[installer]: deprecate the experimental message bus password

gitpod-io · Jan 23, 2023 · a707f57 · a707f57
1 parent 7794e19
commit a707f57
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 56 deletions.
diff --git a/install/installer/cmd/testdata/render/message-bus-password/config.yaml b/install/installer/cmd/testdata/render/message-bus-password/config.yaml
@@ -4,6 +4,7 @@
 
 apiVersion: v1
 domain: gitpod.example.com
-experimental:
-  common:
-    staticMessagebusPassword: pa55w0rd
+messageBus:
+  credentials:
+    kind: secret
+    name: message-bus-password
diff --git a/install/installer/cmd/testdata/render/message-bus-password/output.golden b/install/installer/cmd/testdata/render/message-bus-password/output.golden
diff --git a/install/installer/pkg/common/render.go b/install/installer/pkg/common/render.go
@@ -66,7 +66,6 @@ type GeneratedValues struct {
 	InternalRegistryUsername     string
 	InternalRegistryPassword     string
 	InternalRegistrySharedSecret string
-	MessageBusPassword           string
 	ServerAdminLoginKey          string
 }
 
@@ -158,18 +157,6 @@ func (r *RenderContext) generateValues() error {
 	}
 	r.Values.InternalRegistrySharedSecret = internalRegistrySharedSecret
 
-	messageBusPassword := ""
-	_ = r.WithExperimental(func(cfg *experimental.Config) error {
-		if cfg.Common != nil {
-			messageBusPassword = cfg.Common.StaticMessagebusPassword
-		}
-		return nil
-	})
-	if messageBusPassword == "" {
-		messageBusPassword = "uq4KxOLtrA-QsDTfuwQ-"
-	}
-	r.Values.MessageBusPassword = messageBusPassword
-
 	serverAdminLoginKey, err := RandomString(20)
 	if err != nil {
 		return err

diff --git a/install/installer/pkg/common/render_test.go b/install/installer/pkg/common/render_test.go
@@ -19,7 +19,6 @@ import (
 	"github.com/gitpod-io/gitpod/installer/pkg/components/dashboard"
 	"github.com/gitpod-io/gitpod/installer/pkg/components/server"
 	config "github.com/gitpod-io/gitpod/installer/pkg/config/v1"
-	"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 	"github.com/gitpod-io/gitpod/installer/pkg/config/versions"
 )
 
@@ -181,32 +180,6 @@ func TestResourceRequirements(t *testing.T) {
 	}
 }
 
-func TestStaticMessagebusPassword(t *testing.T) {
-	const expectedPassword = "some-password"
-
-	ctx, err := common.NewRenderContext(config.Config{
-		Experimental: &experimental.Config{
-			Common: &experimental.CommonConfig{
-				StaticMessagebusPassword: expectedPassword,
-			},
-		},
-	}, versions.Manifest{}, "test_namespace")
-	require.NoError(t, err)
-
-	actualPassword := ctx.Values.MessageBusPassword
-
-	require.Equal(t, expectedPassword, actualPassword)
-}
-
-func TestDynamicMessagebusPassword(t *testing.T) {
-	ctx, err := common.NewRenderContext(config.Config{}, versions.Manifest{}, "test_namespace")
-	require.NoError(t, err)
-
-	actualPassword := ctx.Values.MessageBusPassword
-
-	require.NotEmpty(t, actualPassword)
-}
-
 func TestRepoName(t *testing.T) {
 	type Expectation struct {
 		Result string

diff --git a/install/installer/pkg/components/rabbitmq/secret.go b/install/installer/pkg/components/rabbitmq/secret.go
@@ -8,6 +8,7 @@ import (
 	_ "embed"
 
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -62,9 +63,28 @@ func secrets(ctx *common.RenderContext) ([]runtime.Object, error) {
 					"username": []byte(rabbitMQUsername),
 				}
 
-				if ctx.Config.MessageBus == nil || ctx.Config.MessageBus.Credentials == nil {
+				// The password may be set three ways:
+				// 1. deprecated experimental config (add to this map)
+				// 2. default method here (add to this map)
+				// 3. a secret (don't add to this map)
+				password := ""
+
+				// @deprecated Pull message bus password from experimental config
+				_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
+					if cfg.Common != nil {
+						password = cfg.Common.StaticMessagebusPassword
+					}
+					return nil
+				})
+
+				if password == "" && (ctx.Config.MessageBus == nil || ctx.Config.MessageBus.Credentials == nil) {
 					// If not providing message bus secret, use the default creds
-					data["rabbitmq-password"] = []byte(ctx.Values.MessageBusPassword)
+					// This service is not accessible externally, so setting a default password is an acceptable compromise
+					password = "uq4KxOLtrA-QsDTfuwQ-"
+				}
+
+				if password != "" {
+					data["rabbitmq-password"] = []byte(password)
 				}
 
 				return data

diff --git a/install/installer/pkg/config/v1/deprecations.go b/install/installer/pkg/config/v1/deprecations.go
@@ -58,6 +58,13 @@ var deprecatedFields = map[string]deprecatedField{
 			return nil
 		},
 	},
+	// No MapValue can exist as this requires a secret rather than passing in the value
+	"experimental.common.staticMessagebusPassword": {
+		Selector: func(cfg *Config) (bool, any) {
+			val := cfg.Experimental.Common.StaticMessagebusPassword
+			return val != "", "***" // Redact the password
+		},
+	},
 	"experimental.common.usePodSecurityPolicies": {
 		Selector: func(cfg *Config) (bool, any) {
 			usePSPs := cfg.Experimental.Common.UsePodSecurityPolicies

diff --git a/install/installer/pkg/config/v1/experimental/experimental.go b/install/installer/pkg/config/v1/experimental/experimental.go
@@ -42,8 +42,9 @@ type TelemetryConfig struct {
 
 type CommonConfig struct {
 	// @deprecated
-	PodConfig                map[string]*PodConfig `json:"podConfig,omitempty"`
-	StaticMessagebusPassword string                `json:"staticMessagebusPassword"`
+	PodConfig map[string]*PodConfig `json:"podConfig,omitempty"`
+	// @deprecated use a secret instead in messageBus.credentials
+	StaticMessagebusPassword string `json:"staticMessagebusPassword"`
 	// @deprecated PodSecurityPolicies are deprecated in k8s 1.21 and removed in 1.25
 	UsePodSecurityPolicies bool `json:"usePodSecurityPolicies"`
 }