Move default image configuration to operator pod environment variables (#867)

* Move default user updater image to CLI flag

This follows the same path as #858, and allows for easier helm integration

* Set the default image prior ot statefulset reconciliation

* Move CLI flags to env vars instead

Author: coro

api/v1beta1/rabbitmqcluster_types.go

@@ -117,7 +117,6 @@ type VaultSpec struct {
 	// Sidecar container that updates the default user's password in RabbitMQ when it changes in Vault.
 	// Additionally, it updates /var/lib/rabbitmq/.rabbitmqadmin.conf (used by rabbitmqadmin CLI).
 	// Set to empty string to disable the sidecar container.
-	// +kubebuilder:default:="rabbitmqoperator/default-user-credential-updater:1.0.0"
 	DefaultUserUpdaterImage *string      `json:"defaultUserUpdaterImage,omitempty"`
 	TLS                     VaultTLSSpec `json:"tls,omitempty"`
 }
@@ -427,6 +426,10 @@ func (cluster *RabbitmqCluster) VaultEnabled() bool {
 	return cluster.Spec.SecretBackend.Vault != nil
 }
 
+func (cluster *RabbitmqCluster) UsesDefaultUserUpdaterImage() bool {
+	return cluster.VaultEnabled() && cluster.Spec.SecretBackend.Vault.DefaultUserUpdaterImage == nil
+}
+
 func (cluster *RabbitmqCluster) VaultDefaultUserSecretEnabled() bool {
 	return cluster.VaultEnabled() && cluster.Spec.SecretBackend.Vault.DefaultUserSecretEnabled()
 }

api/v1beta1/rabbitmqcluster_types_test.go

@@ -11,7 +11,6 @@ package v1beta1
 import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
-	. "github.com/onsi/gomega/gstruct"
 	"github.com/rabbitmq/cluster-operator/internal/status"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -389,10 +388,6 @@ var _ = Describe("RabbitmqCluster", func() {
 					Expect(fetchedRabbit.Spec.SecretBackend.Vault.DefaultUserSecretEnabled()).To(BeTrue())
 					Expect(fetchedRabbit.VaultTLSEnabled()).To(BeFalse())
 					Expect(fetchedRabbit.Spec.SecretBackend.Vault.TLSEnabled()).To(BeFalse())
-
-					By("setting the default-user-credential-updater image by default")
-					Expect(fetchedRabbit.Spec.SecretBackend.Vault.DefaultUserUpdaterImage).To(
-						PointTo(HavePrefix("rabbitmqoperator/default-user-credential-updater:")))
 				})
 			})
 			When("only TLS is configured", func() {

config/crd/bases/rabbitmq.com_rabbitmqclusters.yaml

@@ -3809,7 +3809,6 @@ spec:
                           description: Path in Vault to access a KV (Key-Value) secret with the fields username and password for the default user. For example "secret/data/rabbitmq/config".
                           type: string
                         defaultUserUpdaterImage:
-                          default: rabbitmqoperator/default-user-credential-updater:1.0.0
                           description: Sidecar container that updates the default user's password in RabbitMQ when it changes in Vault. Additionally, it updates /var/lib/rabbitmq/.rabbitmqadmin.conf (used by rabbitmqadmin CLI). Set to empty string to disable the sidecar container.
                           type: string
                         role:

controllers/rabbitmqcluster_controller.go

@@ -57,13 +57,14 @@ const (
 // RabbitmqClusterReconciler reconciles a RabbitmqCluster object
 type RabbitmqClusterReconciler struct {
 	client.Client
-	Scheme               *runtime.Scheme
-	Namespace            string
-	Recorder             record.EventRecorder
-	ClusterConfig        *rest.Config
-	Clientset            *kubernetes.Clientset
-	PodExecutor          PodExecutor
-	DefaultRabbitmqImage string
+	Scheme                  *runtime.Scheme
+	Namespace               string
+	Recorder                record.EventRecorder
+	ClusterConfig           *rest.Config
+	Clientset               *kubernetes.Clientset
+	PodExecutor             PodExecutor
+	DefaultRabbitmqImage    string
+	DefaultUserUpdaterImage string
 }
 
 // the rbac rule requires an empty row at the end to render
@@ -127,6 +128,19 @@ func (r *RabbitmqClusterReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 	}
 
+	if rabbitmqCluster.UsesDefaultUserUpdaterImage() {
+		rabbitmqCluster.Spec.SecretBackend.Vault.DefaultUserUpdaterImage = &r.DefaultUserUpdaterImage
+		if err = r.Update(ctx, rabbitmqCluster); err != nil {
+			if k8serrors.IsConflict(err) {
+				logger.Info("failed to update image because of conflict; requeueing...",
+					"namespace", rabbitmqCluster.Namespace,
+					"name", rabbitmqCluster.Name)
+				return ctrl.Result{RequeueAfter: 2 * time.Second}, nil
+			}
+			return ctrl.Result{}, err
+		}
+	}
+
 	// Ensure the resource have a deletion marker
 	if err := r.addFinalizerIfNeeded(ctx, rabbitmqCluster); err != nil {
 		return ctrl.Result{}, err

controllers/rabbitmqcluster_controller_test.go

@@ -221,11 +221,16 @@ var _ = Describe("RabbitmqClusterController", func() {
 			Expect(client.Delete(ctx, cluster)).To(Succeed())
 		})
 
