[openstackclient] Update controller to watch named input resources

Adds watches for name secret and configmap resources from the OpenStackClient CRD. This allows to watch the specific resources when they change. Also adds EnvTest for OpenstackClient being created by the OpenstackControlPlane controller. Depends-On: openstack-k8s-operators/lib-common#428
stuggi · Jan 10, 2024 · da81248 · da81248
1 parent c9e7520
commit da81248
Show file tree

Hide file tree

Showing 14 changed files with 314 additions and 88 deletions.
diff --git a/apis/bases/client.openstack.org_openstackclients.yaml b/apis/bases/client.openstack.org_openstackclients.yaml
@@ -36,7 +36,7 @@ spec:
             type: object
           spec:
             properties:
-              caSecretName:
+              caBundleSecretName:
                 type: string
               containerImage:
                 type: string

diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -6432,6 +6432,33 @@ spec:
                         type: object
                       secret:
                         type: string
+                      tls:
+                        properties:
+                          api:
+                            properties:
+                              disabled:
+                                type: boolean
+                              endpoint:
+                                additionalProperties:
+                                  properties:
+                                    secretName:
+                                      type: string
+                                  type: object
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            type: string
+                          db:
+                            properties:
+                              disabled:
+                                type: boolean
+                            type: object
+                          messaging:
+                            properties:
+                              disabled:
+                                type: boolean
+                            type: object
+                        type: object
                       trustFlushArgs:
                         default: ""
                         type: string
@@ -10257,7 +10284,7 @@ spec:
                 properties:
                   template:
                     properties:
-                      caSecretName:
+                      caBundleSecretName:
                         type: string
                       containerImage:
                         type: string
@@ -15915,7 +15942,7 @@ spec:
                     public:
                       enabled: true
                 properties:
-                  caSecretName:
+                  caBundleSecretName:
                     type: string
                   endpoint:
                     additionalProperties:

diff --git a/apis/go.mod b/apis/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240104150635-c4ffc51e0752
 	github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240104144719-8030e9e8c962
 	github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240108143014-3f12c3253835
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240110131857-e70e1dec4d14
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240104144719-72b9a4ab968c
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240104162634-fe72003c6343
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240104150349-c082ca19cafe
@@ -45,7 +45,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
@@ -70,7 +70,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/openshift/api v3.9.0+incompatible // indirect
 	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240104154954-dc504be0d9be //indirect
-	github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240104154954-dc504be0d9be
+	github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240106101723-5f7aa263457f
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.16.0 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
@@ -83,7 +83,7 @@ require (
 	golang.org/x/term v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

diff --git a/apis/go.sum b/apis/go.sum
@@ -21,8 +21,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE=
-github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -148,12 +148,12 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240104144719-8
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240104144719-8030e9e8c962/go.mod h1:H6BuZ52u+Dq/vWJgpGIJLttRTnPPH3xdVeqhI99QE/k=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316 h1:IwTuIoC78bbp3awd8P0tWeknCe2jNLB1FCJDIwI/2Pg=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316/go.mod h1:qx+z+k0RMK8Vcl5Nug6bOScEg7ROSxEV4FFy0gjcQDQ=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240108143014-3f12c3253835 h1:+FYUZiEc3ZE2TgpPhhLS8YOcdKBqk7rAi3kXvimhCKQ=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240108143014-3f12c3253835/go.mod h1:ov4lAbniNUsLqZCBp1RTixpqXc8JlzA5B+yTcCkJXQg=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240110131857-e70e1dec4d14 h1:8batipIElAHscbsVUJz8w/2NOvu+pRi8ixF1XUP6WiQ=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240110131857-e70e1dec4d14/go.mod h1:ov4lAbniNUsLqZCBp1RTixpqXc8JlzA5B+yTcCkJXQg=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240104154954-dc504be0d9be h1:DuW+qO6nZFeJMDvLvhoP1a0+ynHTzNvUDwngizejgDo=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240104154954-dc504be0d9be/go.mod h1:NcWtgGX7OhEID9BtvAMNB/rlsqw9yA2OoYIjWRYP1HY=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240104154954-dc504be0d9be h1:gFSUckhjuCEae4NjZqspBPYwf7NJXg3hvrabZ6ZTxg4=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240104154954-dc504be0d9be/go.mod h1:TI+VN4M3mVJy2QbnqFG0+7jHEkPXJn4LgYJjVP57pdE=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240106101723-5f7aa263457f h1:b9fpRkubG+tk6uKGCNz/kuTWYtpUFsm3d/jECF1AmAs=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240106101723-5f7aa263457f/go.mod h1:MwShIB0G7riRDWXS2JQfcdETm+yutb3qpdnxu/yg+Xk=
 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240104144719-72b9a4ab968c h1:Nuo4tls05ws3FoK/6IZajPzz9LdWmFJZ7IxM0Rnu5oY=
 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240104144719-72b9a4ab968c/go.mod h1:AIdqCEAycRS/78wgnLhAjRkgkt7gygVmakvOp//vlz0=
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240104162634-fe72003c6343 h1:KrzABqo34PVd4kGxVwTZj/j4ZbTmH/vE/TL13t/ojGA=
@@ -307,8 +307,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc=
-gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=

