From 1751b73f952c96ba4bdb96ee7f116de05dbb5767 Mon Sep 17 00:00:00 2001
From: Kamil Sambor
Date: Wed, 3 Jul 2024 10:43:10 +0200
Subject: [PATCH] Add posibilities to specify metadata password selector per cell
Now metadata password can be specified per cell using global nova secret. Key should be value of PrefixMetadataCellsSecret + cellName eg. MetadataCellsSecretcell1. If there is no defined MetadataSecret for cell secret from MetadataSecret will be used
---
api/bases/nova.openstack.org_nova.yaml | 9 +++++++++
api/v1beta1/common_types.go | 9 +++++++++
config/crd/bases/nova.openstack.org_nova.yaml | 9 +++++++++
controllers/nova_controller.go | 7 ++++++-
test/functional/nova_multicell_test.go | 14 ++++++++++++--
5 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/api/bases/nova.openstack.org_nova.yaml b/api/bases/nova.openstack.org_nova.yaml
index 3f41d982c..25ef59931 100644
--- a/api/bases/nova.openstack.org_nova.yaml
+++ b/api/bases/nova.openstack.org_nova.yaml
@@ -1567,6 +1567,15 @@ spec:
 description: MetadataSecret - the name of the field to get the
 metadata secret from the Secret
 type: string
+ prefixMetadataCellsSecret:
+ default: MetadataCellsSecret
+ description: prefixMetadataCellsSecret - the prefix name of the
+ field to get the metadata secret from the Secret for cells.
+ Vale of metadata_proxy_shared_secret information for the nova-metadata
+ service. This secret is shared between nova and neutron ovn-metadata
+ inside selected cell and if this is not defined the global metadata_proxy_shared_secret
+ secret will be used
+ type: string
 service:
 default: NovaPassword
 description: Service - Selector to get the keystone service user
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
index 3047158be..aeb243445 100644
--- a/api/v1beta1/common_types.go
+++ b/api/v1beta1/common_types.go
@@ -87,6 +87,15 @@ type PasswordSelector struct {
 // MetadataSecret - the name of the field to get the metadata secret from the
 // Secret
 MetadataSecret string `json:"metadataSecret"`
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default="MetadataCellsSecret"
+ // prefixMetadataCellsSecret - the prefix name of the field to get the metadata secret from the
+ // Secret for cells. Vale of metadata_proxy_shared_secret
+ // information for the nova-metadata service. This secret is shared
+ // between nova and neutron ovn-metadata inside selected cell
+ // and if this is not defined the global metadata_proxy_shared_secret
+ // secret will be used
+ PrefixMetadataCellsSecret string `json:"prefixMetadataCellsSecret"`
 }
 type NovaImages struct {
diff --git a/config/crd/bases/nova.openstack.org_nova.yaml b/config/crd/bases/nova.openstack.org_nova.yaml
index 3f41d982c..25ef59931 100644
--- a/config/crd/bases/nova.openstack.org_nova.yaml
+++ b/config/crd/bases/nova.openstack.org_nova.yaml
@@ -1567,6 +1567,15 @@ spec:
 description: MetadataSecret - the name of the field to get the
 metadata secret from the Secret
 type: string
+ prefixMetadataCellsSecret:
+ default: MetadataCellsSecret
+ description: prefixMetadataCellsSecret - the prefix name of the
+ field to get the metadata secret from the Secret for cells.
+ Vale of metadata_proxy_shared_secret information for the nova-metadata
+ service. This secret is shared between nova and neutron ovn-metadata
+ inside selected cell and if this is not defined the global metadata_proxy_shared_secret
+ secret will be used
+ type: string
 service:
 default: NovaPassword
 description: Service - Selector to get the keystone service user
diff --git a/controllers/nova_controller.go b/controllers/nova_controller.go
index af45c9179..d9ea4d32c 100644
--- a/controllers/nova_controller.go
+++ b/controllers/nova_controller.go
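Review bot: The doc comment on the new PrefixMetadataCellsSecret field starts with the lowercased `prefixMetadataCellsSecret` and misspells `Vale`; controller-gen copies this text verbatim into both CRD descriptions (the api/bases and config/crd hunks of this patch), so the fix belongs here and a regeneration picks it up. Suggested first lines: `// PrefixMetadataCellsSecret - the prefix of the Secret key holding the per-cell metadata secret; the key looked up is PrefixMetadataCellsSecret + the cell name (e.g. MetadataCellsSecretcell1).` followed by `// Value of metadata_proxy_shared_secret for the nova-metadata service, shared between nova and neutron ovn-metadata in that cell; when the key is absent the global MetadataSecret is used.` Naming the lookup-key shape in the comment matters because the CRD description is the only place a user of the CR sees it. PasswordSelector starts before this hunk.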
@@ -1647,7 +1647,12 @@ func (r *NovaReconciler) ensureCellSecret(
 // If metadata is enabled in the cell then the cell secret needs the
 // metadata shared secret
 if *cellTemplate.MetadataServiceTemplate.Enabled {
- data[MetadataSecretSelector] = string(externalSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+ val, ok := externalSecret.Data[instance.Spec.PasswordSelectors.PrefixMetadataCellsSecret+cellName]
+ if ok {
+ data[MetadataSecretSelector] = string(val)
+ } else {
+ data[MetadataSecretSelector] = string(externalSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+ }
 }
 // NOTE(gibi): When we switch to immutable secrets then we need to include
diff --git a/test/functional/nova_multicell_test.go b/test/functional/nova_multicell_test.go
index 13130e6b1..4698e4a0f 100644
--- a/test/functional/nova_multicell_test.go
+++ b/test/functional/nova_multicell_test.go
@@ -840,7 +840,15 @@ var _ = Describe("Nova multi cell", func() {
 })
 When("Nova CR instance is created with metadata per cell", func() {
 BeforeEach(func() {
- DeferCleanup(k8sClient.Delete, ctx, CreateNovaSecret(novaNames.NovaName.Namespace, SecretName))
+ novaSecret := th.CreateSecret(
+ types.NamespacedName{Namespace: novaNames.NovaName.Namespace, Name: SecretName},
+ map[string][]byte{
+ "NovaPassword": []byte("service-password"),
+ "MetadataSecret": []byte("metadata-secret"),
+ "MetadataCellsSecret" + cell1.CellName: []byte("metadata-secret-cell1"),
+ },
+ )
+ DeferCleanup(k8sClient.Delete, ctx, novaSecret)
 DeferCleanup(k8sClient.Delete, ctx, CreateNovaMessageBusSecret(cell0))
 DeferCleanup(k8sClient.Delete, ctx, CreateNovaMessageBusSecret(cell1))
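Review bot: The per-cell override on the new `val, ok :=` line is selected purely on key presence, so a `MetadataCellsSecret<cell>` entry that exists but is empty replaces a valid global `MetadataSecret` with an empty `metadata_proxy_shared_secret` in the cell secret, and nothing records which source was chosen. Treating an empty value like a missing key keeps the documented fallback meaningful: `if ok && len(val) > 0 {`. If the presence of the global key is validated before this point (the prior direct indexing suggests it is), the per-cell key deserves the same treatment, or at least a log line naming the selected key (never its value) so an operator can see from the logs why a cell ended up with a different shared secret than the rest of the deployment. ensureCellSecret starts before and continues after this hunk.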
@@ -935,10 +943,12 @@ var _ = Describe("Nova multi cell", func() {
 cell1Secret := th.GetSecret(cell1.InternalCellSecretName)
 Expect(cell1Secret.Data).To(
- HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret")))
+ HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret-cell1")))
 cell0Secret := th.GetSecret(cell0.InternalCellSecretName)
 Expect(cell0Secret.Data).NotTo(
 HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret")))
+ Expect(cell0Secret.Data).NotTo(
+ HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret-cell1")))
 })
 })
 })
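Review bot: The assertions in this hunk only cover the override branch: cell1 is checked for `metadata-secret-cell1` and cell0 is checked to carry no metadata value at all, so the fallback path added in nova_controller.go (a metadata-enabled cell with no `MetadataCellsSecret<cell>` entry receiving the global `MetadataSecret`) is not exercised by the visible tests unless another spec outside this hunk does it. A second metadata-enabled cell without a per-cell entry, asserted with `HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret"))`, would pin both branches of the new code. The two value-specific negatives on cell0 also state the intent less directly than a single `Expect(cell0Secret.Data).NotTo(HaveKey(controllers.MetadataSecretSelector))`, which would not need updating every time a new test value is introduced. The enclosing It block starts before this hunk.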