separate cred secrets for azure/gcp/aws

migtools · Nov 20, 2019 · ef897ef · ef897ef
1 parent 15eb9a7
commit ef897ef
Show file tree

Hide file tree

Showing 9 changed files with 146 additions and 51 deletions.
diff --git a/pkg/apis/migration/v1alpha1/migplan_types.go b/pkg/apis/migration/v1alpha1/migplan_types.go
@@ -25,6 +25,7 @@ import (
 	"sort"
 	"strings"
 
+	pvdr "github.com/fusor/mig-controller/pkg/cloudprovider"
 	migref "github.com/fusor/mig-controller/pkg/reference"
 	velero "github.com/heptio/velero/pkg/apis/velero/v1"
 	appsv1 "github.com/openshift/api/apps/v1"
@@ -562,13 +563,13 @@ func (r *MigPlan) GetVSL(client k8sclient.Client) (*velero.VolumeSnapshotLocatio
 	return nil, nil
 }
 
-// Get the cloud credentials secret by labels.
-func (r *MigPlan) GetCloudSecret(client k8sclient.Client) (*kapi.Secret, error) {
+// Get the cloud credentials secret by labels for the provider.
+func (r *MigPlan) GetCloudSecret(client k8sclient.Client, provider pvdr.Provider) (*kapi.Secret, error) {
 	return GetSecret(
 		client,
 		&kapi.ObjectReference{
 			Namespace: VeleroNamespace,
-			Name:      VeleroCloudSecret,
+			Name:      provider.GetVeleroCloudSecretName(),
 		})
 }
 

diff --git a/pkg/apis/migration/v1alpha1/migstorage_types.go b/pkg/apis/migration/v1alpha1/migstorage_types.go
@@ -134,7 +134,7 @@ func (r *MigStorage) BuildBSLCloudSecret() *kapi.Secret {
 		ObjectMeta: metav1.ObjectMeta{
 			Labels:    r.GetCorrelationLabels(),
 			Namespace: VeleroNamespace,
-			Name:      VeleroCloudSecret,
+			Name:      r.GetBackupStorageProvider().GetVeleroCloudSecretName(),
 		},
 	}
 
@@ -147,7 +147,7 @@ func (r *MigStorage) BuildVSLCloudSecret() *kapi.Secret {
 		ObjectMeta: metav1.ObjectMeta{
 			Labels:    r.GetCorrelationLabels(),
 			Namespace: VeleroNamespace,
-			Name:      VeleroCloudSecret,
+			Name:      r.GetVolumeSnapshotProvider().GetVeleroCloudSecretName(),
 		},
 	}
 
@@ -268,6 +268,7 @@ func (r *VolumeSnapshotConfig) GetProvider(name string) pvdr.Provider {
 		provider = &pvdr.AWSProvider{
 			BaseProvider: pvdr.BaseProvider{
 				Role: pvdr.VolumeSnapshot,
+				Name: name,
 			},
 			Region:                  r.AwsRegion,
 			SnapshotCreationTimeout: r.SnapshotCreationTimeout,
@@ -276,6 +277,7 @@ func (r *VolumeSnapshotConfig) GetProvider(name string) pvdr.Provider {
 		provider = &pvdr.AzureProvider{
 			BaseProvider: pvdr.BaseProvider{
 				Role: pvdr.VolumeSnapshot,
+				Name: name,
 			},
 			ResourceGroup:           r.AzureResourceGroup,
 			APITimeout:              r.AzureAPITimeout,
@@ -285,6 +287,7 @@ func (r *VolumeSnapshotConfig) GetProvider(name string) pvdr.Provider {
 		provider = &pvdr.GCPProvider{
 			BaseProvider: pvdr.BaseProvider{
 				Role: pvdr.VolumeSnapshot,
+				Name: name,
 			},
 			SnapshotCreationTimeout: r.SnapshotCreationTimeout,
 		}

diff --git a/pkg/apis/migration/v1alpha1/resource.go b/pkg/apis/migration/v1alpha1/resource.go
@@ -5,9 +5,8 @@ import (
 )
 
 const (
-	TouchAnnotation   = "touch"
-	VeleroNamespace   = "openshift-migration"
-	VeleroCloudSecret = "cloud-credentials"
+	TouchAnnotation = "touch"
+	VeleroNamespace = "openshift-migration"
 )
 
 // Migration application CR.

diff --git a/pkg/cloudprovider/aws.go b/pkg/cloudprovider/aws.go
@@ -23,8 +23,10 @@ import (
 
 // Credentials Secret.
 const (
-	AwsAccessKeyId     = "aws-access-key-id"
-	AwsSecretAccessKey = "aws-secret-access-key"
+	AwsAccessKeyId                = "aws-access-key-id"
+	AwsSecretAccessKey            = "aws-secret-access-key"
+	AwsVeleroCloudSecretName      = "cloud-credentials"
+	AwsVeleroCloudCredentialsPath = "credentials/cloud"
 )
 
 // S3 constants
@@ -63,6 +65,13 @@ func (p *AWSProvider) GetURL() string {
 	return ""
 }
 
