Merge pull request #370 from gthiemonge/fix_creds_in_env

Pass credentials via volumes instead of env
openstack-k8s-operators · Sep 11, 2024 · 336fe2d · 336fe2d
2 parents d049901 + a8eb2ce
commit 336fe2d
Show file tree

Hide file tree

Showing 16 changed files with 169 additions and 303 deletions.
diff --git a/controllers/amphoracontroller_controller.go b/controllers/amphoracontroller_controller.go
@@ -260,74 +260,15 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context
 		common.AppSelector: instance.ObjectMeta.Name,
 	}
 
-	// Handle config map
-	configMapVars := make(map[string]env.Setter)
-
-	ospSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace)
-	if err != nil {
-		if k8s_errors.IsNotFound(err) {
-			Log.Info(fmt.Sprintf("OpenStack secret %s not found", instance.Spec.Secret))
-			instance.Status.Conditions.Set(condition.FalseCondition(
-				condition.InputReadyCondition,
-				condition.RequestedReason,
-				condition.SeverityInfo,
-				condition.InputReadyWaitingMessage))
-			return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil
-		}
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.InputReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			condition.InputReadyErrorMessage,
-			err.Error()))
-		return ctrl.Result{}, err
-	}
-	configMapVars[ospSecret.Name] = env.SetValue(hash)
-
-	transportURLSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.TransportURLSecret, instance.Namespace)
-	if err != nil {
-		if k8s_errors.IsNotFound(err) {
-			Log.Info(fmt.Sprintf("TransportURL secret %s not found", instance.Spec.TransportURLSecret))
-			instance.Status.Conditions.Set(condition.FalseCondition(
-				condition.InputReadyCondition,
-				condition.RequestedReason,
-				condition.SeverityInfo,
-				condition.InputReadyWaitingMessage))
-			return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil
-		}
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.InputReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			condition.InputReadyErrorMessage,
-			err.Error()))
-		return ctrl.Result{}, err
-	}
-	configMapVars[transportURLSecret.Name] = env.SetValue(hash)
+	// Handle secrets
+	secretsVars := make(map[string]env.Setter)
 
 	defaultFlavorID, err := amphoracontrollers.EnsureFlavors(ctx, instance, &r.Log, helper)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
 	r.Log.Info(fmt.Sprintf("Using default flavor \"%s\"", defaultFlavorID))
 
-	templateVars := OctaviaTemplateVars{
-		LbMgmtNetworkID:        instance.Spec.LbMgmtNetworkID,
-		AmphoraDefaultFlavorID: defaultFlavorID,
-		LbSecurityGroupID:      instance.Spec.LbSecurityGroupID,
-	}
-
-	err = r.generateServiceConfigMaps(ctx, instance, helper, &configMapVars, templateVars, ospSecret)
-	if err != nil {
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.ServiceConfigReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			condition.ServiceConfigReadyErrorMessage,
-			err.Error()))
-		return ctrl.Result{}, err
-	}
-
 	instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
 
 	//
@@ -362,17 +303,34 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context
 		}
 
 		if hash != "" {
-			configMapVars[tls.CABundleKey] = env.SetValue(hash)
+			secretsVars[tls.CABundleKey] = env.SetValue(hash)
 		}
 	}
 	// all cert input checks out so report InputReady
 	instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
 
+	templateVars := OctaviaTemplateVars{
+		LbMgmtNetworkID:        instance.Spec.LbMgmtNetworkID,
+		AmphoraDefaultFlavorID: defaultFlavorID,
+		LbSecurityGroupID:      instance.Spec.LbSecurityGroupID,
+	}
+
+	err = r.generateServiceSecrets(ctx, instance, helper, &secretsVars, templateVars)
+	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.ServiceConfigReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.ServiceConfigReadyErrorMessage,
+			err.Error()))
+		return ctrl.Result{}, err
+	}
+
 	//
 	// create hash over all the different input resources to identify if any those changed
 	// and a restart/recreate is required.
 	//
-	inputHash, err := r.createHashOfInputHashes(instance, configMapVars)
+	inputHash, err := r.createHashOfInputHashes(instance, secretsVars)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
@@ -476,16 +434,58 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context
 	return ctrl.Result{}, nil
 }
 
