From a4e417860a4d80b67db5c459ab9d05959ac232a8 Mon Sep 17 00:00:00 2001 From: Fabien Boucher Date: Fri, 10 Nov 2023 16:02:35 +0000 Subject: [PATCH] Snipe watch secrets - remove adoption system As we no longer rely on `Owns` facilities we can then remove the adoption system to simplify the controller. Change-Id: Ib4b4f47e8fce32efeb956098f8035c9e6d9fa68a --- controllers/nodepool.go | 56 +++++++++++++++++------------------------ controllers/utils.go | 23 +++++------------ 2 files changed, 29 insertions(+), 50 deletions(-) diff --git a/controllers/nodepool.go b/controllers/nodepool.go index cb173dc7..3e62b99b 100644 --- a/controllers/nodepool.go +++ b/controllers/nodepool.go
@@ -290,40 +290,30 @@ func (r *SFController) ensureNodepoolPromRule(cloudsYaml map[string]interface{}) return true } -func (r *SFController) setProviderSecrets(volumeMount []apiv1.VolumeMount) (apiv1.Secret, []apiv1.VolumeMount, bool) { - // We set a place holder secret to ensure that the Secret is owned by the SoftwareFactory instance (ControllerReference) +func (r *SFController) setProviderSecretsVolumeMounts(volumeMount []apiv1.VolumeMount) (apiv1.Secret, []apiv1.VolumeMount, bool) { var nodepoolProvidersSecrets apiv1.Secret - if !r.GetM(NodepoolProvidersSecretsName, &nodepoolProvidersSecrets) { - r.CreateR(&apiv1.Secret{ - Data: map[string][]byte{}, - ObjectMeta: metav1.ObjectMeta{Name: NodepoolProvidersSecretsName, Namespace: r.ns}}) - } else { - if len(nodepoolProvidersSecrets.GetOwnerReferences()) == 0 { - r.log.V(1).Info("Adopting the providers secret to set the owner reference", "secret", NodepoolProvidersSecretsName) - if !r.UpdateR(&nodepoolProvidersSecrets) { - return nodepoolProvidersSecrets, volumeMount, false - } + if r.GetM(NodepoolProvidersSecretsName, &nodepoolProvidersSecrets) { + if data, ok := nodepoolProvidersSecrets.Data["clouds.yaml"]; ok && len(data) > 0 { + volumeMount = append(volumeMount, apiv1.VolumeMount{ + Name: "nodepool-providers-secrets", + SubPath: "clouds.yaml", + MountPath: "/var/lib/nodepool/.config/openstack/clouds.yaml", + ReadOnly: true, + }) } - } - - if data, ok := nodepoolProvidersSecrets.Data["clouds.yaml"]; ok && len(data) > 0 { - volumeMount = append(volumeMount, apiv1.VolumeMount{ - Name: "nodepool-providers-secrets", - SubPath: "clouds.yaml", - MountPath: "/var/lib/nodepool/.config/openstack/clouds.yaml", - ReadOnly: true, - }) - } - if data, ok := nodepoolProvidersSecrets.Data["kube.config"]; ok && len(data) > 0 { - volumeMount = append(volumeMount, apiv1.VolumeMount{ - Name: "nodepool-providers-secrets", - SubPath: "kube.config", - MountPath: "/var/lib/nodepool/.kube/config", - ReadOnly: true, - }) + if data, ok := 
nodepoolProvidersSecrets.Data["kube.config"]; ok && len(data) > 0 { + volumeMount = append(volumeMount, apiv1.VolumeMount{ + Name: "nodepool-providers-secrets", + SubPath: "kube.config", + MountPath: "/var/lib/nodepool/.kube/config", + ReadOnly: true, + }) + } + return nodepoolProvidersSecrets, volumeMount, true + } else { + return nodepoolProvidersSecrets, volumeMount, false } - return nodepoolProvidersSecrets, volumeMount, true } func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume, nodepoolStatsdMappingConfig string) bool { @@ -423,7 +413,7 @@ func (r *SFController) DeployNodepoolBuilder(statsdExporterVolume apiv1.Volume, }, } - nodepoolProvidersSecrets, volumeMount, ready := r.setProviderSecrets(volumeMount) + nodepoolProvidersSecrets, volumeMount, ready := r.setProviderSecretsVolumeMounts(volumeMount) if !ready { return false } @@ -578,7 +568,7 @@ func (r *SFController) DeployNodepoolLauncher(statsdExporterVolume apiv1.Volume, configScriptVolumeMount, } - nodepoolProvidersSecrets, volumeMount, ready := r.setProviderSecrets(volumeMount) + nodepoolProvidersSecrets, volumeMount, ready := r.setProviderSecretsVolumeMounts(volumeMount) if !ready { return false } @@ -665,7 +655,7 @@ func (r *SFController) DeployNodepool() map[string]bool { // We need to initialize the providers secrets early var v []apiv1.VolumeMount - var nodepoolProvidersSecrets, _, ready = r.setProviderSecrets(v) + var nodepoolProvidersSecrets, _, ready = r.setProviderSecretsVolumeMounts(v) if !ready { deployments[launcherIdent] = false deployments[builderIdent] = false diff --git a/controllers/utils.go b/controllers/utils.go index a9edb905..685b5c12 100644 --- a/controllers/utils.go +++ b/controllers/utils.go 
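Review bot: The `} else {` that follows `return nodepoolProvidersSecrets, volumeMount, true` in setProviderSecretsVolumeMounts is redundant; inverting the lookup into a guard, `if !r.GetM(NodepoolProvidersSecretsName, &nodepoolProvidersSecrets) { return nodepoolProvidersSecrets, volumeMount, false }`, lets the two mount blocks and the success return sit one level shallower. The function also has no doc comment, and its contract changed: a missing Secret used to be replaced by an empty placeholder with the mounts simply skipped, whereas now the third result is false and the three call sites touched in this patch stop their deployment (`return false`, or `deployments[...] = false` in DeployNodepool). Suggest documenting that, e.g. `// setProviderSecretsVolumeMounts appends a read-only mount for each of the clouds.yaml and kube.config keys present in the nodepool providers Secret; it returns false when the Secret does not exist, which the callers treat as not ready.` The hunk's last context line is the signature of DeployNodepoolBuilder, whose body is outside the hunk.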
@@ -296,13 +296,13 @@ func (r *SFUtilContext) ensureHTTPSRoute( name string, host string, serviceName string, path string, port int, annotations map[string]string, fqdn string, le *sfv1.LetsEncryptSpec) bool { - var tlsDataReady bool + tlsDataReady := true var sslCA, sslCrt, sslKey []byte if le == nil { // Letsencrypt config has not been set so we check the `customSSLSecretName` Secret // for any custom TLS data to setup the Route - tlsDataReady, sslCA, sslCrt, sslKey = r.extractStaticTLSFromSecret(name, host) + sslCA, sslCrt, sslKey = r.extractStaticTLSFromSecret(name, host) } else { // Letsencrypt config has been set so we ensure we set a Certificate via the // cert-manager Issuer and then we'll setup the Route based on the Certificate's Secret 
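Review bot: With `tlsDataReady := true` and the bool result dropped from `extractStaticTLSFromSecret`, the `le == nil` branch of ensureHTTPSRoute now reports readiness even when the custom SSL Secret is absent, in which case sslCA, sslCrt and sslKey are all nil (see the utils.go hunk below). Before this patch a missing Secret yielded tlsDataReady = false; what the rest of ensureHTTPSRoute does with that flag is outside the hunk, so if it gates applying the certificate and key to the Route, nil material may now be applied or the not-ready path skipped. If an absent Secret is intended to be a valid state (no custom TLS material configured), say so in the branch comment; otherwise derive readiness from the data after the call, `tlsDataReady = len(sslCrt) > 0 && len(sslKey) > 0`. ensureHTTPSRoute continues past the end of the hunk.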
@@ -471,27 +471,16 @@ func GetCustomRouteSSLSecretName(host string) string { return host + "-ssl-cert" } -func (r *SFUtilContext) extractStaticTLSFromSecret(name string, host string) (bool, []byte, []byte, []byte) { +func (r *SFUtilContext) extractStaticTLSFromSecret(name string, host string) ([]byte, []byte, []byte) { var customSSLSecret apiv1.Secret customSSLSecretName := GetCustomRouteSSLSecretName(host) - // We set a place holder secret to ensure that the Secret is owned (ControllerReference) - // Or we adopt the existing secret if !r.GetM(customSSLSecretName, &customSSLSecret) { - r.CreateR(&apiv1.Secret{ - Data: map[string][]byte{}, - ObjectMeta: metav1.ObjectMeta{Name: customSSLSecretName, Namespace: r.ns}}) - return false, nil, nil, nil + return nil, nil, nil } else { - if len(customSSLSecret.GetOwnerReferences()) == 0 { - r.log.V(1).Info("Adopting the route secret to set the owner reference", "secret", customSSLSecretName, "route name", name) - if !r.UpdateR(&customSSLSecret) { - return false, nil, nil, nil - } - } + // Fetching secret expected TLS Keys content + return customSSLSecret.Data["CA"], customSSLSecret.Data["crt"], customSSLSecret.Data["key"] } - // Fetching secret expected TLS Keys content - return true, customSSLSecret.Data["CA"], customSSLSecret.Data["crt"], customSSLSecret.Data["key"] } func (r *SFUtilContext) extractTLSFromLECertificateSecret(name string, host string, fqdn string, le sfv1.LetsEncryptSpec) (bool, []byte, []byte, []byte) {
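Review bot: The new extractStaticTLSFromSecret returns `customSSLSecret.Data["CA"], customSSLSecret.Data["crt"], customSSLSecret.Data["key"]` without checking that the keys exist, so a Secret that lacks `crt` or `key` is indistinguishable from a missing Secret (both yield nil slices), and callers can no longer tell the two apart now that the bool result is gone. If that distinction matters to the caller, keep a presence check, e.g. `if len(customSSLSecret.Data["crt"]) == 0 || len(customSSLSecret.Data["key"]) == 0 { r.log.V(1).Info("custom route secret is missing crt or key", "secret", customSSLSecretName) }`. The `name` parameter is now unused since the log line that referenced it was removed, and the `else` after `return nil, nil, nil` can be dropped so the happy path is unindented. A doc comment would help: `// extractStaticTLSFromSecret returns the CA, certificate and key bytes stored under the CA, crt and key keys of the custom route SSL Secret, or three nil slices when the Secret does not exist.`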