.Provider {
 	case sourcev1.BucketProviderGoogle:
-		if err := gcp.ValidateSecret(secret); err != nil {
+		if err := gcp.ValidateSecret(creds.secret); err != nil {
 			return nil, err
 		}
 		var opts []gcp.Option
-		if secret != nil {
-			opts = append(opts, gcp.WithSecret(secret))
+		if creds.secret != nil {
+			opts = append(opts, gcp.WithSecret(creds.secret))
 		}
-		if proxyURL != nil {
-			opts = append(opts, gcp.WithProxyURL(proxyURL))
+		if creds.proxyURL != nil {
+			opts = append(opts, gcp.WithProxyURL(creds.proxyURL))
 		}
 		return gcp.NewClient(ctx, opts...)
 
 	case sourcev1.BucketProviderAzure:
-		if err := azure.ValidateSecret(secret); err != nil {
+		if err := azure.ValidateSecret(creds.secret); err != nil {
 			return nil, err
 		}
 		var opts []azure.Option
-		if secret != nil {
-			opts = append(opts, azure.WithSecret(secret))
+		if creds.secret != nil {
+			opts = append(opts, azure.WithSecret(creds.secret))
 		}
-		if proxyURL != nil {
-			opts = append(opts, azure.WithProxyURL(proxyURL))
+		if creds.proxyURL != nil {
+			opts = append(opts, azure.WithProxyURL(creds.proxyURL))
 		}
 		return azure.NewClient(obj, opts...)
 
 	default:
-		if err := minio.ValidateSecret(secret); err != nil {
+		if err := minio.ValidateSecret(creds.secret); err != nil {
 			return nil, err
 		}
 		if sts := obj.Spec.STS; sts != nil {
@@ -861,25 +876,25 @@ func (r *BucketReconciler) createBucketProvider(ctx context.Context, obj *source
 			if _, err := url.Parse(sts.Endpoint); err != nil {
 				return nil, serror.NewStalling(fmt.Errorf("failed to parse STS endpoint '%s': %w", sts.Endpoint, err), sourcev1.URLInvalidReason)
 			}
-			if err := minio.ValidateSTSSecret(sts.Provider, stsSecret); err != nil {
+			if err := minio.ValidateSTSSecret(sts.Provider, creds.stsSecret); err != nil {
 				return nil, serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
 			}
 		}
 		var opts []minio.Option
-		if secret != nil {
-			opts = append(opts, minio.WithSecret(secret))
+		if creds.secret != nil {
+			opts = append(opts, minio.WithSecret(creds.secret))
 		}
-		if tlsConfig != nil {
-			opts = append(opts, minio.WithTLSConfig(tlsConfig))
+		if creds.tlsConfig != nil {
+			opts = append(opts, minio.WithTLSConfig(creds.tlsConfig))
 		}
-		if proxyURL != nil {
-			opts = append(opts, minio.WithProxyURL(proxyURL))
+		if creds.proxyURL != nil {
+			opts = append(opts, minio.WithProxyURL(creds.proxyURL))
 		}
-		if stsSecret != nil {
-			opts = append(opts, minio.WithSTSSecret(stsSecret))
+		if creds.stsSecret != nil {
+			opts = append(opts, minio.WithSTSSecret(creds.stsSecret))
 		}
-		if stsTLSConfig != nil {
-			opts = append(opts, minio.WithSTSTLSConfig(stsTLSConfig))
+		if creds.stsTLSConfig != nil {
+			opts = append(opts, minio.WithSTSTLSConfig(creds.stsTLSConfig))
 		}
 		return minio.NewClient(obj, opts...)