-func (r *OctaviaAmphoraControllerReconciler) generateServiceConfigMaps(
+func (r *OctaviaAmphoraControllerReconciler) generateServiceSecrets(
 	ctx context.Context,
 	instance *octaviav1.OctaviaAmphoraController,
 	helper *helper.Helper,
 	envVars *map[string]env.Setter,
 	templateVars OctaviaTemplateVars,
-	ospSecret *corev1.Secret,
 ) error {
-	r.Log.Info(fmt.Sprintf("generating service config map for %s (%s)", instance.Name, instance.Kind))
+	r.Log.Info(fmt.Sprintf("generating service secret for %s (%s)", instance.Name, instance.Kind))
 	cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(instance.ObjectMeta.Name), map[string]string{})
+
+	ospSecret, _, err := oko_secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace)
+	if err != nil {
+		if k8s_errors.IsNotFound(err) {
+			r.Log.Info(fmt.Sprintf("OpenStack secret %s not found", instance.Spec.Secret))
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				condition.InputReadyCondition,
+				condition.RequestedReason,
+				condition.SeverityInfo,
+				condition.InputReadyWaitingMessage))
+			return err
+		}
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.InputReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.InputReadyErrorMessage,
+			err.Error()))
+		return err
+	}
+	servicePassword := string(ospSecret.Data[instance.Spec.PasswordSelectors.Service])
+
+	transportURLSecret, _, err := oko_secret.GetSecret(ctx, helper, instance.Spec.TransportURLSecret, instance.Namespace)
+	if err != nil {
+		if k8s_errors.IsNotFound(err) {
+			r.Log.Info(fmt.Sprintf("TransportURL secret %s not found", instance.Spec.TransportURLSecret))
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				condition.InputReadyCondition,
+				condition.RequestedReason,
+				condition.SeverityInfo,
+				condition.InputReadyWaitingMessage))
+			return err
+		}
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.InputReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.InputReadyErrorMessage,
+			err.Error()))
+		return err
+	}
+	transportURL := string(transportURLSecret.Data["transport_url"])
+
 	db, err := mariadbv1.GetDatabaseByNameAndAccount(ctx, helper, octavia.DatabaseName, instance.Spec.DatabaseAccount, instance.Namespace)
 	if err != nil {
 		return err
@@ -614,7 +614,9 @@ func (r *OctaviaAmphoraControllerReconciler) generateServiceConfigMaps(
 	templateParameters["TenantLogTargetList"] = strings.Join(rsyslogIPAddresses, ",")
 
 	spec := instance.Spec
+	templateParameters["TransportURL"] = transportURL
 	templateParameters["ServiceUser"] = spec.ServiceUser
+	templateParameters["Password"] = servicePassword
 	templateParameters["KeystoneInternalURL"] = keystoneInternalURL
 	templateParameters["KeystonePublicURL"] = keystonePublicURL
 	templateParameters["ServiceRoleName"] = spec.Role
@@ -630,12 +632,10 @@ func (r *OctaviaAmphoraControllerReconciler) generateServiceConfigMaps(
 		// Can't do string(nil)
 		templateParameters["ServerCAKeyPassphrase"] = ""
 	}
-	// TODO(gthiemonge) store keys/passwords/passphrases in a specific config file stored in a secret
 	templateParameters["HeartbeatKey"] = string(ospSecret.Data["OctaviaHeartbeatKey"])
 
 	// TODO(beagles): populate the template parameters
 	cms := []util.Template{
-		// ScriptsConfigMap
 		{
 			Name:               fmt.Sprintf("%s-scripts", instance.Name),
 			Namespace:          instance.Namespace,
@@ -657,11 +657,11 @@ func (r *OctaviaAmphoraControllerReconciler) generateServiceConfigMaps(
 
 	err = oko_secret.EnsureSecrets(ctx, helper, instance, cms, envVars)
 	if err != nil {
-		r.Log.Error(err, "unable to process config map")
+		r.Log.Error(err, "unable to process secrets")
 		return err
 	}
 
-	r.Log.Info("Service config map generated")
+	r.Log.Info("Service secrets generated")
 
 	return nil
 }

diff --git a/controllers/octavia_controller.go b/controllers/octavia_controller.go
@@ -303,8 +303,8 @@ func (r *OctaviaReconciler) reconcileInit(
 	Log := r.GetLogger(ctx)
 	Log.Info("Reconciling Service init")
 
-	// ConfigMap
-	configMapVars := make(map[string]env.Setter)
+	// Secrets
+	secretsVars := make(map[string]env.Setter)
 
