Dev 24011 integration secret ref sso smtp

README.md

@@ -21,4 +21,49 @@ helm install cnvrg cnvrg/mlops \
  --set registry.user="<CNVRG-USERNAME>" \
  --set registry.password="<CNVRG-PASSWORD>" \
  --set controlPlane.baseConfig.agentCustomTag="<AGENT-CUSTOM-TAG>"
-```
+```
+
+## Using external secret for SMTP server
+It's an option to specify external secret for SMTP server credintials instead setting it in helm chart values or cnvrgapp CRD . 
+The parameter to reference the secret is `controlPlane.smtp.CredentialsSecretRef` and the keys in the secret should be `username` and `password`.
+
+```bash
+helm install cnvrg cnvrg/mlops \
+ --create-namespace -n cnvrg \
+ --set controlPlane.smtp.credentialsSecretRef="SECRET-NAME"
+```
+secret example
+```bash
+apiVersion: v1
+kind: Secret
+metadata:
+  name: SECRET-NAME
+  namespace: cnvrg
+type: Opaque
+data:
+  username: YWRtaW4=
+  password: c2VjcmV0
+```
+
+## Using external secret for OAuth2 client configuration
+
+It's an option to specify external secret for OAuth2 client configuration instead setting it in helm chart values or cnvrgapp CRD. The parameter to reference the secret is `sso.central.credentialsSecretRef` and the keys in the secret should be `clientId`, `clientSecret`
+
+```bash
+helm install cnvrg cnvrg/mlops \
+ --create-namespace -n cnvrg \
+ --set sso.central.credentialsSecretRef="SECRET-NAME"
+```
+
+secret example
+```bash
+apiVersion: v1
+kind: Secret
+metadata:
+  name: SECRET-NAME
+  namespace: cnvrg
+type: Opaque
+data:
+  clientId: YWRtaW4=
+  clientSecret: c2VjcmV0
+```

api/v1/app.go

@@ -122,13 +122,14 @@ type Ldap struct {
 }
 
 type SMTP struct {
-	Server            string `json:"server,omitempty"`
-	Port              int    `json:"port,omitempty"`
-	Username          string `json:"username,omitempty"`
-	Password          string `json:"password,omitempty"`
-	Domain            string `json:"domain,omitempty"`
-	OpensslVerifyMode string `json:"opensslVerifyMode,omitempty"`
-	Sender            string `json:"sender,omitempty"`
+	Server               string `json:"server,omitempty"`
+	Port                 int    `json:"port,omitempty"`
+	CredentialsSecretRef string `json:"credentialsSecretRef,omitempty"`
+	Username             string `json:"username,omitempty"`
+	Password             string `json:"password,omitempty"`
+	Domain               string `json:"domain,omitempty"`
+	OpensslVerifyMode    string `json:"opensslVerifyMode,omitempty"`
+	Sender               string `json:"sender,omitempty"`
 }
 
 type ObjectStorage struct {
@@ -407,6 +408,7 @@ type CentralSSO struct {
 	EmailDomain                      []string          `json:"emailDomain,omitempty"`
 	ClientID                         string            `json:"clientId,omitempty"`
 	ClientSecret                     string            `json:"clientSecret,omitempty"`
+	CredentialsSecretRef             string            `json:"credentialsSecretRef,omitempty"`
 	OidcIssuerURL                    string            `json:"oidcIssuerUrl,omitempty"`
 	ServiceUrl                       string            `json:"serviceUrl,omitempty"`
 	Scope                            string            `json:"scope,omitempty"`

charts/mlops/crds/mlops.cnvrg.io_cnvrgapps.yaml

@@ -267,6 +267,8 @@ spec:
                     type: object
                   smtp:
                     properties:
+                      credentialsSecretRef:
+                        type: string
                       domain:
                         type: string
                       opensslVerifyMode:
@@ -768,6 +770,8 @@ spec:
                         type: string
                       cookieDomain:
                         type: string
+                      credentialsSecretRef:
+                        type: string
                       emailDomain:
                         items:
                           type: string

