Cinco de hacko

openstack-k8s-operators · May 5, 2023 · bd00da5 · bd00da5
1 parent 4dcc8a7
commit bd00da5
Show file tree

Hide file tree

Showing 7 changed files with 162 additions and 29 deletions.
diff --git a/api/v1beta1/barbican_types.go b/api/v1beta1/barbican_types.go
@@ -84,6 +84,9 @@ type BarbicanStatus struct {
 
 	// TransportURLSecret - Secret containing RabbitMQ transportURL
 	TransportURLSecret string `json:"transportURLSecret,omitempty"`
+
+	// Barbican Database Hostname
+	DatabaseHostname string `json:"databaseHostname,omitempty"`
 }
 
 //+kubebuilder:object:root=true
@@ -113,6 +116,21 @@ type BarbicanList struct {
 	Items           []Barbican `json:"items"`
 }
 
+// RbacConditionsSet - set the conditions for the rbac object
+func (instance Barbican) RbacConditionsSet(c *condition.Condition) {
+	instance.Status.Conditions.Set(c)
+}
+
+// RbacNamespace - return the namespace
+func (instance Barbican) RbacNamespace() string {
+	return instance.Namespace
+}
+
+// RbacResourceName - return the name to be used for rbac objects (serviceaccount, role, rolebinding)
+func (instance Barbican) RbacResourceName() string {
+	return "barbican-" + instance.Name
+}
+
 func init() {
 	SchemeBuilder.Register(&Barbican{}, &BarbicanList{})
 }
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -43,6 +43,10 @@ type BarbicanTemplate struct {
 	// actual action pod gets started with sleep infinity
 	// TODO(dmendiza): Do we need this?
 	Debug BarbicanDebug `json:"debug,omitempty"`
+
+	// +kubebuilder:validation:Required
+	// ServiceAccount - service account name used internally to provide Barbican services the default SA name
+	ServiceAccount string `json:"serviceAccount"`
 }
 
 // BarbicanComponentTemplate - Variables used by every component of Barbican

diff --git a/controllers/barbican_controller.go b/controllers/barbican_controller.go
@@ -121,6 +121,10 @@ func (r *BarbicanReconciler) Reconcile(ctx context.Context, req ctrl.Request) (r
 			condition.UnknownCondition(barbicanv1beta1.BarbicanWorkerReadyCondition, condition.InitReason, barbicanv1beta1.BarbicanWorkerReadyInitMessage),
 			condition.UnknownCondition(condition.DeploymentReadyCondition, condition.InitReason, condition.DeploymentReadyInitMessage),
 			condition.UnknownCondition(condition.NetworkAttachmentsReadyCondition, condition.InitReason, condition.NetworkAttachmentsReadyInitMessage),
+			// service account, role, rolebinding conditions
+			condition.UnknownCondition(condition.ServiceAccountReadyCondition, condition.InitReason, condition.ServiceAccountReadyInitMessage),
+			condition.UnknownCondition(condition.RoleReadyCondition, condition.InitReason, condition.RoleReadyInitMessage),
+			condition.UnknownCondition(condition.RoleBindingReadyCondition, condition.InitReason, condition.RoleBindingReadyInitMessage),
 		)
 
 		instance.Status.Conditions.Init(&cl)
@@ -357,6 +361,27 @@ func (r *BarbicanReconciler) reconcileInit(
 ) (ctrl.Result, error) {
 	r.Log.Info(fmt.Sprintf("Reconciling Service '%s' init", instance.Name))
 
+	// Service account, role, binding
+	rbacRules := []rbacv1.PolicyRule{
+		{
+			APIGroups:     []string{"security.openshift.io"},
+			ResourceNames: []string{"anyuid", "privileged"},
+			Resources:     []string{"securitycontextconstraints"},
+			Verbs:         []string{"use"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"pods"},
+			Verbs:     []string{"create", "get", "list", "watch", "update", "patch", "delete"},
+		},
+	}
+	rbacResult, err := common_rbac.ReconcileRbac(ctx, helper, instance, rbacRules)
+	if err != nil {
+		return rbacResult, err
+	} else if (rbacResult != ctrl.Result{}) {
+		return rbacResult, nil
+	}
+
 	//
 	// create service DB instance
 	//

diff --git a/pkg/barbican/const.go b/pkg/barbican/const.go
@@ -1,5 +1,7 @@
 package barbican
 
 const (
-	ServiceName = "barbican"
+	ServiceName       = "barbican"
+	DatabaseName      = "barbican"
+	KollaConfigDbSync = "/var/lib/config-data/merged/db-sync-config.json"
 )
diff --git a/pkg/barbican/dbsync.go b/pkg/barbican/dbsync.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
+	"github.com/openstack-k8s-operators/lib-common/modules/storage"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -15,11 +16,13 @@ const (
 	DBSyncCommand = "/usr/local/bin/kolla_set_configs && su -s /bin/sh -c \"barbican-manage db upgrade\""
 )
 