 	}

Original file line number	Diff line number	Diff line change
`@@ -155,6 +155,15 @@ type BucketProvider interface {`
`155`	`155`	`Close(context.Context)`
`156`	`156`	`}`
`157`	`157`
	`158`	`+// bucketCredentials contains all credentials and configuration needed for bucket providers.`
	`159`	`+type bucketCredentials struct {`
	`160`	`+ secret *corev1.Secret`
	`161`	`+ proxyURL *url.URL`
	`162`	`+ tlsConfig *tls.Config`
	`163`	`+ stsSecret *corev1.Secret`
	`164`	`+ stsTLSConfig *tls.Config`
	`165`	`+}`
	`166`	`+`
`158`	`167`	`// bucketReconcileFunc is the function type for all the v1.Bucket`
`159`	`168`	`// (sub)reconcile functions. The type implementations are grouped and`
`160`	`169`	`// executed serially to perform the complete reconcile of the object.`
`@@ -421,14 +430,14 @@ func (r BucketReconciler) reconcileStorage(ctx context.Context, sp patch.Seria`
`421`	`430`	`// the provider. If this fails, it records v1.FetchFailedCondition=True on`
`422`	`431`	`// the object and returns early.`
`423`	`432`	`func (r BucketReconciler) reconcileSource(ctx context.Context, sp patch.SerialPatcher, obj sourcev1.Bucket, index index.Digester, dir string) (sreconcile.Result, error) {`
`424`		`- secret, proxyURL, tlsConfig, stsSecret, stsTLSConfig, err := r.setupCredentials(ctx, obj)`
	`433`	`+ creds, err := r.setupCredentials(ctx, obj)`
`425`	`434`	`if err != nil {`
`426`	`435`	`e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)`
`427`	`436`	`conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)`
`428`	`437`	`return sreconcile.ResultEmpty, e`
`429`	`438`	`}`
`430`	`439`
`431`		`- provider, err := r.createBucketProvider(ctx, obj, secret, proxyURL, tlsConfig, stsSecret, stsTLSConfig)`
	`440`	`+ provider, err := r.createBucketProvider(ctx, obj, creds)`
`432`	`441`	`if err != nil {`
`433`	`442`	`var stallingErr *serror.Stalling`
`434`	`443`	`var genericErr *serror.Generic`
`@@ -751,8 +760,8 @@ func fetchIndexFiles(ctx context.Context, provider BucketProvider, obj *sourcev1`
`751`	`760`	`}`
`752`	`761`
`753`	`762`	`// setupCredentials retrieves and validates secrets for authentication, TLS configuration, and proxy settings.`
`754`		`-// It returns the primary secret, proxy URL, TLS config, STS secret, and STS TLS config.`
`755`		`-func (r BucketReconciler) setupCredentials(ctx context.Context, obj sourcev1.Bucket) (corev1.Secret, url.URL, tls.Config, corev1.Secret, *tls.Config, error) {`
	`763`	`+// It returns all credentials needed for bucket providers.`
	`764`	`+func (r BucketReconciler) setupCredentials(ctx context.Context, obj sourcev1.Bucket) (*bucketCredentials, error) {`
`756`	`765`	`var secret *corev1.Secret`
`757`	`766`	`if obj.Spec.SecretRef != nil {`
`758`	`767`	`secretName := types.NamespacedName{`
`@@ -761,7 +770,7 @@ func (r BucketReconciler) setupCredentials(ctx context.Context, obj sourcev1.B`
`761`	`770`	`}`
`762`	`771`	`secret = &corev1.Secret{}`
`763`	`772`	`if err := r.Get(ctx, secretName, secret); err != nil {`
`764`		`- return nil, nil, nil, nil, nil, fmt.Errorf("failed to get secret: %w", err)`
	`773`	`+ return nil, fmt.Errorf("failed to get secret: %w", err)`
`765`	`774`	`}`
`766`	`775`	`}`
`767`	`776`
