From d88d6b70a242aa48da20caf1deb9f4d5ccc7e423 Mon Sep 17 00:00:00 2001
From: Kamil Sambor
Date: Tue, 2 Jul 2024 13:56:20 +0200
Subject: [PATCH] Add posibilities to specify metadata password selector per cell

Now metadata password can be specified per cell using MetadataTemplate. If there is no defined MetadataSecret secret from top nova secret is used
---
 api/bases/nova.openstack.org_nova.yaml | 15 +++++++++++++
 api/bases/nova.openstack.org_novacells.yaml | 7 +++++++
 api/v1beta1/novametadata_types.go | 8 +++++++
 config/crd/bases/nova.openstack.org_nova.yaml | 15 +++++++++++++
 .../bases/nova.openstack.org_novacells.yaml | 7 +++++++
 controllers/nova_controller.go | 21 ++++++++++++++++++-
 test/functional/nova_multicell_test.go | 19 +++++++++++++++--
 7 files changed, 89 insertions(+), 3 deletions(-)

diff --git a/api/bases/nova.openstack.org_nova.yaml b/api/bases/nova.openstack.org_nova.yaml
index 3f41d982c..e525fee45 100644
--- a/api/bases/nova.openstack.org_nova.yaml
+++ b/api/bases/nova.openstack.org_nova.yaml
@@ -528,6 +528,14 @@ spec:
 state until the manually create NovaMetadata CR is deleted manually. type: boolean + metadataSecret: + description: Secret is the name of the Secret instance containing + metadata_proxy_shared_secret information for the nova-metadata + service. This secret is shared between nova and neutron + ovn-metadata inside selected cell and if this is not defined + the global metadata_proxy_shared_secret secret will be + used + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
@@ -1296,6 +1304,13 @@ spec:
 error state until the manually create NovaMetadata CR is deleted manually. type: boolean + metadataSecret: + description: Secret is the name of the Secret instance containing + metadata_proxy_shared_secret information for the nova-metadata + service. This secret is shared between nova and neutron ovn-metadata + inside selected cell and if this is not defined the global metadata_proxy_shared_secret + secret will be used + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
diff --git a/api/bases/nova.openstack.org_novacells.yaml b/api/bases/nova.openstack.org_novacells.yaml
index 996b48ea3..a043c6f17 100644
--- a/api/bases/nova.openstack.org_novacells.yaml
+++ b/api/bases/nova.openstack.org_novacells.yaml
@@ -212,6 +212,13 @@ spec:
 error state until the manually create NovaMetadata CR is deleted manually. type: boolean + metadataSecret: + description: Secret is the name of the Secret instance containing + metadata_proxy_shared_secret information for the nova-metadata + service. This secret is shared between nova and neutron ovn-metadata + inside selected cell and if this is not defined the global metadata_proxy_shared_secret + secret will be used + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
diff --git a/api/v1beta1/novametadata_types.go b/api/v1beta1/novametadata_types.go
index 404934c21..28a3f82aa 100644
--- a/api/v1beta1/novametadata_types.go
+++ b/api/v1beta1/novametadata_types.go
@@ -84,6 +84,14 @@ type NovaMetadataTemplate struct {
 // +operator-sdk:csv:customresourcedefinitions:type=spec
 // TLS - Parameters related to the TLS
 TLS tls.SimpleService `json:"tls,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ // Secret is the name of the Secret instance containing metadata_proxy_shared_secret
+ // information for the nova-metadata service. This secret is shared
+ // between nova and neutron ovn-metadata inside selected cell
+ // and if this is not defined the global metadata_proxy_shared_secret
+ // secret will be used
+ MetadataSecret string `json:"metadataSecret"`
 }

 // MetadataOverrideSpec to override the generated manifest of several child resources.
diff --git a/config/crd/bases/nova.openstack.org_nova.yaml b/config/crd/bases/nova.openstack.org_nova.yaml
index 3f41d982c..e525fee45 100644
--- a/config/crd/bases/nova.openstack.org_nova.yaml
+++ b/config/crd/bases/nova.openstack.org_nova.yaml
@@ -528,6 +528,14 @@ spec:
 state until the manually create NovaMetadata CR is deleted manually. type: boolean + metadataSecret: + description: Secret is the name of the Secret instance containing + metadata_proxy_shared_secret information for the nova-metadata + service. This secret is shared between nova and neutron + ovn-metadata inside selected cell and if this is not defined + the global metadata_proxy_shared_secret secret will be + used + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
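Review bot: The new field's tag `json:"metadataSecret"` has no `omitempty`, while the sibling `TLS` field in the same struct is tagged `json:"tls,omitempty"`; the field is marked `+kubebuilder:validation:Optional`, yet an unset value will be serialized as an empty string in every NovaMetadataTemplate, so use `MetadataSecret string `json:"metadataSecret,omitempty"``. The doc comment should also start with the field name, as the CRD description and godoc are generated from it; e.g. `// MetadataSecret is the name of the Secret instance containing metadata_proxy_shared_secret`, and it would help readers to state there which key inside that Secret is read (the one named by PasswordSelectors.MetadataSecret, as far as the controller hunk shows). The NovaMetadataTemplate struct begins before this hunk.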
@@ -1296,6 +1304,13 @@ spec:
 error state until the manually create NovaMetadata CR is deleted manually. type: boolean + metadataSecret: + description: Secret is the name of the Secret instance containing + metadata_proxy_shared_secret information for the nova-metadata + service. This secret is shared between nova and neutron ovn-metadata + inside selected cell and if this is not defined the global metadata_proxy_shared_secret + secret will be used + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
diff --git a/config/crd/bases/nova.openstack.org_novacells.yaml b/config/crd/bases/nova.openstack.org_novacells.yaml
index 996b48ea3..a043c6f17 100644
--- a/config/crd/bases/nova.openstack.org_novacells.yaml
+++ b/config/crd/bases/nova.openstack.org_novacells.yaml
@@ -212,6 +212,13 @@ spec:
 error state until the manually create NovaMetadata CR is deleted manually. type: boolean + metadataSecret: + description: Secret is the name of the Secret instance containing + metadata_proxy_shared_secret information for the nova-metadata + service. This secret is shared between nova and neutron ovn-metadata + inside selected cell and if this is not defined the global metadata_proxy_shared_secret + secret will be used + type: string networkAttachments: description: NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
diff --git a/controllers/nova_controller.go b/controllers/nova_controller.go
index af45c9179..470950d0b 100644
--- a/controllers/nova_controller.go
+++ b/controllers/nova_controller.go
@@ -1647,7 +1647,26 @@ func (r *NovaReconciler) ensureCellSecret(
 // If metadata is enabled in the cell then the cell secret needs the
 // metadata shared secret
 if *cellTemplate.MetadataServiceTemplate.Enabled {
- data[MetadataSecretSelector] = string(externalSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+ if *&cellTemplate.MetadataServiceTemplate.MetadataSecret != "" {
+ expectedSelectors := []string{
+ instance.Spec.PasswordSelectors.MetadataSecret,
+ }
+
+ _, _, metadataSecret, err := ensureSecret(
+ ctx,
+ types.NamespacedName{Namespace: instance.Namespace, Name: cellTemplate.MetadataServiceTemplate.MetadataSecret},
+ expectedSelectors,
+ h.GetClient(),
+ &instance.Status.Conditions,
+ r.RequeueTimeout,
+ )
+ if err != nil {
+ return "", err
+ }
+ data[MetadataSecretSelector] = string(metadataSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+ } else {
+ data[MetadataSecretSelector] = string(externalSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+ }
 }

 // NOTE(gibi): When we switch to immutable secrets then we need to include
diff --git a/test/functional/nova_multicell_test.go b/test/functional/nova_multicell_test.go
index 13130e6b1..a4ca443bc 100644
--- a/test/functional/nova_multicell_test.go
+++ b/test/functional/nova_multicell_test.go
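Review bot: `*&cellTemplate.MetadataServiceTemplate.MetadataSecret` on the first added line takes the address of a plain string field and immediately dereferences it, which is a no-op; write `if cellTemplate.MetadataServiceTemplate.MetadataSecret != "" {` as the NamespacedName literal a few lines below already does. Two properties of this branch deserve a comment above it because they are the security-relevant part of the change: the per-cell Secret is resolved only inside `instance.Namespace`, so a cell template cannot reference a Secret from another namespace, and `ensureSecret` is given `expectedSelectors`, so a named Secret that lacks the `PasswordSelectors.MetadataSecret` key presumably fails the reconcile rather than writing an empty shared secret into the cell Secret; e.g. `// Per-cell override: the Secret is looked up in the Nova CR's own namespace and must carry the MetadataSecret selector key.` Whether the controller's Secret watch also requeues the Nova CR when this per-cell Secret is rotated cannot be seen in this hunk; if it does not, a changed metadata_proxy_shared_secret would not reach the cell Secret until something else triggers a reconcile, which is worth confirming since the fallback path reads the already-watched top-level Secret. ensureCellSecret begins before this hunk and continues after it.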
@@ -849,6 +849,18 @@ var _ = Describe("Nova multi cell", func() {
 DeferCleanup(mariadb.DeleteDBService, mariadb.CreateDBService(cell0.MariaDBDatabaseName.Namespace, cell0.MariaDBDatabaseName.Name, serviceSpec))
 DeferCleanup(mariadb.DeleteDBService, mariadb.CreateDBService(cell1.MariaDBDatabaseName.Namespace, cell1.MariaDBDatabaseName.Name, serviceSpec))
+ secretMap := map[string][]byte{
+ "MetadataSecret": []byte("metadata-secret-cell1"),
+ }
+ cell1Metadata := types.NamespacedName{
+ Namespace: novaNames.NovaName.Namespace,
+ Name: novaNames.NovaName.Name + "-" + cell1.CellName + "-metadata",
+ }
+ secretMetadataCell1 := th.CreateSecret(
+ cell1Metadata,
+ secretMap,
+ )
+ DeferCleanup(k8sClient.Delete, ctx, secretMetadataCell1)
 spec := GetDefaultNovaSpec()
 cell0Template := GetDefaultNovaCellTemplate()
 cell0Template["cellDatabaseInstance"] = cell0.MariaDBDatabaseName.Name
@@ -859,7 +871,8 @@ var _ = Describe("Nova multi cell", func() {
 cell1Template["cellDatabaseAccount"] = cell1.MariaDBAccountName.Name
 cell1Template["cellMessageBusInstance"] = cell1.TransportURLName.Name
 cell1Template["metadataServiceTemplate"] = map[string]interface{}{
- "enabled": true,
+ "enabled": true,
+ "metadataSecret": secretMetadataCell1.Name,
 }
 spec["cellTemplates"] = map[string]interface{}{
@@ -935,10 +948,12 @@ var _ = Describe("Nova multi cell", func() {
 cell1Secret := th.GetSecret(cell1.InternalCellSecretName)
 Expect(cell1Secret.Data).To(
- HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret")))
+ HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret-cell1")))
 cell0Secret := th.GetSecret(cell0.InternalCellSecretName)
 Expect(cell0Secret.Data).NotTo(
 HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret")))
+ Expect(cell0Secret.Data).NotTo(
+ HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret-cell1")))
 })
 })
 })
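Review bot: The first hunk only covers the happy path, a per-cell Secret that exists and carries the expected key; the controller's new branch returns an error when the Secret named by `metadataSecret` is missing or lacks that key, and no case here pins that the Nova CR surfaces the failure and that the cell1 internal Secret is not filled with an empty shared secret, which is the case a misconfigured deployment would hit. The `"MetadataSecret"` key in `secretMap` is hard-coded and has to agree with whatever `PasswordSelectors.MetadataSecret` defaults to, so a short comment on that line would make the coupling visible, e.g. `// key must match the default PasswordSelectors.MetadataSecret selector`. The last hunk's extra `NotTo(HaveKeyWithValue(..., "metadata-secret-cell1"))` on cell0 is a good isolation check; a matching positive assertion that cell0 still holds no metadata key at all, or the global one if its metadata service is enabled, would make the intent explicit. The Describe block starts before these hunks and its body runs between them.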