[artemiscloud#651] Use security secrets to serialize ActiveMQArtemisS…

…ecurity CRs (cherry picked from commit cc7e4ed) downstream: ENTMQBR-8208
brusdev · Jul 21, 2023 · 8c4103f · 8c4103f
1 parent b7c6d72
commit 8c4103f
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 20 deletions.
diff --git a/controllers/activemqartemis_reconciler.go b/controllers/activemqartemis_reconciler.go
@@ -1783,6 +1783,14 @@ func (reconciler *ActiveMQArtemisReconcilerImpl) NewPodTemplateSpecForCR(customR
 		if len(handlerCmds) > 0 {
 			clog.Info("appending to initCmd array...")
 			brokerHandlerCmds = append(brokerHandlerCmds, handlerCmds...)
+
+			securitySecretVolumeName := "secret-security-" + brokerConfigHandler.GetCRName()
+			securitySecretVolume := volumes.MakeVolume(securitySecretVolumeName)
+			podSpec.Volumes = append(podSpec.Volumes, securitySecretVolume)
+
+			securitySecretVoluneMountName := securitySecretVolumeName + "-volume"
+			securitySecretVoluneMount := volumes.MakeVolumeMount(securitySecretVoluneMountName)
+			podSpec.InitContainers[0].VolumeMounts = append(podSpec.InitContainers[0].VolumeMounts, securitySecretVoluneMount)
 		}
 	}
 

diff --git a/controllers/activemqartemissecurity_controller.go b/controllers/activemqartemissecurity_controller.go
@@ -115,8 +115,18 @@ func (r *ActiveMQArtemisSecurityReconciler) Reconcile(ctx context.Context, reque
 		reqLogger.Error(merr, "failed to marshal cr")
 	}
 
+	instanceWithPasswords := newHandler.processCrPasswords()
+
+	// remove superfluous data that can trip up the shell
+	instanceWithPasswords.ObjectMeta = metav1.ObjectMeta{}
+
+	data, err := yaml.Marshal(instanceWithPasswords)
+	if err != nil {
+		reqLogger.Error(merr, "failed to marshal cr with passwords")
+	}
+
 	lsrcrs.StoreLastSuccessfulReconciledCR(instance, instance.Name, instance.Namespace, "security",
-		crstr, "", instance.ResourceVersion, getLabels(instance), r.Client, r.Scheme)
+		crstr, string(data), instance.ResourceVersion, getLabels(instance), r.Client, r.Scheme)
 
 	return ctrl.Result{RequeueAfter: common.GetReconcileResyncPeriod()}, nil
 }
@@ -133,6 +143,10 @@ func getLabels(cr *brokerv1beta1.ActiveMQArtemisSecurity) map[string]string {
 	return labelBuilder.Labels()
 }
 
+func (r *ActiveMQArtemisSecurityConfigHandler) GetCRName() string {
+	return r.SecurityCR.Name
+}
+
 func (r *ActiveMQArtemisSecurityConfigHandler) IsApplicableFor(brokerNamespacedName types.NamespacedName) bool {
 	reqLogger := ctrl.Log.WithValues("IsApplicableFor", brokerNamespacedName)
 
@@ -252,15 +266,11 @@ func (r *ActiveMQArtemisSecurityConfigHandler) getPassword(secretName string, ke
 
 func (r *ActiveMQArtemisSecurityConfigHandler) Config(initContainers []corev1.Container, outputDirRoot string, yacfgProfileVersion string, yacfgProfileName string) (value []string) {
 	ctrl.Log.Info("Reconciling ActiveMQArtemisSecurity", "cr", r.SecurityCR)
-	result := r.processCrPasswords()
 	outputDir := outputDirRoot + "/security"
 	var configCmds = []string{"echo \"making dir " + outputDir + "\"", "mkdir -p " + outputDir}
 	filePath := outputDir + "/security-config.yaml"
-	cmdPersistCRAsYaml, err := r.persistCR(filePath, result)
-	if err != nil {
-		slog.Error(err, "Error marshalling security CR", "cr", r.SecurityCR)
-		return nil
-	}
+	securitySecretVolumeName := "secret-security-" + r.SecurityCR.Name + "-volume"
+	cmdPersistCRAsYaml := "cp /etc/" + securitySecretVolumeName + "/Data " + filePath
 	slog.Info("get the command", "value", cmdPersistCRAsYaml)
 	configCmds = append(configCmds, cmdPersistCRAsYaml)
 	configCmds = append(configCmds, "/opt/amq-broker/script/cfg/config-security.sh")
@@ -292,19 +302,6 @@ func (r *ActiveMQArtemisSecurityConfigHandler) Config(initContainers []corev1.Co
 	return configCmds
 }
 
