Add ability to create secrets

Add state for creating secrets from TLS certs.

Change-Id: Ied8db52428ef812a592a41a3ef89ed87380d8a81
Related-Prod: PROD-27542
diff --git a/kubernetes/control/init.sls b/kubernetes/control/init.sls
index 0469403..a4570d6 100644
--- a/kubernetes/control/init.sls
+++ b/kubernetes/control/init.sls
@@ -6,6 +6,9 @@
   {%- if control.job is defined %}
   - kubernetes.control.job
   {%- endif %}
+  {%- if control.secret is defined %}
+  - kubernetes.control.secret
+  {%- endif %}
   {%- if control.service is defined %}
   - kubernetes.control.service
   {%- endif %}
diff --git a/kubernetes/control/secret.sls b/kubernetes/control/secret.sls
new file mode 100644
index 0000000..10fc58a
--- /dev/null
+++ b/kubernetes/control/secret.sls
@@ -0,0 +1,33 @@
+{% from "kubernetes/map.jinja" import control with context %}
+include:
+  - kubernetes.control
+
+{%- for secret_name, secret in control.secret.items() %}
+  {%- if secret.get('enabled', false) %}
+
+/srv/kubernetes/secrets/{{ secret.namespace }}/{{ secret_name }}.yml:
+  file.managed:
+  - source: salt://kubernetes/files/secret.yml
+  - user: root
+  - group: root
+  - mode: 750
+  - template: jinja
+  - makedirs: true
+  - require:
+    - file: /srv/kubernetes
+  - defaults:
+      secret: {{ secret|yaml }}
+
+    {%- if secret.get('create', false) %}
+  cmd.wait:
+    - name: kubectl apply -f /srv/kubernetes/secrets/{{ secret.namespace }}/{{ secret_name }}.yml
+    - unless: kubectl get secret -o=custom-columns=NAME:.metadata.name --namespace {{ secret.namespace }} | grep -xq {{ secret_name }}
+      {%- if grains.get('noservices') %}
+    - onlyif: /bin/false
+      {%- endif %}
+    - watch:
+      - file: /srv/kubernetes/secrets/{{ secret.namespace }}/{{ secret_name }}.yml
+    {%- endif %}
+
+  {%- endif %}
+{%- endfor %}
\ No newline at end of file
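Review bot: The `defaults:` mapping under `file.managed` passes only `secret`, but the template it renders (kubernetes/files/secret.yml in the next hunk) reads `secret_name` for metadata.name, so the rendered Secret gets an undefined or empty name depending on the Jinja undefined setting; add `secret_name: {{ secret_name }}` beneath `secret: {{ secret|yaml }}`. The managed file holds base64-encoded key and certificate material, so `mode: 750` grants group read plus an execute bit the file never needs; `mode: "0640"` (quoted so YAML hands Salt a string, not an integer) is the tighter choice. The `- source:` list under `file.managed:` sits flush with its key while `cmd.wait:` indents its list; pick one sequence indentation for the file.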
diff --git a/kubernetes/files/secret.yml b/kubernetes/files/secret.yml
new file mode 100644
index 0000000..0ce9505
--- /dev/null
+++ b/kubernetes/files/secret.yml
@@ -0,0 +1,22 @@
+{% from "kubernetes/map.jinja" import control with context %}
+apiVersion: {{ secret.apiVersion }}
+kind: Secret
+metadata:
+  name: {{ secret_name }}
+  namespace: {{ secret.get('namespace', 'default') }}
+type: Opaque
+{%- if secret.data is defined}
+data:
+  {%- if secret.data.type == 'ssl' %}
+    {%- set ca_crt = salt['cmd.shell']('cat {0} | base64'.format(secret.data.ca_crt_file)) %}
+    {%- set tls_crt = salt['cmd.shell']('cat {0} | base64'.format(secret.data.tls_crt_file)) %}
+    {%- set tls_key = salt['cmd.shell']('cat {0} | base64'.format(secret.data.tls_key_file)) %}
+  ca.crt: {{ ca_crt }}
+  tls.crt: {{ tls_crt }}
+  tls.key: {{ tls_key }}
+  {%- else %}
+    {%- for key, value in secret.data.secrets.items() %}
+  {{ key }}: {{ salt['hashutil.base64_b64encode'](value) }}
+    {%- endfor %}
+  {%- endif %}
+{%- endif %}
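Review bot: The `data:` guard `{%- if secret.data is defined}` is missing its closing `%}`, so the template fails to render before any secret is produced; it should read `{%- if secret.data is defined %}`. The three `cmd.shell('cat {0} | base64')` calls emit output wrapped at 76 columns, so any certificate or key longer than one line becomes a multi-line value that breaks the `data:` mapping; `salt['hashutil.base64_encodefile'](secret.data.ca_crt_file)` (or `base64 -w0`) yields a single line and also avoids passing a pillar-supplied path through a shell. `namespace` falls back to `'default'` here while secret.sls uses `secret.namespace` unconditionally for the file path, so the file location and the object namespace can disagree when the key is absent; require it in both places or default in both. The `control` import on the first line is unused in this template.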