From 623a3b207dd2c111ffcd6493714ff34421ae548f Mon Sep 17 00:00:00 2001 From: Joel Takvorian Date: Fri, 8 Sep 2023 15:27:44 +0200 Subject: [PATCH] Remove ConfigOrSecret API, replaced with the newer FileReference (#411) This only impacts SASL config which is not supported product-wise --- api/v1beta1/flowcollector_types.go | 34 +--- api/v1beta1/zz_generated.deepcopy.go | 18 +- .../flows.netobserv.io_flowcollectors.yaml | 127 +++++++++---- .../flows.netobserv.io_flowcollectors.yaml | 127 +++++++++---- controllers/ebpf/agent_controller.go | 13 +- ...wcollector_controller_certificates_test.go | 27 ++- .../flowcollector_controller_iso_test.go | 11 +- .../flowlogspipeline/flp_common_objects.go | 8 +- .../flowlogspipeline/flp_reconciler.go | 9 +- docs/FlowCollector.md | 172 ++++++++++++++---- pkg/volumes/builder.go | 5 +- pkg/watchers/object_ref.go | 10 +- pkg/watchers/watcher.go | 12 +- pkg/watchers/watcher_test.go | 15 +- 14 files changed, 398 insertions(+), 190 deletions(-) diff --git a/api/v1beta1/flowcollector_types.go b/api/v1beta1/flowcollector_types.go index bf9260b58..3aa6877ba 100644 --- a/api/v1beta1/flowcollector_types.go +++ b/api/v1beta1/flowcollector_types.go 
@@ -716,19 +716,19 @@ const ( type FileReference struct { //+kubebuilder:validation:Enum=configmap;secret - // type for the file reference: "configmap" or "secret" + // Type for the file reference: "configmap" or "secret" Type MountableType `json:"type,omitempty"` - // name of the config map or secret containing the file + // Name of the config map or secret containing the file Name string `json:"name,omitempty"` - // namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. + // Namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. // If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. // +optional //+kubebuilder:default:="" Namespace string `json:"namespace,omitempty"` - // file defines the file name within the config map or secret + // File name within the config map or secret File string `json:"file,omitempty"` } 
@@ -788,29 +788,11 @@ type SASLConfig struct { // Type of SASL authentication to use, or `DISABLED` if SASL is not used Type SASLType `json:"type,omitempty"` - // Reference to the secret or config map containing the client ID and secret - Reference ConfigOrSecret `json:"reference,omitempty"` + // Reference to the secret or config map containing the client ID + ClientIDReference FileReference `json:"clientIDReference,omitempty"` - // Key for client ID within the provided `reference` - ClientIDKey string `json:"clientIDKey,omitempty"` - - // Key for client secret within the provided `reference` - ClientSecretKey string `json:"clientSecretKey,omitempty"` -} - -type ConfigOrSecret struct { - //+kubebuilder:validation:Enum=configmap;secret - // Type for the reference: "configmap" or "secret" - Type MountableType `json:"type,omitempty"` - - // Name of the config map or secret to reference - Name string `json:"name,omitempty"` - - // Namespace of the config map or secret. If omitted, assumes same namespace as where NetObserv is deployed. - // If the namespace is different, the config map or the secret will be copied so that it can be mounted as required. - // +optional - //+kubebuilder:default:="" - Namespace string `json:"namespace,omitempty"` + // Reference to the secret or config map containing the client secret + ClientSecretReference FileReference `json:"clientSecretReference,omitempty"` } // `DebugConfig` allows tweaking some aspects of the internal configuration of the agent and FLP. diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index f436cf91a..7caa6955c 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go 
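Review bot: The JSON field names of `SASLConfig` change inside the same API version (`reference`/`clientIDKey`/`clientSecretKey` become `clientIDReference`/`clientSecretReference`) with no conversion, so an existing v1beta1 FlowCollector that set `sasl.reference` keeps `type: PLAIN` but would presumably have its credentials pruned by the structural schema on upgrade, leaving the reconcilers to mount empty references. The commit message accepts this because SASL is unsupported, but a one-line note on the type would save the next maintainer the archaeology: `// Note: the earlier v1beta1 fields reference/clientIDKey/clientSecretKey were dropped without conversion (SASL is unsupported).` Separately, the shared `Type` enum lets `ClientSecretReference` point at a ConfigMap; I would extend its comment with `// Prefer type "secret" here: a ConfigMap is not covered by Secret RBAC or encryption at rest.`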
@@ -74,21 +74,6 @@ func (in *ClusterNetworkOperatorConfig) DeepCopy() *ClusterNetworkOperatorConfig return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ConfigOrSecret) DeepCopyInto(out *ConfigOrSecret) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigOrSecret. -func (in *ConfigOrSecret) DeepCopy() *ConfigOrSecret { - if in == nil { - return nil - } - out := new(ConfigOrSecret) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConsolePluginPortConfig) DeepCopyInto(out *ConsolePluginPortConfig) { *out = *in @@ -642,7 +627,8 @@ func (in *QuickFilter) DeepCopy() *QuickFilter { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SASLConfig) DeepCopyInto(out *SASLConfig) { *out = *in - out.Reference = in.Reference + out.ClientIDReference = in.ClientIDReference + out.ClientSecretReference = in.ClientSecretReference } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SASLConfig. diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml index dadacb43d..6a6f1e19a 100644 --- a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml +++ b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml 
@@ -3245,31 +3245,58 @@ spec: description: SASL authentication configuration. [Unsupported (*)]. properties: - clientIDKey: - description: Key for client ID within the provided `reference` - type: string - clientSecretKey: - description: Key for client secret within the provided - `reference` - type: string - reference: + clientIDReference: description: Reference to the secret or config map containing - the client ID and secret + the client ID properties: + file: + description: File name within the config map or + secret + type: string name: - description: Name of the config map or secret to - reference + description: Name of the config map or secret containing + the file type: string namespace: default: "" - description: Namespace of the config map or secret. - If omitted, assumes same namespace as where NetObserv - is deployed. If the namespace is different, the - config map or the secret will be copied so that - it can be mounted as required. + description: Namespace of the config map or secret + containing the file. If omitted, assumes same + namespace as where NetObserv is deployed. If the + namespace is different, the config map or the + secret will be copied so that it can be mounted + as required. type: string type: - description: 'Type for the reference: "configmap" + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: Namespace of the config map or secret + containing the file. If omitted, assumes same + namespace as where NetObserv is deployed. 
If the + namespace is different, the config map or the + secret will be copied so that it can be mounted + as required. + type: string + type: + description: 'Type for the file reference: "configmap" or "secret"' enum: - configmap 
@@ -3405,29 +3432,55 @@ spec: sasl: description: SASL authentication configuration. [Unsupported (*)]. properties: - clientIDKey: - description: Key for client ID within the provided `reference` - type: string - clientSecretKey: - description: Key for client secret within the provided `reference` - type: string - reference: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: Namespace of the config map or secret containing + the file. If omitted, assumes same namespace as where + NetObserv is deployed. If the namespace is different, + the config map or the secret will be copied so that + it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: description: Reference to the secret or config map containing - the client ID and secret + the client secret properties: + file: + description: File name within the config map or secret + type: string name: - description: Name of the config map or secret to reference + description: Name of the config map or secret containing + the file type: string namespace: default: "" - description: Namespace of the config map or secret. If - omitted, assumes same namespace as where NetObserv is - deployed. If the namespace is different, the config - map or the secret will be copied so that it can be mounted - as required. + description: Namespace of the config map or secret containing + the file. If omitted, assumes same namespace as where + NetObserv is deployed. If the namespace is different, + the config map or the secret will be copied so that + it can be mounted as required. 
type: string type: - description: 'Type for the reference: "configmap" or "secret"' + description: 'Type for the file reference: "configmap" + or "secret"' enum: - configmap - secret @@ -4550,16 +4603,16 @@ spec: description: Reference to the CA file will be ignored properties: file: - description: file defines the file name within - the config map or secret + description: File name within the config map or + secret type: string name: - description: name of the config map or secret + description: Name of the config map or secret containing the file type: string namespace: default: "" - description: namespace of the config map or secret + description: Namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or @@ -4567,7 +4620,7 @@ spec: mounted as required. type: string type: - description: 'type for the file reference: "configmap" + description: 'Type for the file reference: "configmap" or "secret"' enum: - configmap diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml index 930600153..ee232894d 100644 --- a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml +++ b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml 
@@ -3232,31 +3232,58 @@ spec: description: SASL authentication configuration. [Unsupported (*)]. properties: - clientIDKey: - description: Key for client ID within the provided `reference` - type: string - clientSecretKey: - description: Key for client secret within the provided - `reference` - type: string - reference: + clientIDReference: description: Reference to the secret or config map containing - the client ID and secret + the client ID properties: + file: + description: File name within the config map or + secret + type: string name: - description: Name of the config map or secret to - reference + description: Name of the config map or secret containing + the file type: string namespace: default: "" - description: Namespace of the config map or secret. - If omitted, assumes same namespace as where NetObserv - is deployed. If the namespace is different, the - config map or the secret will be copied so that - it can be mounted as required. + description: Namespace of the config map or secret + containing the file. If omitted, assumes same + namespace as where NetObserv is deployed. If the + namespace is different, the config map or the + secret will be copied so that it can be mounted + as required. type: string type: - description: 'Type for the reference: "configmap" + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: + description: Reference to the secret or config map containing + the client secret + properties: + file: + description: File name within the config map or + secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: Namespace of the config map or secret + containing the file. If omitted, assumes same + namespace as where NetObserv is deployed. 
If the + namespace is different, the config map or the + secret will be copied so that it can be mounted + as required. + type: string + type: + description: 'Type for the file reference: "configmap" or "secret"' enum: - configmap 
@@ -3392,29 +3419,55 @@ spec: sasl: description: SASL authentication configuration. [Unsupported (*)]. properties: - clientIDKey: - description: Key for client ID within the provided `reference` - type: string - clientSecretKey: - description: Key for client secret within the provided `reference` - type: string - reference: + clientIDReference: + description: Reference to the secret or config map containing + the client ID + properties: + file: + description: File name within the config map or secret + type: string + name: + description: Name of the config map or secret containing + the file + type: string + namespace: + default: "" + description: Namespace of the config map or secret containing + the file. If omitted, assumes same namespace as where + NetObserv is deployed. If the namespace is different, + the config map or the secret will be copied so that + it can be mounted as required. + type: string + type: + description: 'Type for the file reference: "configmap" + or "secret"' + enum: + - configmap + - secret + type: string + type: object + clientSecretReference: description: Reference to the secret or config map containing - the client ID and secret + the client secret properties: + file: + description: File name within the config map or secret + type: string name: - description: Name of the config map or secret to reference + description: Name of the config map or secret containing + the file type: string namespace: default: "" - description: Namespace of the config map or secret. If - omitted, assumes same namespace as where NetObserv is - deployed. If the namespace is different, the config - map or the secret will be copied so that it can be mounted - as required. + description: Namespace of the config map or secret containing + the file. If omitted, assumes same namespace as where + NetObserv is deployed. If the namespace is different, + the config map or the secret will be copied so that + it can be mounted as required. 
type: string type: - description: 'Type for the reference: "configmap" or "secret"' + description: 'Type for the file reference: "configmap" + or "secret"' enum: - configmap - secret @@ -4537,16 +4590,16 @@ spec: description: Reference to the CA file will be ignored properties: file: - description: file defines the file name within - the config map or secret + description: File name within the config map or + secret type: string name: - description: name of the config map or secret + description: Name of the config map or secret containing the file type: string namespace: default: "" - description: namespace of the config map or secret + description: Namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or @@ -4554,7 +4607,7 @@ spec: mounted as required. type: string type: - description: 'type for the file reference: "configmap" + description: 'Type for the file reference: "configmap" or "secret"' enum: - configmap diff --git a/controllers/ebpf/agent_controller.go b/controllers/ebpf/agent_controller.go index 48e561965..4a9497af0 100644 --- a/controllers/ebpf/agent_controller.go +++ b/controllers/ebpf/agent_controller.go @@ -3,7 +3,6 @@ package ebpf import ( "context" "fmt" - "path" "strconv" "strings" 
@@ -304,22 +303,24 @@ func (c *AgentController) envConfig(ctx context.Context, coll *flowslatest.FlowC if helper.UseSASL(&coll.Spec.Kafka.SASL) { sasl := &coll.Spec.Kafka.SASL // Annotate pod with secret reference so that it is reloaded if modified - digest, err := c.Watcher.ProcessSASL(ctx, c.Client, sasl, c.PrivilegedNamespace()) + d1, d2, err := c.Watcher.ProcessSASL(ctx, c.Client, sasl, c.PrivilegedNamespace()) if err != nil { return nil, err } - annots[watchers.Annotation("kafka-sd")] = digest + annots[watchers.Annotation("kafka-sd1")] = d1 + annots[watchers.Annotation("kafka-sd2")] = d2 t := "plain" if coll.Spec.Kafka.SASL.Type == flowslatest.SASLScramSHA512 { t = "scramSHA512" } - basePath := c.volumes.AddVolume(&sasl.Reference, "kafka-sasl") + idPath := c.volumes.AddVolume(&sasl.ClientIDReference, "kafka-sasl-id") + secretPath := c.volumes.AddVolume(&sasl.ClientSecretReference, "kafka-sasl-secret") config = append(config, corev1.EnvVar{Name: envKafkaEnableSASL, Value: "true"}, corev1.EnvVar{Name: envKafkaSASLType, Value: t}, - corev1.EnvVar{Name: envKafkaSASLIDPath, Value: path.Join(basePath, sasl.ClientIDKey)}, - corev1.EnvVar{Name: envKafkaSASLSecretPath, Value: path.Join(basePath, sasl.ClientSecretKey)}, + corev1.EnvVar{Name: envKafkaSASLIDPath, Value: idPath}, + corev1.EnvVar{Name: envKafkaSASLSecretPath, Value: secretPath}, ) } } else { diff --git a/controllers/flowcollector_controller_certificates_test.go b/controllers/flowcollector_controller_certificates_test.go index 3f1543357..376c003b8 100644 --- a/controllers/flowcollector_controller_certificates_test.go +++ b/controllers/flowcollector_controller_certificates_test.go 
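Review bot: The `kafka-sd1`/`kafka-sd2` annotations are written unconditionally here, whereas `annotateKafkaCerts` in the FLP reconciler of this same patch only sets `-sd1`/`-sd2` when the digest is non-empty, so the two code paths disagree on how an unresolved reference shows up on the pod template. I would mirror the FLP guard: `if d1 != "" { annots[watchers.Annotation("kafka-sd1")] = d1 }` and the same for `d2`. `envConfig` begins before this hunk, so I cannot see whether `annots` is consumed elsewhere in a way that relies on the keys always being present.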
@@ -93,7 +93,8 @@ func flowCollectorCertificatesSpecs() { "password": []byte("azerty"), }, } - expectedKafkaSaslHash, _ := sw.GetDigest(&kafka2Sasl, []string{"username", "password"}) + expectedKafkaSaslHash1, _ := sw.GetDigest(&kafka2Sasl, []string{"username"}) + expectedKafkaSaslHash2, _ := sw.GetDigest(&kafka2Sasl, []string{"password"}) BeforeEach(func() { // Add any setup steps that needs to be executed before each test @@ -115,10 +116,10 @@ func flowCollectorCertificatesSpecs() { cmEmpty, _ := cmw.GetDigest(&v1.ConfigMap{}, []string{"any"}) sEmpty, _ := sw.GetDigest(&v1.Secret{}, []string{"any"}) allKeys := map[string]interface{}{} - for _, hash := range []string{"", cmEmpty, sEmpty, expectedLokiHash, expectedKafkaHash, expectedKafka2Hash, expectedKafkaUserHash, expectedKafkaSaslHash} { + for _, hash := range []string{"", cmEmpty, sEmpty, expectedLokiHash, expectedKafkaHash, expectedKafka2Hash, expectedKafkaUserHash, expectedKafkaSaslHash1, expectedKafkaSaslHash2} { allKeys[hash] = nil } - Expect(allKeys).To(HaveLen(8)) + Expect(allKeys).To(HaveLen(9)) }) }) @@ -187,12 +188,16 @@ func flowCollectorCertificatesSpecs() { }, SASL: flowslatest.SASLConfig{ Type: "PLAIN", - Reference: flowslatest.ConfigOrSecret{ + ClientIDReference: flowslatest.FileReference{ Type: flowslatest.RefTypeSecret, Name: kafka2Sasl.Name, + File: "username", + }, + ClientSecretReference: flowslatest.FileReference{ + Type: flowslatest.RefTypeSecret, + Name: kafka2Sasl.Name, + File: "password", }, - ClientIDKey: "username", - ClientSecretKey: "password", }, }, }}, 
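Review bot: Both new references point at the same Secret `kafka2Sasl`, so the fixture never exercises the case the split API introduces: client ID and client secret living in different objects, or one of them in a ConfigMap. A swapped `File` or a mix-up between the `kafka-sasl-id` and `kafka-sasl-secret` volumes would still produce the expected annotation and volume counts. Consider adding a second fixture with `ClientIDReference` in a ConfigMap and `ClientSecretReference` in a Secret, and asserting the two volumes reference different sources.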
@@ -281,19 +286,21 @@ func flowCollectorCertificatesSpecs() { return err } return flp.Spec.Template.Spec.Volumes - }, timeout, interval).Should(HaveLen(7)) - Expect(flp.Spec.Template.Annotations).To(HaveLen(7)) + }, timeout, interval).Should(HaveLen(8)) + Expect(flp.Spec.Template.Annotations).To(HaveLen(8)) Expect(flp.Spec.Template.Annotations["flows.netobserv.io/watched-kafka-ca"]).To(Equal(expectedKafkaHash)) Expect(flp.Spec.Template.Annotations["flows.netobserv.io/watched-kafka-user"]).To(Equal(expectedKafkaUserHash)) Expect(flp.Spec.Template.Annotations["flows.netobserv.io/watched-kafka-export-0-ca"]).To(Equal(expectedKafka2Hash)) - Expect(flp.Spec.Template.Annotations["flows.netobserv.io/watched-kafka-export-0-sd"]).To(Equal(expectedKafkaSaslHash)) + Expect(flp.Spec.Template.Annotations["flows.netobserv.io/watched-kafka-export-0-sd1"]).To(Equal(expectedKafkaSaslHash1)) + Expect(flp.Spec.Template.Annotations["flows.netobserv.io/watched-kafka-export-0-sd2"]).To(Equal(expectedKafkaSaslHash2)) Expect(flp.Spec.Template.Spec.Volumes[0].Name).To(Equal("config-volume")) Expect(flp.Spec.Template.Spec.Volumes[1].Name).To(Equal("kafka-cert-ca")) Expect(flp.Spec.Template.Spec.Volumes[2].Name).To(Equal("kafka-cert-user")) Expect(flp.Spec.Template.Spec.Volumes[3].Name).To(Equal("flowlogs-pipeline")) // token Expect(flp.Spec.Template.Spec.Volumes[4].Name).To(Equal("loki-certs-ca")) Expect(flp.Spec.Template.Spec.Volumes[5].Name).To(Equal("kafka-export-0-ca")) - Expect(flp.Spec.Template.Spec.Volumes[6].Name).To(Equal("kafka-export-0-sasl")) + Expect(flp.Spec.Template.Spec.Volumes[6].Name).To(Equal("kafka-export-0-sasl-id")) + Expect(flp.Spec.Template.Spec.Volumes[7].Name).To(Equal("kafka-export-0-sasl-secret")) lastFLPAnnots = flp.Spec.Template.Annotations }) }) diff --git a/controllers/flowcollector_controller_iso_test.go b/controllers/flowcollector_controller_iso_test.go index 97ff3861d..83eb7bd3d 100644 --- a/controllers/flowcollector_controller_iso_test.go 
+++ b/controllers/flowcollector_controller_iso_test.go @@ -184,13 +184,18 @@ func flowCollectorIsoSpecs() { }, SASL: flowslatest.SASLConfig{ Type: "DISABLED", - Reference: flowslatest.ConfigOrSecret{ + ClientIDReference: flowslatest.FileReference{ Type: "configmap", Name: "", Namespace: "", + File: "", + }, + ClientSecretReference: flowslatest.FileReference{ + Type: "configmap", + Name: "", + Namespace: "", + File: "", }, - ClientIDKey: "", - ClientSecretKey: "", }, }, Exporters: []*flowslatest.FlowCollectorExporter{}, diff --git a/controllers/flowlogspipeline/flp_common_objects.go b/controllers/flowlogspipeline/flp_common_objects.go index a7df8c949..e184ad399 100644 --- a/controllers/flowlogspipeline/flp_common_objects.go +++ b/controllers/flowlogspipeline/flp_common_objects.go @@ -5,7 +5,6 @@ import ( "encoding/json" "fmt" "hash/fnv" - "path" "path/filepath" "strconv" "time" @@ -632,11 +631,12 @@ func (b *builder) getKafkaSASL(sasl *flowslatest.SASLConfig, volumePrefix string if sasl.Type == flowslatest.SASLScramSHA512 { t = "scramSHA512" } - basePath := b.volumes.AddVolume(&sasl.Reference, volumePrefix+"-sasl") + idPath := b.volumes.AddVolume(&sasl.ClientIDReference, volumePrefix+"-sasl-id") + secretPath := b.volumes.AddVolume(&sasl.ClientSecretReference, volumePrefix+"-sasl-secret") return &api.SASLConfig{ Type: t, - ClientIDPath: path.Join(basePath, sasl.ClientIDKey), - ClientSecretPath: path.Join(basePath, sasl.ClientSecretKey), + ClientIDPath: idPath, + ClientSecretPath: secretPath, } } diff --git a/controllers/flowlogspipeline/flp_reconciler.go b/controllers/flowlogspipeline/flp_reconciler.go index be13fd13c..fd7297635 100644 --- a/controllers/flowlogspipeline/flp_reconciler.go +++ b/controllers/flowlogspipeline/flp_reconciler.go 
@@ -88,12 +88,15 @@ func annotateKafkaCerts(ctx context.Context, info *reconcilers.Common, spec *flo annotations[watchers.Annotation(prefix+"-user")] = userDigest } if helper.UseSASL(&spec.SASL) { - saslDigest, err := info.Watcher.ProcessSASL(ctx, info.Client, &spec.SASL, info.Namespace) + saslDigest1, saslDigest2, err := info.Watcher.ProcessSASL(ctx, info.Client, &spec.SASL, info.Namespace) if err != nil { return err } - if saslDigest != "" { - annotations[watchers.Annotation(prefix+"-sd")] = saslDigest + if saslDigest1 != "" { + annotations[watchers.Annotation(prefix+"-sd1")] = saslDigest1 + } + if saslDigest2 != "" { + annotations[watchers.Annotation(prefix+"-sd2")] = saslDigest2 } } return nil diff --git a/docs/FlowCollector.md b/docs/FlowCollector.md index 1f8adafc2..cfed772fd 100644 --- a/docs/FlowCollector.md +++ b/docs/FlowCollector.md @@ -5667,46 +5667,91 @@ SASL authentication configuration. [Unsupported (*)]. - clientIDKey + clientIDReference + object + + Reference to the secret or config map containing the client ID
+ + false + + clientSecretReference + object + + Reference to the secret or config map containing the client secret
+ + false + + type + enum + + Type of SASL authentication to use, or `DISABLED` if SASL is not used
+
+ Enum: DISABLED, PLAIN, SCRAM-SHA512
+ Default: DISABLED
+ + false + + + + +### FlowCollector.spec.exporters[index].kafka.sasl.clientIDReference +[↩ Parent](#flowcollectorspecexportersindexkafkasasl) + + + +Reference to the secret or config map containing the client ID + + + + + + + + + + + + - + - - + +
NameTypeDescriptionRequired
file string - Key for client ID within the provided `reference`
+ File name within the config map or secret
false
clientSecretKeyname string - Key for client secret within the provided `reference`
+ Name of the config map or secret containing the file
false
referenceobjectnamespacestring - Reference to the secret or config map containing the client ID and secret
+ Namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.
+
+ Default:
false
type enum - Type of SASL authentication to use, or `DISABLED` if SASL is not used
+ Type for the file reference: "configmap" or "secret"

- Enum: DISABLED, PLAIN, SCRAM-SHA512
- Default: DISABLED
+ Enum: configmap, secret
false
-### FlowCollector.spec.exporters[index].kafka.sasl.reference +### FlowCollector.spec.exporters[index].kafka.sasl.clientSecretReference [↩ Parent](#flowcollectorspecexportersindexkafkasasl) -Reference to the secret or config map containing the client ID and secret +Reference to the secret or config map containing the client secret @@ -5718,17 +5763,24 @@ Reference to the secret or config map containing the client ID and secret + + + + + @@ -5737,7 +5789,7 @@ Reference to the secret or config map containing the client ID and secret @@ -5985,46 +6037,91 @@ SASL authentication configuration. [Unsupported (*)]. - + + + + + + + + + + + + + + + +
filestring + File name within the config map or secret
+
false
name string - Name of the config map or secret to reference
+ Name of the config map or secret containing the file
false
namespace string - Namespace of the config map or secret. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.
+ Namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.

Default:
type enum - Type for the reference: "configmap" or "secret"
+ Type for the file reference: "configmap" or "secret"

Enum: configmap, secret
clientIDKeyclientIDReferenceobject + Reference to the secret or config map containing the client ID
+
false
clientSecretReferenceobject + Reference to the secret or config map containing the client secret
+
false
typeenum + Type of SASL authentication to use, or `DISABLED` if SASL is not used
+
+ Enum: DISABLED, PLAIN, SCRAM-SHA512
+ Default: DISABLED
+
false
+ + +### FlowCollector.spec.kafka.sasl.clientIDReference +[↩ Parent](#flowcollectorspeckafkasasl) + + + +Reference to the secret or config map containing the client ID + + + + + + + + + + + + - + - - + +
NameTypeDescriptionRequired
file string - Key for client ID within the provided `reference`
+ File name within the config map or secret
false
clientSecretKeyname string - Key for client secret within the provided `reference`
+ Name of the config map or secret containing the file
false
referenceobjectnamespacestring - Reference to the secret or config map containing the client ID and secret
+ Namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.
+
+ Default:
false
type enum - Type of SASL authentication to use, or `DISABLED` if SASL is not used
+ Type for the file reference: "configmap" or "secret"

- Enum: DISABLED, PLAIN, SCRAM-SHA512
- Default: DISABLED
+ Enum: configmap, secret
false
-### FlowCollector.spec.kafka.sasl.reference +### FlowCollector.spec.kafka.sasl.clientSecretReference [↩ Parent](#flowcollectorspeckafkasasl) -Reference to the secret or config map containing the client ID and secret +Reference to the secret or config map containing the client secret @@ -6036,17 +6133,24 @@ Reference to the secret or config map containing the client ID and secret + + + + + @@ -6055,7 +6159,7 @@ Reference to the secret or config map containing the client ID and secret @@ -8085,21 +8189,21 @@ Reference to the CA file will be ignored @@ -8108,7 +8212,7 @@ Reference to the CA file will be ignored diff --git a/pkg/volumes/builder.go b/pkg/volumes/builder.go index d93d6542e..305b1538b 100644 --- a/pkg/volumes/builder.go +++ b/pkg/volumes/builder.go @@ -2,6 +2,7 @@ package volumes import ( "fmt" + "path" corev1 "k8s.io/api/core/v1" @@ -45,10 +46,10 @@ func (b *Builder) AddCertificate(ref *flowslatest.CertificateReference, volumeNa return } -func (b *Builder) AddVolume(config *flowslatest.ConfigOrSecret, volumeName string) string { +func (b *Builder) AddVolume(config *flowslatest.FileReference, volumeName string) string { vol, vm := buildVolumeAndMount(config.Type, config.Name, volumeName) b.info = append(b.info, VolumeInfo{Volume: vol, Mount: vm}) - return "/var/" + volumeName + return path.Join("var", volumeName, config.File) } // AddToken will add a volume + volume mount for a service account token if defined diff --git a/pkg/watchers/object_ref.go b/pkg/watchers/object_ref.go index 93a337820..1eb4f925f 100644 --- a/pkg/watchers/object_ref.go +++ b/pkg/watchers/object_ref.go 
@@ -11,16 +11,16 @@ type objectRef struct { keys []string } -func (w *Watcher) refFromConfigOrSecret(cos *flowslatest.ConfigOrSecret, keys []string) objectRef { - ns := cos.Namespace +func (w *Watcher) refFromFile(fr *flowslatest.FileReference) objectRef { + ns := fr.Namespace if ns == "" { ns = w.defaultNamespace } return objectRef{ - kind: cos.Type, - name: cos.Name, + kind: fr.Type, + name: fr.Name, namespace: ns, - keys: keys, + keys: []string{fr.File}, } } diff --git a/pkg/watchers/watcher.go b/pkg/watchers/watcher.go index 60d53ad11..9f2393921 100644 --- a/pkg/watchers/watcher.go +++ b/pkg/watchers/watcher.go @@ -101,8 +101,16 @@ func (w *Watcher) ProcessCACert(ctx context.Context, cl helper.Client, tls *flow return caDigest, nil } -func (w *Watcher) ProcessSASL(ctx context.Context, cl helper.Client, sasl *flowslatest.SASLConfig, targetNamespace string) (string, error) { - return w.reconcile(ctx, cl, w.refFromConfigOrSecret(&sasl.Reference, []string{sasl.ClientIDKey, sasl.ClientSecretKey}), targetNamespace) +func (w *Watcher) ProcessSASL(ctx context.Context, cl helper.Client, sasl *flowslatest.SASLConfig, targetNamespace string) (idDigest string, secretDigest string, err error) { + idDigest, err = w.reconcile(ctx, cl, w.refFromFile(&sasl.ClientIDReference), targetNamespace) + if err != nil { + return "", "", err + } + secretDigest, err = w.reconcile(ctx, cl, w.refFromFile(&sasl.ClientSecretReference), targetNamespace) + if err != nil { + return "", "", err + } + return idDigest, secretDigest, nil } func (w *Watcher) reconcile(ctx context.Context, cl helper.Client, ref objectRef, destNamespace string) (string, error) { diff --git a/pkg/watchers/watcher_test.go b/pkg/watchers/watcher_test.go index 129a55168..85058866b 100644 --- a/pkg/watchers/watcher_test.go +++ b/pkg/watchers/watcher_test.go 
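Review bot: Nothing in this patch rejects an empty `File` (the CRD `file` property carries no required/MinLength marker), yet `refFromFile` then watches the key `""` and the volume builder returns the mount directory instead of a file, so a `type: PLAIN` CR with incomplete references fails only later inside the agent or FLP with an opaque open error. I would fail fast here, before `reconcile` copies anything: `if sasl.ClientIDReference.File == "" || sasl.ClientSecretReference.File == "" { return "", "", errors.New("sasl: clientIDReference.file and clientSecretReference.file must be set") }` (use whatever error helper watcher.go already imports). A doc comment on `ProcessSASL` should also state that a reference from another namespace is copied into `targetNamespace`, which for the agent is the privileged namespace, so the credentials end up duplicated there.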
@@ -97,12 +97,16 @@ var kafkaSaslSecret = corev1.Secret{ }, } var kafkaSaslConfig = flowslatest.SASLConfig{ - Reference: flowslatest.ConfigOrSecret{ + ClientIDReference: flowslatest.FileReference{ Type: flowslatest.RefTypeSecret, Name: kafkaSaslSecret.Name, + File: "id", + }, + ClientSecretReference: flowslatest.FileReference{ + Type: flowslatest.RefTypeSecret, + Name: kafkaSaslSecret.Name, + File: "token", }, - ClientIDKey: "id", - ClientSecretKey: "token", } func TestGenDigests(t *testing.T) { @@ -136,9 +140,10 @@ func TestGenDigests(t *testing.T) { assert.Equal("bNKS0Q==", dig2) // Different output for sasl via watcher.Process - dig1, err = watcher.ProcessSASL(context.Background(), cl, &kafkaSaslConfig, baseNamespace) + dig1, dig2, err = watcher.ProcessSASL(context.Background(), cl, &kafkaSaslConfig, baseNamespace) assert.NoError(err) - assert.Equal("8aAMRw==", dig1) + assert.Equal("DTk0Pg==", dig1) // for client ID + assert.Equal("ItNuCg==", dig2) // for client secret // Update object, verify the digest has changed caCopy := lokiCA
filestring + File name within the config map or secret
+
false
name string - Name of the config map or secret to reference
+ Name of the config map or secret containing the file
false
namespace string - Namespace of the config map or secret. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.
+ Namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.

Default:
type enum - Type for the reference: "configmap" or "secret"
+ Type for the file reference: "configmap" or "secret"

Enum: configmap, secret
file string - file defines the file name within the config map or secret
+ File name within the config map or secret
false
name string - name of the config map or secret containing the file
+ Name of the config map or secret containing the file
false
namespace string - namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.
+ Namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.

Default:
type enum - type for the file reference: "configmap" or "secret"
+ Type for the file reference: "configmap" or "secret"

Enum: configmap, secret