OpenStack: Add cloud provider secret key #216

dgoodwin · 2020-07-07T17:26:56Z

Please add some comments here for the differences between the two keys, as this is definitely going to be confusing.

dgoodwin · 2020-07-07T17:33:04Z

What's going to happen on a 4.5 to 4.6 upgrade here, presumably this key will not be populated, will all cred requests start failing?

-Original file line number
+Diff line change
@@ Expand Up / @@ -35,7 +35,8 @@ import ( @@
     )
     const (
-    	rootOpenStackCredsSecretKey = "clouds.yaml"
+    	rootOpenStackCredsSecretKey          = "clouds.yaml"
+    	cloudProviderOpenStackCredsSecretKey = "clouds.conf"
     )
     type OpenStackActuator struct {
@@ Expand Down Expand Up @@
     	logger := a.getLogger(cr)
     	logger.Debug("running sync")
-    	clouds, err := a.getRootCloudCredentialsSecretData(ctx, logger)
+    	// Get the base secret
+    	cloudCredSecret := &corev1.Secret{}
+    	if err := a.Client.Get(ctx, a.GetCredentialsRootSecretLocation(), cloudCredSecret); err != nil {
+    		msg := "unable to fetch root cloud cred secret"
+    		logger.WithError(err).Error(msg)
+    		return &actuatoriface.ActuatorError{
+    			ErrReason: minterv1.CredentialsProvisionFailure,
+    			Message:   fmt.Sprintf("%v: %v", msg, err),
+    		}
+    	}
+    	cloudsYAML, err := a.getCloudCredentialsSecretData(cloudCredSecret, rootOpenStackCredsSecretKey, logger)
+    	if err != nil {
+    		logger.WithError(err).Error("issue with cloud credentials secret")
+    		return err
+    	}
+    	cloudsCONF, err := a.getCloudCredentialsSecretData(cloudCredSecret, cloudProviderOpenStackCredsSecretKey, logger)
     	if err != nil {
     		logger.WithError(err).Error("issue with cloud credentials secret")
     		return err
@@ Expand All @@
     		return err
     	}
-    	err = a.syncCredentialSecret(cr, clouds, existingSecret, "", logger)
+    	err = a.syncCredentialSecret(cr, cloudsYAML, cloudsCONF, existingSecret, "", logger)
     	if err != nil {
     		msg := "error creating/updating secret"
     		logger.WithError(err).Error(msg)
@@ Expand All @@
     	return nil
     }
-    func (a *OpenStackActuator) syncCredentialSecret(cr *minterv1.CredentialsRequest, clouds string, existingSecret *corev1.Secret, userPolicy string, logger log.FieldLogger) error {
+    func (a *OpenStackActuator) syncCredentialSecret(cr *minterv1.CredentialsRequest, cloudsYAML, cloudsCONF string, existingSecret *corev1.Secret, userPolicy string, logger log.FieldLogger) error {
     	sLog := logger.WithFields(log.Fields{
     		"targetSecret": fmt.Sprintf("%s/%s", cr.Spec.SecretRef.Namespace, cr.Spec.SecretRef.Name),
     		"cr":           fmt.Sprintf("%s/%s", cr.Namespace, cr.Name),
     	})
     	if existingSecret == nil || existingSecret.Name == "" {
-    		if clouds == "" {
+    		if cloudsYAML == "" || cloudsCONF == "" {
     			msg := "new access key secret needed but no key data provided"
     			sLog.Error(msg)
     			return &actuatoriface.ActuatorError{
@@ Expand All @@
     					minterv1.AnnotationCredentialsRequest: fmt.Sprintf("%s/%s", cr.Namespace, cr.Name),
     				},
     			},
-    			Data: map[string][]byte{rootOpenStackCredsSecretKey: []byte(clouds)},
+    			Data: map[string][]byte{
+    				rootOpenStackCredsSecretKey:          []byte(cloudsYAML),
+    				cloudProviderOpenStackCredsSecretKey: []byte(cloudsCONF),
+    			},
     		}
     		err := a.Client.Create(context.TODO(), secret)
@@ Expand All @@
