diff --git a/api/bases/octavia.openstack.org_octaviaapis.yaml b/api/bases/octavia.openstack.org_octaviaapis.yaml
index a639e445..6537a9e0 100644
--- a/api/bases/octavia.openstack.org_octaviaapis.yaml
+++ b/api/bases/octavia.openstack.org_octaviaapis.yaml
@@ -372,6 +372,9 @@ spec:
 default: octavia
 description: ServiceUser - service user name
 type: string
+ transportURLSecret:
+ description: TransportURLSecret - Secret containing RabbitMQ transportURL
+ type: string
 required:
 - containerImage
 - databaseInstance
diff --git a/api/bases/octavia.openstack.org_octavias.yaml b/api/bases/octavia.openstack.org_octavias.yaml
index a377e416..919203ea 100644
--- a/api/bases/octavia.openstack.org_octavias.yaml
+++ b/api/bases/octavia.openstack.org_octavias.yaml
@@ -428,6 +428,9 @@ spec:
 default: octavia
 description: ServiceUser - service user name
 type: string
+ transportURLSecret:
+ description: TransportURLSecret - Secret containing RabbitMQ transportURL
+ type: string
 required:
 - containerImage
 - databaseInstance
diff --git a/api/v1beta1/octaviaapi_types.go b/api/v1beta1/octaviaapi_types.go
index a3dbdc86..df407ef9 100644
--- a/api/v1beta1/octaviaapi_types.go
+++ b/api/v1beta1/octaviaapi_types.go
@@ -110,6 +110,10 @@ type OctaviaAPISpec struct {
 // TODO: -> implement
 DefaultConfigOverwrite map[string]string `json:"defaultConfigOverwrite,omitempty"`
+ // +kubebuilder:validation:Optional
+ // TransportURLSecret - Secret containing RabbitMQ transportURL
+ TransportURLSecret string `json:"transportURLSecret,omitempty"`
+
 // +kubebuilder:validation:Optional
 // Resources - Compute Resources required by this service (Limits/Requests).
 // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
diff --git a/config/crd/bases/octavia.openstack.org_octaviaapis.yaml b/config/crd/bases/octavia.openstack.org_octaviaapis.yaml
index a639e445..6537a9e0 100644
--- a/config/crd/bases/octavia.openstack.org_octaviaapis.yaml
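Review bot: The comment on the new TransportURLSecret field in OctaviaAPISpec says only that the Secret "contains" the transport URL; it should state what the reconciler expects so a Secret can be created by hand, e.g. `// TransportURLSecret - name of a Secret in the same namespace holding the RabbitMQ transport URL (the kuttl assertion reads it from key "transport_url")`. The field is marked +kubebuilder:validation:Optional, yet the reconcileNormal hunk in controllers/octaviaapi_controller.go looks the Secret up unconditionally and requeues with an error when it is absent, so an empty name is never a working configuration; either mark it Required or say in the comment that reconciliation blocks until it is set. OctaviaAPISpec continues outside the hunk.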
+++ b/config/crd/bases/octavia.openstack.org_octaviaapis.yaml
@@ -372,6 +372,9 @@ spec:
 default: octavia
 description: ServiceUser - service user name
 type: string
+ transportURLSecret:
+ description: TransportURLSecret - Secret containing RabbitMQ transportURL
+ type: string
 required:
 - containerImage
 - databaseInstance
diff --git a/config/crd/bases/octavia.openstack.org_octavias.yaml b/config/crd/bases/octavia.openstack.org_octavias.yaml
index a377e416..919203ea 100644
--- a/config/crd/bases/octavia.openstack.org_octavias.yaml
+++ b/config/crd/bases/octavia.openstack.org_octavias.yaml
@@ -428,6 +428,9 @@ spec:
 default: octavia
 description: ServiceUser - service user name
 type: string
+ transportURLSecret:
+ description: TransportURLSecret - Secret containing RabbitMQ transportURL
+ type: string
 required:
 - containerImage
 - databaseInstance
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index e3b67ece..2cec8e05 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -269,6 +269,15 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - anyuid
+ - hostmount-anyuid
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
 - apiGroups:
 - security.openshift.io
 resourceNames:
diff --git a/controllers/amphoracontroller_controller.go b/controllers/amphoracontroller_controller.go
index bf2d32b2..699ff541 100644
--- a/controllers/amphoracontroller_controller.go
+++ b/controllers/amphoracontroller_controller.go
@@ -34,6 +34,7 @@ import (
 "github.com/openstack-k8s-operators/lib-common/modules/common/util"
 keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
+ oko_secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 octaviav1 "github.com/openstack-k8s-operators/octavia-operator/api/v1beta1"
 "github.com/openstack-k8s-operators/octavia-operator/pkg/amphoracontrollers"
 "github.com/openstack-k8s-operators/octavia-operator/pkg/octavia"
@@ -188,7 +189,27 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context
 // Handle config map
 configMapVars := make(map[string]env.Setter)
- err := r.generateServiceConfigMaps(ctx, instance, helper, &configMapVars)
+ transportURLSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.TransportURLSecret, instance.Namespace)
+ if err != nil {
+ if k8s_errors.IsNotFound(err) {
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.InputReadyCondition,
+ condition.RequestedReason,
+ condition.SeverityInfo,
+ condition.InputReadyWaitingMessage))
+ return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, fmt.Errorf("TransportURL secret %s not found", instance.Spec.TransportURLSecret)
+ }
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.InputReadyCondition,
+ condition.ErrorReason,
+ condition.SeverityWarning,
+ condition.InputReadyErrorMessage,
+ err.Error()))
+ return ctrl.Result{}, err
+ }
+ configMapVars[transportURLSecret.Name] = env.SetValue(hash)
+
+ err = r.generateServiceConfigMaps(ctx, instance, helper, &configMapVars)
 if err != nil {
 instance.Status.Conditions.Set(condition.FalseCondition(
 condition.ServiceConfigReadyCondition,
@@ -199,6 +220,8 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context
 return ctrl.Result{}, err
 }
+ instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
+
 //
 // create hash over all the different input resources to identify if any those changed
 // and a restart/recreate is required.
diff --git a/controllers/octavia_controller.go b/controllers/octavia_controller.go
index 2763f741..62db03ef 100644
--- a/controllers/octavia_controller.go
+++ b/controllers/octavia_controller.go
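Review bot: The not-found branch of the new GetSecret check returns `ctrl.Result{RequeueAfter: ...}` together with a non-nil error; controller-runtime discards the Result when err is non-nil and falls back to its rate-limited requeue, logging the error on every attempt, so the intended 10-second delay never applies. Since the InputReadyCondition already records the waiting state, return `ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil` there, or keep the error and drop the RequeueAfter. The same pattern is copied into the reconcileNormal hunk of controllers/octaviaapi_controller.go; it appears to mirror the existing ospSecret check, so if that is deliberate a one-line comment saying so would stop the next reader from flagging it. The error string also embeds an empty name when Spec.TransportURLSecret is unset, yielding "TransportURL secret  not found"; a guard on the empty name before the lookup gives a clearer message. reconcileNormal starts and ends outside the hunk.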
@@ -748,6 +748,7 @@ func (r *OctaviaReconciler) apiDeploymentCreateOrUpdate(instance *octaviav1.Octa
 deployment.Spec.DatabaseHostname = instance.Status.DatabaseHostname
 deployment.Spec.DatabaseUser = instance.Spec.DatabaseUser
 deployment.Spec.ServiceUser = instance.Spec.ServiceUser
+ deployment.Spec.TransportURLSecret = instance.Status.TransportURLSecret
 deployment.Spec.Secret = instance.Spec.Secret
 deployment.Spec.ServiceAccount = instance.RbacResourceName()
 if len(deployment.Spec.NodeSelector) == 0 {
diff --git a/controllers/octaviaapi_controller.go b/controllers/octaviaapi_controller.go
index dbae38e4..109594f9 100644
--- a/controllers/octaviaapi_controller.go
+++ b/controllers/octaviaapi_controller.go
@@ -77,6 +77,8 @@ type OctaviaAPIReconciler struct {
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=ovn.openstack.org,resources=ovndbclusters,verbs=get;list;watch;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
+// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;hostmount-anyuid,resources=securitycontextconstraints,verbs=use
+// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
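Review bot: `deployment.Spec.TransportURLSecret = instance.Status.TransportURLSecret` copies a Status field that is populated elsewhere in the reconciler; if apiDeploymentCreateOrUpdate runs before that happens, the OctaviaAPI is created with an empty secret name and its own reconcileNormal requeues with a not-found error until a later pass corrects it. If the call ordering guarantees the value is present here, a one-line comment stating that would help; otherwise skip creating the API until Status.TransportURLSecret is non-empty. apiDeploymentCreateOrUpdate starts and ends outside the hunk.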
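Review bot: The new marker grants the operator service account `use` on both the anyuid and hostmount-anyuid SecurityContextConstraints, and hostmount-anyuid additionally permits hostPath volumes on every pod the operator creates; nothing in this diff shows a hostPath mount, so if the API pods only need to run under a fixed UID, `resourceNames=anyuid` alone is the narrower grant. The generated rule in config/rbac/role.yaml carries the same two names and is regenerated from this marker, so the marker is the place to trim it. The second marker adds create/delete/patch on core pods to a reconciler that manages Deployments; a short comment above it naming the code path that manipulates pods directly would document why those verbs are needed. The markers sit between the OctaviaAPIReconciler struct and Reconcile, both of which continue outside the hunk.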
@@ -450,6 +452,26 @@ func (r *OctaviaAPIReconciler) reconcileNormal(ctx context.Context, instance *oc
 }
 configMapVars[ospSecret.Name] = env.SetValue(hash)
+ transportURLSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.TransportURLSecret, instance.Namespace)
+ if err != nil {
+ if k8s_errors.IsNotFound(err) {
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.InputReadyCondition,
+ condition.RequestedReason,
+ condition.SeverityInfo,
+ condition.InputReadyWaitingMessage))
+ return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, fmt.Errorf("TransportURL secret %s not found", instance.Spec.TransportURLSecret)
+ }
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.InputReadyCondition,
+ condition.ErrorReason,
+ condition.SeverityWarning,
+ condition.InputReadyErrorMessage,
+ err.Error()))
+ return ctrl.Result{}, err
+ }
+ configMapVars[transportURLSecret.Name] = env.SetValue(hash)
+
 instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
 // run check OpenStack secret - end
diff --git a/pkg/amphoracontrollers/deployment.go b/pkg/amphoracontrollers/deployment.go
index 60115860..8b060c45 100644
--- a/pkg/amphoracontrollers/deployment.go
+++ b/pkg/amphoracontrollers/deployment.go
@@ -131,6 +131,7 @@ func Deployment(
 DatabaseUser: instance.Spec.DatabaseUser,
 DatabaseName: octavia.DatabaseName,
 OSPSecret: instance.Spec.Secret,
+ TransportURLSecret: instance.Spec.TransportURLSecret,
 DBPasswordSelector: instance.Spec.PasswordSelectors.Database,
 UserPasswordSelector: instance.Spec.PasswordSelectors.Service,
 VolumeMounts: octavia.GetInitVolumeMounts(),
diff --git a/pkg/octaviaapi/deployment.go b/pkg/octaviaapi/deployment.go
index 65a669b5..cd122a01 100644
--- a/pkg/octaviaapi/deployment.go
+++ b/pkg/octaviaapi/deployment.go
@@ -168,6 +168,7 @@ func Deployment(
 DatabaseUser: instance.Spec.DatabaseUser,
 DatabaseName: octavia.DatabaseName,
 OSPSecret: instance.Spec.Secret,
+ TransportURLSecret: instance.Spec.TransportURLSecret,
 DBPasswordSelector: instance.Spec.PasswordSelectors.Database,
 UserPasswordSelector: instance.Spec.PasswordSelectors.Service,
 VolumeMounts: initVolumeMounts,
diff --git a/templates/octavia/bin/init.sh b/templates/octavia/bin/init.sh
index e89afcab..783e8c49 100755
--- a/templates/octavia/bin/init.sh
+++ b/templates/octavia/bin/init.sh
@@ -41,11 +41,9 @@ for dir in /var/lib/config-data/default; do
 merge_config_dir ${dir}
 done
-# set secrets
-
 # set secrets
 if [ -n "$TRANSPORTURL" ]; then
- crudini --set /var/lib/config-data/merged/neutron.conf DEFAULT transport_url $TRANSPORTURL
+ crudini --set /var/lib/config-data/merged/octavia.conf DEFAULT transport_url $TRANSPORTURL
 fi
 crudini --set ${SVC_CFG_MERGED} database connection mysql+pymysql://${DBUSER}:${DBPASSWORD}@${DBHOST}/${DB}
 crudini --set ${SVC_CFG_MERGED} keystone_authtoken password $PASSWORD
diff --git a/templates/octaviaamphoracontroller/bin/init.sh b/templates/octaviaamphoracontroller/bin/init.sh
index 2bca6c5a..4c412b7a 100755
--- a/templates/octaviaamphoracontroller/bin/init.sh
+++ b/templates/octaviaamphoracontroller/bin/init.sh
@@ -24,6 +24,7 @@ export DBHOST=${DatabaseHost:?"Please specify a DatabaseHost variable."}
 export DBUSER=${DatabaseUser:?"Please specify a DatabaseUser variable."}
 export DBPASSWORD=${DatabasePassword:?"Please specify a DatabasePassword variable."}
 export DB=${DatabaseName:-"octavia"}
+export TRANSPORTURL=${TransportURL:-""}
 SVC_CFG=/etc/octavia/octavia.conf
 SVC_CFG_MERGED=/var/lib/config-data/merged/octavia.conf
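Review bot: The corrected crudini line in templates/octavia/bin/init.sh still expands `$TRANSPORTURL` unquoted, so a transport URL containing whitespace or glob characters is word-split before it reaches crudini; the value is a secret-sourced connection string, and the `[ -n "$TRANSPORTURL" ]` guard directly above already quotes it. The line also hard-codes /var/lib/config-data/merged/octavia.conf while the two lines below write the same file through `${SVC_CFG_MERGED}` (defined to that path in the sibling init.sh hunks, presumably the same here). Suggested line: `crudini --set ${SVC_CFG_MERGED} DEFAULT transport_url "$TRANSPORTURL"`. The same unquoted, hard-coded form is added in templates/octaviaamphoracontroller/bin/init.sh and templates/octaviaapi/bin/init.sh.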
@@ -40,6 +41,10 @@ for dir in /var/lib/config-data/default; do
 merge_config_dir ${dir}
 done
+# set secrets
+if [ -n "$TRANSPORTURL" ]; then
+ crudini --set /var/lib/config-data/merged/octavia.conf DEFAULT transport_url $TRANSPORTURL
+fi
 # set secrets
 crudini --set ${SVC_CFG_MERGED} database connection mysql+pymysql://${DBUSER}:${DBPASSWORD}@${DBHOST}/${DB}
 crudini --set ${SVC_CFG_MERGED} keystone_authtoken password $PASSWORD
diff --git a/templates/octaviaapi/bin/init.sh b/templates/octaviaapi/bin/init.sh
index 2bca6c5a..4c412b7a 100755
--- a/templates/octaviaapi/bin/init.sh
+++ b/templates/octaviaapi/bin/init.sh
@@ -24,6 +24,7 @@ export DBHOST=${DatabaseHost:?"Please specify a DatabaseHost variable."}
 export DBUSER=${DatabaseUser:?"Please specify a DatabaseUser variable."}
 export DBPASSWORD=${DatabasePassword:?"Please specify a DatabasePassword variable."}
 export DB=${DatabaseName:-"octavia"}
+export TRANSPORTURL=${TransportURL:-""}
 SVC_CFG=/etc/octavia/octavia.conf
 SVC_CFG_MERGED=/var/lib/config-data/merged/octavia.conf
@@ -40,6 +41,10 @@ for dir in /var/lib/config-data/default; do
 merge_config_dir ${dir}
 done
+# set secrets
+if [ -n "$TRANSPORTURL" ]; then
+ crudini --set /var/lib/config-data/merged/octavia.conf DEFAULT transport_url $TRANSPORTURL
+fi
 # set secrets
 crudini --set ${SVC_CFG_MERGED} database connection mysql+pymysql://${DBUSER}:${DBPASSWORD}@${DBHOST}/${DB}
 crudini --set ${SVC_CFG_MERGED} keystone_authtoken password $PASSWORD
diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml
index 24f42bf6..f5e44908 100644
--- a/tests/kuttl/common/assert_sample_deployment.yaml
+++ b/tests/kuttl/common/assert_sample_deployment.yaml
@@ -177,6 +177,11 @@ spec:
 secretKeyRef:
 key: OctaviaPassword
 name: osp-secret
+ - name: TransportURL
+ valueFrom:
+ secretKeyRef:
+ key: transport_url
+ name: rabbitmq-transport-url-octavia-octavia-transport
 - name: DatabaseHost
 value: openstack
 - name: DatabaseName
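Review bot: The added block in templates/octaviaamphoracontroller/bin/init.sh places a new `# set secrets` comment directly above the existing `# set secrets` line, recreating the duplicated header that the templates/octavia/bin/init.sh hunk in this same commit removes; the identical hunk in templates/octaviaapi/bin/init.sh does the same. Either drop the new comment and let the existing one cover the transport_url line as well, or reword it, e.g. `# set transport_url from the TransportURL secret env var`. The earlier hunk's `export TRANSPORTURL=${TransportURL:-""}` defaults to empty, so the `-n` test is what stops an empty transport_url from being written; a brief comment on the `if` line saying so would make that intent explicit.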