From c019d57fb655ded81850391d0a60ebd083fd1c70 Mon Sep 17 00:00:00 2001
From: Maidul Islam
Date: Wed, 8 Mar 2023 18:49:54 -0800
Subject: [PATCH] allow global defaults for secrets operator
---
 helm-charts/secrets-operator/Chart.yaml | 2 +-
 .../templates/infisicalsecret-crd.yaml | 1 -
 .../api/v1alpha1/infisicalsecret_types.go | 1 -
 ...ecrets.infisical.com_infisicalsecrets.yaml | 1 -
 .../config/samples/infisical-config.yaml | 12 +++++++
 .../controllers/infisicalsecret_controller.go | 16 +++++++--
 .../controllers/infisicalsecret_helper.go | 36 +++++++++++++++++++
 .../install-secrets-operator.yaml | 1 -
 8 files changed, 63 insertions(+), 7 deletions(-)
 create mode 100644 k8-operator/config/samples/infisical-config.yaml
diff --git a/helm-charts/secrets-operator/Chart.yaml b/helm-charts/secrets-operator/Chart.yaml
index 001ae6cc0c..7a390b2694 100644
--- a/helm-charts/secrets-operator/Chart.yaml
+++ b/helm-charts/secrets-operator/Chart.yaml
@@ -18,4 +18,4 @@ version: 0.1.3
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.3"
+appVersion: "0.1.4"
diff --git a/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml b/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml
index e3e3517d5a..a3ae93f9e3 100644
--- a/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml
+++ b/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml
@@ -36,7 +36,6 @@ spec:
 description: InfisicalSecretSpec defines the desired state of InfisicalSecret
 properties:
 hostAPI:
- default: https://app.infisical.com/api
 description: Infisical host to pull secrets from
 type: string
 managedSecretReference:
diff --git a/k8-operator/api/v1alpha1/infisicalsecret_types.go b/k8-operator/api/v1alpha1/infisicalsecret_types.go
index 8f8fbbed9d..f6027d1da4 100644
--- a/k8-operator/api/v1alpha1/infisicalsecret_types.go
+++ b/k8-operator/api/v1alpha1/infisicalsecret_types.go
@@ -22,7 +22,6 @@ type InfisicalSecretSpec struct {
 ManagedSecretReference KubeSecretReference `json:"managedSecretReference,omitempty"`
 // Infisical host to pull secrets from
- // +kubebuilder:default="https://app.infisical.com/api"
 HostAPI string `json:"hostAPI,omitempty"`
 }
diff --git a/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml b/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml
index 2f99ef4439..2064d76e88 100644
--- a/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml
+++ b/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml
@@ -36,7 +36,6 @@ spec:
 description: InfisicalSecretSpec defines the desired state of InfisicalSecret
 properties:
 hostAPI:
- default: https://app.infisical.com/api
 description: Infisical host to pull secrets from
 type: string
 managedSecretReference:
diff --git a/k8-operator/config/samples/infisical-config.yaml b/k8-operator/config/samples/infisical-config.yaml
new file mode 100644
index 0000000000..90f5e49242
--- /dev/null
+++ b/k8-operator/config/samples/infisical-config.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: infisical-operator-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: infisical-config
+ namespace: infisical-operator-system
+data:
+ hostAPI: "https://example.com/api"
diff --git a/k8-operator/controllers/infisicalsecret_controller.go b/k8-operator/controllers/infisicalsecret_controller.go
index ba2f6a17b0..bed609b337 100644
--- a/k8-operator/controllers/infisicalsecret_controller.go
+++ b/k8-operator/controllers/infisicalsecret_controller.go
@@ -57,8 +57,20 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 }, nil
 }
- // set the api url based on the CRD
- api.API_HOST_URL = infisicalSecretCR.Spec.HostAPI
+ // Get modified/default config
+ infisicalConfig, err := r.GetInfisicalConfigMap(ctx)
+ if err != nil {
+ fmt.Printf("unable to fetch infisical-config [err=%s]. Will requeue after [requeueTime=%v]\n", err, requeueTime)
+ return ctrl.Result{
+ RequeueAfter: requeueTime,
+ }, nil
+ }
+
+ if infisicalSecretCR.Spec.HostAPI == "" {
+ api.API_HOST_URL = infisicalConfig["hostAPI"]
+ } else {
+ api.API_HOST_URL = infisicalSecretCR.Spec.HostAPI
+ }
 err = r.ReconcileInfisicalSecret(ctx, infisicalSecretCR)
 r.SetReadyToSyncSecretsConditions(ctx, &infisicalSecretCR, err)
diff --git a/k8-operator/controllers/infisicalsecret_helper.go b/k8-operator/controllers/infisicalsecret_helper.go
index 8428cbec14..fef8b5a337 100644
--- a/k8-operator/controllers/infisicalsecret_helper.go
+++ b/k8-operator/controllers/infisicalsecret_helper.go
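Review bot: The resolved host is still written into the package-level `api.API_HOST_URL` right before `r.ReconcileInfisicalSecret(ctx, infisicalSecretCR)`, so every reconcile overwrites one process-wide value; if the manager runs reconciles concurrently (not visible in this hunk), two InfisicalSecret CRs with different `hostAPI` settings can observe each other's host, and a CR's requests — presumably carrying its Infisical token — would go to the other CR's endpoint. Now that the host is computed from two sources (CR spec, then the operator ConfigMap) it is worth resolving it into a local, e.g. `hostAPI := infisicalConfig["hostAPI"]` / `if infisicalSecretCR.Spec.HostAPI != "" { hostAPI = infisicalSecretCR.Spec.HostAPI }`, and passing `hostAPI` down to `ReconcileInfisicalSecret` rather than going through the global; that is a signature change outside this hunk. A short comment above the `if` would also help the next reader, e.g. `// Precedence: CR spec.hostAPI, then the operator ConfigMap, then the built-in default`. Reconcile begins and ends outside the hunk.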
@@ -16,6 +16,42 @@ import (
 const INFISICAL_TOKEN_SECRET_KEY_NAME = "infisicalToken"
 const SECRET_VERSION_ANNOTATION = "secrets.infisical.com/version" // used to set the version of secrets via Etag
+const OPERATOR_SETTINGS_CONFIGMAP_NAME = "infisical-config"
+const OPERATOR_SETTINGS_CONFIGMAP_NAMESPACE = "infisical-operator-system"
+const INFISICAL_DOMAIN = "https://app.infisical.com/api"
+
+func (r *InfisicalSecretReconciler) GetInfisicalConfigMap(ctx context.Context) (configMap map[string]string, errToReturn error) {
+ // default key values
+ defaultConfigMapData := make(map[string]string)
+ defaultConfigMapData["hostAPI"] = INFISICAL_DOMAIN
+
+ kubeConfigMap := &corev1.ConfigMap{}
+ err := r.Client.Get(ctx, types.NamespacedName{
+ Namespace: OPERATOR_SETTINGS_CONFIGMAP_NAMESPACE,
+ Name: OPERATOR_SETTINGS_CONFIGMAP_NAME,
+ }, kubeConfigMap)
+
+ if err != nil {
+ if errors.IsNotFound(err) {
+ kubeConfigMap = nil
+ } else {
+ return nil, fmt.Errorf("GetConfigMapByNamespacedName: unable to fetch config map in [namespacedName=%s] [err=%s]", OPERATOR_SETTINGS_CONFIGMAP_NAMESPACE, err)
+ }
+ }
+
+ if kubeConfigMap == nil {
+ return defaultConfigMapData, nil
+ } else {
+ for key, value := range defaultConfigMapData {
+ _, exists := kubeConfigMap.Data[key]
+ if !exists {
+ kubeConfigMap.Data[key] = value
+ }
+ }
+
+ return kubeConfigMap.Data, nil
+ }
+}
 func (r *InfisicalSecretReconciler) GetKubeSecretByNamespacedName(ctx context.Context, namespacedName types.NamespacedName) (*corev1.Secret, error) {
 kubeSecret := &corev1.Secret{}
diff --git a/k8-operator/kubectl-install/install-secrets-operator.yaml b/k8-operator/kubectl-install/install-secrets-operator.yaml
index 7862fe7c3e..34722bc31c 100644
--- a/k8-operator/kubectl-install/install-secrets-operator.yaml
+++ b/k8-operator/kubectl-install/install-secrets-operator.yaml
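Review bot: `kubeConfigMap.Data[key] = value` writes into the map of the fetched object, which is nil when the `infisical-config` ConfigMap exists but has no `data` section, so that line panics on the first reconcile; it also mutates the object returned by `r.Client.Get`, which may be a cache-shared copy if the client is cache-backed. The merge only fills in absent keys, so an explicit `hostAPI: ""` in the ConfigMap is returned as-is and the caller ends up with an empty host rather than the default. Building a fresh map fixes all three; the rewritten tail of the function is below. Separately, the error text names `GetConfigMapByNamespacedName` and labels only the namespace as `namespacedName`, e.g. `fmt.Errorf("GetInfisicalConfigMap: unable to fetch config map [namespace=%s] [name=%s] [err=%w]", OPERATOR_SETTINGS_CONFIGMAP_NAMESPACE, OPERATOR_SETTINGS_CONFIGMAP_NAME, err)` would be accurate, and the `else` after `return defaultConfigMapData, nil` can be dropped.
```go
func (r *InfisicalSecretReconciler) GetInfisicalConfigMap(ctx context.Context) (configMap map[string]string, errToReturn error) {
	// … unchanged: defaults, r.Client.Get and its error handling …
	if kubeConfigMap == nil {
		return defaultConfigMapData, nil
	}
	// Merge into a fresh map: kubeConfigMap.Data is nil when the ConfigMap has no
	// data section, and the fetched object should not be modified in place.
	merged := make(map[string]string, len(defaultConfigMapData)+len(kubeConfigMap.Data))
	for key, value := range defaultConfigMapData {
		merged[key] = value
	}
	for key, value := range kubeConfigMap.Data {
		if value != "" { // an empty override falls back to the built-in default
			merged[key] = value
		}
	}
	return merged, nil
}
```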
@@ -44,7 +44,6 @@ spec:
 description: InfisicalSecretSpec defines the desired state of InfisicalSecret
 properties:
 hostAPI:
- default: https://app.infisical.com/api
 description: Infisical host to pull secrets from
 type: string
 managedSecretReference: