splunk · akondur · Aug 7, 2020
diff --git a/pkg/splunk/controller/secret.go b/pkg/splunk/controller/secret.go
@@ -35,12 +35,14 @@ func ApplySecret(client splcommon.ControllerClient, secret *corev1.Secret) (*cor
 
 	err := client.Get(context.TODO(), namespacedName, &current)
 	if err == nil {
-		// found existing Secret: do nothing
-		scopedLog.Info("Found existing Secret")
+		scopedLog.Info("Updating existing Secret")
+		err = UpdateResource(client, secret)
 	} else {
+		scopedLog.Info("Creating a new Secret")
 		err = CreateResource(client, secret)
-		result = secret
 	}
 
+	result = secret
+
 	return result, err
 }
diff --git a/pkg/splunk/enterprise/configuration.go b/pkg/splunk/enterprise/configuration.go
@@ -544,10 +544,10 @@ func updateSplunkPodTemplateWithConfig(podTemplateSpec *corev1.PodTemplateSpec,
 	// prepare defaults variable
 	splunkDefaults := "/mnt/splunk-secrets/default.yml"
 	if spec.DefaultsURL != "" {
-		splunkDefaults = fmt.Sprintf("%s,%s", splunkDefaults, spec.DefaultsURL)
+		splunkDefaults = fmt.Sprintf("%s,%s", spec.DefaultsURL, splunkDefaults)
 	}
 	if spec.Defaults != "" {
-		splunkDefaults = fmt.Sprintf("%s,%s", splunkDefaults, "/mnt/splunk-defaults/default.yml")
+		splunkDefaults = fmt.Sprintf("%s,%s", "/mnt/splunk-defaults/default.yml", splunkDefaults)
 	}
 
 	// prepare container env variables
@@ -557,6 +557,7 @@ func updateSplunkPodTemplateWithConfig(podTemplateSpec *corev1.PodTemplateSpec,
 		{Name: "SPLUNK_DEFAULTS_URL", Value: splunkDefaults},
 		{Name: "SPLUNK_HOME_OWNERSHIP_ENFORCEMENT", Value: "false"},
 		{Name: "SPLUNK_ROLE", Value: instanceType.ToRole()},
+		{Name: "SPLUNK_DECLARATVE_ADMIN_PASSWORD", Value: "true"},
 	}
 
 	// update variables for licensing, if configured

diff --git a/pkg/splunk/enterprise/util.go b/pkg/splunk/enterprise/util.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -33,10 +34,60 @@ import (
 // kubernetes logger used by splunk.enterprise package
 var log = logf.Log.WithName("splunk.enterprise")
 
+// ApplyCommonSecretObject creates/updates the namespace scoped "splunk-secrets" K8S secret object
+func ApplyCommonSecretObject(client splcommon.ControllerClient, cr splcommon.MetaObject) error {
+	var current corev1.Secret
+
+	// Types of Splunk Secret Tokens
+	tokenTypes := []string{"hec_token", "password", "pass4symmkey", "idxc_secret", "shc_secret"}
+
+	// Check if a K8S secrets object "splunk-secrets" exists in the namespace
+	namespacedName := types.NamespacedName{Namespace: cr.GetNamespace(), Name: "splunk-secrets"}
+	err := client.Get(context.TODO(), namespacedName, &current)
+	if err != nil {
+		// Not found, generate random strings as values for all types of tokens
+		secretData := make(map[string][]byte)
+		for _, tokenType := range tokenTypes {
+			secretData[tokenType] = splcommon.GenerateSecret(secretBytes, 24)
+		}
+
+		result := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "splunk-secrets",
+				Namespace: cr.GetNamespace(),
+			},
+			Data: secretData,
+		}
+		current = result
+	} else {
+		// Found, generate random strings as values for missing types of tokens
+		for _, tokenType := range tokenTypes {
+			if _, ok := current.Data[tokenType]; !ok {
+				// Splunk secret token not found, Generate Splunk Secret Token
+				current.Data[tokenType] = splcommon.GenerateSecret(secretBytes, 24)
+			}
+		}
+	}
+
+	// Creates/updates the K8S secret object "splunk-secrets" via REST APIs
+	_, err = splctrl.ApplySecret(client, &current)
+	if err != nil {
+		//scopedLog.Error(err, "Failed to update resource")
+	}
+
+	return nil
+}
+
 // ApplySplunkConfig reconciles the state of Kubernetes Secrets, ConfigMaps and other general settings for Splunk Enterprise instances.
 func ApplySplunkConfig(client splcommon.ControllerClient, cr splcommon.MetaObject, spec enterprisev1.CommonSplunkSpec, instanceType InstanceType) (*corev1.Secret, error) {
 	var err error
 
+	// Creates/updates the namespace scoped "splunk-secrets" K8S secret object
+	err = ApplyCommonSecretObject(client, cr)
+	if err != nil {
+		return nil, err
+	}
+
 	// if reference to indexer cluster, extract and re-use idxc.secret
 	// IndexerRef is not relevant for Indexer, and Indexer will use value from LicenseMaster to prevent cyclical dependency
 	var idxcSecret []byte

diff --git a/pkg/splunk/enterprise/util_test.go b/pkg/splunk/enterprise/util_test.go
@@ -48,6 +48,10 @@ func enterpriseObjectCopier(dst, src runtime.Object) bool {
 	return true
 }
 
+func TestApplyCommonSecretObject(t *testing.T) {
+
+}
+
 func TestApplySplunkConfig(t *testing.T) {
 	funcCalls := []spltest.MockFuncCall{
 		{MetaName: "*v1.Secret-test-splunk-stack1-search-head-secrets"},