From a707f57627c69a6f34aa66310d2b320e3afa3e2c Mon Sep 17 00:00:00 2001
From: Simon Emms
Date: Fri, 20 Jan 2023 16:38:11 +0000
Subject: [PATCH] [installer]: deprecate the experimental message bus password
---
.../render/message-bus-password/config.yaml | 7 ++---
.../render/message-bus-password/output.golden | 21 ++++++++-------
install/installer/pkg/common/render.go | 13 ---------
install/installer/pkg/common/render_test.go | 27 -------------------
.../pkg/components/rabbitmq/secret.go | 24 +++++++++++++++--
.../installer/pkg/config/v1/deprecations.go | 7 +++++
.../config/v1/experimental/experimental.go | 5 ++--
7 files changed, 48 insertions(+), 56 deletions(-)
diff --git a/install/installer/cmd/testdata/render/message-bus-password/config.yaml b/install/installer/cmd/testdata/render/message-bus-password/config.yaml
index 3380670a87dc06..893f1f5d909c9c 100644
--- a/install/installer/cmd/testdata/render/message-bus-password/config.yaml
+++ b/install/installer/cmd/testdata/render/message-bus-password/config.yaml
@@ -4,6 +4,7 @@ apiVersion: v1 domain: gitpod.example.com -experimental: - common: - staticMessagebusPassword: pa55w0rd +messageBus: + credentials: + kind: secret + name: message-bus-password
diff --git a/install/installer/cmd/testdata/render/message-bus-password/output.golden b/install/installer/cmd/testdata/render/message-bus-password/output.golden
index acef3addbc3823..8614cbf89c6d6d 100644
--- a/install/installer/cmd/testdata/render/message-bus-password/output.golden
+++ b/install/installer/cmd/testdata/render/message-bus-password/output.golden
@@ -1253,7 +1253,6 @@ metadata: # v1/Secret rabbitmq apiVersion: v1 data: - rabbitmq-password: cGE1NXcwcmQ= username: Z2l0cG9k kind: Secret metadata:
@@ -1532,6 +1531,10 @@ data: disableDefinitelyGp: true domain: gitpod.example.com kind: Full + messageBus: + credentials: + kind: secret + name: message-bus-password metadata: region: local shortname: default
@@ -8573,7 +8576,7 @@ spec: app.kubernetes.io/managed-by: Helm annotations: checksum/config: aca5a97bd1dfe3912d74e61f85bdffcde993310848389fa0c674e2fd8dc0ac27 - gitpod.io/checksum_config: 9bf4bf5d3f27510cd73df849ce505278aac6b8e2cd07e71b13eb26b67c72dc86 + gitpod.io/checksum_config: d106ecde0d368d5bc5cc804bd6f48556049b6916f2db4357c88f2a87e58a08e7 prometheus.io/port: '9419' prometheus.io/scrape: "true" spec: @@ -8600,7 +8603,7 @@ spec: valueFrom: secretKeyRef: key: rabbitmq-password - name: rabbitmq + name: message-bus-password image: docker.io/library/alpine:3.16 name: credential-injector resources: {} @@ -8680,7 +8683,7 @@ spec: - name: RABBITMQ_PASSWORD valueFrom: secretKeyRef: - name: rabbitmq + name: message-bus-password key: rabbitmq-password - name: RABBITMQ_PLUGINS value: "rabbitmq_management, rabbitmq_peer_discovery_k8s, rabbitmq_prometheus" @@ -10736,7 +10739,7 @@ spec: valueFrom: secretKeyRef: key: rabbitmq-password - name: rabbitmq + name: message-bus-password - name: MESSAGEBUS_CA valueFrom: secretKeyRef: @@ -10886,7 +10889,7 @@ spec: valueFrom: secretKeyRef: key: rabbitmq-password - name: rabbitmq + name: message-bus-password - name: MESSAGEBUS_CA valueFrom: secretKeyRef: @@ -11089,7 +11092,7 @@ spec: template: metadata: annotations: - gitpod.io/checksum_config: 93bf7d7fea84b56c9bb1fd7193a03452db0e5b0f2df9e1db82d5f70dea6f90a0 + gitpod.io/checksum_config: e45c0bdd6cd28d358b8310497b1d6220656765e7637af2f4a51bddeabfc844ba creationTimestamp: null labels: app: gitpod @@ -11133,7 +11136,7 @@ spec: valueFrom: secretKeyRef: key: rabbitmq-password - name: rabbitmq + name: message-bus-password - name: MESSAGEBUS_CA valueFrom: secretKeyRef: @@ -11273,7 +11276,7 @@ spec: valueFrom: secretKeyRef: key: rabbitmq-password - name: rabbitmq + name: message-bus-password - name: MESSAGEBUS_CA valueFrom: secretKeyRef: diff --git a/install/installer/pkg/common/render.go b/install/installer/pkg/common/render.go index de591f09ccb8e1..e1dfa854ea9a53 100644 
--- a/install/installer/pkg/common/render.go
+++ b/install/installer/pkg/common/render.go
@@ -66,7 +66,6 @@ type GeneratedValues struct {
 InternalRegistryUsername string
 InternalRegistryPassword string
 InternalRegistrySharedSecret string
- MessageBusPassword string
 ServerAdminLoginKey string
 }
 
@@ -158,18 +157,6 @@ func (r *RenderContext) generateValues() error {
 }
 r.Values.InternalRegistrySharedSecret = internalRegistrySharedSecret
 
- messageBusPassword := ""
- _ = r.WithExperimental(func(cfg *experimental.Config) error {
- if cfg.Common != nil {
- messageBusPassword = cfg.Common.StaticMessagebusPassword
- }
- return nil
- })
- if messageBusPassword == "" {
- messageBusPassword = "uq4KxOLtrA-QsDTfuwQ-"
- }
- r.Values.MessageBusPassword = messageBusPassword
-
 serverAdminLoginKey, err := RandomString(20)
 if err != nil {
 return err
diff --git a/install/installer/pkg/common/render_test.go b/install/installer/pkg/common/render_test.go
index 874b9e83b4d6e5..a84d0b01420176 100644
--- a/install/installer/pkg/common/render_test.go
+++ b/install/installer/pkg/common/render_test.go
@@ -19,7 +19,6 @@ import (
 "github.com/gitpod-io/gitpod/installer/pkg/components/dashboard"
 "github.com/gitpod-io/gitpod/installer/pkg/components/server"
 config "github.com/gitpod-io/gitpod/installer/pkg/config/v1"
- "github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 "github.com/gitpod-io/gitpod/installer/pkg/config/versions"
 )
 
@@ -181,32 +180,6 @@ func TestResourceRequirements(t *testing.T) {
 }
 }
 
-func TestStaticMessagebusPassword(t *testing.T) {
- const expectedPassword = "some-password"
-
- ctx, err := common.NewRenderContext(config.Config{
- Experimental: &experimental.Config{
- Common: &experimental.CommonConfig{
- StaticMessagebusPassword: expectedPassword,
- },
- },
- }, versions.Manifest{}, "test_namespace")
- require.NoError(t, err)
-
- actualPassword := ctx.Values.MessageBusPassword
-
- require.Equal(t, expectedPassword, actualPassword)
-}
-
-func TestDynamicMessagebusPassword(t *testing.T) {
- ctx, err := common.NewRenderContext(config.Config{}, versions.Manifest{}, "test_namespace")
- require.NoError(t, err)
-
- actualPassword := ctx.Values.MessageBusPassword
-
- require.NotEmpty(t, actualPassword)
-}
-
 func TestRepoName(t *testing.T) {
 type Expectation struct {
 Result string
diff --git a/install/installer/pkg/components/rabbitmq/secret.go b/install/installer/pkg/components/rabbitmq/secret.go
index a45e8c1aba9d43..fda1237b473189 100644
--- a/install/installer/pkg/components/rabbitmq/secret.go
+++ b/install/installer/pkg/components/rabbitmq/secret.go
@@ -8,6 +8,7 @@ import (
 _ "embed"
 
 "github.com/gitpod-io/gitpod/installer/pkg/common"
+ "github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
@@ -62,9 +63,28 @@ func secrets(ctx *common.RenderContext) ([]runtime.Object, error) {
 "username": []byte(rabbitMQUsername),
 }
 
- if ctx.Config.MessageBus == nil || ctx.Config.MessageBus.Credentials == nil {
+ // The password may be set three ways:
+ // 1. deprecated experimental config (add to this map)
+ // 2. default method here (add to this map)
+ // 3. a secret (don't add to this map)
+ password := ""
+
+ // @deprecated Pull message bus password from experimental config
+ _ = ctx.WithExperimental(func(cfg *experimental.Config) error {
+ if cfg.Common != nil {
+ password = cfg.Common.StaticMessagebusPassword
+ }
+ return nil
+ })
+
+ if password == "" && (ctx.Config.MessageBus == nil || ctx.Config.MessageBus.Credentials == nil) {
 // If not providing message bus secret, use the default creds
- data["rabbitmq-password"] = []byte(ctx.Values.MessageBusPassword)
+ // This service is not accessible externally, so setting a default password is an acceptable compromise
+ password = "uq4KxOLtrA-QsDTfuwQ-"
+ }
+
+ if password != "" {
+ data["rabbitmq-password"] = []byte(password)
 }
 
 return data
diff --git a/install/installer/pkg/config/v1/deprecations.go b/install/installer/pkg/config/v1/deprecations.go
index 67dbd25ba4c283..0d142c9a41dc87 100644
--- a/install/installer/pkg/config/v1/deprecations.go
+++ b/install/installer/pkg/config/v1/deprecations.go
@@ -58,6 +58,13 @@ var deprecatedFields = map[string]deprecatedField{
 return nil
 },
 },
+ // No MapValue can exist as this requires a secret rather than passing in the value
+ "experimental.common.staticMessagebusPassword": {
+ Selector: func(cfg *Config) (bool, any) {
+ val := cfg.Experimental.Common.StaticMessagebusPassword
+ return val != "", "***" // Redact the password
+ },
+ },
 "experimental.common.usePodSecurityPolicies": {
 Selector: func(cfg *Config) (bool, any) {
 usePSPs := cfg.Experimental.Common.UsePodSecurityPolicies
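Review bot: When both the deprecated `experimental.common.staticMessagebusPassword` and `messageBus.credentials` are configured, the new `if password == "" && (...)` guard lets the experimental value win and writes it into this Secret's `rabbitmq-password` key, while the golden output in this same patch shows every consumer switching its `secretKeyRef` to the `messageBus.credentials` secret once that is set, so the two values can silently disagree. Skip the deprecated path when credentials are configured, e.g. wrap the `WithExperimental` call in `if ctx.Config.MessageBus == nil || ctx.Config.MessageBus.Credentials == nil { ... }`, or reject the combination with an error so the operator notices during render. Separately, `uq4KxOLtrA-QsDTfuwQ-` is now a fixed, published credential that any workload with network reach to the RabbitMQ service inside the cluster can use, regardless of the "not accessible externally" comment; `render.go` already derives `ServerAdminLoginKey` via `RandomString(20)`, and `common.RandomString(20)` would fit here if deterministic golden output and a stable Secret across re-renders are not required for the default path. The enclosing `secrets` function starts before this hunk.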
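Review bot: The new `Selector` reads `cfg.Experimental.Common.StaticMessagebusPassword` without a nil check, so a config that omits `experimental` or `experimental.common` would panic here unless the caller already guards that; the neighbouring `usePodSecurityPolicies` entry does the same, so presumably it does, but that is worth confirming. If it does not, `if cfg.Experimental == nil || cfg.Experimental.Common == nil { return false, nil }` before the field read keeps a deprecation warning from crashing the installer. Redacting the value to `***` is the right call for a credential; the comment could also tell users where to migrate, e.g. `// Value is redacted in the warning; set messageBus.credentials to a secret instead`.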
diff --git a/install/installer/pkg/config/v1/experimental/experimental.go b/install/installer/pkg/config/v1/experimental/experimental.go
index 42abe031c3e8ef..0ce74627becbfe 100644
--- a/install/installer/pkg/config/v1/experimental/experimental.go
+++ b/install/installer/pkg/config/v1/experimental/experimental.go
@@ -42,8 +42,9 @@ type TelemetryConfig struct {
 
 type CommonConfig struct {
 // @deprecated
- PodConfig map[string]*PodConfig `json:"podConfig,omitempty"`
- StaticMessagebusPassword string `json:"staticMessagebusPassword"`
+ PodConfig map[string]*PodConfig `json:"podConfig,omitempty"`
+ // @deprecated use a secret instead in messageBus.credentials
+ StaticMessagebusPassword string `json:"staticMessagebusPassword"`
 // @deprecated PodSecurityPolicies are deprecated in k8s 1.21 and removed in 1.25
 UsePodSecurityPolicies bool `json:"usePodSecurityPolicies"`
 }