`@@ -773,7 +782,7 @@ func (r BucketReconciler) setupCredentials(ctx context.Context, obj sourcev1.B`
`773`	`782`	`}`
`774`	`783`	`stsSecret = &corev1.Secret{}`
`775`	`784`	`if err := r.Get(ctx, secretName, stsSecret); err != nil {`
`776`		`- return nil, nil, nil, nil, nil, fmt.Errorf("failed to get STS secret:%w", err)`
	`785`	`+ return nil, fmt.Errorf("failed to get STS secret:%w", err)`
`777`	`786`	`}`
`778`	`787`	`}`
`779`	`788`
`@@ -791,7 +800,7 @@ func (r BucketReconciler) setupCredentials(ctx context.Context, obj sourcev1.B`
`791`	`800`	`}`
`792`	`801`	`proxyURL, err = secrets.ProxyURLFromSecretRef(ctx, r.Client, secretRef)`
`793`	`802`	`if err != nil {`
`794`		`- return nil, nil, nil, nil, nil, fmt.Errorf("failed to get proxy URL: %w", err)`
	`803`	`+ return nil, fmt.Errorf("failed to get proxy URL: %w", err)`
`795`	`804`	`}`
`796`	`805`	`}`
`797`	`806`
`@@ -802,7 +811,7 @@ func (r BucketReconciler) setupCredentials(ctx context.Context, obj sourcev1.B`
`802`	`811`	`}`
`803`	`812`	`tlsConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.Endpoint, obj.Spec.Insecure)`
`804`	`813`	`if err != nil {`
`805`		`- return nil, nil, nil, nil, nil, fmt.Errorf("failed to get TLS config: %w", err)`
	`814`	`+ return nil, fmt.Errorf("failed to get TLS config: %w", err)`
`806`	`815`	`}`
`807`	`816`	`}`
`808`	`817`
`@@ -813,45 +822,51 @@ func (r BucketReconciler) setupCredentials(ctx context.Context, obj sourcev1.B`
`813`	`822`	`}`
`814`	`823`	`stsTLSConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.STS.Endpoint, obj.Spec.Insecure)`
`815`	`824`	`if err != nil {`
`816`		`- return nil, nil, nil, nil, nil, fmt.Errorf("failed to get STS TLS config: %w", err)`
	`825`	`+ return nil, fmt.Errorf("failed to get STS TLS config: %w", err)`
`817`	`826`	`}`
`818`	`827`	`}`
`819`	`828`
`820`		`- return secret, proxyURL, tlsConfig, stsSecret, stsTLSConfig, nil`
	`829`	`+ return &bucketCredentials{`
	`830`	`+ secret: secret,`
	`831`	`+ proxyURL: proxyURL,`
	`832`	`+ tlsConfig: tlsConfig,`
	`833`	`+ stsSecret: stsSecret,`
	`834`	`+ stsTLSConfig: stsTLSConfig,`
	`835`	`+ }, nil`
`821`	`836`	`}`
`822`	`837`
`823`	`838`	`// createBucketProvider creates a provider-specific bucket client using the given credentials and configuration.`
`824`	`839`	`// It handles different bucket providers (AWS, GCP, Azure, generic) and returns the appropriate client.`
`825`		`-func (r BucketReconciler) createBucketProvider(ctx context.Context, obj sourcev1.Bucket, secret corev1.Secret, proxyURL url.URL, tlsConfig tls.Config, stsSecret corev1.Secret, stsTLSConfig *tls.Config) (BucketProvider, error) {`
	`840`	`+func (r BucketReconciler) createBucketProvider(ctx context.Context, obj sourcev1.Bucket, creds *bucketCredentials) (BucketProvider, error) {`
`826`	`841`	`switch obj.Spec.Provider {`
`827`	`842`	`case sourcev1.BucketProviderGoogle:`
`828`		`- if err := gcp.ValidateSecret(secret); err != nil {`
	`843`	`+ if err := gcp.ValidateSecret(creds.secret); err != nil {`
`829`	`844`	`return nil, err`
`830`	`845`	`}`
`831`	`846`	`var opts []gcp.Option`
`832`		`- if secret != nil {`
`833`		`- opts = append(opts, gcp.WithSecret(secret))`
	`847`	`+ if creds.secret != nil {`