charts/mlops/templates/cap.yml

@@ -138,6 +138,7 @@ spec:
       port: {{.Values.controlPlane.smtp.port}}
       username: {{.Values.controlPlane.smtp.username}}
       password: {{.Values.controlPlane.smtp.password}}
+      credentialsSecretRef: {{.Values.controlPlane.smtp.credentialsSecretRef}}
       domain: {{.Values.controlPlane.smtp.domain}}
       opensslVerifyMode: {{.Values.controlPlane.smtp.opensslVerifyMode}}
       sender: {{.Values.controlPlane.smtp.sender}}
@@ -338,6 +339,7 @@ spec:
       emailDomain: {{ toJson .Values.sso.central.emailDomain }}
       clientId: {{.Values.sso.central.clientId}}
       clientSecret: {{.Values.sso.central.clientSecret}}
+      credentialsSecretRef: {{.Values.sso.central.credentialsSecretRef}}
       oidcIssuerUrl: {{.Values.sso.central.oidcIssuerUrl}}
       serviceUrl: {{.Values.sso.central.serviceUrl}}
       scope: {{.Values.sso.central.scope}}

charts/mlops/values.yaml

@@ -128,6 +128,7 @@ controlPlane:
     domain: ''
     opensslVerifyMode: ''
     sender: [email protected]
+    credentialsSecretRef: ''
   objectStorage:
     type: minio
     bucket: cnvrg-storage
@@ -323,6 +324,7 @@ sso:
       - "*"
     clientId: ''
     clientSecret: ''
+    credentialsSecretRef: ''
     oidcIssuerUrl: ''
     serviceUrl: ''
     scope: openid email profile

config/crd/bases/mlops.cnvrg.io_cnvrgapps.yaml

@@ -267,6 +267,8 @@ spec:
                     type: object
                   smtp:
                     properties:
+                      credentialsSecretRef:
+                        type: string
                       domain:
                         type: string
                       opensslVerifyMode:
@@ -768,6 +770,8 @@ spec:
                         type: string
                       cookieDomain:
                         type: string
+                      credentialsSecretRef:
+                        type: string
                       emailDomain:
                         items:
                           type: string

pkg/app/controlplane/controlplane.go

@@ -1,12 +1,15 @@
 package controlplane
 
 import (
+	"context"
 	"embed"
 	"fmt"
 	mlopsv1 "github.com/AccessibleAI/cnvrg-operator/api/v1"
 	"github.com/AccessibleAI/cnvrg-operator/pkg/desired"
 	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -51,6 +54,59 @@ func (m *CpStateManager) LoadKiqs(kiqName string, hpa bool) error {
 	return nil
 }
 