     		existingSecret.Annotations = map[string]string{}
     	}
     	existingSecret.Annotations[minterv1.AnnotationCredentialsRequest] = fmt.Sprintf("%s/%s", cr.Namespace, cr.Name)
-    	if clouds != "" {
-    		existingSecret.Data[rootOpenStackCredsSecretKey] = []byte(clouds)
+    	if cloudsYAML != "" {
+    		existingSecret.Data[rootOpenStackCredsSecretKey] = []byte(cloudsYAML)
+    	}
+    	if cloudsCONF != "" {
+    		existingSecret.Data[cloudProviderOpenStackCredsSecretKey] = []byte(cloudsCONF)
     	}
     	if !reflect.DeepEqual(existingSecret, origSecret) {
@@ Expand Down Expand Up @@
     	if _, ok := existingSecret.Data[rootOpenStackCredsSecretKey]; !ok {
     		logger.Warning("secret did not have expected key: " + rootOpenStackCredsSecretKey)
     	} else {
-    		logger.Debug("found clouds.yaml in existing secret")
+    		logger.Debugf("found %v in existing secret", rootOpenStackCredsSecretKey)
+    	}
+    	if _, ok := existingSecret.Data[cloudProviderOpenStackCredsSecretKey]; !ok {
+    		logger.Warning("secret did not have expected key: " + cloudProviderOpenStackCredsSecretKey)
+    	} else {
+    		logger.Debugf("found %v in existing secret", cloudProviderOpenStackCredsSecretKey)
     	}
     	return existingSecret, nil
@@ Expand All @@
     	return types.NamespacedName{Namespace: constants.CloudCredSecretNamespace, Name: constants.OpenStackCloudCredsSecretName}
     }
-    func (a *OpenStackActuator) getRootCloudCredentialsSecretData(ctx context.Context, logger log.FieldLogger) (string, error) {
-    	var clouds string
-    	cloudCredSecret := &corev1.Secret{}
-    	if err := a.Client.Get(ctx, a.GetCredentialsRootSecretLocation(), cloudCredSecret); err != nil {
-    		msg := "unable to fetch root cloud cred secret"
-    		logger.WithError(err).Error(msg)
-    		return "", &actuatoriface.ActuatorError{
-    			ErrReason: minterv1.CredentialsProvisionFailure,
-    			Message:   fmt.Sprintf("%v: %v", msg, err),
-    		}
-    	}
-    	keyBytes, ok := cloudCredSecret.Data[rootOpenStackCredsSecretKey]
+    func (a *OpenStackActuator) getCloudCredentialsSecretData(cloudCredSecret *corev1.Secret, key string, logger log.FieldLogger) (string, error) {
+    	keyBytes, ok := cloudCredSecret.Data[key]
     	if !ok {
-    		logger.Warning("secret did not have expected key: " + rootOpenStackCredsSecretKey)
+    		logger.Warning("secret did not have expected key: " + key)
     		return "", &actuatoriface.ActuatorError{
     			ErrReason: minterv1.InsufficientCloudCredentials,
-    			Message:   fmt.Sprintf("secret did not have expected key: %v", rootOpenStackCredsSecretKey),
+    			Message:   fmt.Sprintf("secret did not have expected key: %v", key),
     		}
     	}
+    	logger.Debugf("found %v in target secret", key)
-    	clouds = string(keyBytes)
-    	logger.Debug("found clouds.yaml in target secret")
-    	return clouds, nil
+    	return string(keyBytes), nil
     }
     // Delete credentials
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OpenStack: Add cloud provider secret key #216

Uh oh!

Diff view

Diff view

There are no files selected for viewing

dgoodwin Jul 7, 2020

Uh oh!

dgoodwin Jul 7, 2020

Uh oh!

OpenStack: Add cloud provider secret key #216

Uh oh!

OpenStack: Add cloud provider secret key #216

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

dgoodwin Jul 7, 2020

Choose a reason for hiding this comment

Uh oh!

dgoodwin Jul 7, 2020

Choose a reason for hiding this comment

Uh oh!