+func (p *AWSProvider) GetVeleroCloudSecretName() string {
+	return AwsVeleroCloudSecretName
+}
+
+func (p *AWSProvider) GetVeleroCloudCredentialsPath() string {
+	return AwsVeleroCloudCredentialsPath
+}
 func (p *AWSProvider) UpdateBSL(bsl *velero.BackupStorageLocation) {
 	bsl.Spec.Provider = AWS
 	bsl.Spec.StorageType = velero.StorageType{

diff --git a/pkg/cloudprovider/azure.go b/pkg/cloudprovider/azure.go
@@ -21,7 +21,9 @@ import (
 
 // Credentials secret.
 const (
-	AzureCredentials = "azure-credentials"
+	AzureCredentials                = "azure-credentials"
+	AzureVeleroCloudSecretName      = "azure-cloud-credentials"
+	AzureVeleroCloudCredentialsPath = "credentials-azure/cloud"
 
 	tenantIDKey             = "AZURE_TENANT_ID"
 	subscriptionIDKey       = "AZURE_SUBSCRIPTION_ID"
@@ -46,6 +48,13 @@ type AzureProvider struct {
 	SnapshotCreationTimeout string
 }
 
+func (p *AzureProvider) GetVeleroCloudSecretName() string {
+	return AzureVeleroCloudSecretName
+}
+
+func (p *AzureProvider) GetVeleroCloudCredentialsPath() string {
+	return AzureVeleroCloudCredentialsPath
+}
 func (p *AzureProvider) UpdateBSL(bsl *velero.BackupStorageLocation) {
 	bsl.Spec.Provider = Azure
 	bsl.Spec.StorageType = velero.StorageType{

diff --git a/pkg/cloudprovider/gcp.go b/pkg/cloudprovider/gcp.go
@@ -14,7 +14,9 @@ import (
 
 // Credentials secret.
 const (
-	GcpCredentials = "gcp-credentials"
+	GcpCredentials                = "gcp-credentials"
+	GcpVeleroCloudSecretName      = "gcp-cloud-credentials"
+	GcpVeleroCloudCredentialsPath = "credentials-gcp/cloud"
 )
 
 type GCPProvider struct {
@@ -24,6 +26,14 @@ type GCPProvider struct {
 	SnapshotCreationTimeout string
 }
 
+func (p *GCPProvider) GetVeleroCloudSecretName() string {
+	return GcpVeleroCloudSecretName
+}
+
+func (p *GCPProvider) GetVeleroCloudCredentialsPath() string {
+	return GcpVeleroCloudCredentialsPath
+}
+
 func (p *GCPProvider) UpdateBSL(bsl *velero.BackupStorageLocation) {
 	bsl.Spec.Provider = GCP
 	bsl.Spec.StorageType = velero.StorageType{

diff --git a/pkg/cloudprovider/provider.go b/pkg/cloudprovider/provider.go
@@ -21,6 +21,8 @@ const (
 
 type Provider interface {
 	GetName() string
+	GetVeleroCloudSecretName() string
+	GetVeleroCloudCredentialsPath() string
 	SetRole(role string)
 	UpdateBSL(location *velero.BackupStorageLocation)
 	UpdateVSL(location *velero.VolumeSnapshotLocation)

diff --git a/pkg/controller/migmigration/pod.go b/pkg/controller/migmigration/pod.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	migapi "github.com/fusor/mig-controller/pkg/apis/migration/v1alpha1"
+	pvdr "github.com/fusor/mig-controller/pkg/cloudprovider"
 	"github.com/fusor/mig-controller/pkg/pods"
 	corev1 "k8s.io/api/core/v1"
 	v1beta1 "k8s.io/api/extensions/v1beta1"
@@ -339,45 +340,55 @@ func (t *Task) veleroPodCredSecretPropagated(cluster *migapi.MigCluster) (bool,
 		return false, err
 	}
 	for _, pod := range list {
-		cmd := pods.PodCommand{
-			Args:    []string{"cat", "/credentials/cloud"},
-			RestCfg: restCfg,
-			Pod:     &pod,
-		}
-		err = cmd.Run()
-		if err != nil {
-			exErr, cast := err.(exec.CodeExitError)
-			if cast && exErr.Code == 126 {
-				log.Info(
-					"Pod command failed:",
-					"solution",
-					"https://access.redhat.com/solutions/3734981",
-					"cmd",
-					cmd.Args)
-				return true, nil
-			} else {
-				log.Trace(err)
-				return false, err
-			}
-		}
-		client, err := cluster.GetClient(t.Client)
+		storage, err := t.PlanResources.MigPlan.GetStorage(t.Client)
 		if err != nil {
 			log.Trace(err)
 			return false, err
 		}
-		secret, err := t.PlanResources.MigPlan.GetCloudSecret(client)
-		if err != nil {
-			log.Trace(err)
-			return false, err
-		}
-		if body, found := secret.Data["cloud"]; found {
-			a := string(body)
-			b := cmd.Out.String()
-			if a != b {
+
+		bslProvider := storage.GetBackupStorageProvider()
+		vslProvider := storage.GetVolumeSnapshotProvider()
+		for _, provider := range []pvdr.Provider{bslProvider, vslProvider} {
+			cmd := pods.PodCommand{
+				Args:    []string{"cat", provider.GetVeleroCloudCredentialsPath()},
+				RestCfg: restCfg,
+				Pod:     &pod,
+			}
+			err = cmd.Run()
+			if err != nil {
+				exErr, cast := err.(exec.CodeExitError)
+				if cast && exErr.Code == 126 {
+					log.Info(
+						"Pod command failed:",
+						"solution",
+						"https://access.redhat.com/solutions/3734981",
+						"cmd",
+						cmd.Args)
+					return true, nil
+				} else {
+					log.Trace(err)
+					return false, err
+				}
+			}
+			client, err := cluster.GetClient(t.Client)
+			if err != nil {
+				log.Trace(err)
+				return false, err
+			}
+			secret, err := t.PlanResources.MigPlan.GetCloudSecret(client, provider)
+			if err != nil {
+				log.Trace(err)
+				return false, err
+			}
+			if body, found := secret.Data["cloud"]; found {
+				a := string(body)
+				b := cmd.Out.String()
+				if a != b {
+					return false, nil
+				}
+			} else {
 				return false, nil
 			}
-		} else {
-			return false, nil
 		}
 	}
 