	`848`	`+ opts = append(opts, gcp.WithSecret(creds.secret))`
`834`	`849`	`}`
`835`		`- if proxyURL != nil {`
`836`		`- opts = append(opts, gcp.WithProxyURL(proxyURL))`
	`850`	`+ if creds.proxyURL != nil {`
	`851`	`+ opts = append(opts, gcp.WithProxyURL(creds.proxyURL))`
`837`	`852`	`}`
`838`	`853`	`return gcp.NewClient(ctx, opts...)`
`839`	`854`
`840`	`855`	`case sourcev1.BucketProviderAzure:`
`841`		`- if err := azure.ValidateSecret(secret); err != nil {`
	`856`	`+ if err := azure.ValidateSecret(creds.secret); err != nil {`
`842`	`857`	`return nil, err`
`843`	`858`	`}`
`844`	`859`	`var opts []azure.Option`
`845`		`- if secret != nil {`
`846`		`- opts = append(opts, azure.WithSecret(secret))`
	`860`	`+ if creds.secret != nil {`
	`861`	`+ opts = append(opts, azure.WithSecret(creds.secret))`
`847`	`862`	`}`
`848`		`- if proxyURL != nil {`
`849`		`- opts = append(opts, azure.WithProxyURL(proxyURL))`
	`863`	`+ if creds.proxyURL != nil {`
	`864`	`+ opts = append(opts, azure.WithProxyURL(creds.proxyURL))`
`850`	`865`	`}`
`851`	`866`	`return azure.NewClient(obj, opts...)`
`852`	`867`
`853`	`868`	`default:`
`854`		`- if err := minio.ValidateSecret(secret); err != nil {`
	`869`	`+ if err := minio.ValidateSecret(creds.secret); err != nil {`
`855`	`870`	`return nil, err`
`856`	`871`	`}`
`857`	`872`	`if sts := obj.Spec.STS; sts != nil {`
`@@ -861,25 +876,25 @@ func (r BucketReconciler) createBucketProvider(ctx context.Context, obj source`
`861`	`876`	`if _, err := url.Parse(sts.Endpoint); err != nil {`
`862`	`877`	`return nil, serror.NewStalling(fmt.Errorf("failed to parse STS endpoint '%s': %w", sts.Endpoint, err), sourcev1.URLInvalidReason)`
`863`	`878`	`}`
`864`		`- if err := minio.ValidateSTSSecret(sts.Provider, stsSecret); err != nil {`
	`879`	`+ if err := minio.ValidateSTSSecret(sts.Provider, creds.stsSecret); err != nil {`
`865`	`880`	`return nil, serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)`
`866`	`881`	`}`
`867`	`882`	`}`
`868`	`883`	`var opts []minio.Option`
`869`		`- if secret != nil {`
`870`		`- opts = append(opts, minio.WithSecret(secret))`
	`884`	`+ if creds.secret != nil {`
	`885`	`+ opts = append(opts, minio.WithSecret(creds.secret))`
`871`	`886`	`}`
`872`		`- if tlsConfig != nil {`
`873`		`- opts = append(opts, minio.WithTLSConfig(tlsConfig))`
	`887`	`+ if creds.tlsConfig != nil {`
	`888`	`+ opts = append(opts, minio.WithTLSConfig(creds.tlsConfig))`
`874`	`889`	`}`
`875`		`- if proxyURL != nil {`
`876`		`- opts = append(opts, minio.WithProxyURL(proxyURL))`
	`890`	`+ if creds.proxyURL != nil {`
	`891`	`+ opts = append(opts, minio.WithProxyURL(creds.proxyURL))`
`877`	`892`	`}`
`878`		`- if stsSecret != nil {`
`879`		`- opts = append(opts, minio.WithSTSSecret(stsSecret))`
	`893`	`+ if creds.stsSecret != nil {`
	`894`	`+ opts = append(opts, minio.WithSTSSecret(creds.stsSecret))`
`880`	`895`	`}`
`881`		`- if stsTLSConfig != nil {`
`882`		`- opts = append(opts, minio.WithSTSTLSConfig(stsTLSConfig))`
	`896`	`+ if creds.stsTLSConfig != nil {`
	`897`	`+ opts = append(opts, minio.WithSTSTLSConfig(creds.stsTLSConfig))`
`883`	`898`	`}`
`884`	`899`	`return minio.NewClient(obj, opts...)`
`885`	`900`	`}`