+// DbsyncPropagation keeps track of the DBSync Service Propagation Type
+var DbsyncPropagation = []storage.PropagationType{storage.DBSync}
+
 // DbSyncJob func
 func DbSyncJob(instance *barbicanv1beta1.Barbican, labels map[string]string, annotations map[string]string) *batchv1.Job {
 
-	dbSyncExtraMounts := []barbicanv1beta1.BarbicanExtraVolMounts{}
-
+	secretNames := []string{}
 	args := []string{"-c"}
 	if instance.Spec.Debug.DBSync {
 		args = append(args, common.DebugCommand)
@@ -46,7 +49,7 @@ func DbSyncJob(instance *barbicanv1beta1.Barbican, labels map[string]string, ann
 				},
 				Spec: corev1.PodSpec{
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
-					ServiceAccountName: ServiceAccount,
+					ServiceAccountName: instance.RbacResourceName(),
 					Containers: []corev1.Container{
 						{
 							Name: instance.Name + "-db-sync",
@@ -59,15 +62,21 @@ func DbSyncJob(instance *barbicanv1beta1.Barbican, labels map[string]string, ann
 								RunAsUser: &runAsUser,
 							},
 							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts: GetVolumeMounts(false, dbSyncExtraMounts, DbsyncPropagation),
+							VolumeMounts: GetVolumeMounts(secretNames, DbsyncPropagation),
 						},
 					},
-					Volumes: GetVolumes(instance.Name, false, dbSyncExtraMounts, DbsyncPropagation),
 				},
 			},
 		},
 	}
 
+	job.Spec.Template.Spec.Volumes = GetVolumes(
+		instance.Name,
+		ServiceName,
+		secretNames,
+		DbsyncPropagation,
+	)
+
 	initContainerDetails := APIDetails{
 		ContainerImage:       instance.Spec.BarbicanAPI.ContainerImage,
 		DatabaseHost:         instance.Status.DatabaseHostname,
@@ -76,8 +85,7 @@ func DbSyncJob(instance *barbicanv1beta1.Barbican, labels map[string]string, ann
 		OSPSecret:            instance.Spec.Secret,
 		DBPasswordSelector:   instance.Spec.PasswordSelectors.Database,
 		UserPasswordSelector: instance.Spec.PasswordSelectors.Service,
-		VolumeMounts:         GetInitVolumeMounts(dbSyncExtraMounts, DbsyncPropagation),
-		Debug:                instance.Spec.Debug.DBInitContainer,
+		VolumeMounts:         GetInitVolumeMounts(secretNames, DbsyncPropagation),
 	}
 	job.Spec.Template.Spec.InitContainers = InitContainer(initContainerDetails)
 