diff --git a/config/crd/bases/client.openstack.org_openstackclients.yaml b/config/crd/bases/client.openstack.org_openstackclients.yaml
@@ -36,7 +36,7 @@ spec:
             type: object
           spec:
             properties:
-              caSecretName:
+              caBundleSecretName:
                 type: string
               containerImage:
                 type: string

diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -6432,6 +6432,33 @@ spec:
                         type: object
                       secret:
                         type: string
+                      tls:
+                        properties:
+                          api:
+                            properties:
+                              disabled:
+                                type: boolean
+                              endpoint:
+                                additionalProperties:
+                                  properties:
+                                    secretName:
+                                      type: string
+                                  type: object
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            type: string
+                          db:
+                            properties:
+                              disabled:
+                                type: boolean
+                            type: object
+                          messaging:
+                            properties:
+                              disabled:
+                                type: boolean
+                            type: object
+                        type: object
                       trustFlushArgs:
                         default: ""
                         type: string
@@ -10257,7 +10284,7 @@ spec:
                 properties:
                   template:
                     properties:
-                      caSecretName:
+                      caBundleSecretName:
                         type: string
                       containerImage:
                         type: string
@@ -15915,7 +15942,7 @@ spec:
                     public:
                       enabled: true
                 properties:
-                  caSecretName:
+                  caBundleSecretName:
                     type: string
                   endpoint:
                     additionalProperties:

diff --git a/controllers/client/openstackclient_controller.go b/controllers/client/openstackclient_controller.go
@@ -26,14 +26,21 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
@@ -42,6 +49,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
 	helper "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
@@ -232,8 +240,15 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	}
 	configVars[*instance.Spec.OpenStackConfigSecret] = env.SetValue(secretHash)
 
-	if instance.Spec.CaSecretName != "" {
-		_, secretHash, err := secret.GetSecret(ctx, helper, instance.Spec.CaSecretName, instance.Namespace)
+	if instance.Spec.CaBundleSecretName != "" {
+		secretHash, ctrlResult, err := tls.ValidateCACertSecret(
+			ctx,
+			helper.GetClient(),
+			types.NamespacedName{
+				Name:      instance.Spec.CaBundleSecretName,
+				Namespace: instance.Namespace,
+			},
+		)
 		if err != nil {
 			if k8s_errors.IsNotFound(err) {
 				instance.Status.Conditions.Set(condition.FalseCondition(
@@ -250,8 +265,16 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 				clientv1.OpenStackClientReadyErrorMessage,
 				err.Error()))
 			return ctrl.Result{}, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				clientv1.OpenStackClientReadyCondition,
+				condition.RequestedReason,
+				condition.SeverityInfo,
+				clientv1.OpenStackClientSecretWaitingMessage))
+			return ctrlResult, nil
 		}
-		configVars[instance.Spec.CaSecretName] = env.SetValue(secretHash)
+
+		configVars[instance.Spec.CaBundleSecretName] = env.SetValue(secretHash)
 	}
 
 	configVarsHash, err := util.HashOfInputHashes(configVars)
@@ -269,12 +292,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	op, err := controllerutil.CreateOrPatch(ctx, r.Client, osclient, func() error {
 		isPodUpdate := !osclient.ObjectMeta.CreationTimestamp.IsZero()
 		if !isPodUpdate {
-			spec, err := openstackclient.ClientPodSpec(ctx, instance, helper, clientLabels, configVarsHash)
-			if err != nil {
-				return err
-			}
-
-			osclient.Spec = *spec
+			osclient.Spec = openstackclient.ClientPodSpec(ctx, instance, helper, clientLabels, configVarsHash)
 		} else {
 			hashupdate := false
 