 	//
 	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
@@ -328,7 +328,7 @@ func (r *OctaviaReconciler) reconcileInit(
 			err.Error()))
 		return ctrl.Result{}, err
 	}
-	configMapVars[ospSecret.Name] = env.SetValue(hash)
+	secretsVars[ospSecret.Name] = env.SetValue(hash)
 
 	transportURLSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Status.TransportURLSecret, instance.Namespace)
 	if err != nil {
@@ -349,7 +349,7 @@ func (r *OctaviaReconciler) reconcileInit(
 			err.Error()))
 		return ctrl.Result{}, err
 	}
-	configMapVars[transportURLSecret.Name] = env.SetValue(hash)
+	secretsVars[transportURLSecret.Name] = env.SetValue(hash)
 
 	octaviaDb, persistenceDb, result, err := r.ensureDB(ctx, helper, instance)
 	if err != nil {
@@ -359,12 +359,11 @@ func (r *OctaviaReconciler) reconcileInit(
 	}
 
 	//
-	// create Configmap required for octavia input
-	// - %-scripts configmap holding scripts to e.g. bootstrap the service
-	// - %-config configmap holding minimal octavia config required to get the service up, user can add additional files to be added to the service
-	// - parameters which has passwords gets added from the OpenStack secret via the init container
+	// create Secrets required for octavia input
+	// - %-scripts secret holding scripts to e.g. bootstrap the service
+	// - %-config secret holding minimal octavia config required to get the service up, user can add additional files to be added to the service
 	//
-	err = r.generateServiceConfigMaps(ctx, instance, helper, &configMapVars, octaviaDb, persistenceDb)
+	err = r.generateServiceSecrets(ctx, instance, helper, &secretsVars, octaviaDb, persistenceDb)
 	if err != nil {
 		instance.Status.Conditions.Set(condition.FalseCondition(
 			condition.ServiceConfigReadyCondition,
@@ -379,7 +378,7 @@ func (r *OctaviaReconciler) reconcileInit(
 	// create hash over all the different input resources to identify if any those changed
 	// and a restart/recreate is required.
 	//
-	_, hashChanged, err := r.createHashOfInputHashes(ctx, instance, configMapVars)
+	_, hashChanged, err := r.createHashOfInputHashes(ctx, instance, secretsVars)
 	if err != nil {
 		return ctrl.Result{}, err
 	} else if hashChanged {
@@ -1296,9 +1295,9 @@ func (r *OctaviaReconciler) getLocalImageURLs(
 	return ret, nil
 }
 
-// generateServiceConfigMaps - create create configmaps which hold scripts and service configuration
+// generateServiceSecrets - create secrets which hold scripts and service configuration
 // TODO add DefaultConfigOverwrite
-func (r *OctaviaReconciler) generateServiceConfigMaps(
+func (r *OctaviaReconciler) generateServiceSecrets(
 	ctx context.Context,
 	instance *octaviav1.Octavia,
 	h *helper.Helper,
@@ -1307,10 +1306,9 @@ func (r *OctaviaReconciler) generateServiceConfigMaps(
 	persistenceDb *mariadbv1.Database,
 ) error {
 	//
-	// create Configmap/Secret required for octavia input
-	// - %-scripts configmap holding scripts to e.g. bootstrap the service
-	// - %-config configmap holding minimal octavia config required to get the service up, user can add additional files to be added to the service
-	// - parameters which has passwords gets added from the ospSecret via the init container
+	// create Secret required for octavia input
+	// - %-scripts secret holding scripts to e.g. bootstrap the service
+	// - %-config secret holding minimal octavia config required to get the service up, user can add additional files to be added to the service
 	//
 
 	cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(octavia.ServiceName), map[string]string{})
@@ -1357,7 +1355,6 @@ func (r *OctaviaReconciler) generateServiceConfigMaps(
 	templateParameters["ServiceUser"] = instance.Spec.ServiceUser
 
 	cms := []util.Template{
-		// ScriptsConfigMap
 		{
 			Name:               fmt.Sprintf("%s-scripts", instance.Name),
 			Namespace:          instance.Namespace,
@@ -1366,7 +1363,6 @@ func (r *OctaviaReconciler) generateServiceConfigMaps(
 			AdditionalTemplate: map[string]string{"common.sh": "/common/common.sh"},
 			Labels:             cmLabels,
 		},
-		// ConfigMap
 		{
 			Name:          fmt.Sprintf("%s-config-data", instance.Name),
 			Namespace:     instance.Namespace,