-		It("does not expose DefaultUser or its Binding as status", func() {
+		It("applies the Vault configuration", func() {
+			By("not exposing DefaultUser or its Binding as status")
 			Expect(cluster).NotTo(BeNil())
 			Expect(cluster.Status).NotTo(BeNil())
 			Expect(cluster.Status.DefaultUser).To(BeNil())
 			Expect(cluster.Status.Binding).To(BeNil())
+			By("setting the default user updater image to the controller default")
+			fetchedCluster := &rabbitmqv1beta1.RabbitmqCluster{}
+			Expect(client.Get(ctx, types.NamespacedName{Name: "rabbitmq-vault", Namespace: defaultNamespace}, fetchedCluster)).To(Succeed())
+			Expect(fetchedCluster.Spec.SecretBackend.Vault.DefaultUserUpdaterImage).To(PointTo(Equal(defaultUserUpdaterImage)))
 		})
 	})
 

controllers/suite_test.go

@@ -34,8 +34,9 @@ import (
 )
 
 const (
-	controllerName       = "rabbitmqcluster-controller"
-	defaultRabbitmqImage = "default-rabbit-image:stable"
+	controllerName          = "rabbitmqcluster-controller"
+	defaultRabbitmqImage    = "default-rabbit-image:stable"
+	defaultUserUpdaterImage = "default-UU-image:unstable"
 )
 
 var (
@@ -85,13 +86,14 @@ var _ = BeforeSuite(func() {
 
 	fakeExecutor = &fakePodExecutor{}
 	err = (&controllers.RabbitmqClusterReconciler{
-		Client:               mgr.GetClient(),
-		Scheme:               mgr.GetScheme(),
-		Recorder:             mgr.GetEventRecorderFor(controllerName),
-		Namespace:            "rabbitmq-system",
-		Clientset:            clientSet,
-		PodExecutor:          fakeExecutor,
-		DefaultRabbitmqImage: defaultRabbitmqImage,
+		Client:                  mgr.GetClient(),
+		Scheme:                  mgr.GetScheme(),
+		Recorder:                mgr.GetEventRecorderFor(controllerName),
+		Namespace:               "rabbitmq-system",
+		Clientset:               clientSet,
+		PodExecutor:             fakeExecutor,
+		DefaultRabbitmqImage:    defaultRabbitmqImage,
+		DefaultUserUpdaterImage: defaultUserUpdaterImage,
 	}).SetupWithManager(mgr)
 	Expect(err).ToNot(HaveOccurred())
 

main.go

@@ -44,12 +44,12 @@ func init() {
 
 func main() {
 	var (
-		metricsAddr          string
-		defaultRabbitmqImage string
+		metricsAddr             string
+		defaultRabbitmqImage    = "rabbitmq:3.8.21-management"
+		defaultUserUpdaterImage = "rabbitmqoperator/default-user-credential-updater:1.0.0"
 	)
 
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":9782", "The address the metric endpoint binds to.")
-	flag.StringVar(&defaultRabbitmqImage, "default-rabbitmq-image", "rabbitmq:3.8.21-management", "The default image to use in RabbitmqClusters when not specified in the rabbitmqcluster.spec.image")
 
 	opts := zap.Options{}
 	opts.BindFlags(flag.CommandLine)
@@ -67,6 +67,14 @@ func main() {
 	// If the environment variable is not set Getenv returns an empty string which ctrl.Options.Namespace takes to mean all namespaces should be watched
 	operatorScopeNamespace := os.Getenv("OPERATOR_SCOPE_NAMESPACE")
 
+	if configuredDefaultRabbitmqImage, ok := os.LookupEnv("DEFAULT_RABBITMQ_IMAGE"); ok {
+		defaultRabbitmqImage = configuredDefaultRabbitmqImage
+	}
+
+	if configuredDefaultUserUpdaterImage, ok := os.LookupEnv("DEFAULT_USER_UPDATER_IMAGE"); ok {
+		defaultUserUpdaterImage = configuredDefaultUserUpdaterImage
+	}
+
 	options := ctrl.Options{
 		Scheme:                  scheme,
 		MetricsBindAddress:      metricsAddr,
@@ -110,14 +118,15 @@ func main() {
 	}
 
 	err = (&controllers.RabbitmqClusterReconciler{
-		Client:               mgr.GetClient(),
-		Scheme:               mgr.GetScheme(),
-		Recorder:             mgr.GetEventRecorderFor(controllerName),
-		Namespace:            operatorNamespace,
-		ClusterConfig:        clusterConfig,
-		Clientset:            kubernetes.NewForConfigOrDie(clusterConfig),
-		PodExecutor:          controllers.NewPodExecutor(),
-		DefaultRabbitmqImage: defaultRabbitmqImage,
+		Client:                  mgr.GetClient(),
+		Scheme:                  mgr.GetScheme(),
+		Recorder:                mgr.GetEventRecorderFor(controllerName),
+		Namespace:               operatorNamespace,
+		ClusterConfig:           clusterConfig,
+		Clientset:               kubernetes.NewForConfigOrDie(clusterConfig),
+		PodExecutor:             controllers.NewPodExecutor(),
+		DefaultRabbitmqImage:    defaultRabbitmqImage,
+		DefaultUserUpdaterImage: defaultUserUpdaterImage,
 	}).SetupWithManager(mgr)
 	if err != nil {
 		log.Error(err, "unable to create controller", controllerName)