Add posibilities to specify metadata password selector per cell

Now metadata password can be specified per cell using global nova secret. Key should be value of PrefixMetadataCellsSecret + cellName eg. MetadataCellsSecretcell1. If there is no defined MetadataSecret for cell secret from MetadataSecret will be used
openstack-k8s-operators · Jul 3, 2024 · 1751b73 · 1751b73
1 parent b2d7617
commit 1751b73
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 3 deletions.
diff --git a/api/bases/nova.openstack.org_nova.yaml b/api/bases/nova.openstack.org_nova.yaml
@@ -1567,6 +1567,15 @@ spec:
                     description: MetadataSecret - the name of the field to get the
                       metadata secret from the Secret
                     type: string
+                  prefixMetadataCellsSecret:
+                    default: MetadataCellsSecret
+                    description: prefixMetadataCellsSecret - the prefix name of the
+                      field to get the metadata secret from the Secret for cells.
+                      Vale of metadata_proxy_shared_secret information for the nova-metadata
+                      service. This secret is shared between nova and neutron ovn-metadata
+                      inside selected cell and if this is not defined the global metadata_proxy_shared_secret
+                      secret will be used
+                    type: string
                   service:
                     default: NovaPassword
                     description: Service - Selector to get the keystone service user

diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -87,6 +87,15 @@ type PasswordSelector struct {
 	// MetadataSecret - the name of the field to get the metadata secret from the
 	// Secret
 	MetadataSecret string `json:"metadataSecret"`
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="MetadataCellsSecret"
+	// prefixMetadataCellsSecret - the prefix name of the field to get the metadata secret from the
+	// Secret for cells. Vale of metadata_proxy_shared_secret
+	// information for the nova-metadata service. This secret is shared
+	// between nova and neutron ovn-metadata inside selected cell
+	// and if this is not defined the global metadata_proxy_shared_secret
+	// secret will be used
+	PrefixMetadataCellsSecret string `json:"prefixMetadataCellsSecret"`
 }
 
 type NovaImages struct {

diff --git a/config/crd/bases/nova.openstack.org_nova.yaml b/config/crd/bases/nova.openstack.org_nova.yaml
@@ -1567,6 +1567,15 @@ spec:
                     description: MetadataSecret - the name of the field to get the
                       metadata secret from the Secret
                     type: string
+                  prefixMetadataCellsSecret:
+                    default: MetadataCellsSecret
+                    description: prefixMetadataCellsSecret - the prefix name of the
+                      field to get the metadata secret from the Secret for cells.
+                      Vale of metadata_proxy_shared_secret information for the nova-metadata
+                      service. This secret is shared between nova and neutron ovn-metadata
+                      inside selected cell and if this is not defined the global metadata_proxy_shared_secret
+                      secret will be used
+                    type: string
                   service:
                     default: NovaPassword
                     description: Service - Selector to get the keystone service user

diff --git a/controllers/nova_controller.go b/controllers/nova_controller.go
@@ -1647,7 +1647,12 @@ func (r *NovaReconciler) ensureCellSecret(
 	// If metadata is enabled in the cell then the cell secret needs the
 	// metadata shared secret
 	if *cellTemplate.MetadataServiceTemplate.Enabled {
-		data[MetadataSecretSelector] = string(externalSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+		val, ok := externalSecret.Data[instance.Spec.PasswordSelectors.PrefixMetadataCellsSecret+cellName]
+		if ok {
+			data[MetadataSecretSelector] = string(val)
+		} else {
+			data[MetadataSecretSelector] = string(externalSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+		}
 	}
 
 	// NOTE(gibi): When we switch to immutable secrets then we need to include

diff --git a/test/functional/nova_multicell_test.go b/test/functional/nova_multicell_test.go
@@ -840,7 +840,15 @@ var _ = Describe("Nova multi cell", func() {
 	})
 	When("Nova CR instance is created with metadata per cell", func() {
 		BeforeEach(func() {
-			DeferCleanup(k8sClient.Delete, ctx, CreateNovaSecret(novaNames.NovaName.Namespace, SecretName))
+			novaSecret := th.CreateSecret(
+				types.NamespacedName{Namespace: novaNames.NovaName.Namespace, Name: SecretName},
+				map[string][]byte{
+					"NovaPassword":                         []byte("service-password"),
+					"MetadataSecret":                       []byte("metadata-secret"),
+					"MetadataCellsSecret" + cell1.CellName: []byte("metadata-secret-cell1"),
+				},
+			)
+			DeferCleanup(k8sClient.Delete, ctx, novaSecret)
 			DeferCleanup(k8sClient.Delete, ctx, CreateNovaMessageBusSecret(cell0))
 			DeferCleanup(k8sClient.Delete, ctx, CreateNovaMessageBusSecret(cell1))
 
@@ -935,10 +943,12 @@ var _ = Describe("Nova multi cell", func() {
 
 			cell1Secret := th.GetSecret(cell1.InternalCellSecretName)
 			Expect(cell1Secret.Data).To(
-				HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret")))
+				HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret-cell1")))
 			cell0Secret := th.GetSecret(cell0.InternalCellSecretName)
 			Expect(cell0Secret.Data).NotTo(
 				HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret")))
+			Expect(cell0Secret.Data).NotTo(
+				HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret-cell1")))
 		})
 	})
 })