-func (r *ActiveMQArtemisSecurityConfigHandler) persistCR(filePath string, cr *brokerv1beta1.ActiveMQArtemisSecurity) (value string, err error) {
-
-	// remove superfluous data that can trip up the shell
-	stripped := cr.DeepCopy()
-	stripped.ObjectMeta = metav1.ObjectMeta{}
-
-	data, err := yaml.Marshal(stripped)
-	if err != nil {
-		return "", err
-	}
-	return "echo \"" + string(data) + "\" > " + filePath, nil
-}
-
 // SetupWithManager sets up the controller with the Manager.
 func (r *ActiveMQArtemisSecurityReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).

diff --git a/controllers/activemqartemissecurity_controller_test.go b/controllers/activemqartemissecurity_controller_test.go
@@ -29,6 +29,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"gopkg.in/yaml.v2"
 
 	appsv1 "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -93,9 +94,18 @@ var _ = Describe("security controller", func() {
 				return secApplied
 			}, timeout, interval).Should(BeTrue())
 
+			expectedSecuritySecret := corev1.Secret{}
+			expectedSecuritySecretKey := types.NamespacedName{Name: "secret-security-" + createdSecurityCr.Name, Namespace: defaultNamespace}
+
+			By("checking the security secret")
+			Eventually(k8sClient.Get(ctx, expectedSecuritySecretKey, &expectedSecuritySecret) == nil, timeout, interval).Should(BeTrue())
+
 			By("delete the broker cr")
 			CleanResource(createdBrokerCr, createdBrokerCr.Name, defaultNamespace)
 
+			By("checking the security secret")
+			Eventually(k8sClient.Get(ctx, expectedSecuritySecretKey, &expectedSecuritySecret) == nil, timeout, interval).Should(BeTrue())
+
 			By("re-deploy the broker cr")
 			brokerCr, createdBrokerCr = DeployCustomBroker(defaultNamespace, func(candidate *brokerv1beta1.ActiveMQArtemis) {
 				candidate.Name = brokerCr.Name
@@ -196,6 +206,11 @@ var _ = Describe("security controller", func() {
 
 					g.Expect(k8sClient.Get(ctx, key, sfsFound)).Should(Succeed())
 					g.Expect(sfsFound.Status.ReadyReplicas).Should(BeEquivalentTo(1))
+
+					data, err := yaml.Marshal(sfsFound)
+					g.Expect(err).To(BeNil())
+					g.Expect(string(data)).ToNot(ContainSubstring(user1Name))
+					g.Expect(string(data)).ToNot(ContainSubstring(password1))
 				}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
 
 				By("Checking console domain name is applied in artemis.profile " + createdBrokerCr.Name)
@@ -472,6 +487,11 @@ var _ = Describe("security controller", func() {
 				return secApplied
 			}, timeout, interval).Should(BeTrue())
 
+			By("checking the security secret")
+			expectedSecuritySecret := &corev1.Secret{}
+			expectedSecuritySecretKey := types.NamespacedName{Name: "secret-security-" + createdSecCrd.Name, Namespace: defaultNamespace}
+			Eventually(k8sClient.Get(ctx, expectedSecuritySecretKey, expectedSecuritySecret) == nil, timeout, interval).Should(BeTrue())
+
 			if os.Getenv("USE_EXISTING_CLUSTER") == "true" {
 				By("Checking ready on SS")
 				Eventually(func(g Gomega) {

diff --git a/pkg/utils/common/common.go b/pkg/utils/common/common.go
@@ -55,6 +55,7 @@ func GetReconcileResyncPeriod() time.Duration {
 }
 
 type ActiveMQArtemisConfigHandler interface {
+	GetCRName() string
 	IsApplicableFor(brokerNamespacedName types.NamespacedName) bool
 	Config(initContainers []corev1.Container, outputDirRoot string, yacfgProfileVersion string, yacfgProfileName string) (value []string)
 }