diff --git a/pkg/controller/migplan/storage.go b/pkg/controller/migplan/storage.go
@@ -65,8 +65,15 @@ func (r ReconcileMigPlan) ensureStorage(plan *migapi.MigPlan) error {
 			return err
 		}
 
-		// Cloud Secret
-		err = pl.ensureCloudSecret()
+		// BSL Cloud Secret
+		err = pl.ensureBSLCloudSecret()
+		if err != nil {
+			log.Trace(err)
+			return err
+		}
+
+		// VSL Cloud Secret
+		err = pl.ensureVSLCloudSecret()
 		if err != nil {
 			log.Trace(err)
 			return err
@@ -187,10 +194,14 @@ func (r PlanStorage) ensureVSL() error {
 }
 
 // Create the velero BSL cloud secret has been created.
-func (r PlanStorage) ensureCloudSecret() error {
-	newSecret := r.storage.BuildBSLCloudSecret()
+func (r PlanStorage) ensureBSLCloudSecret() error {
+	newSecret, err := r.BuildBSLCloudSecret()
+	if err != nil {
+		log.Trace(err)
+		return err
+	}
 	newSecret.Labels = r.plan.GetCorrelationLabels()
-	foundSecret, err := r.plan.GetCloudSecret(r.targetClient)
+	foundSecret, err := r.plan.GetCloudSecret(r.targetClient, r.storage.GetBackupStorageProvider())
 	if err != nil {
 		log.Trace(err)
 		return err
@@ -216,6 +227,46 @@ func (r PlanStorage) ensureCloudSecret() error {
 	return nil
 }
 
+// Create the velero VSL cloud secret has been created.
+// If BSL and VSL have the same provider, no action for now
+// since only one secret per provider is supported
+func (r PlanStorage) ensureVSLCloudSecret() error {
+	if r.storage.Spec.VolumeSnapshotProvider == "" ||
+		r.storage.Spec.VolumeSnapshotProvider == r.storage.Spec.BackupStorageProvider {
+		return nil
+	}
+	newSecret, err := r.BuildVSLCloudSecret()
+	if err != nil {
+		log.Trace(err)
+		return err
+	}
+	newSecret.Labels = r.plan.GetCorrelationLabels()
+	foundSecret, err := r.plan.GetCloudSecret(r.targetClient, r.storage.GetVolumeSnapshotProvider())
+	if err != nil {
+		log.Trace(err)
+		return err
+	}
+	if foundSecret == nil {
+		err = r.targetClient.Create(context.TODO(), newSecret)
+		if err != nil {
+			log.Trace(err)
+			return err
+		}
+		return nil
+	}
+	if r.storage.EqualsCloudSecret(foundSecret, newSecret) {
+		return nil
+	}
+	r.UpdateVSLCloudSecret(foundSecret)
+	err = r.targetClient.Update(context.TODO(), foundSecret)
+	if err != nil {
+		log.Trace(err)
+		return err
+	}
+
+	return nil
+}
+
 // Build BSL.
 func (r *PlanStorage) BuildBSL() *velero.BackupStorageLocation {
 	bsl := r.storage.BuildBSL()
@@ -246,7 +297,7 @@ func (r *PlanStorage) UpdateVSL(vsl *velero.VolumeSnapshotLocation) {
 
 // Build BSL cloud secret.
 func (r *PlanStorage) BuildBSLCloudSecret() (*kapi.Secret, error) {
-	secret := r.storage.BuildVSLCloudSecret()
+	secret := r.storage.BuildBSLCloudSecret()
 	err := r.UpdateBSLCloudSecret(secret)
 	if err != nil {
 		log.Trace(err)