GT-239 Fix License handling in case of broken license secret

Author: jwierzbo

CHANGELOG.md

@@ -20,6 +20,7 @@
 - (Bugfix) Move Agency CommitIndex log message to Trace
 - (Feature) Force delete Pods which are stuck in init phase
 - (Bugfix) Do not tolerate False Bootstrap condition in UpToDate evaluation
+- (Bugfix) Fix License handling in case of broken license secret
 
 ## [1.2.20](https://github.com/arangodb/kube-arangodb/tree/1.2.20) (2022-10-25)
 - (Feature) Add action progress

pkg/deployment/deployment_inspector.go

@@ -273,11 +273,6 @@ func (d *Deployment) inspectDeploymentWithError(ctx context.Context, lastInterva
 		return minInspectionInterval, errors.Wrapf(err, "Secret hash validation failed")
 	}
 
-	// Check for LicenseKeySecret
-	if err := d.resources.ValidateLicenseKeySecret(d.GetCachedStatus()); err != nil {
-		return minInspectionInterval, errors.Wrapf(err, "License Key Secret invalid")
-	}
-
 	// Is the deployment in a good state?
 	if status.Conditions.IsTrue(api.ConditionTypeSecretsChanged) {
 		return minInspectionInterval, errors.Newf("Secrets changed")

pkg/deployment/reconcile/action_set_license.go

@@ -52,10 +52,9 @@ func (a *actionLicenseSet) Start(ctx context.Context) (bool, error) {
 		return true, nil
 	}
 
-	l, ok := k8sutil.GetLicenseFromSecret(a.actionCtx.ACS().CurrentClusterCache(), spec.License.GetSecretName())
-
-	if !ok {
-		return true, nil
+	l, err := k8sutil.GetLicenseFromSecret(a.actionCtx.ACS().CurrentClusterCache(), spec.License.GetSecretName())
+	if err != nil {
+		return true, err
 	}
 
 	if !l.V2.IsV2Set() {

pkg/deployment/reconcile/plan_builder_license.go

@@ -38,14 +38,14 @@ func (r *Reconciler) updateClusterLicense(ctx context.Context, apiObject k8sutil
 		return nil
 	}
 
-	l, ok := k8sutil.GetLicenseFromSecret(context.ACS().CurrentClusterCache(), spec.License.GetSecretName())
-	if !ok {
-		r.log.Str("secret", spec.Authentication.GetJWTSecretName()).Trace("Unable to find license secret key")
+	l, err := k8sutil.GetLicenseFromSecret(context.ACS().CurrentClusterCache(), spec.License.GetSecretName())
+	if err != nil {
+		r.log.Err(err).Error("License secret error")
 		return nil
 	}
 
 	if !l.V2.IsV2Set() {
-		r.log.Str("secret", spec.Authentication.GetJWTSecretName()).Trace("V2 License key is not set")
+		r.log.Str("secret", spec.License.GetSecretName()).Error("V2 License key is not set")
 		return nil
 	}
 

pkg/deployment/resources/license.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 	"github.com/arangodb/kube-arangodb/pkg/util/constants"
+	"github.com/arangodb/kube-arangodb/pkg/util/errors"
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil/inspector/secret"
 )
 
@@ -44,10 +45,10 @@ type LicenseSecret struct {
 	V2 License
 }
 
-func GetLicenseFromSecret(secret secret.Inspector, name string) (LicenseSecret, bool) {
+func GetLicenseFromSecret(secret secret.Inspector, name string) (LicenseSecret, error) {
 	s, ok := secret.Secret().V1().GetSimple(name)
 	if !ok {
-		return LicenseSecret{}, false
+		return LicenseSecret{}, errors.Newf("Secret %s not found", name)
 	}
 
 	var l LicenseSecret
@@ -70,9 +71,12 @@ func GetLicenseFromSecret(secret secret.Inspector, name string) (LicenseSecret,
 		} else {
 			l.V2 = License(v2)
 		}
+	} else {
+		return LicenseSecret{}, errors.Newf("Key (%s, %s or %s) is missing in the license secret (%s)",
+			constants.SecretKeyToken, constants.SecretKeyV2License, constants.SecretKeyV2Token, name)
 	}
 
-	return l, true
+	return l, nil
 }
 
 func isJSONBytes(s []byte) bool {

pkg/util/k8sutil/license.go

@@ -98,8 +98,8 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {
 
 			require.NoError(t, i.Refresh(context.Background()))
 
-			license, ok := GetLicenseFromSecret(i, n)
-			require.True(t, ok)
+			license, err := GetLicenseFromSecret(i, n)
+			require.NoError(t, err)
 
 			require.Empty(t, license.V1)
 			require.NotEmpty(t, license.V2)
@@ -111,8 +111,8 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {
 
 			require.NoError(t, i.Refresh(context.Background()))
 
-			license, ok := GetLicenseFromSecret(i, n)
-			require.True(t, ok)
+			license, err := GetLicenseFromSecret(i, n)
+			require.NoError(t, err)
 
 			require.Empty(t, license.V1)
 			require.NotEmpty(t, license.V2)
@@ -126,8 +126,8 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {
 
 			require.NoError(t, i.Refresh(context.Background()))
 
-			license, ok := GetLicenseFromSecret(i, n)
-			require.True(t, ok)
+			license, err := GetLicenseFromSecret(i, n)
+			require.NoError(t, err)
 
 			require.Empty(t, license.V1)
 			require.NotEmpty(t, license.V2)
@@ -139,12 +139,27 @@ func getLicenseFromSecret(t *testing.T, raw, encoded string) {
 
 			require.NoError(t, i.Refresh(context.Background()))
 
-			license, ok := GetLicenseFromSecret(i, n)
-			require.True(t, ok)
+			license, err := GetLicenseFromSecret(i, n)
+			require.NoError(t, err)
 
 			require.Empty(t, license.V1)
 			require.NotEmpty(t, license.V2)
 			require.EqualValues(t, encoded, license.V2)
 		})
+
+		t.Run("Non existing Secret license", func(t *testing.T) {
+			require.NoError(t, i.Refresh(context.Background()))
+
+			_, err := GetLicenseFromSecret(i, "non-existing-secret")
+			require.Error(t, err)
+		})
+		t.Run("Non existing license secret key", func(t *testing.T) {
+			n := createLicenseSecret(t, c, "wrong-key", raw)
+
+			require.NoError(t, i.Refresh(context.Background()))
+
+			_, err := GetLicenseFromSecret(i, n)
+			require.Error(t, err)
+		})
 	})
 }