From a8eb2ceb95c13921d878044d72587fa0ecf9fa04 Mon Sep 17 00:00:00 2001 From: Gregory Thiemonge Date: Thu, 5 Sep 2024 18:17:20 +0000 Subject: [PATCH] Pass credentials via volumes instead of env Pass TransportURL and ServicePassword directly in the config file instead of using container environment variables. Clean up unused environment variables (DatabaseHost, DatabaseName) Rename incorrect variable and function names that referred to ConfigMaps instead of Secrets OSPRH-9908 --- controllers/amphoracontroller_controller.go | 140 +++++++++--------- controllers/octavia_controller.go | 32 ++-- controllers/octaviaapi_controller.go | 137 +++++++++-------- controllers/octaviarsyslog_controller.go | 10 +- pkg/amphoracontrollers/daemonset.go | 9 +- pkg/octavia/dbsync.go | 9 +- pkg/octavia/initcontainer.go | 49 +----- pkg/octaviaapi/deployment.go | 9 +- templates/octavia/bin/init.sh | 10 -- templates/octavia/config/octavia.conf | 1 - .../octaviaamphoracontroller/bin/init.sh | 12 -- .../config/octavia.conf | 6 +- templates/octaviaapi/bin/init.sh | 12 -- templates/octaviaapi/config/octavia.conf | 6 +- .../common/assert_sample_deployment.yaml | 15 -- tests/kuttl/tests/octavia_tls/02-assert.yaml | 15 -- 16 files changed, 169 insertions(+), 303 deletions(-) diff --git a/controllers/amphoracontroller_controller.go b/controllers/amphoracontroller_controller.go index 4f533b6c..d633f74d 100644 --- a/controllers/amphoracontroller_controller.go +++ b/controllers/amphoracontroller_controller.go
@@ -260,50 +260,8 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context common.AppSelector: instance.ObjectMeta.Name, } - // Handle config map - configMapVars := make(map[string]env.Setter) - - ospSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace) - if err != nil { - if k8s_errors.IsNotFound(err) { - Log.Info(fmt.Sprintf("OpenStack secret %s not found", instance.Spec.Secret)) - instance.Status.Conditions.Set(condition.FalseCondition( - condition.InputReadyCondition, - condition.RequestedReason, - condition.SeverityInfo, - condition.InputReadyWaitingMessage)) - return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil - } - instance.Status.Conditions.Set(condition.FalseCondition( - condition.InputReadyCondition, - condition.ErrorReason, - condition.SeverityWarning, - condition.InputReadyErrorMessage, - err.Error())) - return ctrl.Result{}, err - } - configMapVars[ospSecret.Name] = env.SetValue(hash) - - transportURLSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.TransportURLSecret, instance.Namespace) - if err != nil { - if k8s_errors.IsNotFound(err) { - Log.Info(fmt.Sprintf("TransportURL secret %s not found", instance.Spec.TransportURLSecret)) - instance.Status.Conditions.Set(condition.FalseCondition( - condition.InputReadyCondition, - condition.RequestedReason, - condition.SeverityInfo, - condition.InputReadyWaitingMessage)) - return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil - } - instance.Status.Conditions.Set(condition.FalseCondition( - condition.InputReadyCondition, - condition.ErrorReason, - condition.SeverityWarning, - condition.InputReadyErrorMessage, - err.Error())) - return ctrl.Result{}, err - } - configMapVars[transportURLSecret.Name] = env.SetValue(hash) + // Handle secrets + secretsVars := make(map[string]env.Setter) defaultFlavorID, err := amphoracontrollers.EnsureFlavors(ctx, instance, &r.Log, helper) if err != nil { 
@@ -311,23 +269,6 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context } r.Log.Info(fmt.Sprintf("Using default flavor \"%s\"", defaultFlavorID)) - templateVars := OctaviaTemplateVars{ - LbMgmtNetworkID: instance.Spec.LbMgmtNetworkID, - AmphoraDefaultFlavorID: defaultFlavorID, - LbSecurityGroupID: instance.Spec.LbSecurityGroupID, - } - - err = r.generateServiceConfigMaps(ctx, instance, helper, &configMapVars, templateVars, ospSecret) - if err != nil { - instance.Status.Conditions.Set(condition.FalseCondition( - condition.ServiceConfigReadyCondition, - condition.ErrorReason, - condition.SeverityWarning, - condition.ServiceConfigReadyErrorMessage, - err.Error())) - return ctrl.Result{}, err - } - instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage) // 
@@ -356,17 +297,34 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context } if hash != "" { - configMapVars[tls.CABundleKey] = env.SetValue(hash) + secretsVars[tls.CABundleKey] = env.SetValue(hash) } } // all cert input checks out so report InputReady instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage) + templateVars := OctaviaTemplateVars{ + LbMgmtNetworkID: instance.Spec.LbMgmtNetworkID, + AmphoraDefaultFlavorID: defaultFlavorID, + LbSecurityGroupID: instance.Spec.LbSecurityGroupID, + } + + err = r.generateServiceSecrets(ctx, instance, helper, &secretsVars, templateVars) + if err != nil { + instance.Status.Conditions.Set(condition.FalseCondition( + condition.ServiceConfigReadyCondition, + condition.ErrorReason, + condition.SeverityWarning, + condition.ServiceConfigReadyErrorMessage, + err.Error())) + return ctrl.Result{}, err + } + // // create hash over all the different input resources to identify if any those changed // and a restart/recreate is required. // - inputHash, err := r.createHashOfInputHashes(instance, configMapVars) + inputHash, err := r.createHashOfInputHashes(instance, secretsVars) if err != nil { return ctrl.Result{}, err } 
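Review bot: A missing `Spec.Secret` or `Spec.TransportURLSecret` is now surfaced at this call site as a ServiceConfigReady error with `return ctrl.Result{}, err`, whereas the deleted code returned `ctrl.Result{RequeueAfter: 10s}, nil` with InputReady in the waiting state; the helper still sets InputReady to the waiting reason on NotFound, but the error branch here overwrites that outcome and puts the reconcile on error backoff. Keeping the waiting semantics is a three-line check ahead of the existing error branch: `if k8s_errors.IsNotFound(err) { return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil }`. Note also that `MarkTrue(condition.InputReadyCondition, ...)` in the previous hunk now runs before the secrets are actually read inside generateServiceSecrets; moving it after this call succeeds would make the condition reflect the real input state. The enclosing reconcileNormal starts before this hunk and continues after it.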
@@ -470,16 +428,58 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context return ctrl.Result{}, nil } -func (r *OctaviaAmphoraControllerReconciler) generateServiceConfigMaps( +func (r *OctaviaAmphoraControllerReconciler) generateServiceSecrets( ctx context.Context, instance *octaviav1.OctaviaAmphoraController, helper *helper.Helper, envVars *map[string]env.Setter, templateVars OctaviaTemplateVars, - ospSecret *corev1.Secret, ) error { - r.Log.Info(fmt.Sprintf("generating service config map for %s (%s)", instance.Name, instance.Kind)) + r.Log.Info(fmt.Sprintf("generating service secret for %s (%s)", instance.Name, instance.Kind)) cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(instance.ObjectMeta.Name), map[string]string{}) + + ospSecret, _, err := oko_secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace) + if err != nil { + if k8s_errors.IsNotFound(err) { + r.Log.Info(fmt.Sprintf("OpenStack secret %s not found", instance.Spec.Secret)) + instance.Status.Conditions.Set(condition.FalseCondition( + condition.InputReadyCondition, + condition.RequestedReason, + condition.SeverityInfo, + condition.InputReadyWaitingMessage)) + return err + } + instance.Status.Conditions.Set(condition.FalseCondition( + condition.InputReadyCondition, + condition.ErrorReason, + condition.SeverityWarning, + condition.InputReadyErrorMessage, + err.Error())) + return err + } + servicePassword := string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]) + + transportURLSecret, _, err := oko_secret.GetSecret(ctx, helper, instance.Spec.TransportURLSecret, instance.Namespace) + if err != nil { + if k8s_errors.IsNotFound(err) { + r.Log.Info(fmt.Sprintf("TransportURL secret %s not found", instance.Spec.TransportURLSecret)) + instance.Status.Conditions.Set(condition.FalseCondition( + condition.InputReadyCondition, + condition.RequestedReason, + condition.SeverityInfo, + condition.InputReadyWaitingMessage)) + return err + } + 
instance.Status.Conditions.Set(condition.FalseCondition( + condition.InputReadyCondition, + condition.ErrorReason, + condition.SeverityWarning, + condition.InputReadyErrorMessage, + err.Error())) + return err + } + transportURL := string(transportURLSecret.Data["transport_url"]) + db, err := mariadbv1.GetDatabaseByNameAndAccount(ctx, helper, octavia.DatabaseName, instance.Spec.DatabaseAccount, instance.Namespace) if err != nil { return err @@ -608,7 +608,9 @@ func (r *OctaviaAmphoraControllerReconciler) generateServiceConfigMaps( templateParameters["TenantLogTargetList"] = strings.Join(rsyslogIPAddresses, ",") spec := instance.Spec + templateParameters["TransportURL"] = transportURL templateParameters["ServiceUser"] = spec.ServiceUser + templateParameters["Password"] = servicePassword templateParameters["KeystoneInternalURL"] = keystoneInternalURL templateParameters["KeystonePublicURL"] = keystonePublicURL templateParameters["ServiceRoleName"] = spec.Role @@ -624,12 +626,10 @@ func (r *OctaviaAmphoraControllerReconciler) generateServiceConfigMaps( // Can't do string(nil) templateParameters["ServerCAKeyPassphrase"] = "" } - // TODO(gthiemonge) store keys/passwords/passphrases in a specific config file stored in a secret templateParameters["HeartbeatKey"] = string(ospSecret.Data["OctaviaHeartbeatKey"]) // TODO(beagles): populate the template parameters cms := []util.Template{ - // ScriptsConfigMap { Name: fmt.Sprintf("%s-scripts", instance.Name), Namespace: instance.Namespace, @@ -651,11 +651,11 @@ func (r *OctaviaAmphoraControllerReconciler) generateServiceConfigMaps( err = oko_secret.EnsureSecrets(ctx, helper, instance, cms, envVars) if err != nil { - r.Log.Error(err, "unable to process config map") + r.Log.Error(err, "unable to process secrets") return err } - r.Log.Info("Service config map generated") + r.Log.Info("Service secrets generated") return nil } 
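Review bot: `servicePassword := string(ospSecret.Data[instance.Spec.PasswordSelectors.Service])` and the `transport_url` lookup silently yield an empty string when the key is absent, and that empty value is then rendered as `password=` / `transport_url=` into the config secret; the deleted init.sh enforced `${AdminPassword:?...}`, so this commit removes the only fail-fast check on the credential, and a misnamed PasswordSelector will now show up as Keystone or RabbitMQ auth failures in the pods instead of at reconcile time. Return an error when either key is missing or empty, as below. A secondary point: the secret hashes are now discarded (`ospSecret, _, err :=`), so restart-on-rotation relies on `EnsureSecrets` hashing the rendered config secret that embeds these values — presumably true, but a one-line comment saying so would save the next reader a search. The function body continues beyond the last hunk line.
```go
pwKey := instance.Spec.PasswordSelectors.Service
servicePassword := string(ospSecret.Data[pwKey])
if servicePassword == "" {
	return fmt.Errorf("secret %s: key %q is missing or empty", instance.Spec.Secret, pwKey)
}
// … unchanged: TransportURLSecret lookup and condition handling …
transportURL := string(transportURLSecret.Data["transport_url"])
if transportURL == "" {
	return fmt.Errorf("secret %s: key %q is missing or empty", instance.Spec.TransportURLSecret, "transport_url")
}
```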
diff --git a/controllers/octavia_controller.go b/controllers/octavia_controller.go index 5385cda2..10606027 100644 --- a/controllers/octavia_controller.go +++ b/controllers/octavia_controller.go @@ -303,8 +303,8 @@ func (r *OctaviaReconciler) reconcileInit( Log := r.GetLogger(ctx) Log.Info("Reconciling Service init") - // ConfigMap - configMapVars := make(map[string]env.Setter) + // Secrets + secretsVars := make(map[string]env.Setter) // // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map @@ -328,7 +328,7 @@ func (r *OctaviaReconciler) reconcileInit( err.Error())) return ctrl.Result{}, err } - configMapVars[ospSecret.Name] = env.SetValue(hash) + secretsVars[ospSecret.Name] = env.SetValue(hash) transportURLSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Status.TransportURLSecret, instance.Namespace) if err != nil { @@ -349,7 +349,7 @@ func (r *OctaviaReconciler) reconcileInit( err.Error())) return ctrl.Result{}, err } - configMapVars[transportURLSecret.Name] = env.SetValue(hash) + secretsVars[transportURLSecret.Name] = env.SetValue(hash) octaviaDb, persistenceDb, result, err := r.ensureDB(ctx, helper, instance) if err != nil { 
@@ -359,12 +359,11 @@ func (r *OctaviaReconciler) reconcileInit( } // - // create Configmap required for octavia input - // - %-scripts configmap holding scripts to e.g. bootstrap the service - // - %-config configmap holding minimal octavia config required to get the service up, user can add additional files to be added to the service - // - parameters which has passwords gets added from the OpenStack secret via the init container + // create Secrets required for octavia input + // - %-scripts secret holding scripts to e.g. bootstrap the service + // - %-config secret holding minimal octavia config required to get the service up, user can add additional files to be added to the service // - err = r.generateServiceConfigMaps(ctx, instance, helper, &configMapVars, octaviaDb, persistenceDb) + err = r.generateServiceSecrets(ctx, instance, helper, &secretsVars, octaviaDb, persistenceDb) if err != nil { instance.Status.Conditions.Set(condition.FalseCondition( condition.ServiceConfigReadyCondition, @@ -379,7 +378,7 @@ func (r *OctaviaReconciler) reconcileInit( // create hash over all the different input resources to identify if any those changed // and a restart/recreate is required. // - _, hashChanged, err := r.createHashOfInputHashes(ctx, instance, configMapVars) + _, hashChanged, err := r.createHashOfInputHashes(ctx, instance, secretsVars) if err != nil { return ctrl.Result{}, err } else if hashChanged { @@ -1296,9 +1295,9 @@ func (r *OctaviaReconciler) getLocalImageURLs( return ret, nil } -// generateServiceConfigMaps - create create configmaps which hold scripts and service configuration +// generateServiceSecrets - create secrets which hold scripts and service configuration // TODO add DefaultConfigOverwrite -func (r *OctaviaReconciler) generateServiceConfigMaps( +func (r *OctaviaReconciler) generateServiceSecrets( ctx context.Context, instance *octaviav1.Octavia, h *helper.Helper, 
@@ -1307,10 +1306,9 @@ func (r *OctaviaReconciler) generateServiceConfigMaps( persistenceDb *mariadbv1.Database, ) error { // - // create Configmap/Secret required for octavia input - // - %-scripts configmap holding scripts to e.g. bootstrap the service - // - %-config configmap holding minimal octavia config required to get the service up, user can add additional files to be added to the service - // - parameters which has passwords gets added from the ospSecret via the init container + // create Secret required for octavia input + // - %-scripts secret holding scripts to e.g. bootstrap the service + // - %-config secret holding minimal octavia config required to get the service up, user can add additional files to be added to the service // cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(octavia.ServiceName), map[string]string{}) @@ -1357,7 +1355,6 @@ func (r *OctaviaReconciler) generateServiceConfigMaps( templateParameters["ServiceUser"] = instance.Spec.ServiceUser cms := []util.Template{ - // ScriptsConfigMap { Name: fmt.Sprintf("%s-scripts", instance.Name), Namespace: instance.Namespace, @@ -1366,7 +1363,6 @@ func (r *OctaviaReconciler) generateServiceConfigMaps( AdditionalTemplate: map[string]string{"common.sh": "/common/common.sh"}, Labels: cmLabels, }, - // ConfigMap { Name: fmt.Sprintf("%s-config-data", instance.Name), Namespace: instance.Namespace, diff --git a/controllers/octaviaapi_controller.go b/controllers/octaviaapi_controller.go index 3a3eb826..101cbb5c 100644 --- a/controllers/octaviaapi_controller.go +++ b/controllers/octaviaapi_controller.go 
@@ -557,57 +557,8 @@ func (r *OctaviaAPIReconciler) reconcileNormal(ctx context.Context, instance *oc Log := r.GetLogger(ctx) Log.Info("Reconciling Service") - // ConfigMap - configMapVars := make(map[string]env.Setter) - - // - // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map - // - ospSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace) - if err != nil { - if k8s_errors.IsNotFound(err) { - Log.Info(fmt.Sprintf("OpenStack secret %s not found", instance.Spec.Secret)) - instance.Status.Conditions.Set(condition.FalseCondition( - condition.InputReadyCondition, - condition.RequestedReason, - condition.SeverityInfo, - condition.InputReadyWaitingMessage)) - return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil - } - instance.Status.Conditions.Set(condition.FalseCondition( - condition.InputReadyCondition, - condition.ErrorReason, - condition.SeverityWarning, - condition.InputReadyErrorMessage, - err.Error())) - return ctrl.Result{}, err - } - configMapVars[ospSecret.Name] = env.SetValue(hash) - - transportURLSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.TransportURLSecret, instance.Namespace) - if err != nil { - if k8s_errors.IsNotFound(err) { - Log.Info(fmt.Sprintf("TransportURL secret %s not found", instance.Spec.TransportURLSecret)) - instance.Status.Conditions.Set(condition.FalseCondition( - condition.InputReadyCondition, - condition.RequestedReason, - condition.SeverityInfo, - condition.InputReadyWaitingMessage)) - return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil - } - instance.Status.Conditions.Set(condition.FalseCondition( - condition.InputReadyCondition, - condition.ErrorReason, - condition.SeverityWarning, - condition.InputReadyErrorMessage, - err.Error())) - return ctrl.Result{}, err - } - configMapVars[transportURLSecret.Name] = env.SetValue(hash) - - 
instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage) - - // run check OpenStack secret - end + // Secrets + secretsVars := make(map[string]env.Setter) // // TLS input validation @@ -635,7 +586,7 @@ func (r *OctaviaAPIReconciler) reconcileNormal(ctx context.Context, instance *oc } if hash != "" { - configMapVars[tls.CABundleKey] = env.SetValue(hash) + secretsVars[tls.CABundleKey] = env.SetValue(hash) } // Validate API service certs secrets @@ -652,23 +603,22 @@ func (r *OctaviaAPIReconciler) reconcileNormal(ctx context.Context, instance *oc return ctrlResult, nil } - configMapVars[tls.TLSHashName] = env.SetValue(certsHash) + secretsVars[tls.TLSHashName] = env.SetValue(certsHash) } // all cert input checks out so report InputReady instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage) // - // Create ConfigMaps and Secrets required as input for the Service and calculate an overall hash of hashes + // Create Secrets required as input for the Service and calculate an overall hash of hashes // // - // create Configmap required for octavia input - // - %-scripts configmap holding scripts to e.g. bootstrap the service - // - %-config configmap holding minimal octavia config required to get the service up, user can add additional files to be added to the service - // - parameters which has passwords gets added from the OpenStack secret via the init container + // create Secrets required for octavia input + // - %-scripts secret holding scripts to e.g. bootstrap the service + // - %-config secret holding minimal octavia config required to get the service up, user can add additional files to be added to the service // - err = r.generateServiceConfigMaps(ctx, instance, helper, &configMapVars) + err := r.generateServiceSecrets(ctx, instance, helper, &secretsVars) if err != nil { instance.Status.Conditions.Set(condition.FalseCondition( condition.ServiceConfigReadyCondition, 
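Review bot: The removed block contained the only call in this function to `instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)`, and none of the new lines re-add it — unlike the amphora controller hunk in this same commit, where that MarkTrue survives. Unless it is set somewhere outside the visible hunks, the OctaviaAPI InputReady condition will now never be marked True and can hold back the aggregated Ready condition. Re-add `instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)` after `generateServiceSecrets` returns without error, since that is now where the input secrets are actually read. The enclosing reconcileNormal starts before this hunk and continues after it.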
@@ -683,7 +633,7 @@ func (r *OctaviaAPIReconciler) reconcileNormal(ctx context.Context, instance *oc // create hash over all the different input resources to identify if any those changed // and a restart/recreate is required. // - inputHash, hashChanged, err := r.createHashOfInputHashes(ctx, instance, configMapVars) + inputHash, hashChanged, err := r.createHashOfInputHashes(ctx, instance, secretsVars) if err != nil { return ctrl.Result{}, err } else if hashChanged { 
@@ -843,25 +793,69 @@ func (r *OctaviaAPIReconciler) reconcileNormal(ctx context.Context, instance *oc return ctrl.Result{}, nil } -// generateServiceConfigMaps - create create configmaps which hold scripts and service configuration +// generateServiceSecrets - create creates which hold scripts and service configuration // TODO add DefaultConfigOverwrite -func (r *OctaviaAPIReconciler) generateServiceConfigMaps( +func (r *OctaviaAPIReconciler) generateServiceSecrets( ctx context.Context, instance *octaviav1.OctaviaAPI, h *helper.Helper, envVars *map[string]env.Setter, ) error { Log := r.GetLogger(ctx) - Log.Info("Generating service config map") + Log.Info("Generating service secrets") // - // create Configmap/Secret required for octavia input - // - %-scripts configmap holding scripts to e.g. bootstrap the service - // - %-config configmap holding minimal octavia config required to get the service up, user can add additional files to be added to the service - // - parameters which has passwords gets added from the ospSecret via the init container + // create Secret required for octavia input + // - %-scripts secret holding scripts to e.g. 
bootstrap the service + // - %-config secret holding minimal octavia config required to get the service up, user can add additional files to be added to the service // cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(octavia.ServiceName), map[string]string{}) + // + // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map + // + ospSecret, _, err := oko_secret.GetSecret(ctx, h, instance.Spec.Secret, instance.Namespace) + if err != nil { + if k8s_errors.IsNotFound(err) { + Log.Info(fmt.Sprintf("OpenStack secret %s not found", instance.Spec.Secret)) + instance.Status.Conditions.Set(condition.FalseCondition( + condition.InputReadyCondition, + condition.RequestedReason, + condition.SeverityInfo, + condition.InputReadyWaitingMessage)) + return err + } + instance.Status.Conditions.Set(condition.FalseCondition( + condition.InputReadyCondition, + condition.ErrorReason, + condition.SeverityWarning, + condition.InputReadyErrorMessage, + err.Error())) + return err + } + servicePassword := string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]) + + transportURLSecret, _, err := oko_secret.GetSecret(ctx, h, instance.Spec.TransportURLSecret, instance.Namespace) + if err != nil { + if k8s_errors.IsNotFound(err) { + Log.Info(fmt.Sprintf("TransportURL secret %s not found", instance.Spec.TransportURLSecret)) + instance.Status.Conditions.Set(condition.FalseCondition( + condition.InputReadyCondition, + condition.RequestedReason, + condition.SeverityInfo, + condition.InputReadyWaitingMessage)) + return err + } + instance.Status.Conditions.Set(condition.FalseCondition( + condition.InputReadyCondition, + condition.ErrorReason, + condition.SeverityWarning, + condition.InputReadyErrorMessage, + err.Error())) + return err + } + transportURL := string(transportURLSecret.Data["transport_url"]) + db, err := mariadbv1.GetDatabaseByNameAndAccount(ctx, h, octavia.DatabaseName, instance.Spec.DatabaseAccount, instance.Namespace) 
if err != nil { return err @@ -951,6 +945,9 @@ func (r *OctaviaAPIReconciler) generateServiceConfigMaps( ), } + templateParameters["Password"] = servicePassword + templateParameters["TransportURL"] = transportURL + templateParameters["ServiceUser"] = instance.Spec.ServiceUser templateParameters["KeystoneInternalURL"] = keystoneInternalURL templateParameters["KeystonePublicURL"] = keystonePublicURL @@ -981,7 +978,6 @@ func (r *OctaviaAPIReconciler) generateServiceConfigMaps( templateParameters["VHosts"] = httpdVhostConfig cms := []util.Template{ - // ScriptsConfigMap { Name: fmt.Sprintf("%s-scripts", instance.Name), Namespace: instance.Namespace, @@ -990,7 +986,6 @@ func (r *OctaviaAPIReconciler) generateServiceConfigMaps( AdditionalTemplate: map[string]string{"common.sh": "/common/common.sh"}, Labels: cmLabels, }, - // ConfigMap { Name: fmt.Sprintf("%s-config-data", instance.Name), Namespace: instance.Namespace, @@ -1004,10 +999,10 @@ func (r *OctaviaAPIReconciler) generateServiceConfigMaps( err = oko_secret.EnsureSecrets(ctx, h, instance, cms, envVars) if err != nil { - Log.Error(err, "unable to process config map") + Log.Error(err, "unable to process secrets") return err } - Log.Info("Service config map generated") + Log.Info("Service secrets generated") return nil } diff --git a/controllers/octaviarsyslog_controller.go b/controllers/octaviarsyslog_controller.go index ee60ebf6..17b152a3 100644 --- a/controllers/octaviarsyslog_controller.go +++ b/controllers/octaviarsyslog_controller.go 
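Review bot: As in the amphora controller, `string(ospSecret.Data[instance.Spec.PasswordSelectors.Service])` and `string(transportURLSecret.Data["transport_url"])` return "" for an absent key, so a wrong selector now renders `password=` into the config secret with no error where the deleted init.sh `${AdminPassword:?}` guard used to abort the init container; add `if servicePassword == "" { return fmt.Errorf("secret %s: key %q is missing or empty", instance.Spec.Secret, instance.Spec.PasswordSelectors.Service) }` and the equivalent check for `transportURL`. The new doc comment `// generateServiceSecrets - create creates which hold scripts and service configuration` has a typo; `// generateServiceSecrets - creates the secrets which hold scripts and service configuration` reads correctly. The function body continues beyond the hunk.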
@@ -236,10 +236,10 @@ func (r *OctaviaRsyslogReconciler) reconcileNormal(ctx context.Context, instance common.AppSelector: instance.ObjectMeta.Name, } - // Handle config map - configMapVars := make(map[string]env.Setter) + // Handle secrets + secretsVars := make(map[string]env.Setter) - err = r.generateServiceConfigMaps(ctx, instance, helper, &configMapVars) + err = r.generateServiceSecrets(ctx, instance, helper, &secretsVars) if err != nil { instance.Status.Conditions.Set(condition.FalseCondition( condition.ServiceConfigReadyCondition, @@ -256,7 +256,7 @@ func (r *OctaviaRsyslogReconciler) reconcileNormal(ctx context.Context, instance // create hash over all the different input resources to identify if any those changed // and a restart/recreate is required. // - inputHash, err := r.createHashOfInputHashes(instance, configMapVars) + inputHash, err := r.createHashOfInputHashes(instance, secretsVars) if err != nil { return ctrl.Result{}, err } @@ -360,7 +360,7 @@ func (r *OctaviaRsyslogReconciler) reconcileNormal(ctx context.Context, instance return ctrl.Result{}, nil } -func (r *OctaviaRsyslogReconciler) generateServiceConfigMaps( +func (r *OctaviaRsyslogReconciler) generateServiceSecrets( ctx context.Context, instance *octaviav1.OctaviaRsyslog, helper *helper.Helper, diff --git a/pkg/amphoracontrollers/daemonset.go b/pkg/amphoracontrollers/daemonset.go index ce8e8c2d..56693615 100644 --- a/pkg/amphoracontrollers/daemonset.go +++ b/pkg/amphoracontrollers/daemonset.go 
@@ -162,13 +162,8 @@ func DaemonSet( } initContainerDetails := octavia.APIDetails{ - ContainerImage: instance.Spec.ContainerImage, - DatabaseHost: instance.Spec.DatabaseHostname, - DatabaseName: octavia.DatabaseName, - OSPSecret: instance.Spec.Secret, - TransportURLSecret: instance.Spec.TransportURLSecret, - UserPasswordSelector: instance.Spec.PasswordSelectors.Service, - VolumeMounts: octavia.GetInitVolumeMounts(), + ContainerImage: instance.Spec.ContainerImage, + VolumeMounts: octavia.GetInitVolumeMounts(), } daemonset.Spec.Template.Spec.InitContainers = octavia.InitContainer(initContainerDetails) diff --git a/pkg/octavia/dbsync.go b/pkg/octavia/dbsync.go index c67992bb..426e6928 100644 --- a/pkg/octavia/dbsync.go +++ b/pkg/octavia/dbsync.go @@ -87,13 +87,8 @@ func DbSyncJob( } initContainerDetails := APIDetails{ - ContainerImage: instance.Spec.OctaviaAPI.ContainerImage, - DatabaseHost: instance.Status.DatabaseHostname, - DatabaseName: DatabaseName, - PersistenceDatabaseName: PersistenceDatabaseName, - OSPSecret: instance.Spec.Secret, - UserPasswordSelector: instance.Spec.PasswordSelectors.Service, - VolumeMounts: initVolumeMounts, + ContainerImage: instance.Spec.OctaviaAPI.ContainerImage, + VolumeMounts: initVolumeMounts, } job.Spec.Template.Spec.InitContainers = InitContainer(initContainerDetails) diff --git a/pkg/octavia/initcontainer.go b/pkg/octavia/initcontainer.go index 7cd6d930..96897589 100644 --- a/pkg/octavia/initcontainer.go +++ b/pkg/octavia/initcontainer.go 
@@ -16,21 +16,13 @@ limitations under the License. package octavia import ( - "github.com/openstack-k8s-operators/lib-common/modules/common/env" - corev1 "k8s.io/api/core/v1" ) // APIDetails information type APIDetails struct { - ContainerImage string - DatabaseHost string - DatabaseName string - PersistenceDatabaseName string - TransportURLSecret string - OSPSecret string - UserPasswordSelector string - VolumeMounts []corev1.VolumeMount + ContainerImage string + VolumeMounts []corev1.VolumeMount } const ( @@ -47,42 +39,6 @@ func InitContainer(init APIDetails) []corev1.Container { InitContainerCommand, } - envVars := map[string]env.Setter{} - envVars["DatabaseHost"] = env.SetValue(init.DatabaseHost) - envVars["DatabaseName"] = env.SetValue(init.DatabaseName) - - envs := []corev1.EnvVar{ - { - Name: "AdminPassword", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: init.OSPSecret, - }, - Key: init.UserPasswordSelector, - }, - }, - }, - } - - // TODO(beagles): should this be conditional? It seems like it should be required. - if init.TransportURLSecret != "" { - envs = append(envs, - corev1.EnvVar{ - Name: "TransportURL", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: init.TransportURLSecret, - }, - Key: "transport_url", - }, - }, - }, - ) - } - envs = env.MergeEnvs(envs, envVars) - return []corev1.Container{ { Name: "init", @@ -94,7 +50,6 @@ func InitContainer(init APIDetails) []corev1.Container { "/bin/bash", }, Args: args, - Env: envs, VolumeMounts: GetInitVolumeMounts(), }, } diff --git a/pkg/octaviaapi/deployment.go b/pkg/octaviaapi/deployment.go index 20449fb8..9f909d2c 100644 --- a/pkg/octaviaapi/deployment.go +++ b/pkg/octaviaapi/deployment.go 
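Review bot: With every secret-related field gone, `APIDetails` now carries only `ContainerImage` and `VolumeMounts`, and the surviving doc comment `// APIDetails information` no longer tells a reader what the struct is for or why no credentials are passed. Suggest `// APIDetails holds the image and volume mounts for the shared init container; credentials are no longer passed via env, they come from the mounted config secret.` and, on `InitContainer`, a one-liner noting that the container has no Env by design. The struct and function are fully visible in the hunk.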
@@ -197,13 +197,8 @@ func Deployment( } initContainerDetails := octavia.APIDetails{ - ContainerImage: instance.Spec.ContainerImage, - DatabaseHost: instance.Spec.DatabaseHostname, - DatabaseName: octavia.DatabaseName, - OSPSecret: instance.Spec.Secret, - TransportURLSecret: instance.Spec.TransportURLSecret, - UserPasswordSelector: instance.Spec.PasswordSelectors.Service, - VolumeMounts: initVolumeMounts, + ContainerImage: instance.Spec.ContainerImage, + VolumeMounts: initVolumeMounts, } deployment.Spec.Template.Spec.InitContainers = octavia.InitContainer(initContainerDetails) diff --git a/templates/octavia/bin/init.sh b/templates/octavia/bin/init.sh index 2ce24717..759ad0c9 100755 --- a/templates/octavia/bin/init.sh +++ b/templates/octavia/bin/init.sh @@ -17,10 +17,6 @@ set -ex # This script generates the octavia.conf/logging.conf file and # copies the result to the ephemeral /var/lib/config-data/merged volume. -# -# Secrets are obtained from ENV variables. -export PASSWORD=${AdminPassword:?"Please specify a AdminPassword variable."} -export TRANSPORTURL=${TransportURL:-""} SVC_CFG=/etc/octavia/octavia.conf SVC_CFG_MERGED=/var/lib/config-data/merged/octavia.conf @@ -36,9 +32,3 @@ cp -a ${SVC_CFG} ${SVC_CFG_MERGED} for dir in /var/lib/config-data/default; do merge_config_dir ${dir} done - -# set secrets -if [ -n "$TRANSPORTURL" ]; then - crudini --set /var/lib/config-data/merged/octavia.conf DEFAULT transport_url $TRANSPORTURL -fi -crudini --set ${SVC_CFG_MERGED} keystone_authtoken password $PASSWORD diff --git a/templates/octavia/config/octavia.conf b/templates/octavia/config/octavia.conf index 1a3b6df5..c09fa617 100644 --- a/templates/octavia/config/octavia.conf +++ b/templates/octavia/config/octavia.conf @@ -15,7 +15,6 @@ connection = {{ .DatabaseConnection }} [health_manager] health_update_threads=4 stats_update_threads=4 -# heartbeat_key=FIXMEkey1 [keystone_authtoken] username={{ .ServiceUser }} # password=FIXMEpw3 
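Review bot: `templates/octavia/config/octavia.conf` keeps the commented placeholder `# password=FIXMEpw3` under `[keystone_authtoken]` while the `crudini --set ... keystone_authtoken password` line is deleted from `templates/octavia/bin/init.sh` and, per the octavia_controller hunk in this commit, no `Password` template parameter is set for this template. If the db-sync job genuinely needs no Keystone credential, drop the placeholder line so readers do not assume a password is injected elsewhere; otherwise render `password={{ .Password }}` here as the API and amphora templates now do.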
diff --git a/templates/octaviaamphoracontroller/bin/init.sh b/templates/octaviaamphoracontroller/bin/init.sh index a9602eb8..759ad0c9 100755 --- a/templates/octaviaamphoracontroller/bin/init.sh +++ b/templates/octaviaamphoracontroller/bin/init.sh @@ -17,10 +17,6 @@ set -ex # This script generates the octavia.conf/logging.conf file and # copies the result to the ephemeral /var/lib/config-data/merged volume. -# -# Secrets are obtained from ENV variables. -export PASSWORD=${AdminPassword:?"Please specify a AdminPassword variable."} -export TRANSPORTURL=${TransportURL:-""} SVC_CFG=/etc/octavia/octavia.conf SVC_CFG_MERGED=/var/lib/config-data/merged/octavia.conf @@ -36,11 +32,3 @@ cp -a ${SVC_CFG} ${SVC_CFG_MERGED} for dir in /var/lib/config-data/default; do merge_config_dir ${dir} done - -# set secrets -if [ -n "$TRANSPORTURL" ]; then - crudini --set /var/lib/config-data/merged/octavia.conf DEFAULT transport_url $TRANSPORTURL -fi -# set secrets -crudini --set ${SVC_CFG_MERGED} keystone_authtoken password $PASSWORD -crudini --set ${SVC_CFG_MERGED} service_auth password $PASSWORD diff --git a/templates/octaviaamphoracontroller/config/octavia.conf b/templates/octaviaamphoracontroller/config/octavia.conf index f75f279d..c42936af 100644 --- a/templates/octaviaamphoracontroller/config/octavia.conf +++ b/templates/octaviaamphoracontroller/config/octavia.conf @@ -1,5 +1,6 @@ [DEFAULT] debug=True +transport_url={{ .TransportURL }} rpc_response_timeout=60 # Long timeout until jobboard is used # TODO(gthiemonge) This setting must be updated/removed when Jobboard is @@ -14,12 +15,11 @@ health_update_threads=4 stats_update_threads=4 bind_ip=:: controller_ip_port_list={{ .ControllerIPList }} -# heartbeat_key=FIXMEkey1 [keystone_authtoken] www_authenticate_uri={{ .KeystonePublicURL }} auth_url={{ .KeystoneInternalURL }} username={{ .ServiceUser }} -# password=FIXMEpw3 +password={{ .Password }} project_name=service project_domain_name=Default user_domain_name=Default 
@@ -69,7 +69,7 @@ disable_local_log_storage=False project_domain_name=Default project_name=service user_domain_name=Default -password=FIXMEpw3 +password={{ .Password }} username=octavia auth_type=password auth_url={{ .KeystoneInternalURL }}/v3 diff --git a/templates/octaviaapi/bin/init.sh b/templates/octaviaapi/bin/init.sh index a9602eb8..759ad0c9 100755 --- a/templates/octaviaapi/bin/init.sh +++ b/templates/octaviaapi/bin/init.sh @@ -17,10 +17,6 @@ set -ex # This script generates the octavia.conf/logging.conf file and # copies the result to the ephemeral /var/lib/config-data/merged volume. -# -# Secrets are obtained from ENV variables. -export PASSWORD=${AdminPassword:?"Please specify a AdminPassword variable."} -export TRANSPORTURL=${TransportURL:-""} SVC_CFG=/etc/octavia/octavia.conf SVC_CFG_MERGED=/var/lib/config-data/merged/octavia.conf @@ -36,11 +32,3 @@ cp -a ${SVC_CFG} ${SVC_CFG_MERGED} for dir in /var/lib/config-data/default; do merge_config_dir ${dir} done - -# set secrets -if [ -n "$TRANSPORTURL" ]; then - crudini --set /var/lib/config-data/merged/octavia.conf DEFAULT transport_url $TRANSPORTURL -fi -# set secrets -crudini --set ${SVC_CFG_MERGED} keystone_authtoken password $PASSWORD -crudini --set ${SVC_CFG_MERGED} service_auth password $PASSWORD diff --git a/templates/octaviaapi/config/octavia.conf b/templates/octaviaapi/config/octavia.conf index 5906565a..a0b5128a 100644 --- a/templates/octaviaapi/config/octavia.conf +++ b/templates/octaviaapi/config/octavia.conf @@ -1,5 +1,6 @@ [DEFAULT] debug=True +transport_url={{ .TransportURL }} rpc_response_timeout=60 [api_settings] bind_host=192.168.1.147 
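Review bot: In `[service_auth]` the new `password={{ .Password }}` is paired with the hard-coded `username=octavia`, while `[keystone_authtoken]` uses `username={{ .ServiceUser }}` with the same password; `Password` is taken from `PasswordSelectors.Service`, i.e. the ServiceUser's credential, so a deployment with a non-default ServiceUser will now submit that user's password under the wrong username in `[service_auth]`. Use `username={{ .ServiceUser }}` there as well. Separately, since the credential now lives in the rendered `-config-data` Secret and on disk rather than in an env var, it is worth confirming (outside this hunk) that the volume is mounted with a restrictive `defaultMode` and that the `cp -a` into the merged dir preserves it.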
@@ -15,12 +16,11 @@ connection = {{ .DatabaseConnection }} [health_manager] health_update_threads=4 stats_update_threads=4 -# heartbeat_key=FIXMEkey1 [keystone_authtoken] www_authenticate_uri={{ .KeystonePublicURL }} auth_url={{ .KeystoneInternalURL }} username={{ .ServiceUser }} -# password=FIXMEpw3 +password={{ .Password }} project_name=service project_domain_name=Default user_domain_name=Default @@ -76,7 +76,7 @@ disable_local_log_storage=False project_domain_name=Default project_name=service user_domain_name=Default -password=FIXMEpw3 +password={{ .Password }} username=octavia auth_type=password auth_url={{ .KeystoneInternalURL }}/v3 diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml index 0d260c57..c073bdaf 100644 --- a/tests/kuttl/common/assert_sample_deployment.yaml +++ b/tests/kuttl/common/assert_sample_deployment.yaml @@ -152,21 +152,6 @@ spec: - /usr/local/bin/container-scripts/init.sh command: - /bin/bash - env: - - name: AdminPassword - valueFrom: - secretKeyRef: - key: OctaviaPassword - name: osp-secret - - name: TransportURL - valueFrom: - secretKeyRef: - key: transport_url - name: rabbitmq-transport-url-octavia-octavia-transport - - name: DatabaseHost - value: openstack.octavia-kuttl-tests.svc - - name: DatabaseName - value: octavia imagePullPolicy: IfNotPresent name: init resources: {} diff --git a/tests/kuttl/tests/octavia_tls/02-assert.yaml b/tests/kuttl/tests/octavia_tls/02-assert.yaml index b3505caa..6479de08 100644 --- a/tests/kuttl/tests/octavia_tls/02-assert.yaml +++ b/tests/kuttl/tests/octavia_tls/02-assert.yaml 
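Review bot: Same mismatch as in the amphora template: `[service_auth]` now gets `password={{ .Password }}` next to the hard-coded `username=octavia`, whereas `[keystone_authtoken]` renders `username={{ .ServiceUser }}` for the same credential, so a custom ServiceUser breaks `[service_auth]` authentication. Change the line to `username={{ .ServiceUser }}` so both sections describe the same account. The rest of the `[service_auth]` section is outside the hunk.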
@@ -220,21 +220,6 @@ spec: - /usr/local/bin/container-scripts/init.sh command: - /bin/bash - env: - - name: AdminPassword - valueFrom: - secretKeyRef: - key: OctaviaPassword - name: osp-secret - - name: TransportURL - valueFrom: - secretKeyRef: - key: transport_url - name: rabbitmq-transport-url-octavia-octavia-transport - - name: DatabaseHost - value: openstack.octavia-kuttl-tests.svc - - name: DatabaseName - value: octavia imagePullPolicy: IfNotPresent name: init resources: {}