diff --git a/pkg/barbican/initcontainer.go b/pkg/barbican/initcontainer.go
@@ -0,0 +1,93 @@
+package barbican
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+// APIDetails information
+type APIDetails struct {
+	ContainerImage       string
+	DatabaseHost         string
+	DatabaseUser         string
+	DatabaseName         string
+	TransportURL         string
+	OSPSecret            string
+	DBPasswordSelector   string
+	UserPasswordSelector string
+	VolumeMounts         []corev1.VolumeMount
+}
+
+const (
+	InitContainerCommand = "/usr/local/bin/container-scripts/init.sh"
+)
+
+// InitContainer - init container for barbican api pods
+func InitContainer(init APIDetails) []corev1.Container {
+	runAsUser := int64(0)
+
+	args := []string{
+		"-c",
+		InitContainerCommand,
+	}
+
+	envs := []corev1.EnvVar{}
+	/*
+		envVars := map[string]env.Setter{}
+		envVars["DatabaseHost"] = env.SetValue(init.DatabaseHost)
+		envVars["DatabaseUser"] = env.SetValue(init.DatabaseUser)
+		envVars["DatabaseName"] = env.SetValue(init.DatabaseName)
+
+		envs := []corev1.EnvVar{
+			{
+				Name: "DatabasePassword",
+				ValueFrom: &corev1.EnvVarSource{
+					SecretKeyRef: &corev1.SecretKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: init.OSPSecret,
+						},
+						Key: init.DBPasswordSelector,
+					},
+				},
+			},
+			{
+				Name: "GlancePassword",
+				ValueFrom: &corev1.EnvVarSource{
+					SecretKeyRef: &corev1.SecretKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: init.OSPSecret,
+						},
+						Key: init.UserPasswordSelector,
+					},
+				},
+			},
+			// TODO
+			// {
+			// 	Name: "TransportUrl",
+			// 	ValueFrom: &corev1.EnvVarSource{
+			// 		SecretKeyRef: &corev1.SecretKeySelector{
+			// 			LocalObjectReference: corev1.LocalObjectReference{
+			// 				Name: init.OSPSecret,
+			// 			},
+			// 			Key: "TransportUrl",
+			// 		},
+			// 	},
+			// },
+		}
+		envs = env.MergeEnvs(envs, envVars)
+	*/
+	return []corev1.Container{
+		{
+			Name:  "init",
+			Image: init.ContainerImage,
+			SecurityContext: &corev1.SecurityContext{
+				RunAsUser: &runAsUser,
+			},
+			Command: []string{
+				"/bin/bash",
+			},
+			Args:         args,
+			Env:          envs,
+			VolumeMounts: init.VolumeMounts,
+		},
+	}
+}
diff --git a/pkg/barbican/volumes.go b/pkg/barbican/volumes.go
@@ -3,14 +3,12 @@ package barbican
 import (
 	"strconv"
 
-	barbicanv1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1"
-
 	"github.com/openstack-k8s-operators/lib-common/modules/storage"
 	corev1 "k8s.io/api/core/v1"
 )
 
 // GetVolumes - service volumes
-func GetVolumes(name string, pvcName string, secretNames []string, extraVol []barbicanv1.BarbicanExtraVolMounts, svc []storage.PropagationType) []corev1.Volume {
+func GetVolumes(name string, pvcName string, secretNames []string, svc []storage.PropagationType) []corev1.Volume {
 	var scriptsVolumeDefaultMode int32 = 0755
 	var config0640AccessMode int32 = 0640
 
@@ -53,18 +51,13 @@ func GetVolumes(name string, pvcName string, secretNames []string, extraVol []ba
 		},
 	}
 
-	for _, exv := range extraVol {
-		for _, vol := range exv.Propagate(svc) {
-			vm = append(vm, vol.Volumes...)
-		}
-	}
 	secretConfig, _ := GetConfigSecretVolumes(secretNames)
 	vm = append(vm, secretConfig...)
 	return vm
 }
 
-// getInitVolumeMounts - general init task VolumeMounts
-func getInitVolumeMounts(secretNames []string, extraVol []barbicanv1.BarbicanExtraVolMounts, svc []storage.PropagationType) []corev1.VolumeMount {
+// GetInitVolumeMounts - general init task VolumeMounts
+func GetInitVolumeMounts(secretNames []string, svc []storage.PropagationType) []corev1.VolumeMount {
 	vm := []corev1.VolumeMount{
 		{
 			Name:      "scripts",
@@ -83,18 +76,13 @@ func getInitVolumeMounts(secretNames []string, extraVol []barbicanv1.BarbicanExt
 		},
 	}
 
-	for _, exv := range extraVol {
-		for _, vol := range exv.Propagate(svc) {
-			vm = append(vm, vol.Mounts...)
-		}
-	}
 	_, secretConfig := GetConfigSecretVolumes(secretNames)
 	vm = append(vm, secretConfig...)
 	return vm
 }
 
 // GetVolumeMounts - general VolumeMounts
-func GetVolumeMounts(secretNames []string, extraVol []barbicanv1.BarbicanExtraVolMounts, svc []storage.PropagationType) []corev1.VolumeMount {
+func GetVolumeMounts(secretNames []string, svc []storage.PropagationType) []corev1.VolumeMount {
 
 	vm := []corev1.VolumeMount{
 		{
@@ -114,11 +102,6 @@ func GetVolumeMounts(secretNames []string, extraVol []barbicanv1.BarbicanExtraVo
 		},
 	}
 
-	for _, exv := range extraVol {
-		for _, vol := range exv.Propagate(svc) {
-			vm = append(vm, vol.Mounts...)
-		}
-	}
 	_, secretConfig := GetConfigSecretVolumes(secretNames)
 	vm = append(vm, secretConfig...)
 	return vm