+func (m *CpStateManager) renderSmtpConfigs() error {
+	assets := []string{"secret-smtp.tpl"}
+	f := &desired.LoadFilter{AssetName: assets}
+	smtp := desired.NewAssetsGroup(fs, m.RootPath()+"/conf/smtp", m.Log(), f)
+	if err := smtp.LoadAssets(); err != nil {
+		return err
+	}
+
+	configData, err := m.smtpCfgData()
+	if err != nil {
+		return err
+	}
+
+	if err = smtp.Render(configData); err != nil {
+		return err
+	}
+
+	m.AddToState(smtp)
+
+	return nil
+}
+
+func (m *CpStateManager) smtpCfgData() (map[string]interface{}, error) {
+	var userName, password string
+
+	if m.app.Spec.ControlPlane.SMTP.CredentialsSecretRef != "" {
+		secret := &corev1.Secret{}
+		if err := m.C.Get(context.Background(), types.NamespacedName{Name: m.app.Spec.ControlPlane.SMTP.CredentialsSecretRef, Namespace: m.app.Namespace}, secret); err != nil {
+			return nil, err
+		}
+		userName = string(secret.Data["username"])
+		password = string(secret.Data["password"])
+	} else {
+		userName = m.app.Spec.ControlPlane.SMTP.Username
+		password = m.app.Spec.ControlPlane.SMTP.Password
+	}
+
+	d := map[string]interface{}{
+		"Namespace":         m.app.Namespace,
+		"Annotations":       m.app.Spec.Annotations,
+		"Labels":            m.app.Spec.Labels,
+		"Server":            m.app.Spec.ControlPlane.SMTP.Server,
+		"Port":              m.app.Spec.ControlPlane.SMTP.Port,
+		"Username":          userName,
+		"Password":          password,
+		"Domain":            m.app.Spec.ControlPlane.SMTP.Domain,
+		"Sender":            m.app.Spec.ControlPlane.SMTP.Sender,
+		"OpensslVerifyMode": m.app.Spec.ControlPlane.SMTP.OpensslVerifyMode,
+	}
+
+	return d, nil
+}
+
 func (m *CpStateManager) Load() error {
 	f := &desired.LoadFilter{DefaultLoader: true}
 
@@ -122,6 +178,10 @@ func (m *CpStateManager) Load() error {
 }
 
 func (m *CpStateManager) Apply() error {
+	if err := m.renderSmtpConfigs(); err != nil {
+		return err
+	}
+
 	if err := m.Load(); err != nil {
 		return err
 	}

pkg/app/controlplane/tmpl/conf/smtp/secret-smtp.tpl

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cp-smtp
+  namespace: {{ .Namespace }}
+  annotations:
+    mlops.cnvrg.io/default-loader: "true"
+    mlops.cnvrg.io/own: "true"
+    mlops.cnvrg.io/updatable: "true"
+    {{- range $k, $v := .Annotations }}
+    {{$k}}: "{{$v}}"
+    {{- end }}
+  labels:
+    {{- range $k, $v := .Labels }}
+    {{$k}}: "{{$v}}"
+    {{- end }}
+data:
+  SMTP_SERVER: {{ .Server | b64enc }}
+  SMTP_PORT: {{ .Port | toString | b64enc }}
+  SMTP_USERNAME: {{ .Username | b64enc }}
+  SMTP_PASSWORD: {{ .Password | b64enc}}
+  SMTP_DOMAIN: {{ .Domain | b64enc}}
+  SMTP_OPENSSL_VERIFY_MODE: {{ .OpensslVerifyMode | b64enc }}
+  SMTP_SENDER: {{ .Sender | b64enc }}

pkg/app/controlplane/tmpl/crds/mlops.cnvrg.io_cnvrgapps.yaml

@@ -270,6 +270,8 @@ spec:
                     type: object
                   smtp:
                     properties:
+                      credentialsSecretRef:
+                        type: string
                       domain:
                         type: string
                       opensslVerifyMode:
@@ -771,6 +773,8 @@ spec:
                         type: string
                       cookieDomain:
                         type: string
+                      credentialsSecretRef:
+                        type: string
                       emailDomain:
                         items:
                           type: string

pkg/app/controlplane/tmpl/crds/mlops.cnvrg.io_cnvrgthirdparties.yaml

@@ -96,6 +96,12 @@ metadata:
     mlops.cnvrg.io/default-loader: "true"
     mlops.cnvrg.io/own: "false"
     mlops.cnvrg.io/updatable: "true"
+    mlops.cnvrg.io/default-loader: "true"
+    mlops.cnvrg.io/own: "false"
+    mlops.cnvrg.io/updatable: "true"
+    mlops.cnvrg.io/default-loader: "true"
+    mlops.cnvrg.io/own: "false"
+    mlops.cnvrg.io/updatable: "true"
     controller-gen.kubebuilder.io/version: v0.9.2
   creationTimestamp: null
   name: cnvrgthirdparties.mlops.cnvrg.io