@@ -367,14 +385,113 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 }
 
+// fields to index to reconcile when change
+const (
+	caBundleSecretNameField    = ".spec.caBundleSecretName"
+	openStackConfigMapField    = ".spec.openStackConfigMap"
+	openStackConfigSecretField = ".spec.openStackConfigSecret"
+)
+
+var (
+	allWatchFields = []string{
+		caBundleSecretNameField,
+		openStackConfigMapField,
+		openStackConfigSecretField,
+	}
+)
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *OpenStackClientReconciler) SetupWithManager(mgr ctrl.Manager) error {
 
+	// index caBundleSecretNameField
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &clientv1.OpenStackClient{}, caBundleSecretNameField, func(rawObj client.Object) []string {
+		// Extract the secret name from the spec, if one is provided
+		cr := rawObj.(*clientv1.OpenStackClient)
+		if cr.Spec.CaBundleSecretName == "" {
+			return nil
+		}
+		return []string{cr.Spec.CaBundleSecretName}
+	}); err != nil {
+		return err
+	}
+	// index openStackConfigMap
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &clientv1.OpenStackClient{}, openStackConfigMapField, func(rawObj client.Object) []string {
+		// Extract the configmap name from the spec, if one is provided
+		cr := rawObj.(*clientv1.OpenStackClient)
+		if cr.Spec.OpenStackConfigMap == nil {
+			return nil
+		}
+		if *cr.Spec.OpenStackConfigMap == "" {
+			return nil
+		}
+		return []string{*cr.Spec.OpenStackConfigMap}
+	}); err != nil {
+		return err
+	}
+	// index openStackConfigSecret
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &clientv1.OpenStackClient{}, openStackConfigSecretField, func(rawObj client.Object) []string {
+		// Extract the configmap name from the spec, if one is provided
+		cr := rawObj.(*clientv1.OpenStackClient)
+		if cr.Spec.OpenStackConfigSecret == nil {
+			return nil
+		}
+		if *cr.Spec.OpenStackConfigSecret == "" {
+			return nil
+		}
+		return []string{*cr.Spec.OpenStackConfigSecret}
+	}); err != nil {
+		return err
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&clientv1.OpenStackClient{}).
 		Owns(&corev1.Pod{}).
 		Owns(&corev1.ServiceAccount{}).
 		Owns(&rbacv1.Role{}).
 		Owns(&rbacv1.RoleBinding{}).
+		Watches(
+			&source.Kind{Type: &corev1.Secret{}},
+			handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
+			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
+		).
+		Watches(
+			&source.Kind{Type: &corev1.ConfigMap{}},
+			handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
+			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
+		).
+		Watches(
+			&source.Kind{Type: &corev1.Secret{}},
+			handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
+			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
+		).
 		Complete(r)
 }
+
+func (r *OpenStackClientReconciler) findObjectsForSrc(src client.Object) []reconcile.Request {
+	requests := []reconcile.Request{}
+
+	for _, field := range allWatchFields {
+		crList := &clientv1.OpenStackClientList{}
+		listOps := &client.ListOptions{
+			FieldSelector: fields.OneTermEqualSelector(field, src.GetName()),
+			Namespace:     src.GetNamespace(),
+		}
+		err := r.List(context.TODO(), crList, listOps)
+		if err != nil {
+			return []reconcile.Request{}
+		}
+
+		for _, item := range crList.Items {
+			requests = append(requests,
+				reconcile.Request{
+					NamespacedName: types.NamespacedName{
+						Name:      item.GetName(),
+						Namespace: item.GetNamespace(),
+					},
+				},
+			)
+		}
+	}
+
+	return requests
+}