From ce5a94ecb8b3d3deddf92e22e80d834b1b96e4b4 Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Thu, 11 Apr 2024 18:03:36 +0200 Subject: [PATCH 01/20] Optionally retrieve secrets from a seed Secret --- api/v1alpha1/common_types.go | 15 +++++++++-- api/v1alpha1/zz_generated.deepcopy.go | 20 ++++++++++++++ pkg/resource_builders/pod/environment.go | 11 ++++++-- pkg/resource_builders/pod/environment_test.go | 27 +++++++++++++++++++ 4 files changed, 69 insertions(+), 4 deletions(-) diff --git a/api/v1alpha1/common_types.go b/api/v1alpha1/common_types.go index d278aac5..a2093282 100644 --- a/api/v1alpha1/common_types.go +++ b/api/v1alpha1/common_types.go @@ -37,6 +37,8 @@ const ( // AnnotationsDomain is a common prefix for all "rollout triggering" // annotation keys AnnotationsDomain string = "saas.3scale.net" + // The name for the default seed Secret + DefaultSeedSecret string = "saas-seed" ) var ( @@ -567,6 +569,11 @@ type SecretReference struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // +optional Override *string `json:"override,omitempty"` + // FromSeed will try to retrieve the secret value from + // the default seed Secret. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +optional + FromSeed *SeedSecretReference `json:"fromSeed,omitempty"` } // VaultSecretReference is a reference to a secret stored in @@ -580,8 +587,12 @@ type VaultSecretReference struct { Key string `json:"key"` } -func (spec *VaultSecretReference) Default() { -} +func (spec *VaultSecretReference) Default() {} + +// SeedSecretReference represents options to +// retrieve the secret value from the default seed Secret. +// There are no configurable options at this point. +type SeedSecretReference struct{} // ExternalSecretSecretStoreReferenceSpec is a reference to a secret store type ExternalSecretSecretStoreReferenceSpec struct { diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index f2902046..cc0a2c2f 100644 
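Review bot: The comment added above the new `DefaultSeedSecret` constant does not begin with the identifier, so godoc and the linters will not treat it as the constant's doc comment; use `// DefaultSeedSecret is the name of the Secret that seed-backed SecretReferences are read from.` instead. It is also appended to a const block whose only other visible member is `AnnotationsDomain`, an unrelated annotation-key prefix, so a separate block (or at least the renamed comment) would make the grouping clearer.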
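Review bot: Neither the documentation nor any validation marker on the new `FromSeed` field says what happens when it is set together with `Override` or `FromVault` on the same `SecretReference`; the `AsSecretRef` change in this same patch only tests `FromSeed` to pick the Secret name, so a reference with both `FromVault` and `FromSeed` set would silently be resolved against the seed Secret. The precedence between the three sources is not visible in this chunk, but whichever it is should be stated on the field, e.g. `// FromSeed is mutually exclusive with FromVault. Override, when set, takes precedence over both.`, and ideally enforced by a validation marker or webhook that rejects more than one source. Without that, a misconfigured CR degrades to reading from a different secret store than the author intended rather than failing early.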
--- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2557,6 +2557,11 @@ func (in *SecretReference) DeepCopyInto(out *SecretReference) { *out = new(string) **out = **in } + if in.FromSeed != nil { + in, out := &in.FromSeed, &out.FromSeed + *out = new(SeedSecretReference) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretReference. @@ -2569,6 +2574,21 @@ func (in *SecretReference) DeepCopy() *SecretReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SeedSecretReference) DeepCopyInto(out *SeedSecretReference) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SeedSecretReference. +func (in *SeedSecretReference) DeepCopy() *SeedSecretReference { + if in == nil { + return nil + } + out := new(SeedSecretReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SegmentSpec) DeepCopyInto(out *SegmentSpec) { *out = *in diff --git a/pkg/resource_builders/pod/environment.go b/pkg/resource_builders/pod/environment.go index 92ab1bed..c9825e0c 100644 --- a/pkg/resource_builders/pod/environment.go +++ b/pkg/resource_builders/pod/environment.go @@ -28,8 +28,15 @@ type Option struct { set bool } -func (o *Option) IntoEnvvar(e string) *Option { o.envVariable = e; return o } -func (o *Option) AsSecretRef(s string) *Option { o.secretName = s; return o } +func (o *Option) IntoEnvvar(e string) *Option { o.envVariable = e; return o } +func (o *Option) AsSecretRef(s string) *Option { + if o.secretValue != nil && o.secretValue.FromSeed != nil { + o.secretName = saasv1alpha1.DefaultSeedSecret + } else { + o.secretName = s + } + return o +} func (o *Option) EmptyIf(empty bool) *Option { if empty { o.secretValue = nil 
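Review bot: `AsSecretRef` now silently discards the caller-supplied name `s` whenever `o.secretValue.FromSeed` is set, and because it reads `o.secretValue` the result depends on `Unpack` having been called first, which makes the builder order-sensitive without any comment saying so. A doc comment would make the contract explicit: `// AsSecretRef sets the Secret the value is read from. If the unpacked SecretReference has FromSeed set, the default seed Secret is used instead of s. Must be called after Unpack.`. The hunk does not set the key used in the seed case; the new test expects `Key: "envvar2"`, i.e. the env var name, which for a single shared seed Secret would collide wherever two components map different values to the same env var name (the `DATABASE_URL` lines in the second patch's generators look like such a case) — the `WithSeedKey` introduced in the second patch appears to address this, but its `environment.go` change is outside this chunk. `EmptyIf`'s body continues past the end of the hunk.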
diff --git a/pkg/resource_builders/pod/environment_test.go b/pkg/resource_builders/pod/environment_test.go index d8fda453..1820e326 100644 --- a/pkg/resource_builders/pod/environment_test.go +++ b/pkg/resource_builders/pod/environment_test.go @@ -236,6 +236,33 @@ func TestOptions_BuildEnvironment(t *testing.T) { Value: "100", }}, }, + { + name: "SecretReference from seed", + opts: func() *Options { + o := &Options{} + o.Unpack(saasv1alpha1.SecretReference{Override: util.Pointer("value1")}).IntoEnvvar("envvar1") + o.Unpack(saasv1alpha1.SecretReference{FromSeed: &saasv1alpha1.SeedSecretReference{}}).IntoEnvvar("envvar2").AsSecretRef("some-secret") + return o + }(), + args: args{extra: []corev1.EnvVar{}}, + want: []corev1.EnvVar{ + { + Name: "envvar1", + Value: "value1", + }, + { + Name: "envvar2", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: saasv1alpha1.DefaultSeedSecret, + }, + Key: "envvar2", + }, + }, + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From 4c739db4ff8dc1ec59744ef0140f25aaa165eef4 Mon Sep 17 00:00:00 2001 
From: Roi Vazquez Date: Fri, 12 Apr 2024 18:57:28 +0200 Subject: [PATCH 02/20] Optionally load secrets from a seed Secret --- .../crd/bases/saas.3scale.net_backends.yaml | 24 ++++ .../bases/saas.3scale.net_corsproxies.yaml | 4 + .../saas.3scale.net_mappingservices.yaml | 4 + config/crd/bases/saas.3scale.net_systems.yaml | 88 ++++++++++++++ config/crd/bases/saas.3scale.net_zyncs.yaml | 16 +++ pkg/generators/backend/config/cron_options.go | 9 +- .../backend/config/listener_options.go | 17 ++- pkg/generators/backend/config/types.go | 11 ++ .../backend/config/worker_options.go | 17 ++- pkg/generators/corsproxy/config/options.go | 13 ++- .../mappingservice/config/options.go | 13 ++- pkg/generators/seed/types.go | 43 +++++++ pkg/generators/system/config/options.go | 106 +++++++++++++---- pkg/generators/zync/config/api_options.go | 18 ++- pkg/generators/zync/config/que_options.go | 13 ++- pkg/generators/zync/config/types.go | 9 ++ pkg/resource_builders/pod/environment.go | 92 ++++++++------- pkg/resource_builders/pod/environment_test.go | 110 ++++++++++++------ pkg/resource_builders/pod/seed.go | 1 + 19 files changed, 489 insertions(+), 119 deletions(-) create mode 100644 pkg/generators/backend/config/types.go create mode 100644 pkg/generators/seed/types.go create mode 100644 pkg/generators/zync/config/types.go create mode 100644 pkg/resource_builders/pod/seed.go diff --git a/config/crd/bases/saas.3scale.net_backends.yaml b/config/crd/bases/saas.3scale.net_backends.yaml index ce5f2758..5aee1f62 100644 --- a/config/crd/bases/saas.3scale.net_backends.yaml +++ b/config/crd/bases/saas.3scale.net_backends.yaml @@ -42,6 +42,10 @@ spec: description: A reference to the secret holding the backend-error-monitoring key properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -65,6 +69,10 @@ spec: description: A reference to the secret holding the backend-error-monitoring service properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -107,6 +115,10 @@ spec: description: A reference to the secret holding the backend-internal-api password properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -130,6 +142,10 @@ spec: description: A reference to the secret holding the backend-internal-api user properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -166,6 +182,10 @@ spec: description: A reference to the secret holding the backend-system-events-hook password properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -189,6 +209,10 @@ spec: description: A reference to the secret holding the backend-system-events-hook URL properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault diff --git a/config/crd/bases/saas.3scale.net_corsproxies.yaml b/config/crd/bases/saas.3scale.net_corsproxies.yaml index 9b715376..bc1e95b2 100644 --- a/config/crd/bases/saas.3scale.net_corsproxies.yaml +++ b/config/crd/bases/saas.3scale.net_corsproxies.yaml 
@@ -60,6 +60,10 @@ spec: systemDatabaseDSN: description: System database connection string properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault diff --git a/config/crd/bases/saas.3scale.net_mappingservices.yaml b/config/crd/bases/saas.3scale.net_mappingservices.yaml index 570a80af..7cc52237 100644 --- a/config/crd/bases/saas.3scale.net_mappingservices.yaml +++ b/config/crd/bases/saas.3scale.net_mappingservices.yaml @@ -70,6 +70,10 @@ spec: description: A reference to the secret holding the system admin token properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault diff --git a/config/crd/bases/saas.3scale.net_systems.yaml b/config/crd/bases/saas.3scale.net_systems.yaml index 09b5dea7..d839d2db 100644 --- a/config/crd/bases/saas.3scale.net_systems.yaml +++ b/config/crd/bases/saas.3scale.net_systems.yaml @@ -657,6 +657,10 @@ spec: accessCode: description: AccessCode to protect admin urls properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -683,6 +687,10 @@ spec: accessKey: description: AWS access key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -714,6 +722,10 @@ spec: secretKey: description: AWS secret access key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -749,6 +761,10 @@ spec: internalAPIPassword: description: Internal API password properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -771,6 +787,10 @@ spec: internalAPIUser: description: Internal API user properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -809,6 +829,10 @@ spec: apiKey: description: API key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -841,6 +865,10 @@ spec: databaseDSN: description: DSN of system's main database properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -864,6 +892,10 @@ spec: description: DatabaseSecret is a site key stored off-database for improved more secure password hashing See https://github.com/3scale/porta/blob/ae498814cef3d856613f60d29330882fa870271d/config/initializers/site_keys.rb#L2-L19 properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -887,6 +919,10 @@ spec: description: EventsSharedSecret is a password that protects System's event hooks endpoint. properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -934,6 +970,10 @@ spec: clientID: description: Client ID properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -956,6 +996,10 @@ spec: clientSecret: description: Client secret properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -982,6 +1026,10 @@ spec: mappingServiceAccessToken: description: Mapping Service access token properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -1031,6 +1079,10 @@ spec: privateKey: description: Private key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1053,6 +1105,10 @@ spec: publicKey: description: Public key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1082,6 +1138,10 @@ spec: clientID: description: Client ID properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1104,6 +1164,10 @@ spec: clientSecret: description: Client secret properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1161,6 +1225,10 @@ spec: description: 'SecretKeyBase: https://api.rubyonrails.org/classes/Rails/Application.html#method-i-secret_key_base You can generate one random key using ''bundle exec rake secret''' properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1186,6 +1254,10 @@ spec: deletionToken: description: Deletion token properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -1211,6 +1283,10 @@ spec: writeKey: description: Write key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1250,6 +1326,10 @@ spec: password: description: Password properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1282,6 +1362,10 @@ spec: user: description: User properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1325,6 +1409,10 @@ spec: authToken: description: Zync authentication token properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault diff --git a/config/crd/bases/saas.3scale.net_zyncs.yaml b/config/crd/bases/saas.3scale.net_zyncs.yaml index e318297d..f2e62521 100644 --- a/config/crd/bases/saas.3scale.net_zyncs.yaml +++ b/config/crd/bases/saas.3scale.net_zyncs.yaml @@ -579,6 +579,10 @@ spec: apiKey: description: API key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -607,6 +611,10 @@ spec: databaseDSN: description: A reference to the secret holding the database DSN properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -670,6 +678,10 @@ spec: secretKeyBase: description: A reference to the secret holding the secret-key-base properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -693,6 +705,10 @@ spec: description: A reference to the secret holding the zync authentication token properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault diff --git a/pkg/generators/backend/config/cron_options.go b/pkg/generators/backend/config/cron_options.go index cf724805..86bbbd34 100644 --- a/pkg/generators/backend/config/cron_options.go +++ b/pkg/generators/backend/config/cron_options.go @@ -2,6 +2,7 @@ package config import ( saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" + "github.com/3scale-ops/saas-operator/pkg/generators/seed" "github.com/3scale-ops/saas-operator/pkg/resource_builders/pod" ) 
@@ -16,8 +17,12 @@ func NewCronOptions(spec saasv1alpha1.BackendSpec) pod.Options { opts.Unpack(spec.Config.RedisQueuesDSN).IntoEnvvar("CONFIG_QUEUES_MASTER_NAME") opts.Unpack("").IntoEnvvar("CONFIG_QUEUES_SENTINEL_HOSTS") opts.Unpack("").IntoEnvvar("CONFIG_QUEUES_SENTINEL_ROLE") - opts.Unpack(spec.Config.ErrorMonitoringService).IntoEnvvar("CONFIG_HOPTOAD_SERVICE").AsSecretRef("backend-error-monitoring") - opts.Unpack(spec.Config.ErrorMonitoringKey).IntoEnvvar("CONFIG_HOPTOAD_API_KEY").AsSecretRef("backend-error-monitoring") + opts.Unpack(spec.Config.ErrorMonitoringService).IntoEnvvar("CONFIG_HOPTOAD_SERVICE"). + AsSecretRef(BackendErrorMonitoringSecret). + WithSeedKey(seed.BackendErrorMonitoringService) + opts.Unpack(spec.Config.ErrorMonitoringKey).IntoEnvvar("CONFIG_HOPTOAD_API_KEY"). + AsSecretRef(BackendErrorMonitoringSecret). + WithSeedKey(seed.BackendErrorMonitoringApiKey) return opts } diff --git a/pkg/generators/backend/config/listener_options.go b/pkg/generators/backend/config/listener_options.go index 834b04bb..6a195ca4 100644 --- a/pkg/generators/backend/config/listener_options.go +++ b/pkg/generators/backend/config/listener_options.go @@ -2,6 +2,7 @@ package config import ( saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" + "github.com/3scale-ops/saas-operator/pkg/generators/seed" "github.com/3scale-ops/saas-operator/pkg/resource_builders/pod" ) 
@@ -22,10 +23,18 @@ func NewListenerOptions(spec saasv1alpha1.BackendSpec) pod.Options { opts.Unpack(spec.Listener.Config.ListenerWorkers).IntoEnvvar("LISTENER_WORKERS") opts.Unpack(spec.Listener.Config.LegacyReferrerFilters).IntoEnvvar("CONFIG_LEGACY_REFERRER_FILTERS") opts.Unpack("true").IntoEnvvar("CONFIG_LISTENER_PROMETHEUS_METRICS_ENABLED") - opts.Unpack(spec.Config.InternalAPIUser).IntoEnvvar("CONFIG_INTERNAL_API_USER").AsSecretRef("backend-internal-api") - opts.Unpack(spec.Config.InternalAPIPassword).IntoEnvvar("CONFIG_INTERNAL_API_PASSWORD").AsSecretRef("backend-internal-api") - opts.Unpack(spec.Config.ErrorMonitoringService).IntoEnvvar("CONFIG_HOPTOAD_SERVICE").AsSecretRef("backend-error-monitoring") - opts.Unpack(spec.Config.ErrorMonitoringKey).IntoEnvvar("CONFIG_HOPTOAD_API_KEY").AsSecretRef("backend-error-monitoring") + opts.Unpack(spec.Config.InternalAPIUser).IntoEnvvar("CONFIG_INTERNAL_API_USER"). + AsSecretRef(BackendInternalApiSecret). + WithSeedKey(seed.BackendInternalApiUser) + opts.Unpack(spec.Config.InternalAPIPassword).IntoEnvvar("CONFIG_INTERNAL_API_PASSWORD"). + AsSecretRef(BackendInternalApiSecret). + WithSeedKey(seed.BackendInternalApiPassword) + opts.Unpack(spec.Config.ErrorMonitoringService).IntoEnvvar("CONFIG_HOPTOAD_SERVICE"). + AsSecretRef(BackendErrorMonitoringSecret). + WithSeedKey(seed.BackendErrorMonitoringService) + opts.Unpack(spec.Config.ErrorMonitoringKey).IntoEnvvar("CONFIG_HOPTOAD_API_KEY"). + AsSecretRef(BackendErrorMonitoringSecret). + WithSeedKey(seed.BackendErrorMonitoringApiKey) return opts } diff --git a/pkg/generators/backend/config/types.go b/pkg/generators/backend/config/types.go new file mode 100644 index 00000000..007769cf --- /dev/null +++ b/pkg/generators/backend/config/types.go 
@@ -0,0 +1,11 @@ +package config + +type Secret string + +func (s Secret) String() string { return string(s) } + +const ( + BackendInternalApiSecret Secret = "backend-internal-api" + BackendErrorMonitoringSecret Secret = "backend-error-monitoring" + BackendSystemEventsSecret Secret = "backend-system-events-hook" +) diff --git a/pkg/generators/backend/config/worker_options.go b/pkg/generators/backend/config/worker_options.go index 1a49bec6..f211eaa2 100644 --- a/pkg/generators/backend/config/worker_options.go +++ b/pkg/generators/backend/config/worker_options.go @@ -2,6 +2,7 @@ package config import ( saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" + "github.com/3scale-ops/saas-operator/pkg/generators/seed" "github.com/3scale-ops/saas-operator/pkg/resource_builders/pod" ) 
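Review bot: `type Secret string` with an identical one-line `String()` method is declared here and again in `corsproxy/config/options.go`, `mappingservice/config/options.go` and `system/config/options.go` within this same patch; four copies of the same type are a maintenance cost and, being distinct named types, none of them can be passed to a helper typed on another. Declaring it once next to `SeedKey` in `pkg/generators/seed`, or in `pkg/resource_builders/pod` where `AsSecretRef` consumes it, and importing it would remove the duplicates. The exported constants also lack doc comments and use `Api` where the rest of the API types use the `API` initialism (`InternalAPIUser`, `InternalAPIPassword`); `// BackendInternalAPISecret is the name of the Secret holding the backend internal API credentials.` covers both for the first one.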
@@ -21,10 +22,18 @@ func NewWorkerOptions(spec saasv1alpha1.BackendSpec) pod.Options { opts.Unpack(spec.Worker.Config.LogFormat).IntoEnvvar("CONFIG_WORKERS_LOGGER_FORMATTER") opts.Unpack("true").IntoEnvvar("CONFIG_WORKER_PROMETHEUS_METRICS_ENABLED") opts.Unpack("9421").IntoEnvvar("CONFIG_WORKER_PROMETHEUS_METRICS_PORT") - opts.Unpack(spec.Config.SystemEventsHookURL).IntoEnvvar("CONFIG_EVENTS_HOOK").AsSecretRef("backend-system-events-hook") - opts.Unpack(spec.Config.SystemEventsHookPassword).IntoEnvvar("CONFIG_EVENTS_HOOK_SHARED_SECRET").AsSecretRef("backend-system-events-hook") - opts.Unpack(spec.Config.ErrorMonitoringService).IntoEnvvar("CONFIG_HOPTOAD_SERVICE").AsSecretRef("backend-error-monitoring") - opts.Unpack(spec.Config.ErrorMonitoringKey).IntoEnvvar("CONFIG_HOPTOAD_API_KEY").AsSecretRef("backend-error-monitoring") + opts.Unpack(spec.Config.SystemEventsHookURL).IntoEnvvar("CONFIG_EVENTS_HOOK"). + AsSecretRef(BackendSystemEventsSecret). + WithSeedKey(seed.SystemEventsHookURL) + opts.Unpack(spec.Config.SystemEventsHookPassword).IntoEnvvar("CONFIG_EVENTS_HOOK_SHARED_SECRET"). + AsSecretRef(BackendSystemEventsSecret). + WithSeedKey(seed.SystemEventsHookSharedSecret) + opts.Unpack(spec.Config.ErrorMonitoringService).IntoEnvvar("CONFIG_HOPTOAD_SERVICE"). + AsSecretRef(BackendErrorMonitoringSecret). + WithSeedKey(seed.BackendErrorMonitoringService) + opts.Unpack(spec.Config.ErrorMonitoringKey).IntoEnvvar("CONFIG_HOPTOAD_API_KEY"). + AsSecretRef(BackendErrorMonitoringSecret). + WithSeedKey(seed.BackendErrorMonitoringApiKey) return opts } diff --git a/pkg/generators/corsproxy/config/options.go b/pkg/generators/corsproxy/config/options.go index ac5aaee0..f8733f04 100644 --- a/pkg/generators/corsproxy/config/options.go +++ b/pkg/generators/corsproxy/config/options.go 
@@ -2,12 +2,23 @@ package config import ( saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" + "github.com/3scale-ops/saas-operator/pkg/generators/seed" "github.com/3scale-ops/saas-operator/pkg/resource_builders/pod" ) +type Secret string + +func (s Secret) String() string { return string(s) } + +const ( + CorsProxySystemDatabaseSecret Secret = "cors-proxy-system-database" +) + // NewOptions returns cors-proxy options the given saasv1alpha1.CORSProxySpec func NewOptions(spec saasv1alpha1.CORSProxySpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.SystemDatabaseDSN).IntoEnvvar("DATABASE_URL").AsSecretRef("cors-proxy-system-database") + opts.Unpack(spec.Config.SystemDatabaseDSN).IntoEnvvar("DATABASE_URL"). + AsSecretRef(CorsProxySystemDatabaseSecret). + WithSeedKey(seed.SystemDatabaseDsn) return opts } diff --git a/pkg/generators/mappingservice/config/options.go b/pkg/generators/mappingservice/config/options.go index 17bc90b1..6abeadb8 100644 --- a/pkg/generators/mappingservice/config/options.go +++ b/pkg/generators/mappingservice/config/options.go 
@@ -2,14 +2,25 @@ package config import ( saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" + "github.com/3scale-ops/saas-operator/pkg/generators/seed" "github.com/3scale-ops/saas-operator/pkg/resource_builders/pod" ) +type Secret string + +func (s Secret) String() string { return string(s) } + +const ( + MappingServiceSystemMasterAccessTokenSecret Secret = "mapping-service-system-master-access-token" +) + // NewOptions returns mapping-service options for the given saasv1alpha1.CORSProxySpec func NewOptions(spec saasv1alpha1.MappingServiceSpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.SystemAdminToken).IntoEnvvar("MASTER_ACCESS_TOKEN").AsSecretRef("mapping-service-system-master-access-token") + opts.Unpack(spec.Config.SystemAdminToken).IntoEnvvar("MASTER_ACCESS_TOKEN"). + AsSecretRef(MappingServiceSystemMasterAccessTokenSecret). + WithSeedKey(seed.SystemMasterAccessToken) opts.Unpack(spec.Config.APIHost).IntoEnvvar("API_HOST") opts.Unpack("lazy").IntoEnvvar("APICAST_CONFIGURATION_LOADER") opts.Unpack(spec.Config.LogLevel).IntoEnvvar("APICAST_LOG_LEVEL") diff --git a/pkg/generators/seed/types.go b/pkg/generators/seed/types.go new file mode 100644 index 00000000..b212bb30 --- /dev/null +++ b/pkg/generators/seed/types.go 
@@ -0,0 +1,43 @@ +package seed + +type SeedKey string + +func (s SeedKey) String() string { return string(s) } + +const ( + // Backend + BackendInternalApiUser SeedKey = "backend-internal-api-user" + BackendInternalApiPassword SeedKey = "backend-internal-api-password" + BackendErrorMonitoringService SeedKey = "backend-error-monitoring-service" + BackendErrorMonitoringApiKey SeedKey = "backend-error-monitoring-api-key" + // System + SystemDatabaseDsn SeedKey = "system-database-dsn" + SystemRecaptchaPublicKey SeedKey = "system-recaptcha-public-key" + SystemRecaptchaPrivateKey SeedKey = "system-recaptcha-private-key" + SystemEventsHookURL SeedKey = "system-events-url" // this shouldn't be a secret + SystemEventsHookSharedSecret SeedKey = "system-events-shared-secret" + SystemSmtpUser SeedKey = "system-smpt-user" + SystemSmtpPassword SeedKey = "system-smpt-password" + SystemMasterAccessToken SeedKey = "system-master-access-token" + SystemAssetsS3AwsAccessKey SeedKey = "system-assets-s3-aws-access-key" + SystemAssetsS3AwsSecretKey SeedKey = "system-assets-s3-aws-secret-key" + SystemSecretKeyBase SeedKey = "system-secret-key-base" + SystemAccessCode SeedKey = "system-access-code" + SystemSegmentDeletionToken SeedKey = "system-segment-deletion-token" + SystemSegmentDeletionWorkspace SeedKey = "system-segment-deletion-workspace" + SystemSegmentWriteKey SeedKey = "system-segment-write-key" + SystemGithubClientId SeedKey = "system-github-client-id" + SystemGithubClientSecret SeedKey = "system-github-client-secret" + SystemRHCustomerPortalClientId SeedKey = "system-rh-customer-portal-client-id" + SystemRHCustomerPortalClientSecret SeedKey = "system-rh-customer-portal-client-secret" + SystemRHCustomerPortalRealm SeedKey = "system-rh-customer-portal-realm" + SystemBugsnagApiKey SeedKey = "system-bugsnag-api-key" + SystemBugsnagReleaseStage SeedKey = "system-bugsnag-release-stage" + SystemDatabaseSecret SeedKey = "system-database-secret" + + // Zync + ZyncDatabaseUrl SeedKey = 
"zync-database-url" + ZyncSecretKeyBase SeedKey = "zync-secret-key-base" + ZyncAuthToken SeedKey = "zync-auth-token" + ZyncBugsnagApiKey SeedKey = "zync-bugsnag-api-key" +) diff --git a/pkg/generators/system/config/options.go b/pkg/generators/system/config/options.go index 024f6de8..7dd10137 100644 --- a/pkg/generators/system/config/options.go +++ b/pkg/generators/system/config/options.go @@ -2,9 +2,26 @@ package config import ( saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" + "github.com/3scale-ops/saas-operator/pkg/generators/seed" "github.com/3scale-ops/saas-operator/pkg/resource_builders/pod" ) +type Secret string + +func (s Secret) String() string { return string(s) } + +const ( + SystemDatabaseSecret Secret = "system-database" + SystemRecaptchaSecret Secret = "system-recaptcha" + SystemEventsHookSecret Secret = "system-events-hook" + SystemSmptSecret Secret = "system-smtp" + SystemMasterApicastSecret Secret = "system-master-apicast" + SystemZyncSecret Secret = "system-zync" + SystemBackendSecret Secret = "system-backend" + SystemMultitenantAssetsS3Secret Secret = "system-multitenant-assets-s3" + SystemAppSecret Secret = "system-app" +) + func NewOptions(spec saasv1alpha1.SystemSpec) pod.Options { opts := pod.Options{} 
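Review bot: The values of `SystemSmtpUser` and `SystemSmtpPassword` are `"system-smpt-user"` and `"system-smpt-password"` — "smpt" is a typo of "smtp". These strings are the key names looked up in the seed Secret, so once operators populate seed Secrets against them the typo becomes part of the contract and can only be fixed with a key migration; change them now to `SystemSmtpUser SeedKey = "system-smtp-user"` and `SystemSmtpPassword SeedKey = "system-smtp-password"`. The `SystemEventsHookURL` entry carries a `// this shouldn't be a secret` aside; if the URL is kept in the seed Secret only because it lives in the same `system-events-hook` Secret as the shared secret, say so in the comment so it is not mistaken for sensitive data later.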
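Review bot: The identifier `SystemSmptSecret` misspells SMTP (its value `"system-smtp"` is correct), and since it is referenced from the `SMTP_USER_NAME` and `SMTP_PASSWORD` lines later in this file, renaming it to `SystemSmtpSecret` is a three-site change best done before anything else imports it. The new exported constants also have no doc comments; `// SystemDatabaseSecret is the name of the Secret holding the system database DSN.` for the first one sets the pattern.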
@@ -22,14 +39,14 @@ func NewOptions(spec saasv1alpha1.SystemSpec) pod.Options { opts.Unpack(spec.Config.SearchServer.Port).IntoEnvvar("THINKING_SPHINX_PORT") opts.Unpack(spec.Config.SearchServer.BatchSize).IntoEnvvar("THINKING_SPHINX_BATCH_SIZE") - opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL").AsSecretRef("system-database") + opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL").AsSecretRef(SystemDatabaseSecret).WithSeedKey(seed.SystemDatabaseDsn) opts.Unpack(spec.Config.MemcachedServers).IntoEnvvar("MEMCACHE_SERVERS") - opts.Unpack(spec.Config.Recaptcha.PublicKey).IntoEnvvar("RECAPTCHA_PUBLIC_KEY").AsSecretRef("system-recaptcha") - opts.Unpack(spec.Config.Recaptcha.PrivateKey).IntoEnvvar("RECAPTCHA_PRIVATE_KEY").AsSecretRef("system-recaptcha") + opts.Unpack(spec.Config.Recaptcha.PublicKey).IntoEnvvar("RECAPTCHA_PUBLIC_KEY").AsSecretRef(SystemRecaptchaSecret).WithSeedKey(seed.SystemRecaptchaPublicKey) + opts.Unpack(spec.Config.Recaptcha.PrivateKey).IntoEnvvar("RECAPTCHA_PRIVATE_KEY").AsSecretRef(SystemRecaptchaSecret).WithSeedKey(seed.SystemRecaptchaPrivateKey) - opts.Unpack(spec.Config.EventsSharedSecret).IntoEnvvar("EVENTS_SHARED_SECRET").AsSecretRef("system-events-hook") + opts.Unpack(spec.Config.EventsSharedSecret).IntoEnvvar("EVENTS_SHARED_SECRET").AsSecretRef(SystemEventsHookSecret).WithSeedKey(seed.SystemEventsHookSharedSecret) opts.Unpack(spec.Config.Redis.QueuesDSN).IntoEnvvar("REDIS_URL") opts.Unpack("").IntoEnvvar("REDIS_NAMESPACE") 
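Review bot: The four rewritten lines in this hunk keep `.AsSecretRef(...).WithSeedKey(...)` on one very long line, while the next hunk of the same function and every other generator touched by this patch wrap the chain one call per line; mixing both forms inside `NewOptions` makes the secret-to-seed-key mapping harder to scan. Wrap these the same way, e.g. `opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL").` / `AsSecretRef(SystemDatabaseSecret).` / `WithSeedKey(seed.SystemDatabaseDsn)`. `NewOptions` starts in the previous hunk and continues past this one.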
@@ -37,46 +54,85 @@ func NewOptions(spec saasv1alpha1.SystemSpec) pod.Options { opts.Unpack("").IntoEnvvar("REDIS_SENTINEL_ROLE") opts.Unpack(spec.Config.SMTP.Address).IntoEnvvar("SMTP_ADDRESS") - opts.Unpack(spec.Config.SMTP.User).IntoEnvvar("SMTP_USER_NAME").AsSecretRef("system-smtp") - opts.Unpack(spec.Config.SMTP.Password).IntoEnvvar("SMTP_PASSWORD").AsSecretRef("system-smtp") + opts.Unpack(spec.Config.SMTP.User).IntoEnvvar("SMTP_USER_NAME"). + AsSecretRef(SystemSmptSecret). + WithSeedKey(seed.SystemSmtpUser) + opts.Unpack(spec.Config.SMTP.Password).IntoEnvvar("SMTP_PASSWORD"). + AsSecretRef(SystemSmptSecret). + WithSeedKey(seed.SystemSmtpPassword) opts.Unpack(spec.Config.SMTP.Port).IntoEnvvar("SMTP_PORT") opts.Unpack(spec.Config.SMTP.AuthProtocol).IntoEnvvar("SMTP_AUTHENTICATION") opts.Unpack(spec.Config.SMTP.OpenSSLVerifyMode).IntoEnvvar("SMTP_OPENSSL_VERIFY_MODE") opts.Unpack(spec.Config.SMTP.STARTTLS).IntoEnvvar("SMTP_STARTTLS") opts.Unpack(spec.Config.SMTP.STARTTLSAuto).IntoEnvvar("SMTP_STARTTLS_AUTO") - opts.Unpack(spec.Config.MappingServiceAccessToken).IntoEnvvar("APICAST_ACCESS_TOKEN").AsSecretRef("system-master-apicast") + opts.Unpack(spec.Config.MappingServiceAccessToken).IntoEnvvar("APICAST_ACCESS_TOKEN"). + AsSecretRef(SystemMasterApicastSecret). + WithSeedKey(seed.SystemMasterAccessToken) opts.Unpack(spec.Config.Zync.Endpoint).IntoEnvvar("ZYNC_ENDPOINT") - opts.Unpack(spec.Config.Zync.AuthToken).IntoEnvvar("ZYNC_AUTHENTICATION_TOKEN").AsSecretRef("system-zync") + opts.Unpack(spec.Config.Zync.AuthToken).IntoEnvvar("ZYNC_AUTHENTICATION_TOKEN"). + AsSecretRef(SystemZyncSecret). 
+ WithSeedKey(seed.ZyncAuthToken) opts.Unpack(spec.Config.Backend.RedisDSN).IntoEnvvar("BACKEND_REDIS_URL") opts.Unpack("").IntoEnvvar("BACKEND_REDIS_SENTINEL_HOSTS") opts.Unpack("").IntoEnvvar("BACKEND_REDIS_SENTINEL_ROLE") opts.Unpack(spec.Config.Backend.InternalEndpoint).IntoEnvvar("BACKEND_URL") opts.Unpack(spec.Config.Backend.ExternalEndpoint).IntoEnvvar("BACKEND_PUBLIC_URL") - opts.Unpack(spec.Config.Backend.InternalAPIUser).IntoEnvvar("CONFIG_INTERNAL_API_USER").AsSecretRef("system-backend") - opts.Unpack(spec.Config.Backend.InternalAPIPassword).IntoEnvvar("CONFIG_INTERNAL_API_PASSWORD").AsSecretRef("system-backend") - - opts.Unpack(spec.Config.Assets.AccessKey).IntoEnvvar("AWS_ACCESS_KEY_ID").AsSecretRef("system-multitenant-assets-s3") - opts.Unpack(spec.Config.Assets.SecretKey).IntoEnvvar("AWS_SECRET_ACCESS_KEY").AsSecretRef("system-multitenant-assets-s3") + opts.Unpack(spec.Config.Backend.InternalAPIUser).IntoEnvvar("CONFIG_INTERNAL_API_USER"). + AsSecretRef(SystemBackendSecret). + WithSeedKey(seed.BackendInternalApiUser) + opts.Unpack(spec.Config.Backend.InternalAPIPassword).IntoEnvvar("CONFIG_INTERNAL_API_PASSWORD"). + AsSecretRef(SystemBackendSecret). + WithSeedKey(seed.BackendInternalApiPassword) + + opts.Unpack(spec.Config.Assets.AccessKey).IntoEnvvar("AWS_ACCESS_KEY_ID"). + AsSecretRef(SystemMultitenantAssetsS3Secret). + WithSeedKey(seed.SystemAssetsS3AwsAccessKey) + opts.Unpack(spec.Config.Assets.SecretKey).IntoEnvvar("AWS_SECRET_ACCESS_KEY"). + AsSecretRef(SystemMultitenantAssetsS3Secret). 
+ WithSeedKey(seed.SystemAssetsS3AwsSecretKey) opts.Unpack(spec.Config.Assets.Bucket).IntoEnvvar("AWS_BUCKET") opts.Unpack(spec.Config.Assets.Region).IntoEnvvar("AWS_REGION") opts.Unpack(spec.Config.Assets.Host).IntoEnvvar("RAILS_ASSET_HOST") - opts.Unpack(spec.Config.SecretKeyBase).IntoEnvvar("SECRET_KEY_BASE").AsSecretRef("system-app") - opts.Unpack(spec.Config.AccessCode).IntoEnvvar("ACCESS_CODE").AsSecretRef("system-app") - opts.Unpack(spec.Config.Segment.DeletionToken).IntoEnvvar("SEGMENT_DELETION_TOKEN").AsSecretRef("system-app") - opts.Unpack(spec.Config.Segment.DeletionWorkspace).IntoEnvvar("SEGMENT_DELETION_WORKSPACE") - opts.Unpack(spec.Config.Segment.WriteKey).IntoEnvvar("SEGMENT_WRITE_KEY").AsSecretRef("system-app") - opts.Unpack(spec.Config.Github.ClientID).IntoEnvvar("GITHUB_CLIENT_ID").AsSecretRef("system-app") - opts.Unpack(spec.Config.Github.ClientSecret).IntoEnvvar("GITHUB_CLIENT_SECRET").AsSecretRef("system-app") - opts.Unpack(spec.Config.RedHatCustomerPortal.ClientID).IntoEnvvar("RH_CUSTOMER_PORTAL_CLIENT_ID").AsSecretRef("system-app") - opts.Unpack(spec.Config.RedHatCustomerPortal.ClientSecret).IntoEnvvar("RH_CUSTOMER_PORTAL_CLIENT_SECRET").AsSecretRef("system-app") - opts.Unpack(spec.Config.RedHatCustomerPortal.Realm).IntoEnvvar("RH_CUSTOMER_PORTAL_REALM") - opts.Unpack(spec.Config.Bugsnag.APIKey).IntoEnvvar("BUGSNAG_API_KEY").AsSecretRef("system-app").EmptyIf(!spec.Config.Bugsnag.Enabled()) + opts.Unpack(spec.Config.SecretKeyBase).IntoEnvvar("SECRET_KEY_BASE"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemSecretKeyBase) + opts.Unpack(spec.Config.AccessCode).IntoEnvvar("ACCESS_CODE"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemAccessCode) + opts.Unpack(spec.Config.Segment.DeletionToken).IntoEnvvar("SEGMENT_DELETION_TOKEN"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemSegmentDeletionToken) + opts.Unpack(spec.Config.Segment.DeletionWorkspace).IntoEnvvar("SEGMENT_DELETION_WORKSPACE"). 
+ WithSeedKey(seed.SystemSegmentDeletionWorkspace) + opts.Unpack(spec.Config.Segment.WriteKey).IntoEnvvar("SEGMENT_WRITE_KEY"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemSegmentWriteKey) + opts.Unpack(spec.Config.Github.ClientID).IntoEnvvar("GITHUB_CLIENT_ID"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemGithubClientId) + opts.Unpack(spec.Config.Github.ClientSecret).IntoEnvvar("GITHUB_CLIENT_SECRET"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemGithubClientSecret) + opts.Unpack(spec.Config.RedHatCustomerPortal.ClientID).IntoEnvvar("RH_CUSTOMER_PORTAL_CLIENT_ID"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemRHCustomerPortalClientId) + opts.Unpack(spec.Config.RedHatCustomerPortal.ClientSecret).IntoEnvvar("RH_CUSTOMER_PORTAL_CLIENT_SECRET"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemRHCustomerPortalClientSecret) + opts.Unpack(spec.Config.RedHatCustomerPortal.Realm).IntoEnvvar("RH_CUSTOMER_PORTAL_REALM"). + WithSeedKey(seed.SystemRHCustomerPortalRealm) + opts.Unpack(spec.Config.Bugsnag.APIKey).IntoEnvvar("BUGSNAG_API_KEY"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemBugsnagApiKey). + EmptyIf(!spec.Config.Bugsnag.Enabled()) opts.Unpack(spec.Config.Bugsnag.ReleaseStage).IntoEnvvar("BUGSNAG_RELEASE_STAGE") - opts.Unpack(spec.Config.DatabaseSecret).IntoEnvvar("DB_SECRET").AsSecretRef("system-app") + opts.Unpack(spec.Config.DatabaseSecret).IntoEnvvar("DB_SECRET"). + AsSecretRef(SystemAppSecret). + WithSeedKey(seed.SystemDatabaseSecret) return opts } diff --git a/pkg/generators/zync/config/api_options.go b/pkg/generators/zync/config/api_options.go index 6eb853bd..d68befbb 100644 --- a/pkg/generators/zync/config/api_options.go +++ b/pkg/generators/zync/config/api_options.go 
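Review bot: `SEGMENT_DELETION_WORKSPACE` and `RH_CUSTOMER_PORTAL_REALM` get a `WithSeedKey` without an `AsSecretRef`, unlike every other seeded option in this hunk. If those spec fields are plain strings rather than `SecretReference` values (they carried no `AsSecretRef` before this change), `Unpack` leaves `secretRef` nil and `WithSeedKey` is a no-op, so the calls are dead; if they are secrets, they never produce a Secret or ExternalSecret when not seeded. A comment stating which is intended would help, e.g. `// plain value: WithSeedKey only applies when the spec field is a SecretReference with FromSeed set`. The hunk begins on an earlier line and the body of `NewOptions` starts outside it.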
@@ -2,6 +2,7 @@ package config import ( saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" + "github.com/3scale-ops/saas-operator/pkg/generators/seed" "github.com/3scale-ops/saas-operator/pkg/resource_builders/pod" ) @@ -13,10 +14,19 @@ func NewAPIOptions(spec saasv1alpha1.ZyncSpec) pod.Options { opts.Unpack(spec.Config.Rails.LogLevel).IntoEnvvar("RAILS_LOG_LEVEL") opts.Unpack("true").IntoEnvvar("RAILS_LOG_TO_STDOUT") opts.Unpack(spec.Config.Rails.MaxThreads).IntoEnvvar("RAILS_MAX_THREADS") - opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL").AsSecretRef("zync") - opts.Unpack(spec.Config.SecretKeyBase).IntoEnvvar("SECRET_KEY_BASE").AsSecretRef("zync") - opts.Unpack(spec.Config.ZyncAuthToken).IntoEnvvar("ZYNC_AUTHENTICATION_TOKEN").AsSecretRef("zync") - opts.Unpack(spec.Config.Bugsnag.APIKey).IntoEnvvar("BUGSNAG_API_KEY").AsSecretRef("zync").EmptyIf(!spec.Config.Bugsnag.Enabled()) + opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL"). + AsSecretRef(ZyncSecret). + WithSeedKey(seed.ZyncDatabaseUrl) + opts.Unpack(spec.Config.SecretKeyBase).IntoEnvvar("SECRET_KEY_BASE"). + AsSecretRef(ZyncSecret). + WithSeedKey(seed.ZyncSecretKeyBase) + opts.Unpack(spec.Config.ZyncAuthToken).IntoEnvvar("ZYNC_AUTHENTICATION_TOKEN"). + AsSecretRef(ZyncSecret). + WithSeedKey(seed.ZyncAuthToken) + opts.Unpack(spec.Config.Bugsnag.APIKey).IntoEnvvar("BUGSNAG_API_KEY"). + AsSecretRef(ZyncSecret). + WithSeedKey(seed.ZyncBugsnagApiKey). + EmptyIf(!spec.Config.Bugsnag.Enabled()) opts.Unpack(spec.Config.Bugsnag.ReleaseStage).IntoEnvvar("BUGSNAG_RELEASE_STAGE") return opts diff --git a/pkg/generators/zync/config/que_options.go b/pkg/generators/zync/config/que_options.go index 85648f4b..91b42d81 100644 --- a/pkg/generators/zync/config/que_options.go +++ b/pkg/generators/zync/config/que_options.go 
@@ -12,10 +12,15 @@ func NewQueOptions(spec saasv1alpha1.ZyncSpec) pod.Options { opts.Unpack(spec.Config.Rails.Environment).IntoEnvvar("RAILS_ENV") opts.Unpack(spec.Config.Rails.LogLevel).IntoEnvvar("RAILS_LOG_LEVEL") opts.Unpack("true").IntoEnvvar("RAILS_LOG_TO_STDOUT") - opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL").AsSecretRef("zync") - opts.Unpack(spec.Config.SecretKeyBase).IntoEnvvar("SECRET_KEY_BASE").AsSecretRef("zync") - opts.Unpack(spec.Config.ZyncAuthToken).IntoEnvvar("ZYNC_AUTHENTICATION_TOKEN").AsSecretRef("zync") - opts.Unpack(spec.Config.Bugsnag.APIKey).IntoEnvvar("BUGSNAG_API_KEY").AsSecretRef("zync").EmptyIf(!spec.Config.Bugsnag.Enabled()) + opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL"). + AsSecretRef(ZyncSecret) + opts.Unpack(spec.Config.SecretKeyBase).IntoEnvvar("SECRET_KEY_BASE"). + AsSecretRef(ZyncSecret) + opts.Unpack(spec.Config.ZyncAuthToken).IntoEnvvar("ZYNC_AUTHENTICATION_TOKEN"). + AsSecretRef(ZyncSecret) + opts.Unpack(spec.Config.Bugsnag.APIKey).IntoEnvvar("BUGSNAG_API_KEY"). + AsSecretRef(ZyncSecret). + EmptyIf(!spec.Config.Bugsnag.Enabled()) opts.Unpack(spec.Config.Bugsnag.ReleaseStage).IntoEnvvar("BUGSNAG_RELEASE_STAGE") return opts diff --git a/pkg/generators/zync/config/types.go b/pkg/generators/zync/config/types.go new file mode 100644 index 00000000..113c3e94 --- /dev/null +++ b/pkg/generators/zync/config/types.go @@ -0,0 +1,9 @@ +package config + +type Secret string + +func (s Secret) String() string { return string(s) } + +const ( + ZyncSecret Secret = "zync" +) diff --git a/pkg/resource_builders/pod/environment.go b/pkg/resource_builders/pod/environment.go index c9825e0c..4d02642d 100644 --- a/pkg/resource_builders/pod/environment.go +++ b/pkg/resource_builders/pod/environment.go 
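Review bot: `DATABASE_URL`, `SECRET_KEY_BASE` and `ZYNC_AUTHENTICATION_TOKEN` in `NewQueOptions` keep `AsSecretRef(ZyncSecret)` but get no `WithSeedKey`, while the same three fields of the same `ZyncSpec` do in `NewAPIOptions` just above. With the `WithSeedKey` introduced in this patch, a spec that sets `FromSeed` on one of those fields leaves the que option with neither `value` nor `valueFrom`, and `BuildEnvironment` then emits no env var at all — a silently missing database URL or auth token is hard to diagnose in the que pod. Mirror the api options, e.g. `AsSecretRef(ZyncSecret).WithSeedKey(seed.ZyncDatabaseUrl)`, which also requires adding the `seed` import to this file.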
@@ -21,25 +21,30 @@ import ( type Option struct { value *string - rawValue *corev1.EnvVarSource - secretValue *saasv1alpha1.SecretReference + valueFrom *corev1.EnvVarSource + secretRef *saasv1alpha1.SecretReference envVariable string secretName string - set bool + isSet bool } -func (o *Option) IntoEnvvar(e string) *Option { o.envVariable = e; return o } -func (o *Option) AsSecretRef(s string) *Option { - if o.secretValue != nil && o.secretValue.FromSeed != nil { - o.secretName = saasv1alpha1.DefaultSeedSecret - } else { - o.secretName = s +func (o *Option) IntoEnvvar(e string) *Option { o.envVariable = e; return o } +func (o *Option) AsSecretRef(s fmt.Stringer) *Option { o.secretName = s.String(); return o } +func (o *Option) WithSeedKey(key fmt.Stringer) *Option { + if o.secretRef != nil && o.secretRef.FromSeed != nil { + o.valueFrom = &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: saasv1alpha1.DefaultSeedSecret, + }, + Key: key.String(), + }} } return o } func (o *Option) EmptyIf(empty bool) *Option { if empty { - o.secretValue = nil + o.secretRef = nil o.value = util.Pointer("") } return o @@ -58,7 +63,7 @@ func (options *Options) DeepCopy() *Options { // FilterSecretOptions returns a list of options that will generate a Secret resource func (options *Options) FilterSecretOptions() Options { return lo.Filter[*Option](*options, func(item *Option, index int) bool { - return item.secretValue != nil && item.secretValue.Override == nil && item.secretName != "" + return item.secretRef != nil && item.secretRef.Override == nil && item.secretName != "" }) } @@ -99,7 +104,7 @@ func (options *Options) Unpack(o any, params ...string) *Option { if reflect.ValueOf(o).Kind() == reflect.Ptr { if lo.IsNil(o) { // underlying value is nil so option is unset - return &Option{set: false} + return &Option{isSet: false} } else { val = reflect.ValueOf(o).Elem().Interface() } 
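Review bot: `WithSeedKey` sets `valueFrom` only when `secretRef.FromSeed` is set, but `FilterSecretOptions` in the following hunk still selects such an option whenever `secretName` is non-empty — and every seeded caller in this patch also calls `AsSecretRef`. A FromSeed option therefore flows into the Secret/ExternalSecret generation path as though it were a Vault reference. Consider excluding it in the filter: `return item.secretRef != nil && item.secretRef.Override == nil && item.secretRef.FromSeed == nil && item.secretName != ""`. A doc comment on `WithSeedKey` noting that it must run after `Unpack` (it reads `secretRef`) and that `key` names an entry in the `saasv1alpha1.DefaultSeedSecret` Secret would also help, and both `AsSecretRef` and `WithSeedKey` now panic on a nil `fmt.Stringer` argument.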
@@ -110,7 +115,7 @@ func (options *Options) Unpack(o any, params ...string) *Option { switch v := val.(type) { case saasv1alpha1.SecretReference: - opt = &Option{secretValue: &v, set: true} + opt = &Option{secretRef: &v, isSet: true} default: var format string @@ -119,7 +124,7 @@ func (options *Options) Unpack(o any, params ...string) *Option { } else { format = "%v" } - opt = &Option{value: util.Pointer(fmt.Sprintf(format, v)), set: true} + opt = &Option{value: util.Pointer(fmt.Sprintf(format, v)), isSet: true} } *options = append(*options, opt) @@ -137,9 +142,9 @@ func (options *Options) WithExtraEnv(extra []corev1.EnvVar) *Options { if exists { o.value = util.Pointer(envvar.Value) - o.rawValue = envvar.ValueFrom - o.secretValue = nil - o.set = true + o.valueFrom = envvar.ValueFrom + o.secretRef = nil + o.isSet = true o.secretName = "" } else { var v *string @@ -148,9 +153,9 @@ func (options *Options) WithExtraEnv(extra []corev1.EnvVar) *Options { } *out = append(*out, &Option{ value: v, - rawValue: envvar.ValueFrom, + valueFrom: envvar.ValueFrom, envVariable: envvar.Name, - set: true, + isSet: true, }) } } 
@@ -164,40 +169,47 @@ func (opts *Options) BuildEnvironment() []corev1.EnvVar { env := []corev1.EnvVar{} for _, opt := range *opts { - if !opt.set { + if !opt.isSet { continue } - if opt.secretValue != nil { - - if opt.secretValue.Override != nil { - opt.value = opt.secretValue.Override - } else { - env = append(env, corev1.EnvVar{ - Name: opt.envVariable, - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - Key: opt.envVariable, - LocalObjectReference: corev1.LocalObjectReference{ - Name: opt.secretName, - }, - }}}) - continue - } + // STEP1: process the option to produce a Value or a ValueFrom field + + // is a secret with override + if opt.secretRef != nil && opt.secretRef.Override != nil { + opt.value = opt.secretRef.Override + + // is a secret with value from vault + } else if opt.secretRef != nil && opt.secretRef.FromVault != nil { + opt.valueFrom = &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + Key: opt.envVariable, + LocalObjectReference: corev1.LocalObjectReference{ + Name: opt.secretName, + }, + }} + + // is a secret with value from vault } + // STEP2: generate the envvar using the Value or ValueFrom + + // Direct value (if both value and valueFrom are set, value takes precedence and + // valueFrom will be ignored) if opt.value != nil { env = append(env, corev1.EnvVar{ Name: opt.envVariable, Value: *opt.value, }) continue + } - if opt.rawValue != nil { + // ValueFrom + if opt.valueFrom != nil { env = append(env, corev1.EnvVar{ Name: opt.envVariable, - ValueFrom: opt.rawValue, + ValueFrom: opt.valueFrom, }) continue } 
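Review bot: The second `// is a secret with value from vault` comment, placed after the closing brace of the vault branch, is a copy-paste leftover and now describes nothing; replace it with the case it actually marks, e.g. `// seed-backed secrets already carry valueFrom, set earlier by WithSeedKey`. Separately, a `SecretReference` with neither Override, FromVault nor FromSeed, or with FromSeed but no `WithSeedKey` call, reaches STEP2 with `value` and `valueFrom` both nil and is dropped without any trace; a comment or a log line at the fall-through after the `valueFrom` check would make that outcome discoverable. The loop body and `BuildEnvironment` itself extend beyond both ends of the hunk.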
@@ -217,8 +229,8 @@ func (opts *Options) GenerateExternalSecrets(namespace string, labels map[string data = append(data, externalsecretsv1beta1.ExternalSecretData{ SecretKey: opt.envVariable, RemoteRef: externalsecretsv1beta1.ExternalSecretDataRemoteRef{ - Key: strings.TrimPrefix(opt.secretValue.FromVault.Path, "secret/data/"), - Property: opt.secretValue.FromVault.Key, + Key: strings.TrimPrefix(opt.secretRef.FromVault.Path, "secret/data/"), + Property: opt.secretRef.FromVault.Key, ConversionStrategy: "Default", DecodingStrategy: "None", }, diff --git a/pkg/resource_builders/pod/environment_test.go b/pkg/resource_builders/pod/environment_test.go index 1820e326..7f8d0c79 100644 --- a/pkg/resource_builders/pod/environment_test.go +++ b/pkg/resource_builders/pod/environment_test.go @@ -16,6 +16,14 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client/fake" ) +type TSecret string + +func (s TSecret) String() string { return string(s) } + +type TSeedKey string + +func (s TSeedKey) String() string { return string(s) } + func TestOptions_BuildEnvironment(t *testing.T) { type args struct { extra []corev1.EnvVar @@ -83,7 +91,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { o.Unpack(saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ Path: "path", Key: "key", - }}).IntoEnvvar("envvar").AsSecretRef("secret") + }}).IntoEnvvar("envvar").AsSecretRef(TSecret("secret")) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -106,7 +114,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ Path: "path", Key: "key", - }}).IntoEnvvar("envvar").AsSecretRef("secret") + }}).IntoEnvvar("envvar").AsSecretRef(TSecret("secret")) return o }(), args: args{extra: []corev1.EnvVar{}}, 
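Review bot: `opt.secretRef.FromVault.Path` and `.Key` are dereferenced without a `FromVault != nil` check. The options reaching this loop are presumably those returned by `FilterSecretOptions`, which after this patch still admits `FromSeed` references that carry a `secretName`; unless a guard above the hunk excludes them, a seeded option panics the reconciler here. Either filter them out before this loop or skip them explicitly at the top of the iteration: `if opt.secretRef.FromVault == nil { continue }`. The enclosing loop and `GenerateExternalSecrets` start outside the hunk.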
@@ -127,7 +135,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { opts: func() *Options { o := &Options{} var v *saasv1alpha1.SecretReference - o.Unpack(v).IntoEnvvar("envvar").AsSecretRef("secret") + o.Unpack(v).IntoEnvvar("envvar").AsSecretRef(TSecret("secret")) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -153,7 +161,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ Path: "path", Key: "key", - }}).IntoEnvvar("envvar").AsSecretRef("secret").EmptyIf(true) + }}).IntoEnvvar("envvar").AsSecretRef(TSecret("secret")).EmptyIf(true) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -169,7 +177,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ Path: "path", Key: "key", - }}).IntoEnvvar("envvar1").AsSecretRef("secret").EmptyIf(true) + }}).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret")).EmptyIf(true) o.Unpack("value2").IntoEnvvar("envvar2") return o }(), @@ -241,7 +249,9 @@ func TestOptions_BuildEnvironment(t *testing.T) { opts: func() *Options { o := &Options{} o.Unpack(saasv1alpha1.SecretReference{Override: util.Pointer("value1")}).IntoEnvvar("envvar1") - o.Unpack(saasv1alpha1.SecretReference{FromSeed: &saasv1alpha1.SeedSecretReference{}}).IntoEnvvar("envvar2").AsSecretRef("some-secret") + o.Unpack(saasv1alpha1.SecretReference{FromSeed: &saasv1alpha1.SeedSecretReference{}}).IntoEnvvar("envvar2"). + AsSecretRef(TSecret("some-secret")). + WithSeedKey(TSeedKey("seed-key")) return o }(), args: args{extra: []corev1.EnvVar{}}, 
@@ -257,6 +267,38 @@ func TestOptions_BuildEnvironment(t *testing.T) { LocalObjectReference: corev1.LocalObjectReference{ Name: saasv1alpha1.DefaultSeedSecret, }, + Key: "seed-key", + }, + }, + }, + }, + }, + { + name: "SecretReference from vault, but with seed configured", + opts: func() *Options { + o := &Options{} + o.Unpack(saasv1alpha1.SecretReference{Override: util.Pointer("value1")}).IntoEnvvar("envvar1") + o.Unpack(saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ + Path: "path", + Key: "key", + }}).IntoEnvvar("envvar2"). + AsSecretRef(TSecret("some-secret")). + WithSeedKey(TSeedKey("seed-key")) + return o + }(), + args: args{extra: []corev1.EnvVar{}}, + want: []corev1.EnvVar{ + { + Name: "envvar1", + Value: "value1", + }, + { + Name: "envvar2", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "some-secret", + }, Key: "envvar2", }, }, @@ -306,15 +348,15 @@ func TestOptions_GenerateExternalSecrets(t *testing.T) { o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ Path: "path1", Key: "key1", - }}).IntoEnvvar("envvar1").AsSecretRef("secret1") + }}).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret1")) o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ Path: "path2", Key: "key2", - }}).IntoEnvvar("envvar2").AsSecretRef("secret1") + }}).IntoEnvvar("envvar2").AsSecretRef(TSecret("secret1")) o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ Path: "path3", Key: "key3", - }}).IntoEnvvar("envvar3").AsSecretRef("secret2") + }}).IntoEnvvar("envvar3").AsSecretRef(TSecret("secret2")) return o }(), args: args{ 
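Review bot: The new case covers FromVault combined with `WithSeedKey`, but there is still no case for `FromSeed` without a `WithSeedKey` call, which is the combination `NewQueOptions` in this patch can produce when the spec sets FromSeed; today that option yields no env var at all, and a test would pin whether that is the intended outcome or an error. Suggested name: `"SecretReference from seed without seed key configured"`.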
@@ -400,7 +442,7 @@ func TestOptions_GenerateExternalSecrets(t *testing.T) { name: "Skips secret options with override", opts: func() *Options { o := NewOptions() - o.Unpack(&saasv1alpha1.SecretReference{Override: util.Pointer("override")}).IntoEnvvar("envvar1").AsSecretRef("secret") + o.Unpack(&saasv1alpha1.SecretReference{Override: util.Pointer("override")}).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret")) return o }(), args: args{}, @@ -411,7 +453,7 @@ func TestOptions_GenerateExternalSecrets(t *testing.T) { opts: func() *Options { o := NewOptions() var v *saasv1alpha1.SecretReference - o.Unpack(v).IntoEnvvar("envvar1").AsSecretRef("secret") + o.Unpack(v).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret")) return o }(), args: args{}, @@ -450,12 +492,12 @@ func TestOptions_WithExtraEnv(t *testing.T) { { value: util.Pointer("value1"), envVariable: "envvar1", - set: true, + isSet: true, }, { value: util.Pointer("value2"), envVariable: "envvar2", - set: true, + isSet: true, }, }, args: args{ @@ -472,34 +514,34 @@ func TestOptions_WithExtraEnv(t *testing.T) { { value: util.Pointer("aaaa"), envVariable: "envvar1", - set: true, + isSet: true, }, { value: util.Pointer("value2"), envVariable: "envvar2", - set: true, + isSet: true, }, { value: util.Pointer("bbbb"), envVariable: "envvar3", - set: true, + isSet: true, }, { - rawValue: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}}, + valueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}}, envVariable: "envvar4", - set: true, + isSet: true, }, }, wantOld: &Options{ { value: util.Pointer("value1"), envVariable: "envvar1", - set: true, + isSet: true, }, { value: util.Pointer("value2"), envVariable: "envvar2", - set: true, + isSet: true, }, }, }, 
@@ -528,18 +570,18 @@ func TestOptions_ListSecretResourceNames(t *testing.T) { options: func() *Options { o := &Options{} // ok - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}).IntoEnvvar("envvar1").AsSecretRef("secret1") + o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret1")) // not ok: not a secret value o.Unpack("value").IntoEnvvar("envvar2") // not ok: secret value with override - o.Unpack(&saasv1alpha1.SecretReference{Override: util.Pointer("value")}).IntoEnvvar("envvar3").AsSecretRef("secret2") + o.Unpack(&saasv1alpha1.SecretReference{Override: util.Pointer("value")}).IntoEnvvar("envvar3").AsSecretRef(TSecret("secret2")) var v *saasv1alpha1.SecretReference // not ok: secret value is nil - o.Unpack(v).IntoEnvvar("envvar1").AsSecretRef("secret3") + o.Unpack(v).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret3")) // ok - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}).IntoEnvvar("envvar2").AsSecretRef("secret1") + o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}).IntoEnvvar("envvar2").AsSecretRef(TSecret("secret1")) // ok - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}).IntoEnvvar("envvar3").AsSecretRef("secret2") + o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}).IntoEnvvar("envvar3").AsSecretRef(TSecret("secret2")) return o }(), want: []string{"secret1", "secret2"}, 
@@ -571,29 +613,29 @@ func TestUnion(t *testing.T) { { value: util.Pointer("value1"), envVariable: "ENVVAR1", - set: false, + isSet: false, }, { value: util.Pointer("value2"), envVariable: "ENVVAR2", - set: false, + isSet: false, }, }, { { value: util.Pointer("value1"), envVariable: "ENVVAR1", - set: false, + isSet: false, }, { value: util.Pointer("value3"), envVariable: "ENVVAR3", - set: false, + isSet: false, }, { value: util.Pointer("value4"), envVariable: "ENVVAR4", - set: false, + isSet: false, }, }, }, @@ -602,22 +644,22 @@ func TestUnion(t *testing.T) { { value: util.Pointer("value1"), envVariable: "ENVVAR1", - set: false, + isSet: false, }, { value: util.Pointer("value2"), envVariable: "ENVVAR2", - set: false, + isSet: false, }, { value: util.Pointer("value3"), envVariable: "ENVVAR3", - set: false, + isSet: false, }, { value: util.Pointer("value4"), envVariable: "ENVVAR4", - set: false, + isSet: false, }, }, }, diff --git a/pkg/resource_builders/pod/seed.go b/pkg/resource_builders/pod/seed.go new file mode 100644 index 00000000..c75db3d4 --- /dev/null +++ b/pkg/resource_builders/pod/seed.go @@ -0,0 +1 @@ +package pod From 214d48b131150c18a3082e90874c4ff6b44221a9 Mon Sep 17 00:00:00 2001 
From: Roi Vazquez Date: Tue, 16 Apr 2024 15:48:09 +0200 Subject: [PATCH 03/20] A bit of rework so the code makes more sense --- pkg/generators/apicast/config/options.go | 16 +- pkg/generators/autossl/config/options.go | 22 +- pkg/generators/backend/config/cron_options.go | 24 +-- .../backend/config/listener_options.go | 46 ++-- .../backend/config/worker_options.go | 44 ++-- pkg/generators/corsproxy/config/options.go | 5 +- .../mappingservice/config/options.go | 13 +- pkg/generators/seed/types.go | 3 +- pkg/generators/system/config/options.go | 199 ++++++++---------- pkg/generators/zync/config/api_options.go | 32 ++- pkg/generators/zync/config/que_options.go | 26 +-- pkg/resource_builders/pod/environment.go | 189 +++++++++-------- pkg/resource_builders/pod/environment_test.go | 129 ++++++------ pkg/resource_builders/twemproxy/options.go | 8 +- 14 files changed, 377 insertions(+), 379 deletions(-) diff --git a/pkg/generators/apicast/config/options.go b/pkg/generators/apicast/config/options.go index 9a4bca28..5730e03a 100644 --- a/pkg/generators/apicast/config/options.go +++ b/pkg/generators/apicast/config/options.go 
@@ -8,14 +8,14 @@ import ( func NewEnvOptions(spec saasv1alpha1.ApicastEnvironmentSpec, env string) pod.Options { opts := pod.Options{} - opts.Unpack("lazy").IntoEnvvar("APICAST_CONFIGURATION_LOADER") - opts.Unpack(spec.Config.ConfigurationCache).IntoEnvvar("APICAST_CONFIGURATION_CACHE") - opts.Unpack("true").IntoEnvvar("APICAST_EXTENDED_METRICS") - opts.Unpack(env).IntoEnvvar("THREESCALE_DEPLOYMENT_ENV") - opts.Unpack(spec.Config.ThreescalePortalEndpoint).IntoEnvvar("THREESCALE_PORTAL_ENDPOINT") - opts.Unpack(spec.Config.LogLevel).IntoEnvvar("APICAST_LOG_LEVEL") - opts.Unpack(spec.Config.OIDCLogLevel).IntoEnvvar("APICAST_OIDC_LOG_LEVEL") - opts.Unpack("true").IntoEnvvar("APICAST_RESPONSE_CODES") + opts.AddEnvvar("APICAST_CONFIGURATION_LOADER").Unpack("lazy") + opts.AddEnvvar("APICAST_CONFIGURATION_CACHE").Unpack(spec.Config.ConfigurationCache) + opts.AddEnvvar("APICAST_EXTENDED_METRICS").Unpack("true") + opts.AddEnvvar("THREESCALE_DEPLOYMENT_ENV").Unpack(env) + opts.AddEnvvar("THREESCALE_PORTAL_ENDPOINT").Unpack(spec.Config.ThreescalePortalEndpoint) + opts.AddEnvvar("APICAST_LOG_LEVEL").Unpack(spec.Config.LogLevel) + opts.AddEnvvar("APICAST_OIDC_LOG_LEVEL").Unpack(spec.Config.OIDCLogLevel) + opts.AddEnvvar("APICAST_RESPONSE_CODES").Unpack("true") return opts } diff --git a/pkg/generators/autossl/config/options.go b/pkg/generators/autossl/config/options.go index a29b9283..2c5dfa3d 100644 --- a/pkg/generators/autossl/config/options.go +++ b/pkg/generators/autossl/config/options.go 
@@ -14,21 +14,21 @@ const ( func NewOptions(spec saasv1alpha1.AutoSSLSpec) pod.Options { opts := pod.Options{} - opts.Unpack(func() string { + opts.AddEnvvar("ACME_STAGING").Unpack(func() string { if *spec.Config.ACMEStaging { return leACMEStagingEndpoint } return "" - }()).IntoEnvvar("ACME_STAGING") - opts.Unpack(spec.Config.ContactEmail).IntoEnvvar("CONTACT_EMAIL") - opts.Unpack(spec.Config.ProxyEndpoint).IntoEnvvar("PROXY_ENDPOINT") - opts.Unpack("redis").IntoEnvvar("STORAGE_ADAPTER") - opts.Unpack(spec.Config.RedisHost).IntoEnvvar("REDIS_HOST") - opts.Unpack(spec.Config.RedisPort).IntoEnvvar("REDIS_PORT") - opts.Unpack(spec.Config.VerificationEndpoint).IntoEnvvar("VERIFICATION_ENDPOINT") - opts.Unpack(spec.Config.LogLevel).IntoEnvvar("LOG_LEVEL") - opts.Unpack(strings.Join(spec.Config.DomainWhitelist, ",")).IntoEnvvar("DOMAIN_WHITELIST") - opts.Unpack(strings.Join(spec.Config.DomainBlacklist, ",")).IntoEnvvar("DOMAIN_BLACKLIST") + }()) + opts.AddEnvvar("CONTACT_EMAIL").Unpack(spec.Config.ContactEmail) + opts.AddEnvvar("PROXY_ENDPOINT").Unpack(spec.Config.ProxyEndpoint) + opts.AddEnvvar("STORAGE_ADAPTER").Unpack("redis") + opts.AddEnvvar("REDIS_HOST").Unpack(spec.Config.RedisHost) + opts.AddEnvvar("REDIS_PORT").Unpack(spec.Config.RedisPort) + opts.AddEnvvar("VERIFICATION_ENDPOINT").Unpack(spec.Config.VerificationEndpoint) + opts.AddEnvvar("LOG_LEVEL").Unpack(spec.Config.LogLevel) + opts.AddEnvvar("DOMAIN_WHITELIST").Unpack(strings.Join(spec.Config.DomainWhitelist, ",")) + opts.AddEnvvar("DOMAIN_BLACKLIST").Unpack(strings.Join(spec.Config.DomainBlacklist, ",")) return opts } diff --git a/pkg/generators/backend/config/cron_options.go b/pkg/generators/backend/config/cron_options.go index 86bbbd34..276ab8fd 100644 --- a/pkg/generators/backend/config/cron_options.go +++ b/pkg/generators/backend/config/cron_options.go 
@@ -10,19 +10,17 @@ import ( func NewCronOptions(spec saasv1alpha1.BackendSpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.RackEnv).IntoEnvvar("RACK_ENV") - opts.Unpack(spec.Config.RedisStorageDSN).IntoEnvvar("CONFIG_REDIS_PROXY") - opts.Unpack("").IntoEnvvar("CONFIG_REDIS_SENTINEL_HOSTS") - opts.Unpack("").IntoEnvvar("CONFIG_REDIS_SENTINEL_ROLE") - opts.Unpack(spec.Config.RedisQueuesDSN).IntoEnvvar("CONFIG_QUEUES_MASTER_NAME") - opts.Unpack("").IntoEnvvar("CONFIG_QUEUES_SENTINEL_HOSTS") - opts.Unpack("").IntoEnvvar("CONFIG_QUEUES_SENTINEL_ROLE") - opts.Unpack(spec.Config.ErrorMonitoringService).IntoEnvvar("CONFIG_HOPTOAD_SERVICE"). - AsSecretRef(BackendErrorMonitoringSecret). - WithSeedKey(seed.BackendErrorMonitoringService) - opts.Unpack(spec.Config.ErrorMonitoringKey).IntoEnvvar("CONFIG_HOPTOAD_API_KEY"). - AsSecretRef(BackendErrorMonitoringSecret). - WithSeedKey(seed.BackendErrorMonitoringApiKey) + opts.AddEnvvar("RACK_ENV").Unpack(spec.Config.RackEnv) + opts.AddEnvvar("CONFIG_REDIS_PROXY").Unpack(spec.Config.RedisStorageDSN) + opts.AddEnvvar("CONFIG_REDIS_SENTINEL_HOSTS").Unpack("") + opts.AddEnvvar("CONFIG_REDIS_SENTINEL_ROLE").Unpack("") + opts.AddEnvvar("CONFIG_QUEUES_MASTER_NAME").Unpack(spec.Config.RedisQueuesDSN) + opts.AddEnvvar("CONFIG_QUEUES_SENTINEL_HOSTS").Unpack("") + opts.AddEnvvar("CONFIG_QUEUES_SENTINEL_ROLE").Unpack("") + opts.AddEnvvar("CONFIG_HOPTOAD_SERVICE").AsSecretRef(BackendErrorMonitoringSecret).WithSeedKey(seed.BackendErrorMonitoringService). + Unpack(spec.Config.ErrorMonitoringService) + opts.AddEnvvar("CONFIG_HOPTOAD_API_KEY").AsSecretRef(BackendErrorMonitoringSecret).WithSeedKey(seed.BackendErrorMonitoringApiKey). + Unpack(spec.Config.ErrorMonitoringKey) return opts } diff --git a/pkg/generators/backend/config/listener_options.go b/pkg/generators/backend/config/listener_options.go index 6a195ca4..7575ceae 100644 --- a/pkg/generators/backend/config/listener_options.go 
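Review bot: `WithSeedKey` is now chained before `Unpack` for `CONFIG_HOPTOAD_SERVICE` and `CONFIG_HOPTOAD_API_KEY`, but in the `pod.Option` implementation visible earlier in this series `WithSeedKey` reads `o.secretRef`, which only `Unpack` populates; unless the reworked `environment.go` in this commit (not in view) defers the seed decision until `Unpack`, the seed key is dropped for every seeded option here and in `listener_options.go` below. If the rework does defer it, a one-line comment on `AddEnvvar` or `WithSeedKey` stating that call order no longer matters would save the next reader the same question.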
+++ b/pkg/generators/backend/config/listener_options.go 
@@ -10,31 +10,27 @@ import ( func NewListenerOptions(spec saasv1alpha1.BackendSpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.RackEnv).IntoEnvvar("RACK_ENV") - opts.Unpack(spec.Config.RedisStorageDSN).IntoEnvvar("CONFIG_REDIS_PROXY") - opts.Unpack("").IntoEnvvar("CONFIG_REDIS_SENTINEL_HOSTS") - opts.Unpack("").IntoEnvvar("CONFIG_REDIS_SENTINEL_ROLE") - opts.Unpack(spec.Config.RedisQueuesDSN).IntoEnvvar("CONFIG_QUEUES_MASTER_NAME") - opts.Unpack("").IntoEnvvar("CONFIG_QUEUES_SENTINEL_HOSTS") - opts.Unpack("").IntoEnvvar("CONFIG_QUEUES_SENTINEL_ROLE") - opts.Unpack(spec.Config.MasterServiceID).IntoEnvvar("CONFIG_MASTER_SERVICE_ID") - opts.Unpack(spec.Listener.Config.LogFormat).IntoEnvvar("CONFIG_REQUEST_LOGGERS") - opts.Unpack(spec.Listener.Config.RedisAsync).IntoEnvvar("CONFIG_REDIS_ASYNC") - opts.Unpack(spec.Listener.Config.ListenerWorkers).IntoEnvvar("LISTENER_WORKERS") - opts.Unpack(spec.Listener.Config.LegacyReferrerFilters).IntoEnvvar("CONFIG_LEGACY_REFERRER_FILTERS") - opts.Unpack("true").IntoEnvvar("CONFIG_LISTENER_PROMETHEUS_METRICS_ENABLED") - opts.Unpack(spec.Config.InternalAPIUser).IntoEnvvar("CONFIG_INTERNAL_API_USER"). - AsSecretRef(BackendInternalApiSecret). - WithSeedKey(seed.BackendInternalApiUser) - opts.Unpack(spec.Config.InternalAPIPassword).IntoEnvvar("CONFIG_INTERNAL_API_PASSWORD"). - AsSecretRef(BackendInternalApiSecret). - WithSeedKey(seed.BackendInternalApiPassword) - opts.Unpack(spec.Config.ErrorMonitoringService).IntoEnvvar("CONFIG_HOPTOAD_SERVICE"). - AsSecretRef(BackendErrorMonitoringSecret). - WithSeedKey(seed.BackendErrorMonitoringService) - opts.Unpack(spec.Config.ErrorMonitoringKey).IntoEnvvar("CONFIG_HOPTOAD_API_KEY"). - AsSecretRef(BackendErrorMonitoringSecret). 
- WithSeedKey(seed.BackendErrorMonitoringApiKey) + opts.AddEnvvar("RACK_ENV").Unpack(spec.Config.RackEnv) + opts.AddEnvvar("CONFIG_REDIS_PROXY").Unpack(spec.Config.RedisStorageDSN) + opts.AddEnvvar("CONFIG_REDIS_SENTINEL_HOSTS").Unpack("") + opts.AddEnvvar("CONFIG_REDIS_SENTINEL_ROLE").Unpack("") + opts.AddEnvvar("CONFIG_QUEUES_MASTER_NAME").Unpack(spec.Config.RedisQueuesDSN) + opts.AddEnvvar("CONFIG_QUEUES_SENTINEL_HOSTS").Unpack("") + opts.AddEnvvar("CONFIG_QUEUES_SENTINEL_ROLE").Unpack("") + opts.AddEnvvar("CONFIG_MASTER_SERVICE_ID").Unpack(spec.Config.MasterServiceID) + opts.AddEnvvar("CONFIG_REQUEST_LOGGERS").Unpack(spec.Listener.Config.LogFormat) + opts.AddEnvvar("CONFIG_REDIS_ASYNC").Unpack(spec.Listener.Config.RedisAsync) + opts.AddEnvvar("LISTENER_WORKERS").Unpack(spec.Listener.Config.ListenerWorkers) + opts.AddEnvvar("CONFIG_LEGACY_REFERRER_FILTERS").Unpack(spec.Listener.Config.LegacyReferrerFilters) + opts.AddEnvvar("CONFIG_LISTENER_PROMETHEUS_METRICS_ENABLED").Unpack("true") + opts.AddEnvvar("CONFIG_INTERNAL_API_USER").AsSecretRef(BackendInternalApiSecret).WithSeedKey(seed.BackendInternalApiUser). + Unpack(spec.Config.InternalAPIUser) + opts.AddEnvvar("CONFIG_INTERNAL_API_PASSWORD").AsSecretRef(BackendInternalApiSecret).WithSeedKey(seed.BackendInternalApiPassword). + Unpack(spec.Config.InternalAPIPassword) + opts.AddEnvvar("CONFIG_HOPTOAD_SERVICE").AsSecretRef(BackendErrorMonitoringSecret).WithSeedKey(seed.BackendErrorMonitoringService). + Unpack(spec.Config.ErrorMonitoringService) + opts.AddEnvvar("CONFIG_HOPTOAD_API_KEY").AsSecretRef(BackendErrorMonitoringSecret).WithSeedKey(seed.BackendErrorMonitoringApiKey). + Unpack(spec.Config.ErrorMonitoringKey) return opts } diff --git a/pkg/generators/backend/config/worker_options.go b/pkg/generators/backend/config/worker_options.go index f211eaa2..4701777a 100644 --- a/pkg/generators/backend/config/worker_options.go +++ b/pkg/generators/backend/config/worker_options.go 
@@ -10,30 +10,26 @@ import ( func NewWorkerOptions(spec saasv1alpha1.BackendSpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.RackEnv).IntoEnvvar("RACK_ENV") - opts.Unpack(spec.Config.RedisStorageDSN).IntoEnvvar("CONFIG_REDIS_PROXY") - opts.Unpack("").IntoEnvvar("CONFIG_REDIS_SENTINEL_HOSTS") - opts.Unpack("").IntoEnvvar("CONFIG_REDIS_SENTINEL_ROLE") - opts.Unpack(spec.Config.RedisQueuesDSN).IntoEnvvar("CONFIG_QUEUES_MASTER_NAME") - opts.Unpack("").IntoEnvvar("CONFIG_QUEUES_SENTINEL_HOSTS") - opts.Unpack("").IntoEnvvar("CONFIG_QUEUES_SENTINEL_ROLE") - opts.Unpack(spec.Config.MasterServiceID).IntoEnvvar("CONFIG_MASTER_SERVICE_ID") - opts.Unpack(spec.Worker.Config.RedisAsync).IntoEnvvar("CONFIG_REDIS_ASYNC") - opts.Unpack(spec.Worker.Config.LogFormat).IntoEnvvar("CONFIG_WORKERS_LOGGER_FORMATTER") - opts.Unpack("true").IntoEnvvar("CONFIG_WORKER_PROMETHEUS_METRICS_ENABLED") - opts.Unpack("9421").IntoEnvvar("CONFIG_WORKER_PROMETHEUS_METRICS_PORT") - opts.Unpack(spec.Config.SystemEventsHookURL).IntoEnvvar("CONFIG_EVENTS_HOOK"). - AsSecretRef(BackendSystemEventsSecret). - WithSeedKey(seed.SystemEventsHookURL) - opts.Unpack(spec.Config.SystemEventsHookPassword).IntoEnvvar("CONFIG_EVENTS_HOOK_SHARED_SECRET"). - AsSecretRef(BackendSystemEventsSecret). - WithSeedKey(seed.SystemEventsHookSharedSecret) - opts.Unpack(spec.Config.ErrorMonitoringService).IntoEnvvar("CONFIG_HOPTOAD_SERVICE"). - AsSecretRef(BackendErrorMonitoringSecret). - WithSeedKey(seed.BackendErrorMonitoringService) - opts.Unpack(spec.Config.ErrorMonitoringKey).IntoEnvvar("CONFIG_HOPTOAD_API_KEY"). - AsSecretRef(BackendErrorMonitoringSecret). 
- WithSeedKey(seed.BackendErrorMonitoringApiKey) + opts.AddEnvvar("RACK_ENV").Unpack(spec.Config.RackEnv) + opts.AddEnvvar("CONFIG_REDIS_PROXY").Unpack(spec.Config.RedisStorageDSN) + opts.AddEnvvar("CONFIG_REDIS_SENTINEL_HOSTS").Unpack("") + opts.AddEnvvar("CONFIG_REDIS_SENTINEL_ROLE").Unpack("") + opts.AddEnvvar("CONFIG_QUEUES_MASTER_NAME").Unpack(spec.Config.RedisQueuesDSN) + opts.AddEnvvar("CONFIG_QUEUES_SENTINEL_HOSTS").Unpack("") + opts.AddEnvvar("CONFIG_QUEUES_SENTINEL_ROLE").Unpack("") + opts.AddEnvvar("CONFIG_MASTER_SERVICE_ID").Unpack(spec.Config.MasterServiceID) + opts.AddEnvvar("CONFIG_REDIS_ASYNC").Unpack(spec.Worker.Config.RedisAsync) + opts.AddEnvvar("CONFIG_WORKERS_LOGGER_FORMATTER").Unpack(spec.Worker.Config.LogFormat) + opts.AddEnvvar("CONFIG_WORKER_PROMETHEUS_METRICS_ENABLED").Unpack("true") + opts.AddEnvvar("CONFIG_WORKER_PROMETHEUS_METRICS_PORT").Unpack("9421") + opts.AddEnvvar("CONFIG_EVENTS_HOOK").AsSecretRef(BackendSystemEventsSecret).WithSeedKey(seed.SystemEventsHookURL). + Unpack(spec.Config.SystemEventsHookURL) + opts.AddEnvvar("CONFIG_EVENTS_HOOK_SHARED_SECRET").AsSecretRef(BackendSystemEventsSecret).WithSeedKey(seed.SystemEventsHookSharedSecret). + Unpack(spec.Config.SystemEventsHookPassword) + opts.AddEnvvar("CONFIG_HOPTOAD_SERVICE").AsSecretRef(BackendErrorMonitoringSecret).WithSeedKey(seed.BackendErrorMonitoringService). + Unpack(spec.Config.ErrorMonitoringService) + opts.AddEnvvar("CONFIG_HOPTOAD_API_KEY").AsSecretRef(BackendErrorMonitoringSecret).WithSeedKey(seed.BackendErrorMonitoringApiKey). + Unpack(spec.Config.ErrorMonitoringKey) return opts } diff --git a/pkg/generators/corsproxy/config/options.go b/pkg/generators/corsproxy/config/options.go index f8733f04..9e741a5b 100644 --- a/pkg/generators/corsproxy/config/options.go +++ b/pkg/generators/corsproxy/config/options.go 
@@ -17,8 +17,7 @@ const ( // NewOptions returns cors-proxy options the given saasv1alpha1.CORSProxySpec func NewOptions(spec saasv1alpha1.CORSProxySpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.SystemDatabaseDSN).IntoEnvvar("DATABASE_URL"). - AsSecretRef(CorsProxySystemDatabaseSecret). - WithSeedKey(seed.SystemDatabaseDsn) + opts.AddEnvvar("DATABASE_URL").AsSecretRef(CorsProxySystemDatabaseSecret).WithSeedKey(seed.SystemDatabaseDsn). + Unpack(spec.Config.SystemDatabaseDSN) return opts } diff --git a/pkg/generators/mappingservice/config/options.go b/pkg/generators/mappingservice/config/options.go index 6abeadb8..927bb3a2 100644 --- a/pkg/generators/mappingservice/config/options.go +++ b/pkg/generators/mappingservice/config/options.go @@ -18,13 +18,12 @@ const ( func NewOptions(spec saasv1alpha1.MappingServiceSpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.SystemAdminToken).IntoEnvvar("MASTER_ACCESS_TOKEN"). - AsSecretRef(MappingServiceSystemMasterAccessTokenSecret). - WithSeedKey(seed.SystemMasterAccessToken) - opts.Unpack(spec.Config.APIHost).IntoEnvvar("API_HOST") - opts.Unpack("lazy").IntoEnvvar("APICAST_CONFIGURATION_LOADER") - opts.Unpack(spec.Config.LogLevel).IntoEnvvar("APICAST_LOG_LEVEL") - opts.Unpack(spec.Config.PreviewBaseDomain).IntoEnvvar("PREVIEW_BASE_DOMAIN") + opts.AddEnvvar("MASTER_ACCESS_TOKEN").AsSecretRef(MappingServiceSystemMasterAccessTokenSecret).WithSeedKey(seed.SystemMasterAccessToken). + Unpack(spec.Config.SystemAdminToken) + opts.AddEnvvar("API_HOST").Unpack(spec.Config.APIHost) + opts.AddEnvvar("APICAST_CONFIGURATION_LOADER").Unpack("lazy") + opts.AddEnvvar("APICAST_LOG_LEVEL").Unpack(spec.Config.LogLevel) + opts.AddEnvvar("PREVIEW_BASE_DOMAIN").Unpack(spec.Config.PreviewBaseDomain) return opts } diff --git a/pkg/generators/seed/types.go b/pkg/generators/seed/types.go index b212bb30..6ec584e4 100644 --- a/pkg/generators/seed/types.go +++ b/pkg/generators/seed/types.go 
@@ -10,6 +10,7 @@ const ( BackendInternalApiPassword SeedKey = "backend-internal-api-password" BackendErrorMonitoringService SeedKey = "backend-error-monitoring-service" BackendErrorMonitoringApiKey SeedKey = "backend-error-monitoring-api-key" + // System SystemDatabaseDsn SeedKey = "system-database-dsn" SystemRecaptchaPublicKey SeedKey = "system-recaptcha-public-key" @@ -30,9 +31,7 @@ const ( SystemGithubClientSecret SeedKey = "system-github-client-secret" SystemRHCustomerPortalClientId SeedKey = "system-rh-customer-portal-client-id" SystemRHCustomerPortalClientSecret SeedKey = "system-rh-customer-portal-client-secret" - SystemRHCustomerPortalRealm SeedKey = "system-rh-customer-portal-realm" SystemBugsnagApiKey SeedKey = "system-bugsnag-api-key" - SystemBugsnagReleaseStage SeedKey = "system-bugsnag-release-stage" SystemDatabaseSecret SeedKey = "system-database-secret" // Zync diff --git a/pkg/generators/system/config/options.go b/pkg/generators/system/config/options.go index 7dd10137..b3da083b 100644 --- a/pkg/generators/system/config/options.go +++ b/pkg/generators/system/config/options.go 
@@ -25,114 +25,97 @@ const ( func NewOptions(spec saasv1alpha1.SystemSpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.ForceSSL).IntoEnvvar("FORCE_SSL") - opts.Unpack(spec.Config.ThreescaleProviderPlan).IntoEnvvar("PROVIDER_PLAN") - opts.Unpack(spec.Config.SSLCertsDir).IntoEnvvar("SSL_CERT_DIR") - opts.Unpack(spec.Config.SandboxProxyOpensslVerifyMode).IntoEnvvar("THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE") - opts.Unpack(spec.Config.ThreescaleSuperdomain).IntoEnvvar("THREESCALE_SUPERDOMAIN") - - opts.Unpack(spec.Config.Rails.Environment).IntoEnvvar("RAILS_ENV") - opts.Unpack(spec.Config.Rails.LogLevel).IntoEnvvar("RAILS_LOG_LEVEL") - opts.Unpack("true").IntoEnvvar("RAILS_LOG_TO_STDOUT") - - opts.Unpack(spec.Config.SearchServer.Host).IntoEnvvar("THINKING_SPHINX_ADDRESS") - opts.Unpack(spec.Config.SearchServer.Port).IntoEnvvar("THINKING_SPHINX_PORT") - opts.Unpack(spec.Config.SearchServer.BatchSize).IntoEnvvar("THINKING_SPHINX_BATCH_SIZE") - - opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL").AsSecretRef(SystemDatabaseSecret).WithSeedKey(seed.SystemDatabaseDsn) - - opts.Unpack(spec.Config.MemcachedServers).IntoEnvvar("MEMCACHE_SERVERS") - - opts.Unpack(spec.Config.Recaptcha.PublicKey).IntoEnvvar("RECAPTCHA_PUBLIC_KEY").AsSecretRef(SystemRecaptchaSecret).WithSeedKey(seed.SystemRecaptchaPublicKey) - opts.Unpack(spec.Config.Recaptcha.PrivateKey).IntoEnvvar("RECAPTCHA_PRIVATE_KEY").AsSecretRef(SystemRecaptchaSecret).WithSeedKey(seed.SystemRecaptchaPrivateKey) - - opts.Unpack(spec.Config.EventsSharedSecret).IntoEnvvar("EVENTS_SHARED_SECRET").AsSecretRef(SystemEventsHookSecret).WithSeedKey(seed.SystemEventsHookSharedSecret) - - opts.Unpack(spec.Config.Redis.QueuesDSN).IntoEnvvar("REDIS_URL") - opts.Unpack("").IntoEnvvar("REDIS_NAMESPACE") - opts.Unpack("").IntoEnvvar("REDIS_SENTINEL_HOSTS") - opts.Unpack("").IntoEnvvar("REDIS_SENTINEL_ROLE") - - opts.Unpack(spec.Config.SMTP.Address).IntoEnvvar("SMTP_ADDRESS") - 
opts.Unpack(spec.Config.SMTP.User).IntoEnvvar("SMTP_USER_NAME"). - AsSecretRef(SystemSmptSecret). - WithSeedKey(seed.SystemSmtpUser) - opts.Unpack(spec.Config.SMTP.Password).IntoEnvvar("SMTP_PASSWORD"). - AsSecretRef(SystemSmptSecret). - WithSeedKey(seed.SystemSmtpPassword) - opts.Unpack(spec.Config.SMTP.Port).IntoEnvvar("SMTP_PORT") - opts.Unpack(spec.Config.SMTP.AuthProtocol).IntoEnvvar("SMTP_AUTHENTICATION") - opts.Unpack(spec.Config.SMTP.OpenSSLVerifyMode).IntoEnvvar("SMTP_OPENSSL_VERIFY_MODE") - opts.Unpack(spec.Config.SMTP.STARTTLS).IntoEnvvar("SMTP_STARTTLS") - opts.Unpack(spec.Config.SMTP.STARTTLSAuto).IntoEnvvar("SMTP_STARTTLS_AUTO") - - opts.Unpack(spec.Config.MappingServiceAccessToken).IntoEnvvar("APICAST_ACCESS_TOKEN"). - AsSecretRef(SystemMasterApicastSecret). - WithSeedKey(seed.SystemMasterAccessToken) - - opts.Unpack(spec.Config.Zync.Endpoint).IntoEnvvar("ZYNC_ENDPOINT") - opts.Unpack(spec.Config.Zync.AuthToken).IntoEnvvar("ZYNC_AUTHENTICATION_TOKEN"). - AsSecretRef(SystemZyncSecret). - WithSeedKey(seed.ZyncAuthToken) - - opts.Unpack(spec.Config.Backend.RedisDSN).IntoEnvvar("BACKEND_REDIS_URL") - opts.Unpack("").IntoEnvvar("BACKEND_REDIS_SENTINEL_HOSTS") - opts.Unpack("").IntoEnvvar("BACKEND_REDIS_SENTINEL_ROLE") - opts.Unpack(spec.Config.Backend.InternalEndpoint).IntoEnvvar("BACKEND_URL") - opts.Unpack(spec.Config.Backend.ExternalEndpoint).IntoEnvvar("BACKEND_PUBLIC_URL") - opts.Unpack(spec.Config.Backend.InternalAPIUser).IntoEnvvar("CONFIG_INTERNAL_API_USER"). - AsSecretRef(SystemBackendSecret). - WithSeedKey(seed.BackendInternalApiUser) - opts.Unpack(spec.Config.Backend.InternalAPIPassword).IntoEnvvar("CONFIG_INTERNAL_API_PASSWORD"). - AsSecretRef(SystemBackendSecret). - WithSeedKey(seed.BackendInternalApiPassword) - - opts.Unpack(spec.Config.Assets.AccessKey).IntoEnvvar("AWS_ACCESS_KEY_ID"). - AsSecretRef(SystemMultitenantAssetsS3Secret). 
- WithSeedKey(seed.SystemAssetsS3AwsAccessKey) - opts.Unpack(spec.Config.Assets.SecretKey).IntoEnvvar("AWS_SECRET_ACCESS_KEY"). - AsSecretRef(SystemMultitenantAssetsS3Secret). - WithSeedKey(seed.SystemAssetsS3AwsSecretKey) - opts.Unpack(spec.Config.Assets.Bucket).IntoEnvvar("AWS_BUCKET") - opts.Unpack(spec.Config.Assets.Region).IntoEnvvar("AWS_REGION") - opts.Unpack(spec.Config.Assets.Host).IntoEnvvar("RAILS_ASSET_HOST") - - opts.Unpack(spec.Config.SecretKeyBase).IntoEnvvar("SECRET_KEY_BASE"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemSecretKeyBase) - opts.Unpack(spec.Config.AccessCode).IntoEnvvar("ACCESS_CODE"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemAccessCode) - opts.Unpack(spec.Config.Segment.DeletionToken).IntoEnvvar("SEGMENT_DELETION_TOKEN"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemSegmentDeletionToken) - opts.Unpack(spec.Config.Segment.DeletionWorkspace).IntoEnvvar("SEGMENT_DELETION_WORKSPACE"). - WithSeedKey(seed.SystemSegmentDeletionWorkspace) - opts.Unpack(spec.Config.Segment.WriteKey).IntoEnvvar("SEGMENT_WRITE_KEY"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemSegmentWriteKey) - opts.Unpack(spec.Config.Github.ClientID).IntoEnvvar("GITHUB_CLIENT_ID"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemGithubClientId) - opts.Unpack(spec.Config.Github.ClientSecret).IntoEnvvar("GITHUB_CLIENT_SECRET"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemGithubClientSecret) - opts.Unpack(spec.Config.RedHatCustomerPortal.ClientID).IntoEnvvar("RH_CUSTOMER_PORTAL_CLIENT_ID"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemRHCustomerPortalClientId) - opts.Unpack(spec.Config.RedHatCustomerPortal.ClientSecret).IntoEnvvar("RH_CUSTOMER_PORTAL_CLIENT_SECRET"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemRHCustomerPortalClientSecret) - opts.Unpack(spec.Config.RedHatCustomerPortal.Realm).IntoEnvvar("RH_CUSTOMER_PORTAL_REALM"). 
- WithSeedKey(seed.SystemRHCustomerPortalRealm) - opts.Unpack(spec.Config.Bugsnag.APIKey).IntoEnvvar("BUGSNAG_API_KEY"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemBugsnagApiKey). - EmptyIf(!spec.Config.Bugsnag.Enabled()) - opts.Unpack(spec.Config.Bugsnag.ReleaseStage).IntoEnvvar("BUGSNAG_RELEASE_STAGE") - opts.Unpack(spec.Config.DatabaseSecret).IntoEnvvar("DB_SECRET"). - AsSecretRef(SystemAppSecret). - WithSeedKey(seed.SystemDatabaseSecret) + opts.AddEnvvar("FORCE_SSL").Unpack(spec.Config.ForceSSL) + opts.AddEnvvar("PROVIDER_PLAN").Unpack(spec.Config.ThreescaleProviderPlan) + opts.AddEnvvar("SSL_CERT_DIR").Unpack(spec.Config.SSLCertsDir) + opts.AddEnvvar("THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE").Unpack(spec.Config.SandboxProxyOpensslVerifyMode) + opts.AddEnvvar("THREESCALE_SUPERDOMAIN").Unpack(spec.Config.ThreescaleSuperdomain) + + opts.AddEnvvar("RAILS_ENV").Unpack(spec.Config.Rails.Environment) + opts.AddEnvvar("RAILS_LOG_LEVEL").Unpack(spec.Config.Rails.LogLevel) + opts.AddEnvvar("RAILS_LOG_TO_STDOUT").Unpack("true") + + opts.AddEnvvar("THINKING_SPHINX_ADDRESS").Unpack(spec.Config.SearchServer.Host) + opts.AddEnvvar("THINKING_SPHINX_PORT").Unpack(spec.Config.SearchServer.Port) + opts.AddEnvvar("THINKING_SPHINX_BATCH_SIZE").Unpack(spec.Config.SearchServer.BatchSize) + + opts.AddEnvvar("DATABASE_URL").AsSecretRef(SystemDatabaseSecret).WithSeedKey(seed.SystemDatabaseDsn). + Unpack(spec.Config.DatabaseDSN) + + opts.AddEnvvar("MEMCACHE_SERVERS").Unpack(spec.Config.MemcachedServers) + + opts.AddEnvvar("RECAPTCHA_PUBLIC_KEY").AsSecretRef(SystemRecaptchaSecret).WithSeedKey(seed.SystemRecaptchaPublicKey). + Unpack(spec.Config.Recaptcha.PublicKey) + opts.AddEnvvar("RECAPTCHA_PRIVATE_KEY").AsSecretRef(SystemRecaptchaSecret).WithSeedKey(seed.SystemRecaptchaPrivateKey). + Unpack(spec.Config.Recaptcha.PrivateKey) + + opts.AddEnvvar("EVENTS_SHARED_SECRET").AsSecretRef(SystemEventsHookSecret).WithSeedKey(seed.SystemEventsHookSharedSecret). 
+ Unpack(spec.Config.EventsSharedSecret) + + opts.AddEnvvar("REDIS_URL").Unpack(spec.Config.Redis.QueuesDSN) + opts.AddEnvvar("REDIS_NAMESPACE").Unpack("") + opts.AddEnvvar("REDIS_SENTINEL_HOSTS").Unpack("") + opts.AddEnvvar("REDIS_SENTINEL_ROLE").Unpack("") + + opts.AddEnvvar("SMTP_ADDRESS").Unpack(spec.Config.SMTP.Address) + opts.AddEnvvar("SMTP_USER_NAME").AsSecretRef(SystemSmptSecret).WithSeedKey(seed.SystemSmtpUser). + Unpack(spec.Config.SMTP.User) + opts.AddEnvvar("SMTP_PASSWORD").AsSecretRef(SystemSmptSecret).WithSeedKey(seed.SystemSmtpPassword). + Unpack(spec.Config.SMTP.Password) + opts.AddEnvvar("SMTP_PORT").Unpack(spec.Config.SMTP.Port) + opts.AddEnvvar("SMTP_AUTHENTICATION").Unpack(spec.Config.SMTP.AuthProtocol) + opts.AddEnvvar("SMTP_OPENSSL_VERIFY_MODE").Unpack(spec.Config.SMTP.OpenSSLVerifyMode) + opts.AddEnvvar("SMTP_STARTTLS").Unpack(spec.Config.SMTP.STARTTLS) + opts.AddEnvvar("SMTP_STARTTLS_AUTO").Unpack(spec.Config.SMTP.STARTTLSAuto) + + opts.AddEnvvar("APICAST_ACCESS_TOKEN").AsSecretRef(SystemMasterApicastSecret).WithSeedKey(seed.SystemMasterAccessToken). + Unpack(spec.Config.MappingServiceAccessToken) + + opts.AddEnvvar("ZYNC_ENDPOINT").Unpack(spec.Config.Zync.Endpoint) + opts.AddEnvvar("ZYNC_AUTHENTICATION_TOKEN").AsSecretRef(SystemZyncSecret).WithSeedKey(seed.ZyncAuthToken). + Unpack(spec.Config.Zync.AuthToken) + + opts.AddEnvvar("BACKEND_REDIS_URL").Unpack(spec.Config.Backend.RedisDSN) + opts.AddEnvvar("BACKEND_REDIS_SENTINEL_HOSTS").Unpack("") + opts.AddEnvvar("BACKEND_REDIS_SENTINEL_ROLE").Unpack("") + opts.AddEnvvar("BACKEND_URL").Unpack(spec.Config.Backend.InternalEndpoint) + opts.AddEnvvar("BACKEND_PUBLIC_URL").Unpack(spec.Config.Backend.ExternalEndpoint) + opts.AddEnvvar("CONFIG_INTERNAL_API_USER").AsSecretRef(SystemBackendSecret).WithSeedKey(seed.BackendInternalApiUser). 
+ Unpack(spec.Config.Backend.InternalAPIUser) + opts.AddEnvvar("CONFIG_INTERNAL_API_PASSWORD").AsSecretRef(SystemBackendSecret).WithSeedKey(seed.BackendInternalApiPassword). + Unpack(spec.Config.Backend.InternalAPIPassword) + + opts.AddEnvvar("AWS_ACCESS_KEY_ID").AsSecretRef(SystemMultitenantAssetsS3Secret).WithSeedKey(seed.SystemAssetsS3AwsAccessKey). + Unpack(spec.Config.Assets.AccessKey) + opts.AddEnvvar("AWS_SECRET_ACCESS_KEY").AsSecretRef(SystemMultitenantAssetsS3Secret).WithSeedKey(seed.SystemAssetsS3AwsSecretKey). + Unpack(spec.Config.Assets.SecretKey) + opts.AddEnvvar("AWS_BUCKET").Unpack(spec.Config.Assets.Bucket) + opts.AddEnvvar("AWS_REGION").Unpack(spec.Config.Assets.Region) + opts.AddEnvvar("RAILS_ASSET_HOST").Unpack(spec.Config.Assets.Host) + + opts.AddEnvvar("SECRET_KEY_BASE").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemSecretKeyBase). + Unpack(spec.Config.SecretKeyBase) + opts.AddEnvvar("ACCESS_CODE").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemAccessCode). + Unpack(spec.Config.AccessCode) + opts.AddEnvvar("SEGMENT_DELETION_TOKEN").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemSegmentDeletionToken). + Unpack(spec.Config.Segment.DeletionToken) + opts.AddEnvvar("SEGMENT_DELETION_WORKSPACE").Unpack(spec.Config.Segment.DeletionWorkspace) + opts.AddEnvvar("SEGMENT_WRITE_KEY").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemSegmentWriteKey). + Unpack(spec.Config.Segment.WriteKey) + opts.AddEnvvar("GITHUB_CLIENT_ID").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemGithubClientId). + Unpack(spec.Config.Github.ClientID) + opts.AddEnvvar("GITHUB_CLIENT_SECRET").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemGithubClientSecret). + Unpack(spec.Config.Github.ClientSecret) + opts.AddEnvvar("RH_CUSTOMER_PORTAL_CLIENT_ID").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemRHCustomerPortalClientId). 
+ Unpack(spec.Config.RedHatCustomerPortal.ClientID) + opts.AddEnvvar("RH_CUSTOMER_PORTAL_CLIENT_SECRET").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemRHCustomerPortalClientSecret). + Unpack(spec.Config.RedHatCustomerPortal.ClientSecret) + opts.AddEnvvar("RH_CUSTOMER_PORTAL_REALM").Unpack(spec.Config.RedHatCustomerPortal.Realm) + opts.AddEnvvar("BUGSNAG_API_KEY").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemBugsnagApiKey).EmptyIf(!spec.Config.Bugsnag.Enabled()). + Unpack(spec.Config.Bugsnag.APIKey) + opts.AddEnvvar("BUGSNAG_RELEASE_STAGE").Unpack(spec.Config.Bugsnag.ReleaseStage) + opts.AddEnvvar("DB_SECRET").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemDatabaseSecret). + Unpack(spec.Config.DatabaseSecret) return opts } diff --git a/pkg/generators/zync/config/api_options.go b/pkg/generators/zync/config/api_options.go index d68befbb..e9271917 100644 --- a/pkg/generators/zync/config/api_options.go +++ b/pkg/generators/zync/config/api_options.go 
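Review bot: `SEGMENT_DELETION_WORKSPACE` and `RH_CUSTOMER_PORTAL_REALM` lose their `WithSeedKey` calls in this hunk, and the new `Unpack` panics (`WithSeedKey must be invoked ...`) when a `SecretReference` carries `FromSeed` but no seed key was recorded, so if `spec.Config.Segment.DeletionWorkspace` or `spec.Config.RedHatCustomerPortal.Realm` are `SecretReference` fields, a CR that sets `fromSeed` on them would presumably now take the reconciler down instead of degrading. If they are plain strings the removal is right, but then `seed.SystemSegmentDeletionWorkspace` looks orphaned: its only visible user is this chain, yet unlike `SystemRHCustomerPortalRealm` and `SystemBugsnagReleaseStage` it is not dropped from pkg/generators/seed/types.go in this patch. Either way a short comment on the two plain `Unpack` lines, e.g. `// plain config values, not seed-backed`, would record the intent.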
@@ -10,24 +10,20 @@ import ( func NewAPIOptions(spec saasv1alpha1.ZyncSpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.Rails.Environment).IntoEnvvar("RAILS_ENV") - opts.Unpack(spec.Config.Rails.LogLevel).IntoEnvvar("RAILS_LOG_LEVEL") - opts.Unpack("true").IntoEnvvar("RAILS_LOG_TO_STDOUT") - opts.Unpack(spec.Config.Rails.MaxThreads).IntoEnvvar("RAILS_MAX_THREADS") - opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL"). - AsSecretRef(ZyncSecret). - WithSeedKey(seed.ZyncDatabaseUrl) - opts.Unpack(spec.Config.SecretKeyBase).IntoEnvvar("SECRET_KEY_BASE"). - AsSecretRef(ZyncSecret). - WithSeedKey(seed.ZyncSecretKeyBase) - opts.Unpack(spec.Config.ZyncAuthToken).IntoEnvvar("ZYNC_AUTHENTICATION_TOKEN"). - AsSecretRef(ZyncSecret). - WithSeedKey(seed.ZyncAuthToken) - opts.Unpack(spec.Config.Bugsnag.APIKey).IntoEnvvar("BUGSNAG_API_KEY"). - AsSecretRef(ZyncSecret). - WithSeedKey(seed.ZyncBugsnagApiKey). - EmptyIf(!spec.Config.Bugsnag.Enabled()) - opts.Unpack(spec.Config.Bugsnag.ReleaseStage).IntoEnvvar("BUGSNAG_RELEASE_STAGE") + opts.AddEnvvar("RAILS_ENV").Unpack(spec.Config.Rails.Environment) + opts.AddEnvvar("RAILS_LOG_LEVEL").Unpack(spec.Config.Rails.LogLevel) + opts.AddEnvvar("RAILS_LOG_TO_STDOUT").Unpack("true") + opts.AddEnvvar("RAILS_MAX_THREADS").Unpack(spec.Config.Rails.MaxThreads) + opts.AddEnvvar("DATABASE_URL").AsSecretRef(ZyncSecret).WithSeedKey(seed.ZyncDatabaseUrl). + Unpack(spec.Config.DatabaseDSN) + opts.AddEnvvar("SECRET_KEY_BASE").AsSecretRef(ZyncSecret).WithSeedKey(seed.ZyncSecretKeyBase). + Unpack(spec.Config.SecretKeyBase) + opts.AddEnvvar("ZYNC_AUTHENTICATION_TOKEN").AsSecretRef(ZyncSecret).WithSeedKey(seed.ZyncAuthToken). + Unpack(spec.Config.ZyncAuthToken) + opts.AddEnvvar("BUGSNAG_API_KEY").AsSecretRef(ZyncSecret).WithSeedKey(seed.ZyncBugsnagApiKey). + EmptyIf(!spec.Config.Bugsnag.Enabled()). 
+ Unpack(spec.Config.Bugsnag.APIKey) + opts.AddEnvvar("BUGSNAG_RELEASE_STAGE").Unpack(spec.Config.Bugsnag.ReleaseStage) return opts } diff --git a/pkg/generators/zync/config/que_options.go b/pkg/generators/zync/config/que_options.go index 91b42d81..bbdde868 100644 --- a/pkg/generators/zync/config/que_options.go +++ b/pkg/generators/zync/config/que_options.go @@ -2,6 +2,7 @@ package config import ( saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" + "github.com/3scale-ops/saas-operator/pkg/generators/seed" "github.com/3scale-ops/saas-operator/pkg/resource_builders/pod" ) 
@@ -9,19 +10,18 @@ import ( func NewQueOptions(spec saasv1alpha1.ZyncSpec) pod.Options { opts := pod.Options{} - opts.Unpack(spec.Config.Rails.Environment).IntoEnvvar("RAILS_ENV") - opts.Unpack(spec.Config.Rails.LogLevel).IntoEnvvar("RAILS_LOG_LEVEL") - opts.Unpack("true").IntoEnvvar("RAILS_LOG_TO_STDOUT") - opts.Unpack(spec.Config.DatabaseDSN).IntoEnvvar("DATABASE_URL"). - AsSecretRef(ZyncSecret) - opts.Unpack(spec.Config.SecretKeyBase).IntoEnvvar("SECRET_KEY_BASE"). - AsSecretRef(ZyncSecret) - opts.Unpack(spec.Config.ZyncAuthToken).IntoEnvvar("ZYNC_AUTHENTICATION_TOKEN"). - AsSecretRef(ZyncSecret) - opts.Unpack(spec.Config.Bugsnag.APIKey).IntoEnvvar("BUGSNAG_API_KEY"). - AsSecretRef(ZyncSecret). - EmptyIf(!spec.Config.Bugsnag.Enabled()) - opts.Unpack(spec.Config.Bugsnag.ReleaseStage).IntoEnvvar("BUGSNAG_RELEASE_STAGE") + opts.AddEnvvar("RAILS_ENV").Unpack(spec.Config.Rails.Environment) + opts.AddEnvvar("RAILS_LOG_LEVEL").Unpack(spec.Config.Rails.LogLevel) + opts.AddEnvvar("RAILS_LOG_TO_STDOUT").Unpack("true") + opts.AddEnvvar("DATABASE_URL").AsSecretRef(ZyncSecret).WithSeedKey(seed.ZyncDatabaseUrl). + Unpack(spec.Config.DatabaseDSN) + opts.AddEnvvar("SECRET_KEY_BASE").AsSecretRef(ZyncSecret).WithSeedKey(seed.ZyncSecretKeyBase). + Unpack(spec.Config.SecretKeyBase) + opts.AddEnvvar("ZYNC_AUTHENTICATION_TOKEN").AsSecretRef(ZyncSecret).WithSeedKey(seed.ZyncAuthToken). + Unpack(spec.Config.ZyncAuthToken) + opts.AddEnvvar("BUGSNAG_API_KEY").AsSecretRef(ZyncSecret).EmptyIf(!spec.Config.Bugsnag.Enabled()).WithSeedKey(seed.ZyncBugsnagApiKey). + Unpack(spec.Config.Bugsnag.APIKey) + opts.AddEnvvar("BUGSNAG_RELEASE_STAGE").Unpack(spec.Config.Bugsnag.ReleaseStage) return opts } diff --git a/pkg/resource_builders/pod/environment.go b/pkg/resource_builders/pod/environment.go index 4d02642d..990906c4 100644 --- a/pkg/resource_builders/pod/environment.go +++ b/pkg/resource_builders/pod/environment.go 
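Review bot: The `BUGSNAG_API_KEY` chain here orders `EmptyIf(...)` before `WithSeedKey(...)`, whereas the same chain in api_options.go (and every other chain in this patch) places `EmptyIf` immediately before the terminal `Unpack`; both setters only record fields so the result is identical, but one consistent order makes the "Unpack last" convention easier to scan, i.e. `opts.AddEnvvar("BUGSNAG_API_KEY").AsSecretRef(ZyncSecret).WithSeedKey(seed.ZyncBugsnagApiKey).EmptyIf(!spec.Config.Bugsnag.Enabled()).`. Also note this hunk is not purely mechanical: the four secret options in `NewQueOptions` previously had no `WithSeedKey`, so a `fromSeed` reference that formerly produced no seed-backed `valueFrom` here now resolves against the seed Secret, which the commit message should call out.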
@@ -20,36 +20,117 @@ import ( ) type Option struct { - value *string - valueFrom *corev1.EnvVarSource - secretRef *saasv1alpha1.SecretReference + value *string + valueFrom *corev1.EnvVarSource + // secretRef *saasv1alpha1.SecretReference envVariable string secretName string + seedKey string + vaultKey string + vaultPath string isSet bool + isEmpty bool } -func (o *Option) IntoEnvvar(e string) *Option { o.envVariable = e; return o } -func (o *Option) AsSecretRef(s fmt.Stringer) *Option { o.secretName = s.String(); return o } -func (o *Option) WithSeedKey(key fmt.Stringer) *Option { - if o.secretRef != nil && o.secretRef.FromSeed != nil { - o.valueFrom = &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: saasv1alpha1.DefaultSeedSecret, - }, - Key: key.String(), - }} - } - return o -} +func (o *Option) IntoEnvvar(e string) *Option { o.envVariable = e; return o } +func (o *Option) AsSecretRef(s fmt.Stringer) *Option { o.secretName = s.String(); return o } +func (o *Option) WithSeedKey(key fmt.Stringer) *Option { o.seedKey = key.String(); return o } func (o *Option) EmptyIf(empty bool) *Option { if empty { - o.secretRef = nil - o.value = util.Pointer("") + o.isEmpty = true } return o } +// Unpack retrieves the value specified from the API and adds a matching option to the +// list of options. It handles both values and pointers seamlessly. +// Considers a nil value as an unset option. +// It always unpacks into an string representation of the value so it can be stored as +// an environment variable. +// A parameter indicating the format (as in a call to fmt.Sprintf()) can be optionally passed. 
+func (opt *Option) Unpack(o any, params ...string) *Option { + if len(params) > 1 { + panic(fmt.Errorf("too many params in call to Unpack")) + } + + if opt.isEmpty { + opt.isSet = true + opt.value = util.Pointer("") + return opt + } + + var val any + + if reflect.ValueOf(o).Kind() == reflect.Ptr { + if lo.IsNil(o) { + // underlying value is nil so option is unset + return &Option{isSet: false} + } else { + val = reflect.ValueOf(o).Elem().Interface() + } + } else { + val = o + } + + switch v := val.(type) { + + case saasv1alpha1.SecretReference: + if opt.envVariable == "" { + panic("AddEnvvar must be invoked to add a new option") + } + opt.isSet = true + + // is a secret with override + if v.Override != nil { + opt.value = v.Override + + // is a secret with value from vault + } else if v.FromVault != nil { + if opt.secretName == "" { + panic("AsSecretRef must be invoked when using 'SecretReference.FromVault'") + } + opt.vaultKey = v.FromVault.Key + opt.vaultPath = v.FromVault.Path + opt.valueFrom = &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + Key: opt.envVariable, + LocalObjectReference: corev1.LocalObjectReference{ + Name: opt.secretName, + }, + }} + + // is a secret retrieved ffom the default seed Secret + } else if v.FromSeed != nil { + if opt.seedKey == "" { + panic("WithSeedKey must be invoked when using 'SecretReference.FromSeed'") + } + opt.valueFrom = &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: saasv1alpha1.DefaultSeedSecret, + }, + Key: opt.seedKey, + }} + } + + default: + opt.isSet = true + opt.value = unpackValue(v, params...) + } + + return opt +} + +func unpackValue(o any, params ...string) *string { + var format string + if len(params) > 0 { + format = params[0] + } else { + format = "%v" + } + return util.Pointer(fmt.Sprintf(format, o)) +} + type Options []*Option func NewOptions() *Options { return &Options{} } 
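Review bot: The nil-pointer branch of `Unpack` returns a fresh `&Option{isSet: false}` instead of the receiver, so the entry already appended by `AddEnvvar` stays in the list (unset, which is fine) while anything chained after `Unpack` mutates a discarded object; since `opt.isSet` is still false at that point, `return opt` keeps list and chain consistent. `Unpack` also consumes `envVariable`, `secretName`, `seedKey` and `isEmpty`, so it has to be the last call in the chain and setters invoked after it are silently ignored — the doc comment should state that, e.g. `// Unpack must be the last call in the chain: AddEnvvar, AsSecretRef, WithSeedKey and EmptyIf only record state that Unpack consumes.` The commented-out `// secretRef *saasv1alpha1.SecretReference` field should be deleted rather than left as dead text, and `retrieved ffom the default seed Secret` has a typo. A `SecretReference` with none of `Override`, `FromVault` or `FromSeed` set is still marked `isSet` with neither `value` nor `valueFrom`; that behaviour carries over from the old `BuildEnvironment`, but now that the dispatch lives here an explicit fall-through branch (treat as unset, or return an error) would surface such a misconfigured CR instead of leaving it to whatever the consumer does with an empty option.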
@@ -63,7 +144,7 @@ func (options *Options) DeepCopy() *Options { // FilterSecretOptions returns a list of options that will generate a Secret resource func (options *Options) FilterSecretOptions() Options { return lo.Filter[*Option](*options, func(item *Option, index int) bool { - return item.secretRef != nil && item.secretRef.Override == nil && item.secretName != "" + return item.valueFrom != nil && item.valueFrom.SecretKeyRef != nil }) } @@ -87,46 +168,8 @@ func (options *Options) GenerateRolloutTriggers(additionalSecrets ...string) []r return triggers } -// Unpack retrieves the value specified from the API and adds a matching option to the -// list of options. It handles both values and pointers seamlessly. -// Considers a nil value as an unset option. -// It always unpacks into an string representation of the value so it can be stored as -// an environment variable. -// A parameter indicating the format (as in a call to fmt.Sprintf()) can be optionally passed. -func (options *Options) Unpack(o any, params ...string) *Option { - if len(params) > 1 { - panic(fmt.Errorf("too many params in call to Unpack")) - } - - var opt *Option - var val any - - if reflect.ValueOf(o).Kind() == reflect.Ptr { - if lo.IsNil(o) { - // underlying value is nil so option is unset - return &Option{isSet: false} - } else { - val = reflect.ValueOf(o).Elem().Interface() - } - } else { - val = o - } - - switch v := val.(type) { - - case saasv1alpha1.SecretReference: - opt = &Option{secretRef: &v, isSet: true} - - default: - var format string - if len(params) > 0 { - format = params[0] - } else { - format = "%v" - } - opt = &Option{value: util.Pointer(fmt.Sprintf(format, v)), isSet: true} - } - +func (options *Options) AddEnvvar(e string) *Option { + opt := &Option{envVariable: e} *options = append(*options, opt) return opt } 
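Review bot: The new predicate in `FilterSecretOptions`, `item.valueFrom != nil && item.valueFrom.SecretKeyRef != nil`, now also matches options whose `valueFrom` was supplied by `WithExtraEnv` (the old check required `secretName != ""`, which `WithExtraEnv` clears), in addition to the seed-backed options whose `SecretKeyRef` points at `DefaultSeedSecret`. If `GenerateExternalSecrets` iterates this filter — its hunk later in this patch builds `RemoteRef` from `opt.vaultPath`/`opt.vaultKey` — those entries would produce ExternalSecret data with an empty key and property. A predicate on the recorded vault source, `return item.vaultPath != "" && item.vaultKey != ""`, matches the stated purpose ("options that will generate a Secret resource"); if secret-name scoping also matters, compare `item.valueFrom.SecretKeyRef.Name` with `item.secretName` as well.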
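Review bot: `AddEnvvar` is the new entry point of the builder and the only place an `Option` is appended to the list, yet it has no doc comment; suggest `// AddEnvvar appends a new, unset Option for environment variable e and returns it so the source (AsSecretRef, WithSeedKey, EmptyIf) can be chained before the final Unpack.` The `GenerateRolloutTriggers` lines at the top of this hunk are context only; that function starts outside the hunk.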
@@ -143,7 +186,6 @@ func (options *Options) WithExtraEnv(extra []corev1.EnvVar) *Options { if exists { o.value = util.Pointer(envvar.Value) o.valueFrom = envvar.ValueFrom - o.secretRef = nil o.isSet = true o.secretName = "" } else { @@ -173,27 +215,6 @@ func (opts *Options) BuildEnvironment() []corev1.EnvVar { continue } - // STEP1: process the option to produce a Value or a ValueFrom field - - // is a secret with override - if opt.secretRef != nil && opt.secretRef.Override != nil { - opt.value = opt.secretRef.Override - - // is a secret with value from vault - } else if opt.secretRef != nil && opt.secretRef.FromVault != nil { - opt.valueFrom = &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - Key: opt.envVariable, - LocalObjectReference: corev1.LocalObjectReference{ - Name: opt.secretName, - }, - }} - - // is a secret with value from vault - } - - // STEP2: generate the envvar using the Value or ValueFrom - // Direct value (if both value and valueFrom are set, value takes precedence and // valueFrom will be ignored) if opt.value != nil { @@ -229,8 +250,8 @@ func (opts *Options) GenerateExternalSecrets(namespace string, labels map[string data = append(data, externalsecretsv1beta1.ExternalSecretData{ SecretKey: opt.envVariable, RemoteRef: externalsecretsv1beta1.ExternalSecretDataRemoteRef{ - Key: strings.TrimPrefix(opt.secretRef.FromVault.Path, "secret/data/"), - Property: opt.secretRef.FromVault.Key, + Key: strings.TrimPrefix(opt.vaultPath, "secret/data/"), + Property: opt.vaultKey, ConversionStrategy: "Default", DecodingStrategy: "None", }, diff --git a/pkg/resource_builders/pod/environment_test.go b/pkg/resource_builders/pod/environment_test.go index 7f8d0c79..468e08d2 100644 --- a/pkg/resource_builders/pod/environment_test.go +++ b/pkg/resource_builders/pod/environment_test.go 
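Review bot: When an extra env var replaces an existing option, the hunk drops `o.secretRef = nil` but the fields that superseded it — vaultPath, vaultKey and seedKey — keep the values the original option was unpacked with. WithExtraEnv starts and ends outside this hunk, so I cannot see whether they are cleared elsewhere; if not, an extra env var whose ValueFrom is itself a SecretKeyRef passes the new FilterSecretOptions predicate and GenerateExternalSecrets would emit the stale vault path for it. Resetting them next to `o.secretName = ""` keeps the override complete: `o.vaultPath = ""`, `o.vaultKey = ""`, `o.seedKey = ""`.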
@@ -38,7 +38,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "Text value", opts: func() *Options { o := NewOptions() - o.Unpack("value").IntoEnvvar("envvar") + o.AddEnvvar("envvar").Unpack("value") return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -51,7 +51,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "Text value with custom format", opts: func() *Options { o := NewOptions() - o.Unpack(8080, ":%d").IntoEnvvar("envvar") + o.AddEnvvar("envvar").Unpack(8080, ":%d") return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -64,7 +64,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "Pointer to text value", opts: func() *Options { o := NewOptions() - o.Unpack(util.Pointer("value")).IntoEnvvar("envvar") + o.AddEnvvar("envvar").Unpack(util.Pointer("value")) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -78,7 +78,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { opts: func() *Options { o := NewOptions() var v *string - o.Unpack(v).IntoEnvvar("envvar") + o.AddEnvvar("envvar").Unpack(v) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -88,10 +88,11 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "SecretReference", opts: func() *Options { o := &Options{} - o.Unpack(saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ - Path: "path", - Key: "key", - }}).IntoEnvvar("envvar").AsSecretRef(TSecret("secret")) + o.AddEnvvar("envvar").AsSecretRef(TSecret("secret")). + Unpack(saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ + Path: "path", + Key: "key", + }}) return o }(), args: args{extra: []corev1.EnvVar{}}, 
@@ -111,10 +112,11 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "Pointer to SecretReference", opts: func() *Options { o := &Options{} - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ - Path: "path", - Key: "key", - }}).IntoEnvvar("envvar").AsSecretRef(TSecret("secret")) + o.AddEnvvar("envvar").AsSecretRef(TSecret("secret")). + Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ + Path: "path", + Key: "key", + }}) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -135,7 +137,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { opts: func() *Options { o := &Options{} var v *saasv1alpha1.SecretReference - o.Unpack(v).IntoEnvvar("envvar").AsSecretRef(TSecret("secret")) + o.AddEnvvar("envvar").AsSecretRef(TSecret("secret")).Unpack(v) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -145,7 +147,8 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "SecretReference with override", opts: func() *Options { o := &Options{} - o.Unpack(saasv1alpha1.SecretReference{Override: util.Pointer("value")}).IntoEnvvar("envvar") + o.AddEnvvar("envvar"). + Unpack(saasv1alpha1.SecretReference{Override: util.Pointer("value")}) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -158,10 +161,11 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "EmptyIf", opts: func() *Options { o := &Options{} - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ - Path: "path", - Key: "key", - }}).IntoEnvvar("envvar").AsSecretRef(TSecret("secret")).EmptyIf(true) + o.AddEnvvar("envvar").AsSecretRef(TSecret("secret")).EmptyIf(true). + Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ + Path: "path", + Key: "key", + }}) return o }(), args: args{extra: []corev1.EnvVar{}}, 
@@ -174,11 +178,12 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "Adds/overwrites extra envvars", opts: func() *Options { o := &Options{} - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ - Path: "path", - Key: "key", - }}).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret")).EmptyIf(true) - o.Unpack("value2").IntoEnvvar("envvar2") + o.AddEnvvar("envvar1").AsSecretRef(TSecret("secret")).EmptyIf(true). + Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ + Path: "path", + Key: "key", + }}) + o.AddEnvvar("envvar2").Unpack("value2") return o }(), args: args{extra: []corev1.EnvVar{ @@ -222,7 +227,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "bool value", opts: func() *Options { o := NewOptions() - o.Unpack(true).IntoEnvvar("envvar") + o.AddEnvvar("envvar").Unpack(true) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -235,7 +240,7 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "Pointer to int value", opts: func() *Options { o := NewOptions() - o.Unpack(util.Pointer(100)).IntoEnvvar("envvar") + o.AddEnvvar("envvar").Unpack(util.Pointer(100)) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -248,10 +253,9 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "SecretReference from seed", opts: func() *Options { o := &Options{} - o.Unpack(saasv1alpha1.SecretReference{Override: util.Pointer("value1")}).IntoEnvvar("envvar1") - o.Unpack(saasv1alpha1.SecretReference{FromSeed: &saasv1alpha1.SeedSecretReference{}}).IntoEnvvar("envvar2"). - AsSecretRef(TSecret("some-secret")). - WithSeedKey(TSeedKey("seed-key")) + o.AddEnvvar("envvar1").Unpack(saasv1alpha1.SecretReference{Override: util.Pointer("value1")}) + o.AddEnvvar("envvar2").AsSecretRef(TSecret("some-secret")).WithSeedKey(TSeedKey("seed-key")). + Unpack(saasv1alpha1.SecretReference{FromSeed: &saasv1alpha1.SeedSecretReference{}}) return o }(), args: args{extra: []corev1.EnvVar{}}, 
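Review bot: The "SecretReference from seed" case only exercises BuildEnvironment; there is no case for the panic raised when WithSeedKey is omitted on a FromSeed reference, and none that runs a FromSeed option through GenerateExternalSecrets or ListSecretResourceNames, which is where the widened FilterSecretOptions predicate would show up. The case also chains `AsSecretRef(TSecret("some-secret"))` onto a seed option, so the expectation should make explicit whether that name is ignored for seed-sourced values or still surfaces as a managed secret resource. A short table entry for each of those would pin the intended behaviour before callers depend on it.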
@@ -277,13 +281,12 @@ func TestOptions_BuildEnvironment(t *testing.T) { name: "SecretReference from vault, but with seed configured", opts: func() *Options { o := &Options{} - o.Unpack(saasv1alpha1.SecretReference{Override: util.Pointer("value1")}).IntoEnvvar("envvar1") - o.Unpack(saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ - Path: "path", - Key: "key", - }}).IntoEnvvar("envvar2"). - AsSecretRef(TSecret("some-secret")). - WithSeedKey(TSeedKey("seed-key")) + o.AddEnvvar("envvar1").Unpack(saasv1alpha1.SecretReference{Override: util.Pointer("value1")}) + o.AddEnvvar("envvar2").AsSecretRef(TSecret("some-secret")).WithSeedKey(TSeedKey("seed-key")). + Unpack(saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ + Path: "path", + Key: "key", + }}) return o }(), args: args{extra: []corev1.EnvVar{}}, @@ -334,8 +337,8 @@ func TestOptions_GenerateExternalSecrets(t *testing.T) { name: "Does not generate any external secret", opts: func() *Options { o := NewOptions() - o.Unpack("value1").IntoEnvvar("envvar1") - o.Unpack("value2").IntoEnvvar("envvar2") + o.AddEnvvar("envvar1").Unpack("value1") + o.AddEnvvar("envvar2").Unpack("value2") return o }(), args: args{}, 
@@ -345,18 +348,21 @@ func TestOptions_GenerateExternalSecrets(t *testing.T) { name: "Generates external secrets for the secret options", opts: func() *Options { o := NewOptions() - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ - Path: "path1", - Key: "key1", - }}).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret1")) - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ - Path: "path2", - Key: "key2", - }}).IntoEnvvar("envvar2").AsSecretRef(TSecret("secret1")) - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ - Path: "path3", - Key: "key3", - }}).IntoEnvvar("envvar3").AsSecretRef(TSecret("secret2")) + o.AddEnvvar("envvar1").AsSecretRef(TSecret("secret1")). + Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ + Path: "path1", + Key: "key1", + }}) + o.AddEnvvar("envvar2").AsSecretRef(TSecret("secret1")). + Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ + Path: "path2", + Key: "key2", + }}) + o.AddEnvvar("envvar3").AsSecretRef(TSecret("secret2")). + Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{ + Path: "path3", + Key: "key3", + }}) return o }(), args: args{ @@ -442,7 +448,8 @@ func TestOptions_GenerateExternalSecrets(t *testing.T) { name: "Skips secret options with override", opts: func() *Options { o := NewOptions() - o.Unpack(&saasv1alpha1.SecretReference{Override: util.Pointer("override")}).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret")) + o.AddEnvvar("envvar1").AsSecretRef(TSecret("secret")). + Unpack(&saasv1alpha1.SecretReference{Override: util.Pointer("override")}) return o }(), args: args{}, 
@@ -453,7 +460,7 @@ func TestOptions_GenerateExternalSecrets(t *testing.T) { opts: func() *Options { o := NewOptions() var v *saasv1alpha1.SecretReference - o.Unpack(v).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret")) + o.AddEnvvar("envvar1").AsSecretRef(TSecret("secret")).Unpack(v) return o }(), args: args{}, 
@@ -570,18 +577,22 @@ func TestOptions_ListSecretResourceNames(t *testing.T) { options: func() *Options { o := &Options{} // ok - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret1")) + o.AddEnvvar("envvar1").AsSecretRef(TSecret("secret1")). + Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}) // not ok: not a secret value - o.Unpack("value").IntoEnvvar("envvar2") + o.AddEnvvar("envvar2").Unpack("value") // not ok: secret value with override - o.Unpack(&saasv1alpha1.SecretReference{Override: util.Pointer("value")}).IntoEnvvar("envvar3").AsSecretRef(TSecret("secret2")) - var v *saasv1alpha1.SecretReference + o.AddEnvvar("envvar3").AsSecretRef(TSecret("secret2")). + Unpack(&saasv1alpha1.SecretReference{Override: util.Pointer("value")}) // not ok: secret value is nil - o.Unpack(v).IntoEnvvar("envvar1").AsSecretRef(TSecret("secret3")) + var v *saasv1alpha1.SecretReference + o.AddEnvvar("envvar1").AsSecretRef(TSecret("secret3")).Unpack(v) // ok - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}).IntoEnvvar("envvar2").AsSecretRef(TSecret("secret1")) + o.AddEnvvar("envvar2").AsSecretRef(TSecret("secret1")). + Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}) // ok - o.Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}).IntoEnvvar("envvar3").AsSecretRef(TSecret("secret2")) + o.AddEnvvar("envvar3").AsSecretRef(TSecret("secret2")). + Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}) return o }(), want: []string{"secret1", "secret2"}, diff --git a/pkg/resource_builders/twemproxy/options.go b/pkg/resource_builders/twemproxy/options.go index 49073e1b..d9369c08 100644 --- a/pkg/resource_builders/twemproxy/options.go +++ b/pkg/resource_builders/twemproxy/options.go 
@@ -13,10 +13,10 @@ const ( func NewOptions(spec saasv1alpha1.TwemproxySpec) *pod.Options { opts := pod.NewOptions() - opts.Unpack(TwemproxyConfigFile).IntoEnvvar("TWEMPROXY_CONFIG_FILE") - opts.Unpack(spec.Options.MetricsPort, ":%d").IntoEnvvar("TWEMPROXY_METRICS_ADDRESS") - opts.Unpack(spec.Options.StatsInterval.Milliseconds()).IntoEnvvar("TWEMPROXY_STATS_INTERVAL") - opts.Unpack(spec.Options.LogLevel).IntoEnvvar("TWEMPROXY_LOG_LEVEL") + opts.AddEnvvar("TWEMPROXY_CONFIG_FILE").Unpack(TwemproxyConfigFile) + opts.AddEnvvar("TWEMPROXY_METRICS_ADDRESS").Unpack(spec.Options.MetricsPort, ":%d") + opts.AddEnvvar("TWEMPROXY_STATS_INTERVAL").Unpack(spec.Options.StatsInterval.Milliseconds()) + opts.AddEnvvar("TWEMPROXY_LOG_LEVEL").Unpack(spec.Options.LogLevel) return opts } From a3bd4c7847cc6fae9b09677ddec553dab18da8f6 Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Wed, 17 Apr 2024 16:04:28 +0200 Subject: [PATCH 04/20] Add a property to the system CRD to use a custom s3 endpoint --- api/v1alpha1/system_types.go | 4 + api/v1alpha1/zz_generated.deepcopy.go | 5 + config/crd/bases/saas.3scale.net_systems.yaml | 3 + .../local-setup/system-config/amazon_s3.yml | 9 +- config/local-setup/system.yaml | 1 + .../saas-operator.clusterserviceversion.yaml | 148 +++++++++++++++++- pkg/generators/seed/types.go | 18 +++ pkg/generators/system/config/options.go | 1 + pkg/resource_builders/pod/seed.go | 1 - 9 files changed, 180 insertions(+), 10 deletions(-) delete mode 100644 pkg/resource_builders/pod/seed.go diff --git a/api/v1alpha1/system_types.go b/api/v1alpha1/system_types.go index bf70c46e..79e46dc1 100644 --- a/api/v1alpha1/system_types.go +++ b/api/v1alpha1/system_types.go 
@@ -668,6 +668,10 @@ type AssetsSpec struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // +optional Host *string `json:"host,omitempty"` + // Assets custom S3 endpoint + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +optional + S3Endpoint *string `json:"s3Endpoint,omitempty"` } // SystemRailsSpec configures rails for system components diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index cc0a2c2f..08057c12 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -323,6 +323,11 @@ func (in *AssetsSpec) DeepCopyInto(out *AssetsSpec) { *out = new(string) **out = **in } + if in.S3Endpoint != nil { + in, out := &in.S3Endpoint, &out.S3Endpoint + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AssetsSpec. diff --git a/config/crd/bases/saas.3scale.net_systems.yaml b/config/crd/bases/saas.3scale.net_systems.yaml index d839d2db..ffff7ee2 100644 --- a/config/crd/bases/saas.3scale.net_systems.yaml +++ b/config/crd/bases/saas.3scale.net_systems.yaml @@ -719,6 +719,9 @@ spec: region: description: AWS S3 region type: string + s3Endpoint: + description: Assets custom S3 endpoint + type: string secretKey: description: AWS secret access key properties: diff --git a/config/local-setup/system-config/amazon_s3.yml b/config/local-setup/system-config/amazon_s3.yml index 27070209..02fe1fbf 100644 --- a/config/local-setup/system-config/amazon_s3.yml +++ b/config/local-setup/system-config/amazon_s3.yml 
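Review bot: The doc comment on the new S3Endpoint field does not say what shape the value takes. It is wired to `AWS_S3_HOSTNAME` and rendered into the `hostname:` key of amazon_s3.yml, which sits next to a separate `protocol:` key fed from AWS_PROTOCOL, yet the local-setup example passes a full URL (`http://minio.minio.svc.cluster.local:9000`); the comment should state whether scheme and port are expected, and that a plain-http endpoint transmits asset traffic and request signatures unencrypted, so it only suits the in-cluster local setup. Something like `// S3Endpoint overrides the S3 API endpoint (scheme, host and optional port) used for assets; leave unset to use the regional AWS endpoint` would do, with the unset behaviour confirmed against how amazon_s3.yml treats an empty hostname.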
@@ -1,17 +1,14 @@ default: &default {} s3: &s3 - # access_key_id: "<%= ENV['AWS_ACCESS_KEY_ID'] %>" -> can't pass custom envvars to System, not supported - access_key_id: admin - # secret_access_key: "<%= ENV['AWS_SECRET_ACCESS_KEY'] %>" -> can't pass custom envvars to System, not supported - secret_access_key: admin123 + access_key_id: "<%= ENV['AWS_ACCESS_KEY_ID'] %>" + secret_access_key: "<%= ENV['AWS_SECRET_ACCESS_KEY'] %>" role_arn: "<%= ENV['AWS_ROLE_ARN'] %>" web_identity_token_file: "<%= ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] %>" role_session_name: <%= ENV['AWS_ROLE_SESSION_NAME'].presence || '3scale-porta' %> bucket: "<%= ENV['AWS_BUCKET'] %>" region: "<%= ENV['AWS_REGION'] %>" - # hostname: "<%= ENV['AWS_HOSTNAME'] %>" -> can't pass custom envvars to System, not supported - hostname: "http://minio.minio.svc.cluster.local:9000" + hostname: "<%= ENV['AWS_S3_HOSTNAME'] %>" protocol: "<%= ENV['AWS_PROTOCOL'] %>" force_path_style: <%= ENV['AWS_PATH_STYLE'].presence || false %> diff --git a/config/local-setup/system.yaml b/config/local-setup/system.yaml index e1626be7..67bd88d0 100644 --- a/config/local-setup/system.yaml +++ b/config/local-setup/system.yaml @@ -32,6 +32,7 @@ spec: override: admin secretKey: override: admin123 + s3Endpoint: http://minio.minio.svc.cluster.local:9000 databaseDSN: override: mysql2://app:password@system-mysql/system_enterprise databaseSecret: diff --git a/config/manifests/bases/saas-operator.clusterserviceversion.yaml b/config/manifests/bases/saas-operator.clusterserviceversion.yaml index f4122de3..2f1aadbd 100644 --- a/config/manifests/bases/saas-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/saas-operator.clusterserviceversion.yaml 
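Review bot: `hostname:` now renders as an empty string whenever `AWS_S3_HOSTNAME` is unset, which appears to be the common case since that env var is only emitted when `spec.Config.Assets.S3Endpoint` is provided, whereas the previous revision always had a concrete value. The neighbouring keys guard this with `.presence || default` (`role_session_name`, `force_path_style`), so unless the S3 client treats an empty hostname as "use the regional endpoint" — which I cannot confirm from here — this silently breaks deployments without a custom endpoint. Consider the same pattern, e.g. `hostname: <%= ENV['AWS_S3_HOSTNAME'].presence %>`, so the key is nil rather than an empty string.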
@@ -849,6 +849,10 @@ spec: key displayName: Error Monitoring Key path: config.errorMonitoringKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.errorMonitoringKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -866,6 +870,10 @@ spec: service displayName: Error Monitoring Service path: config.errorMonitoringService + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.errorMonitoringService.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -899,6 +907,10 @@ spec: - description: A reference to the secret holding the backend-internal-api password displayName: Internal APIPassword path: config.internalAPIPassword + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.internalAPIPassword.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -915,6 +927,10 @@ spec: - description: A reference to the secret holding the backend-internal-api user displayName: Internal APIUser path: config.internalAPIUser + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.internalAPIUser.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -944,6 +960,10 @@ spec: password displayName: System Events Hook Password path: config.systemEventsHookPassword + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.systemEventsHookPassword.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -961,6 +981,10 @@ spec: URL displayName: System Events Hook URL path: config.systemEventsHookURL + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.systemEventsHookURL.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -1481,6 +1505,10 @@ spec: - description: System database connection string displayName: System Database DSN path: config.systemDatabaseDSN + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.systemDatabaseDSN.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -1834,6 +1862,10 @@ spec: - description: A reference to the secret holding the system admin token displayName: System Admin Token path: config.systemAdminToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.systemAdminToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -2335,6 +2367,10 @@ spec: - description: AccessCode to protect admin urls displayName: Access Code path: config.accessCode + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.accessCode.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2351,6 +2387,10 @@ spec: - description: AWS access key displayName: Access Key path: config.assets.accessKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.assets.accessKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2373,9 +2413,16 @@ spec: - description: AWS S3 region displayName: Region path: config.assets.region + - description: Assets custom S3 endpoint + displayName: S3 Endpoint + path: config.assets.s3Endpoint - description: AWS secret access key displayName: Secret Key path: config.assets.secretKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.assets.secretKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2398,6 +2445,10 @@ spec: - description: Internal API password displayName: Internal APIPassword path: config.backend.internalAPIPassword + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.backend.internalAPIPassword.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -2414,6 +2465,10 @@ spec: - description: Internal API user displayName: Internal APIUser path: config.backend.internalAPIUser + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.backend.internalAPIUser.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2439,6 +2494,10 @@ spec: - description: API key displayName: APIKey path: config.bugsnag.apiKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.bugsnag.apiKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2462,6 +2521,10 @@ spec: - description: DSN of system's main database displayName: Database DSN path: config.databaseDSN + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.databaseDSN.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2475,9 +2538,14 @@ spec: - description: Override allows to directly specify a string value. displayName: Override path: config.databaseDSN.override - - description: Database secret + - description: DatabaseSecret is a site key stored off-database for improved + more secure password hashing See https://github.com/3scale/porta/blob/ae498814cef3d856613f60d29330882fa870271d/config/initializers/site_keys.rb#L2-L19 displayName: Database Secret path: config.databaseSecret + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.databaseSecret.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -2491,9 +2559,14 @@ spec: - description: Override allows to directly specify a string value. displayName: Override path: config.databaseSecret.override - - description: EventsSharedSecret + - description: EventsSharedSecret is a password that protects System's event + hooks endpoint. displayName: Events Shared Secret path: config.eventsSharedSecret + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.eventsSharedSecret.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2533,6 +2606,10 @@ spec: - description: Client ID displayName: Client ID path: config.github.clientID + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.github.clientID.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2549,6 +2626,10 @@ spec: - description: Client secret displayName: Client Secret path: config.github.clientSecret + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.github.clientSecret.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2565,6 +2646,10 @@ spec: - description: Mapping Service access token displayName: Mapping Service Access Token path: config.mappingServiceAccessToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.mappingServiceAccessToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -2599,6 +2684,10 @@ spec: - description: Private key displayName: Private Key path: config.recaptcha.privateKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.recaptcha.privateKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2615,6 +2704,10 @@ spec: - description: Public key displayName: Public Key path: config.recaptcha.publicKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.recaptcha.publicKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2634,6 +2727,10 @@ spec: - description: Client ID displayName: Client ID path: config.redhatCustomerPortal.clientID + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.redhatCustomerPortal.clientID.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2650,6 +2747,10 @@ spec: - description: Client secret displayName: Client Secret path: config.redhatCustomerPortal.clientSecret + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.redhatCustomerPortal.clientSecret.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -2687,9 +2788,14 @@ spec: - description: Defines the address port displayName: Port path: config.searchServer.port - - description: SecretKeyBase + - description: 'SecretKeyBase: https://api.rubyonrails.org/classes/Rails/Application.html#method-i-secret_key_base + You can generate one random key using ''bundle exec rake secret''' displayName: Secret Key Base path: config.secretKeyBase + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.secretKeyBase.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2709,6 +2815,10 @@ spec: - description: Deletion token displayName: Deletion Token path: config.segment.deletionToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.segment.deletionToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2728,6 +2838,10 @@ spec: - description: Write key displayName: Write Key path: config.segment.writeKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.segment.writeKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2756,6 +2870,10 @@ spec: - description: Password displayName: Password path: config.smtp.password + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.smtp.password.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -2781,6 +2899,10 @@ spec: - description: User displayName: User path: config.smtp.user + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.smtp.user.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2809,6 +2931,10 @@ spec: - description: Zync authentication token displayName: Auth Token path: config.zync.authToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.zync.authToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3696,6 +3822,10 @@ spec: - description: API key displayName: APIKey path: config.bugsnag.apiKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.bugsnag.apiKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3715,6 +3845,10 @@ spec: - description: A reference to the secret holding the database DSN displayName: Database DSN path: config.databaseDSN + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.databaseDSN.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3760,6 +3894,10 @@ spec: - description: A reference to the secret holding the secret-key-base displayName: Secret Key Base path: config.secretKeyBase + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.secretKeyBase.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -3776,6 +3914,10 @@ spec: - description: A reference to the secret holding the zync authentication token displayName: Zync Auth Token path: config.zyncAuthToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.zyncAuthToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault diff --git a/pkg/generators/seed/types.go b/pkg/generators/seed/types.go index 6ec584e4..d61ebe88 100644 --- a/pkg/generators/seed/types.go +++ b/pkg/generators/seed/types.go @@ -40,3 +40,21 @@ const ( ZyncAuthToken SeedKey = "zync-auth-token" ZyncBugsnagApiKey SeedKey = "zync-bugsnag-api-key" ) + +// TODO: use this to generate a Secret from some input params +// var AutoGen map[SeedKey]string = map[SeedKey]string{ +// BackendInternalApiUser: "user", +// BackendInternalApiPassword: "", +// SystemDatabaseDsn: "mysql2://app:@:3306/system_enterprise", +// SystemEventsHookURL: "https:///master/events/import", +// SystemEventsHookSharedSecret: "", +// SystemMasterAccessToken: "", +// SystemAssetsS3AwsAccessKey: "", +// SystemAssetsS3AwsSecretKey: "", +// SystemSecretKeyBase: "", +// SystemAccessCode: "", +// SystemDatabaseSecret: "", +// ZyncDatabaseUrl: "postgresql://app:@:5432/zync", +// ZyncSecretKeyBase: "", +// ZyncAuthToken: "", +// } diff --git a/pkg/generators/system/config/options.go b/pkg/generators/system/config/options.go index b3da083b..e7ac44b6 100644 --- a/pkg/generators/system/config/options.go +++ b/pkg/generators/system/config/options.go 
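Review bot: The AutoGen map is committed as a commented-out block with a TODO, which will drift as seed keys change (the next commit in this series already adds SystemApicastAccessToken, which this list does not mention). Either wire it in behind a clearly named unexported variable or drop it and keep a one-line `// TODO: generate a seed Secret from input params; see <tracking issue>` with a reference to where the plan lives. If it stays, the embedded DSN templates (`mysql2://app:@:3306/...`, `postgresql://app:@:5432/zync`) deserve a comment that the empty password and host components are placeholders to be filled in, not usable defaults.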
@@ -91,6 +91,7 @@ func NewOptions(spec saasv1alpha1.SystemSpec) pod.Options { Unpack(spec.Config.Assets.SecretKey) opts.AddEnvvar("AWS_BUCKET").Unpack(spec.Config.Assets.Bucket) opts.AddEnvvar("AWS_REGION").Unpack(spec.Config.Assets.Region) + opts.AddEnvvar("AWS_S3_HOSTNAME").Unpack(spec.Config.Assets.S3Endpoint) opts.AddEnvvar("RAILS_ASSET_HOST").Unpack(spec.Config.Assets.Host) opts.AddEnvvar("SECRET_KEY_BASE").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemSecretKeyBase). diff --git a/pkg/resource_builders/pod/seed.go b/pkg/resource_builders/pod/seed.go deleted file mode 100644 index c75db3d4..00000000 --- a/pkg/resource_builders/pod/seed.go +++ /dev/null @@ -1 +0,0 @@ -package pod From f2cf5ca2659dc821d2c0eccbe0accbbc3cfeed4a Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Tue, 23 Apr 2024 18:24:44 +0200 Subject: [PATCH 05/20] Small fixes to the seed secret configuration --- pkg/generators/mappingservice/config/options.go | 2 +- pkg/generators/seed/types.go | 2 +- pkg/generators/system/config/options.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/generators/mappingservice/config/options.go b/pkg/generators/mappingservice/config/options.go index 927bb3a2..0dc09ec4 100644 --- a/pkg/generators/mappingservice/config/options.go +++ b/pkg/generators/mappingservice/config/options.go @@ -18,7 +18,7 @@ const ( func NewOptions(spec saasv1alpha1.MappingServiceSpec) pod.Options { opts := pod.Options{} - opts.AddEnvvar("MASTER_ACCESS_TOKEN").AsSecretRef(MappingServiceSystemMasterAccessTokenSecret).WithSeedKey(seed.SystemMasterAccessToken). + opts.AddEnvvar("MASTER_ACCESS_TOKEN").AsSecretRef(MappingServiceSystemMasterAccessTokenSecret).WithSeedKey(seed.SystemApicastAccessToken). Unpack(spec.Config.SystemAdminToken) opts.AddEnvvar("API_HOST").Unpack(spec.Config.APIHost) opts.AddEnvvar("APICAST_CONFIGURATION_LOADER").Unpack("lazy") diff --git a/pkg/generators/seed/types.go b/pkg/generators/seed/types.go index d61ebe88..4be9964c 100644 
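Review bot: `MASTER_ACCESS_TOKEN` is now seeded from `seed.SystemApicastAccessToken` while the env var and the `MappingServiceSystemMasterAccessTokenSecret` constant still say "master", so a later reader is likely to "correct" it back to `seed.SystemMasterAccessToken` and hand the mapping service a master-scoped credential. A why-comment on the changed line would protect the least-privilege choice: `// Intentionally the apicast-scoped token (seed.SystemApicastAccessToken), not the master token: the mapping service does not need master privileges.` If the wider scope is in fact required (presumably it only reads proxy configuration from system — confirm), the seed key name should say so instead. NewOptions continues outside the hunk.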
--- a/pkg/generators/seed/types.go +++ b/pkg/generators/seed/types.go @@ -20,12 +20,12 @@ const ( SystemSmtpUser SeedKey = "system-smpt-user" SystemSmtpPassword SeedKey = "system-smpt-password" SystemMasterAccessToken SeedKey = "system-master-access-token" + SystemApicastAccessToken SeedKey = "system-apicast-access-token" SystemAssetsS3AwsAccessKey SeedKey = "system-assets-s3-aws-access-key" SystemAssetsS3AwsSecretKey SeedKey = "system-assets-s3-aws-secret-key" SystemSecretKeyBase SeedKey = "system-secret-key-base" SystemAccessCode SeedKey = "system-access-code" SystemSegmentDeletionToken SeedKey = "system-segment-deletion-token" - SystemSegmentDeletionWorkspace SeedKey = "system-segment-deletion-workspace" SystemSegmentWriteKey SeedKey = "system-segment-write-key" SystemGithubClientId SeedKey = "system-github-client-id" SystemGithubClientSecret SeedKey = "system-github-client-secret" diff --git a/pkg/generators/system/config/options.go b/pkg/generators/system/config/options.go index e7ac44b6..d4bff5b3 100644 --- a/pkg/generators/system/config/options.go +++ b/pkg/generators/system/config/options.go @@ -68,7 +68,7 @@ func NewOptions(spec saasv1alpha1.SystemSpec) pod.Options { opts.AddEnvvar("SMTP_STARTTLS").Unpack(spec.Config.SMTP.STARTTLS) opts.AddEnvvar("SMTP_STARTTLS_AUTO").Unpack(spec.Config.SMTP.STARTTLSAuto) - opts.AddEnvvar("APICAST_ACCESS_TOKEN").AsSecretRef(SystemMasterApicastSecret).WithSeedKey(seed.SystemMasterAccessToken). + opts.AddEnvvar("APICAST_ACCESS_TOKEN").AsSecretRef(SystemMasterApicastSecret).WithSeedKey(seed.SystemApicastAccessToken). Unpack(spec.Config.MappingServiceAccessToken) opts.AddEnvvar("ZYNC_ENDPOINT").Unpack(spec.Config.Zync.Endpoint) From a43967816a46bfda073413b24dd204a605c11ce3 Mon Sep 17 00:00:00 2001 
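Review bot: The new `SystemApicastAccessToken` key is added next to `SystemMasterAccessToken` with no comment distinguishing the two, yet the companion hunks in this patch move both system's `APICAST_ACCESS_TOKEN` and the mapping service off the master token onto it. A doc comment on the constant would make the split explicit: `// SystemApicastAccessToken is the token apicast/mapping-service present to system; kept distinct from SystemMasterAccessToken so the master credential is never handed to the gateways.` The surrounding `system-smpt-user`/`system-smpt-password` values carry an existing typo ("smpt"); since these strings become Secret keys, renaming them after the seed Secret format ships will be a breaking change, so this is the moment to fix it. The const block starts and ends outside the hunk.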
From: Roi Vazquez Date: Tue, 23 Apr 2024 18:25:15 +0200 Subject: [PATCH 06/20] DB setup through a tekton pipeline This avoids having to hardcode values in the Makefile. It's also a more portable approach. The downside is that it requires installation of tekton within kind. --- Makefile | 44 +++-- config/dependencies/tekton/kustomization.yaml | 2 + .../databases/system-mysql/resources.yaml | 20 ++- .../databases/zync-postgresql/resources.yaml | 15 +- config/local-setup/secrets/.gitignore | 4 +- config/local-setup/secrets/kustomization.yaml | 3 +- .../secrets/seed-secret.yaml.envsubst | 47 ++++++ config/local-setup/system.yaml | 120 -------------- .../local-setup/{ => workloads}/apicast.yaml | 2 +- .../local-setup/{ => workloads}/autossl.yaml | 4 +- .../local-setup/{ => workloads}/backend.yaml | 12 +- .../{ => workloads}/configuration.yaml | 9 ++ .../{ => workloads}/corsproxy.yaml | 3 +- .../workloads/db-setup-pipelinerun.yaml | 7 + .../{ => workloads}/discoveryservice.yaml | 0 .../local-setup/{ => workloads}/echoapi.yaml | 0 .../{ => workloads}/kustomization.yaml | 2 +- .../{ => workloads}/mappingservice.yaml | 5 +- .../{ => workloads}/mt-ingress.yaml | 0 .../workloads/replacements/domains.yaml | 72 +++++++++ .../{ => workloads}/replacements/images.yaml | 0 .../system-config/amazon_s3.yml | 0 .../{ => workloads}/system-config/backend.yml | 0 .../system-config/backend_redis.yml | 0 .../system-config/cache_store.yml | 0 .../{ => workloads}/system-config/core.yml | 0 .../{ => workloads}/system-config/cors.yml | 0 .../system-config/currencies.yml | 0 .../system-config/database.yml | 0 .../system-config/features.yml | 0 .../{ => workloads}/system-config/oauth2.yml | 0 .../system-config/paperclip.yml | 0 .../system-config/redhat_customer_portal.yml | 0 .../{ => workloads}/system-config/redis.yml | 0 .../system-config/removed/banned_domains.yml | 0 .../removed/internal_domains.yml | 0 .../system-config/removed/plan_rules.yml | 0 
.../system-config/removed/rolling_updates.yml | 0 .../system-config/sandbox_proxy.yml | 0 .../{ => workloads}/system-config/secrets.yml | 0 .../{ => workloads}/system-config/segment.yml | 0 .../system-config/service_discovery.yml | 0 .../system-config/settings.yml | 2 +- .../system-config/sidekiq_schedule.yml | 0 .../{ => workloads}/system-config/smtp.yml | 0 .../system-config/web_hooks.yml | 0 .../{ => workloads}/system-config/zync.yml | 0 config/local-setup/workloads/system.yaml | 150 ++++++++++++++++++ config/local-setup/{ => workloads}/zync.yaml | 9 +- config/manager/kustomization.yaml | 2 +- hack/apply-kustomize.sh | 23 +-- pkg/version/version.go | 2 +- 52 files changed, 370 insertions(+), 189 deletions(-) create mode 100644 config/dependencies/tekton/kustomization.yaml create mode 100644 config/local-setup/secrets/seed-secret.yaml.envsubst delete mode 100644 config/local-setup/system.yaml rename config/local-setup/{ => workloads}/apicast.yaml (97%) rename config/local-setup/{ => workloads}/autossl.yaml (68%) rename config/local-setup/{ => workloads}/backend.yaml (87%) rename config/local-setup/{ => workloads}/configuration.yaml (73%) rename config/local-setup/{ => workloads}/corsproxy.yaml (72%) create mode 100644 config/local-setup/workloads/db-setup-pipelinerun.yaml rename config/local-setup/{ => workloads}/discoveryservice.yaml (100%) rename config/local-setup/{ => workloads}/echoapi.yaml (100%) rename config/local-setup/{ => workloads}/kustomization.yaml (97%) rename config/local-setup/{ => workloads}/mappingservice.yaml (68%) rename config/local-setup/{ => workloads}/mt-ingress.yaml (100%) create mode 100644 config/local-setup/workloads/replacements/domains.yaml rename config/local-setup/{ => workloads}/replacements/images.yaml (100%) rename config/local-setup/{ => workloads}/system-config/amazon_s3.yml (100%) rename config/local-setup/{ => workloads}/system-config/backend.yml (100%) rename config/local-setup/{ => 
workloads}/system-config/backend_redis.yml (100%) rename config/local-setup/{ => workloads}/system-config/cache_store.yml (100%) rename config/local-setup/{ => workloads}/system-config/core.yml (100%) rename config/local-setup/{ => workloads}/system-config/cors.yml (100%) rename config/local-setup/{ => workloads}/system-config/currencies.yml (100%) rename config/local-setup/{ => workloads}/system-config/database.yml (100%) rename config/local-setup/{ => workloads}/system-config/features.yml (100%) rename config/local-setup/{ => workloads}/system-config/oauth2.yml (100%) rename config/local-setup/{ => workloads}/system-config/paperclip.yml (100%) rename config/local-setup/{ => workloads}/system-config/redhat_customer_portal.yml (100%) rename config/local-setup/{ => workloads}/system-config/redis.yml (100%) rename config/local-setup/{ => workloads}/system-config/removed/banned_domains.yml (100%) rename config/local-setup/{ => workloads}/system-config/removed/internal_domains.yml (100%) rename config/local-setup/{ => workloads}/system-config/removed/plan_rules.yml (100%) rename config/local-setup/{ => workloads}/system-config/removed/rolling_updates.yml (100%) rename config/local-setup/{ => workloads}/system-config/sandbox_proxy.yml (100%) rename config/local-setup/{ => workloads}/system-config/secrets.yml (100%) rename config/local-setup/{ => workloads}/system-config/segment.yml (100%) rename config/local-setup/{ => workloads}/system-config/service_discovery.yml (100%) rename config/local-setup/{ => workloads}/system-config/settings.yml (97%) rename config/local-setup/{ => workloads}/system-config/sidekiq_schedule.yml (100%) rename config/local-setup/{ => workloads}/system-config/smtp.yml (100%) rename config/local-setup/{ => workloads}/system-config/web_hooks.yml (100%) rename config/local-setup/{ => workloads}/system-config/zync.yml (100%) create mode 100644 config/local-setup/workloads/system.yaml rename config/local-setup/{ => workloads}/zync.yaml (59%) 
diff --git a/Makefile b/Makefile index 7b0d4497..6e7108a6 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ # To re-generate a bundle for another specific version without changing the standard setup, you can: # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) -VERSION ?= 0.22.0 +VERSION ?= 0.23.0-alpha.4 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") # To re-generate a bundle for other specific channels without changing the standard setup, you can: @@ -283,8 +283,16 @@ kind-refresh-controller: manifests kind docker-build ## Reloads the controller i $(KIND) load docker-image $(IMG) kubectl delete pod -l control-plane=controller-manager +LOCAL_SETUP_SECRETS_PATH=config/local-setup/secrets +$(LOCAL_SETUP_SECRETS_PATH)/seed-secret.yaml: $(LOCAL_SETUP_SECRETS_PATH)/seed.env + source $(@D)/seed.env && envsubst < $@.envsubst > $@ + +kind-deploy-saas-secrets: export KUBECONFIG = $(PWD)/kubeconfig +kind-deploy-saas-secrets: $(LOCAL_SETUP_SECRETS_PATH)/seed-secret.yaml $(LOCAL_SETUP_SECRETS_PATH)/pull-secrets.json + $(KUSTOMIZE) build $(LOCAL_SETUP_SECRETS_PATH) | kubectl apply -f - + kind-deploy-databases: export KUBECONFIG = $(PWD)/kubeconfig -kind-deploy-databases: kind-deploy-controller +kind-deploy-databases: kind-deploy-controller kind-deploy-saas-secrets $(KUSTOMIZE) build config/local-setup/databases | kubectl apply -f - sleep 10 kubectl wait --for condition=ready --timeout=300s pod --all 
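Review bot: The `seed-secret.yaml` recipe runs `source $(@D)/seed.env && envsubst …` under make's default `/bin/sh`, where `source` is not POSIX, and variables set by sourcing are not exported to the `envsubst` child process unless `seed.env` itself uses `export`; in that case every `${VAR}` in the template silently renders as an empty string, producing a Secret full of empty passwords and tokens instead of a failed build (unless `SHELL := bash` is set elsewhere in the Makefile, which is not visible here). Use `set -a && . $(@D)/seed.env && set +a && envsubst < $@.envsubst > $@` so every variable in the file is exported regardless of how it is written. Consider also failing the target when the rendered file contains an empty value, e.g. `! grep -q ': ""' $@`, so a missing entry in `seed.env` is caught before `kubectl apply`.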
@@ -298,37 +306,25 @@ kind-load-redis-with-ssh: docker build -t $(REDIS_WITH_SSH_IMG) test/assets/redis-with-ssh $(KIND) load docker-image $(REDIS_WITH_SSH_IMG) -kind-deploy-saas: export KUBECONFIG = ${PWD}/kubeconfig -kind-deploy-saas: kind-load-redis-with-ssh ## Deploys a 3scale SaaS dev environment - $(KUSTOMIZE) build config/local-setup | kubectl apply -f - - sleep 5 - kubectl wait --for condition=ready --timeout=300s pod system-console-0 +kind-deploy-saas-workloads: export KUBECONFIG = ${PWD}/kubeconfig +kind-deploy-saas-workloads: kind-deploy-controller kind-deploy-saas-secrets kind-load-redis-with-ssh ## Deploys the 3scale SaaS dev environment workloads + $(KUSTOMIZE) build config/local-setup/workloads | kubectl apply -f - + sleep 10 kubectl get pods --no-headers -o name | grep -v system | xargs kubectl wait --for condition=ready --timeout=300s - kubectl -ti exec system-console-0 -c system-console -- bash -c '\ - MASTER_DOMAIN=multitenant-admin \ - MASTER_ACCESS_TOKEN=mtoken \ - MASTER_PASSWORD=mpass \ - MASTER_USER=admin \ - TENANT_NAME=provider \ - PROVIDER_NAME="3scale SaaS Dev Provider" \ - USER_LOGIN=admin \ - USER_PASSWORD=ppass \ - ADMIN_ACCESS_TOKEN=ptoken \ - USER_EMAIL="admin@cluster.local" \ - DISABLE_DATABASE_ENVIRONMENT_CHECK=1 \ - bundle exec rake db:setup' - kubectl get pods --no-headers -o name | grep system | xargs kubectl wait --for condition=ready --timeout=300s + +kind-deploy-saas-run-db-setup: + kubectl create -f config/local-setup/workloads/db-setup-pipelinerun.yaml kind-cleanup-saas: export KUBECONFIG = ${PWD}/kubeconfig kind-cleanup-saas: + -$(KUSTOMIZE) build config/local-setup/workloads | kubectl delete -f - -$(KUSTOMIZE) build config/local-setup/databases | kubectl delete -f - - -$(KUSTOMIZE) build config/local-setup | kubectl delete -f - -kubectl get pod --no-headers -o name | grep -v saas-operator | xargs kubectl delete --grace-period=0 --force -kubectl get pvc --no-headers -o name | xargs kubectl delete -LOCAL_SETUP_DEPS = 
metallb cert-manager marin3r prometheus-crds tekton-crds grafana-crds external-secrets-crds minio +LOCAL_SETUP_DEPS = metallb cert-manager marin3r prometheus-crds tekton grafana-crds external-secrets-crds minio kind-local-setup: export KUBECONFIG = ${PWD}/kubeconfig -kind-local-setup: $(foreach elem,$(LOCAL_SETUP_DEPS),install-$(elem)) kind-deploy-controller kind-deploy-databases kind-deploy-saas +kind-local-setup: $(foreach elem,$(LOCAL_SETUP_DEPS),install-$(elem)) kind-deploy-controller kind-deploy-saas-secrets kind-deploy-databases kind-deploy-saas-workloads kind-deploy-saas-run-db-setup ##@ Build Dependencies diff --git a/config/dependencies/tekton/kustomization.yaml b/config/dependencies/tekton/kustomization.yaml new file mode 100644 index 00000000..a9c0a49f --- /dev/null +++ b/config/dependencies/tekton/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.49.0/release.yaml diff --git a/config/local-setup/databases/system-mysql/resources.yaml b/config/local-setup/databases/system-mysql/resources.yaml index 6f314cb0..84e31855 100644 --- a/config/local-setup/databases/system-mysql/resources.yaml +++ b/config/local-setup/databases/system-mysql/resources.yaml @@ -24,13 +24,25 @@ spec: # - --default-authentication-plugin=mysql_native_password env: - name: MYSQL_ROOT_PASSWORD - value: password + valueFrom: + secretKeyRef: + name: saas-seed + key: MYSQL_ROOT_PASSWORD - name: MYSQL_DATABASE - value: system_enterprise + valueFrom: + secretKeyRef: + name: saas-seed + key: MYSQL_DATABASE - name: MYSQL_USER - value: app + valueFrom: + secretKeyRef: + name: saas-seed + key: MYSQL_USER - name: MYSQL_PASSWORD - value: password + valueFrom: + secretKeyRef: + name: saas-seed + key: MYSQL_PASSWORD ports: - name: mysql containerPort: 3306 diff --git a/config/local-setup/databases/zync-postgresql/resources.yaml b/config/local-setup/databases/zync-postgresql/resources.yaml index db90e5a4..96a53bd6 100644 
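Review bot: `kind-deploy-saas-run-db-setup` is the only target in this hunk without `export KUBECONFIG = ${PWD}/kubeconfig`, so its `kubectl create` runs against whatever context the developer's shell currently points at rather than the kind cluster, and a PipelineRun that seeds databases could be created in an unintended cluster. Add the export as its siblings do: `kind-deploy-saas-run-db-setup: export KUBECONFIG = ${PWD}/kubeconfig` on the line above the target. The target also returns as soon as the PipelineRun is created; if `kind-local-setup` callers expect the databases to be initialised when make returns, a `kubectl wait` on the run is needed.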
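Review bot: The new `config/dependencies/tekton/kustomization.yaml` pulls the full Tekton Pipelines release manifest from `storage.googleapis.com` at `kustomize build` time, pinned only by version path and with no content check, so whatever is served at that URL is applied to the cluster (presumably controllers with cluster-scoped permissions). Pin the manifest by vendoring it into the repo, or verify its sha256 in the install target, so a changed or republished artifact is caught rather than applied. A comment tying the version to its consumer would also help, e.g. `# Tekton Pipelines v0.49.0; bump together with the tekton.dev/v1beta1 PipelineRun under config/local-setup/workloads.`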
--- a/config/local-setup/databases/zync-postgresql/resources.yaml +++ b/config/local-setup/databases/zync-postgresql/resources.yaml @@ -24,11 +24,20 @@ spec: containerPort: 5432 env: - name: POSTGRES_USER - value: app + valueFrom: + secretKeyRef: + name: saas-seed + key: POSTGRES_USER - name: POSTGRES_PASSWORD - value: password + valueFrom: + secretKeyRef: + name: saas-seed + key: POSTGRES_PASSWORD - name: POSTGRES_DB - value: zync + valueFrom: + secretKeyRef: + name: saas-seed + key: POSTGRES_DB - name: PGDATA value: /var/lib/postgresql/data/pgdata - name: POD_IP diff --git a/config/local-setup/secrets/.gitignore b/config/local-setup/secrets/.gitignore index c491cbed..97ad430d 100644 --- a/config/local-setup/secrets/.gitignore +++ b/config/local-setup/secrets/.gitignore @@ -1 +1,3 @@ -pull-secrets.json \ No newline at end of file +pull-secrets.json +seed.env +seed-secret.yaml diff --git a/config/local-setup/secrets/kustomization.yaml b/config/local-setup/secrets/kustomization.yaml index 968c6e33..adb69ba7 100644 --- a/config/local-setup/secrets/kustomization.yaml +++ b/config/local-setup/secrets/kustomization.yaml @@ -1,7 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default - +resources: +- seed-secret.yaml secretGenerator: - name: pull-secrets behavior: create diff --git a/config/local-setup/secrets/seed-secret.yaml.envsubst b/config/local-setup/secrets/seed-secret.yaml.envsubst new file mode 100644 index 00000000..1b91cc41 --- /dev/null +++ b/config/local-setup/secrets/seed-secret.yaml.envsubst 
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Secret +metadata: + name: saas-seed +type: Opaque +stringData: + # MYSQL + MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}" + MYSQL_DATABASE: "${MYSQL_DATABASE}" + MYSQL_USER: "${MYSQL_USER}" + MYSQL_PASSWORD: "${MYSQL_PASSWORD}" + # POSTGRESQL + POSTGRES_USER: "${POSTGRES_USER}" + POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}" + POSTGRES_DB: "${POSTGRES_DB}" + # SaaS secret config + backend-internal-api-user: "${BACKEND_INTERNAL_API_USER}" + backend-internal-api-password: "${BACKEND_INTERNAL_API_PASSWORD}" + system-master-user: "${SYSTEM_MASTER_USER}" + system-master-password: "${SYSTEM_MASTER_PASSWORD}" + system-master-access-token: "${SYSTEM_MASTER_ACCESS_TOKEN}" + system-tenant-user: "${SYSTEM_TENANT_USER}" + system-tenant-password: "${SYSTEM_TENANT_PASSWORD}" + system-tenant-token: "${SYSTEM_TENANT_TOKEN}" + system-apicast-access-token: "${SYSTEM_APICAST_TOKEN}" + system-database-dsn: "mysql2://${MYSQL_USER}:${MYSQL_PASSWORD}@system-mysql:3306/${MYSQL_DATABASE}" + system-events-shared-secret: "${SYSTEM_EVENTS_SHARED_SECRET}" + system-assets-s3-aws-access-key: "${SYSTEM_ASSETS_S3_ACCESS_KEY}" + system-assets-s3-aws-secret-key: "${SYSTEM_ASSETS_S3_SECRET_KEY}" + system-secret-key-base: "${SYSTEM_SECRET_KEY_BASE}" + system-database-secret: "${SYSTEM_DATABASE_SECRET}" + system-smpt-user: "${SYSTEM_SMTP_USER}" + system-smpt-password: "${SYSTEM_SMTP_PASSWORD}" + system-access-code: "${SYSTEM_ACCESS_CODE}" + system-segment-deletion-token: "${SYSTEM_SEGMENT_DELETION_TOKEN}" + system-segment-write-key: "${SYSTEM_SEGMENT_WRITE_KEY}" + system-github-client-id: "${SYSTEM_GITHUB_CLIENT_ID}" + system-github-client-secret: "${SYSTEM_GITHUB_CLIENT_SECRET}" + system-rh-customer-portal-client-id: "${SYSTEM_RH_CUSTOMER_PORTAL_CLIENT_ID}" + system-rh-customer-portal-client-secret: "${SYSTEM_RH_CUSTOMER_PORTAL_CLIENT_SECRET}" + system-bugsnag-api-key: "${SYSTEM_BUGSNAG_API_KEY}" + system-recaptcha-public-key: "${SYSTEM_RECAPTCHA_PUBLIC_KEY}" + 
system-recaptcha-private-key: "${SYSTEM_RECAPTCHA_PRIVATE_KEY}" + zync-database-url: "postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@zync-psql:5432/${POSTGRES_DB}" + zync-secret-key-base: "${ZYNC_SECRET_KEY_BASE}" + zync-auth-token: "${ZYNC_AUTH_TOKEN}" + zync-bugsnag-api-key: "${ZYNC_BUGSNAG_API_KEY}" \ No newline at end of file diff --git a/config/local-setup/system.yaml b/config/local-setup/system.yaml deleted file mode 100644 index 67bd88d0..00000000 --- a/config/local-setup/system.yaml +++ /dev/null 
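Review bot: `system-database-dsn` and `zync-database-url` splice `${MYSQL_PASSWORD}` / `${POSTGRES_PASSWORD}` raw into a URL, so a password containing `@`, `/`, `:`, `#`, `?` or `%` yields a DSN that parses to the wrong host or fails, while the same value handed verbatim to the database containers works there — the two will silently disagree. envsubst cannot percent-encode, so either encode the credentials in the Makefile step that renders this file or restrict generated passwords to a URL-safe alphabet, and say so above those two keys: `# credentials are embedded unencoded: passwords must not contain URL-reserved characters`. Unset variables also render as empty strings rather than failing, so a missing `SYSTEM_SECRET_KEY_BASE` produces a Secret with an empty Rails secret key base; a guard for empty values before `kubectl apply` is worth adding. The `system-smpt-*` keys perpetuate an existing typo that now becomes part of the Secret's key schema.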
@@ -1,120 +0,0 @@ -apiVersion: saas.3scale.net/v1alpha1 -kind: System -metadata: - name: system -spec: - image: - name: REPLACE - tag: REPLACE - pullSecretName: pull-secrets - pullPolicy: Always - config: - configFilesSecret: system-config - threescaleSuperdomain: system-172-27-27-105.nip.io - rails: - console: true - environment: production - logLevel: info - redis: - queuesDSN: "redis://system-redis:6379" - backend: - externalEndpoint: "http://backend-172-27-27-100.nip.io" - internalAPIPassword: - override: backend-internal-api-password - internalAPIUser: - override: backend-internal-api-user - internalEndpoint: "http://backend-listener-internal" - redisDSN: "redis://backend-redis:6379/0" - assets: - bucket: system-assets # check config/amazon_s3.yml for the specific minio configuration (https://github.com/3scale/porta/blob/master/openshift/system/config/amazon_s3.yml) - region: us-east-1 - accessKey: - override: admin - secretKey: - override: admin123 - s3Endpoint: http://minio.minio.svc.cluster.local:9000 - databaseDSN: - override: mysql2://app:password@system-mysql/system_enterprise - databaseSecret: - override: databasesecret - secretKeyBase: - override: 7f3b35479601a66da53071175c4833c888c2630fcafa496dc4046d143ea38666e075116bb4bac3c287b6e5d925815d5958c361786f89dc4211f6ca713ef3487e - eventsSharedSecret: - override: system-events-shared-secret - searchServer: - host: system-searchd - zync: - authToken: - override: zync-auth-token - endpoint: "http://zync:8080" - smtp: - address: smtp.sendgrid.net - authProtocol: plain - opensslVerifyMode: peer - password: - override: "" - port: 587 - starttls: true - starttlsAuto: false - user: - override: "" - github: - clientID: - override: "" - clientSecret: - override: "" - mappingServiceAccessToken: - override: apicast-mtoken - memcachedServers: system-memcached:11211 - recaptcha: - privateKey: - override: "" - publicKey: - override: "" - redhatCustomerPortal: - clientID: - override: "" - clientSecret: - override: "" - 
realm: "" - segment: - deletionToken: - override: "" - deletionWorkspace: "" - writeKey: - override: "" - app: - hpa: {} - pdb: {} - replicas: 1 - console: {} - searchd: - enabled: true - image: - name: REPLACE - tag: REPLACE - pullSecretName: pull-secrets - pullPolicy: Always - config: - databaseStorageSize: 1Gi - sidekiqBilling: - config: - maxThreads: 5 - hpa: {} - pdb: {} - resources: {} - replicas: 1 - sidekiqDefault: - config: - maxThreads: 5 - hpa: {} - pdb: {} - resources: {} - replicas: 1 - sidekiqLow: - config: - maxThreads: 5 - hpa: {} - pdb: {} - resources: {} - replicas: 1 diff --git a/config/local-setup/apicast.yaml b/config/local-setup/workloads/apicast.yaml similarity index 97% rename from config/local-setup/apicast.yaml rename to config/local-setup/workloads/apicast.yaml index b18f541f..bbfee209 100644 --- a/config/local-setup/apicast.yaml +++ b/config/local-setup/workloads/apicast.yaml @@ -80,7 +80,7 @@ spec: router: routeConfiguration: virtualHosts: - - domains: [policies.staging-172-27-27-102.nip.io] + - domains: [REPLACE] name: policies routes: - match: diff --git a/config/local-setup/autossl.yaml b/config/local-setup/workloads/autossl.yaml similarity index 68% rename from config/local-setup/autossl.yaml rename to config/local-setup/workloads/autossl.yaml index 884bc80a..217f0475 100644 --- a/config/local-setup/autossl.yaml +++ b/config/local-setup/workloads/autossl.yaml @@ -12,9 +12,9 @@ spec: contactEmail: 3scale-operations@redhat.com domainWhitelist: [] logLevel: debug - proxyEndpoint: "https://multitenant-admin.system-172-27-27-105.nip.io" + proxyEndpoint: REPLACE redisHost: autossl-redis - verificationEndpoint: "https://multitenant-admin.system-172-27-27-105.nip.io/swagger/spec.json" + verificationEndpoint: REPLACE endpoint: {dns: []} hpa: {} pdb: {} 
diff --git a/config/local-setup/backend.yaml b/config/local-setup/workloads/backend.yaml similarity index 87% rename from config/local-setup/backend.yaml rename to config/local-setup/workloads/backend.yaml index 43ebb83e..af2798f3 100644 --- a/config/local-setup/backend.yaml +++ b/config/local-setup/workloads/backend.yaml @@ -11,17 +11,13 @@ spec: pullPolicy: Always config: masterServiceID: 1 - internalAPIPassword: - override: backend-internal-api-password - internalAPIUser: - override: backend-internal-api-user + internalAPIPassword: {fromSeed: {}} + internalAPIUser: {fromSeed: {}} rackEnv: preview redisQueuesDSN: "redis://backend-redis:6379/1" redisStorageDSN: "redis://backend-redis:6379/0" - systemEventsHookPassword: - override: system-events-shared-secret - systemEventsHookURL: - override: "https://system-172-27-27-105.nip.io/master/events/import" + systemEventsHookPassword: {} + systemEventsHookURL: {override: REPLACE } listener: config: listenerWorkers: 1 diff --git a/config/local-setup/configuration.yaml b/config/local-setup/workloads/configuration.yaml similarity index 73% rename from config/local-setup/configuration.yaml rename to config/local-setup/workloads/configuration.yaml index c0a306cb..7331379a 100644 --- a/config/local-setup/configuration.yaml +++ b/config/local-setup/workloads/configuration.yaml @@ -39,3 +39,12 @@ data: # ENVOY CONFIGURATION ENVOY_IMAGE: envoyproxy/envoy:v1.22.11 + + # DOMAIN CONFIGURATION + APICAST_POLICIES_ENDPOINT: policies.staging-172-27-27-102.nip.io + SYSTEM_ENDPOINT: https://multitenant-admin.system-172-27-27-105.nip.io + AUTOSSL_VERIFICATION_ENDPOINT: https://multitenant-admin.system-172-27-27-105.nip.io/swagger/spec.json + SYSTEM_EVENTS_URL: https://system-172-27-27-105.nip.io/master/events/import + SYSTEM_SUPERDOMAIN: system-172-27-27-105.nip.io + BACKEND_EXTERNAL_ENDPOINT: http://backend-172-27-27-100.nip.io + 
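Review bot: `systemEventsHookPassword: {}` is left as an empty reference while `internalAPIPassword`/`internalAPIUser` switch to `{fromSeed: {}}`, and the seed template in this series does carry a `system-events-shared-secret` key; if an empty reference does not default to the seed, backend will run without the shared secret that system's `eventsSharedSecret` expects on the events hook. `systemEventsHookPassword: {fromSeed: {}}` looks like what was intended — confirm against how the operator treats an empty SecretReference. The Backend spec continues outside the hunk.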
diff --git a/config/local-setup/corsproxy.yaml b/config/local-setup/workloads/corsproxy.yaml similarity index 72% rename from config/local-setup/corsproxy.yaml rename to config/local-setup/workloads/corsproxy.yaml index 9d243b50..4cfcd447 100644 --- a/config/local-setup/corsproxy.yaml +++ b/config/local-setup/workloads/corsproxy.yaml @@ -9,8 +9,7 @@ spec: pullSecretName: pull-secrets pullPolicy: Always config: - systemDatabaseDSN: - override: mysql://app:password@system-mysql:3306/system_enterprise + systemDatabaseDSN: {fromSeed: {}} hpa: {} pdb: {} replicas: 1 diff --git a/config/local-setup/workloads/db-setup-pipelinerun.yaml b/config/local-setup/workloads/db-setup-pipelinerun.yaml new file mode 100644 index 00000000..9166500d --- /dev/null +++ b/config/local-setup/workloads/db-setup-pipelinerun.yaml @@ -0,0 +1,7 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + generateName: run-system-db-setup- +spec: + pipelineRef: + name: system-db-setup diff --git a/config/local-setup/discoveryservice.yaml b/config/local-setup/workloads/discoveryservice.yaml similarity index 100% rename from config/local-setup/discoveryservice.yaml rename to config/local-setup/workloads/discoveryservice.yaml diff --git a/config/local-setup/echoapi.yaml b/config/local-setup/workloads/echoapi.yaml similarity index 100% rename from config/local-setup/echoapi.yaml rename to config/local-setup/workloads/echoapi.yaml diff --git a/config/local-setup/kustomization.yaml b/config/local-setup/workloads/kustomization.yaml similarity index 97% rename from config/local-setup/kustomization.yaml rename to config/local-setup/workloads/kustomization.yaml index 2299fa44..eefbd046 100644 --- a/config/local-setup/kustomization.yaml +++ b/config/local-setup/workloads/kustomization.yaml @@ -5,7 +5,6 @@ namespace: default resources: - discoveryservice.yaml - configuration.yaml - - secrets - apicast.yaml - mappingservice.yaml - autossl.yaml 
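Review bot: corsproxy previously consumed a `mysql://app:password@system-mysql:3306/system_enterprise` DSN, but `{fromSeed: {}}` now hands it the shared `system-database-dsn` key, which the seed template renders with the Rails-style `mysql2://` scheme. If corsproxy's driver checks the scheme this fails at startup, and in any case the two services now share one database credential; either confirm `mysql2://` is accepted or give corsproxy its own seed key with the scheme it expects, and record the choice next to `systemDatabaseDSN`, e.g. `# shares system's mysql2:// DSN from the seed Secret`.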
@@ -52,3 +51,4 @@ secretGenerator: replacements: - path: replacements/images.yaml + - path: replacements/domains.yaml diff --git a/config/local-setup/mappingservice.yaml b/config/local-setup/workloads/mappingservice.yaml similarity index 68% rename from config/local-setup/mappingservice.yaml rename to config/local-setup/workloads/mappingservice.yaml index 74eed694..32b4dce0 100644 --- a/config/local-setup/mappingservice.yaml +++ b/config/local-setup/workloads/mappingservice.yaml @@ -4,9 +4,8 @@ metadata: name: mapping-service spec: config: - apiHost: https://multitenant-admin.system-172-27-27-105.nip.io - systemAdminToken: - override: apicast-mtoken + apiHost: REPLACE + systemAdminToken: {fromSeed: {}} image: name: REPLACE tag: REPLACE diff --git a/config/local-setup/mt-ingress.yaml b/config/local-setup/workloads/mt-ingress.yaml similarity index 100% rename from config/local-setup/mt-ingress.yaml rename to config/local-setup/workloads/mt-ingress.yaml diff --git a/config/local-setup/workloads/replacements/domains.yaml b/config/local-setup/workloads/replacements/domains.yaml new file mode 100644 index 00000000..ab4a5bce --- /dev/null +++ b/config/local-setup/workloads/replacements/domains.yaml 
@@ -0,0 +1,72 @@ +# APICAST +- source: + kind: ConfigMap + name: config + fieldPath: data.APICAST_POLICIES_ENDPOINT + targets: + - select: + kind: Apicast + fieldPaths: + - spec.staging.marin3r.dynamicConfigs.router.routeConfiguration.virtualHosts.0.domains.0 + +# AUTOSSL +- source: + kind: ConfigMap + name: config + fieldPath: data.SYSTEM_ENDPOINT + targets: + - select: + kind: AutoSSL + fieldPaths: + - spec.config.proxyEndpoint +- source: + kind: ConfigMap + name: config + fieldPath: data.AUTOSSL_VERIFICATION_ENDPOINT + targets: + - select: + kind: AutoSSL + fieldPaths: + - spec.config.verificationEndpoint + +# BACKEND +- source: + kind: ConfigMap + name: config + fieldPath: data.SYSTEM_EVENTS_URL + targets: + - select: + kind: Backend + fieldPaths: + - spec.config.systemEventsHookURL.override + +# MAPPINGSERVICE +- source: + kind: ConfigMap + name: config + fieldPath: data.SYSTEM_ENDPOINT + targets: + - select: + kind: MappingService + fieldPaths: + - spec.config.apiHost + +# SYSTEM +- source: + kind: ConfigMap + name: config + fieldPath: data.SYSTEM_SUPERDOMAIN + targets: + - select: + kind: System + fieldPaths: + - spec.config.threescaleSuperdomain +- source: + kind: ConfigMap + name: config + fieldPath: data.BACKEND_EXTERNAL_ENDPOINT + targets: + - select: + kind: System + fieldPaths: + - spec.config.backend.externalEndpoint diff --git a/config/local-setup/replacements/images.yaml b/config/local-setup/workloads/replacements/images.yaml similarity index 100% rename from config/local-setup/replacements/images.yaml rename to config/local-setup/workloads/replacements/images.yaml diff --git a/config/local-setup/system-config/amazon_s3.yml b/config/local-setup/workloads/system-config/amazon_s3.yml similarity index 100% rename from config/local-setup/system-config/amazon_s3.yml rename to config/local-setup/workloads/system-config/amazon_s3.yml 
diff --git a/config/local-setup/system-config/backend.yml b/config/local-setup/workloads/system-config/backend.yml similarity index 100% rename from config/local-setup/system-config/backend.yml rename to config/local-setup/workloads/system-config/backend.yml diff --git a/config/local-setup/system-config/backend_redis.yml b/config/local-setup/workloads/system-config/backend_redis.yml similarity index 100% rename from config/local-setup/system-config/backend_redis.yml rename to config/local-setup/workloads/system-config/backend_redis.yml diff --git a/config/local-setup/system-config/cache_store.yml b/config/local-setup/workloads/system-config/cache_store.yml similarity index 100% rename from config/local-setup/system-config/cache_store.yml rename to config/local-setup/workloads/system-config/cache_store.yml diff --git a/config/local-setup/system-config/core.yml b/config/local-setup/workloads/system-config/core.yml similarity index 100% rename from config/local-setup/system-config/core.yml rename to config/local-setup/workloads/system-config/core.yml diff --git a/config/local-setup/system-config/cors.yml b/config/local-setup/workloads/system-config/cors.yml similarity index 100% rename from config/local-setup/system-config/cors.yml rename to config/local-setup/workloads/system-config/cors.yml diff --git a/config/local-setup/system-config/currencies.yml b/config/local-setup/workloads/system-config/currencies.yml similarity index 100% rename from config/local-setup/system-config/currencies.yml rename to config/local-setup/workloads/system-config/currencies.yml diff --git a/config/local-setup/system-config/database.yml b/config/local-setup/workloads/system-config/database.yml similarity index 100% rename from config/local-setup/system-config/database.yml rename to config/local-setup/workloads/system-config/database.yml 
diff --git a/config/local-setup/system-config/features.yml b/config/local-setup/workloads/system-config/features.yml similarity index 100% rename from config/local-setup/system-config/features.yml rename to config/local-setup/workloads/system-config/features.yml diff --git a/config/local-setup/system-config/oauth2.yml b/config/local-setup/workloads/system-config/oauth2.yml similarity index 100% rename from config/local-setup/system-config/oauth2.yml rename to config/local-setup/workloads/system-config/oauth2.yml diff --git a/config/local-setup/system-config/paperclip.yml b/config/local-setup/workloads/system-config/paperclip.yml similarity index 100% rename from config/local-setup/system-config/paperclip.yml rename to config/local-setup/workloads/system-config/paperclip.yml diff --git a/config/local-setup/system-config/redhat_customer_portal.yml b/config/local-setup/workloads/system-config/redhat_customer_portal.yml similarity index 100% rename from config/local-setup/system-config/redhat_customer_portal.yml rename to config/local-setup/workloads/system-config/redhat_customer_portal.yml diff --git a/config/local-setup/system-config/redis.yml b/config/local-setup/workloads/system-config/redis.yml similarity index 100% rename from config/local-setup/system-config/redis.yml rename to config/local-setup/workloads/system-config/redis.yml diff --git a/config/local-setup/system-config/removed/banned_domains.yml b/config/local-setup/workloads/system-config/removed/banned_domains.yml similarity index 100% rename from config/local-setup/system-config/removed/banned_domains.yml rename to config/local-setup/workloads/system-config/removed/banned_domains.yml 
diff --git a/config/local-setup/system-config/removed/internal_domains.yml b/config/local-setup/workloads/system-config/removed/internal_domains.yml similarity index 100% rename from config/local-setup/system-config/removed/internal_domains.yml rename to config/local-setup/workloads/system-config/removed/internal_domains.yml diff --git a/config/local-setup/system-config/removed/plan_rules.yml b/config/local-setup/workloads/system-config/removed/plan_rules.yml similarity index 100% rename from config/local-setup/system-config/removed/plan_rules.yml rename to config/local-setup/workloads/system-config/removed/plan_rules.yml diff --git a/config/local-setup/system-config/removed/rolling_updates.yml b/config/local-setup/workloads/system-config/removed/rolling_updates.yml similarity index 100% rename from config/local-setup/system-config/removed/rolling_updates.yml rename to config/local-setup/workloads/system-config/removed/rolling_updates.yml diff --git a/config/local-setup/system-config/sandbox_proxy.yml b/config/local-setup/workloads/system-config/sandbox_proxy.yml similarity index 100% rename from config/local-setup/system-config/sandbox_proxy.yml rename to config/local-setup/workloads/system-config/sandbox_proxy.yml diff --git a/config/local-setup/system-config/secrets.yml b/config/local-setup/workloads/system-config/secrets.yml similarity index 100% rename from config/local-setup/system-config/secrets.yml rename to config/local-setup/workloads/system-config/secrets.yml diff --git a/config/local-setup/system-config/segment.yml b/config/local-setup/workloads/system-config/segment.yml similarity index 100% rename from config/local-setup/system-config/segment.yml rename to config/local-setup/workloads/system-config/segment.yml 
diff --git a/config/local-setup/system-config/service_discovery.yml b/config/local-setup/workloads/system-config/service_discovery.yml similarity index 100% rename from config/local-setup/system-config/service_discovery.yml rename to config/local-setup/workloads/system-config/service_discovery.yml diff --git a/config/local-setup/system-config/settings.yml b/config/local-setup/workloads/system-config/settings.yml similarity index 97% rename from config/local-setup/system-config/settings.yml rename to config/local-setup/workloads/system-config/settings.yml index 380cec4d..cfc54af6 100644 --- a/config/local-setup/system-config/settings.yml +++ b/config/local-setup/workloads/system-config/settings.yml @@ -30,7 +30,7 @@ production: zync_authentication_token: <%= ENV.fetch('ZYNC_AUTHENTICATION_TOKEN') %> sysadmin_email: "admin@cluster.local" impersonation_admin: - username: saas_impersonation_admin + username: 3scaleadmin domain: 3scale.redhat.com active_merchant_mode: :test bulk_indexing_queue: bulk_indexing diff --git a/config/local-setup/system-config/sidekiq_schedule.yml b/config/local-setup/workloads/system-config/sidekiq_schedule.yml similarity index 100% rename from config/local-setup/system-config/sidekiq_schedule.yml rename to config/local-setup/workloads/system-config/sidekiq_schedule.yml diff --git a/config/local-setup/system-config/smtp.yml b/config/local-setup/workloads/system-config/smtp.yml similarity index 100% rename from config/local-setup/system-config/smtp.yml rename to config/local-setup/workloads/system-config/smtp.yml diff --git a/config/local-setup/system-config/web_hooks.yml b/config/local-setup/workloads/system-config/web_hooks.yml similarity index 100% rename from config/local-setup/system-config/web_hooks.yml rename to config/local-setup/workloads/system-config/web_hooks.yml 
diff --git a/config/local-setup/system-config/zync.yml b/config/local-setup/workloads/system-config/zync.yml similarity index 100% rename from config/local-setup/system-config/zync.yml rename to config/local-setup/workloads/system-config/zync.yml diff --git a/config/local-setup/workloads/system.yaml b/config/local-setup/workloads/system.yaml new file mode 100644 index 00000000..8ade60fa --- /dev/null +++ b/config/local-setup/workloads/system.yaml 
@@ -0,0 +1,150 @@ +apiVersion: saas.3scale.net/v1alpha1 +kind: System +metadata: + name: system +spec: + image: + name: REPLACE + tag: REPLACE + pullSecretName: pull-secrets + pullPolicy: Always + config: + configFilesSecret: system-config + threescaleSuperdomain: REPLACE + rails: + console: true + environment: production + logLevel: info + redis: + queuesDSN: "redis://system-redis:6379" + backend: + externalEndpoint: REPLACE + internalAPIPassword: {fromSeed: {}} + internalAPIUser: {fromSeed: {}} + internalEndpoint: "http://backend-listener-internal" + redisDSN: "redis://backend-redis:6379/0" + assets: + bucket: system-assets # check config/amazon_s3.yml for the specific minio configuration (https://github.com/3scale/porta/blob/master/openshift/system/config/amazon_s3.yml) + region: us-east-1 + accessKey: {fromSeed: {}} + secretKey: {fromSeed: {}} + s3Endpoint: http://minio.minio.svc.cluster.local:9000 + databaseDSN: {fromSeed: {}} + databaseSecret: {fromSeed: {}} + secretKeyBase: {fromSeed: {}} + eventsSharedSecret: {fromSeed: {}} + searchServer: + host: system-searchd + zync: + authToken: {fromSeed: {}} + endpoint: "http://zync:8080" + smtp: + address: smtp.sendgrid.net + authProtocol: plain + opensslVerifyMode: peer + password: {fromSeed: {}} + user: {fromSeed: {}} + port: 587 + starttls: true + starttlsAuto: false + github: + clientID: {fromSeed: {}} + clientSecret: {fromSeed: {}} + mappingServiceAccessToken: {fromSeed: {}} + memcachedServers: system-memcached:11211 + recaptcha: + privateKey: {fromSeed: {}} + publicKey: {fromSeed: {}} + redhatCustomerPortal: + clientID: {fromSeed: {}} + clientSecret: {fromSeed: {}} + realm: "" + segment: + deletionWorkspace: "" + deletionToken: {fromSeed: {}} + writeKey: {fromSeed: {}} + app: + hpa: {} + pdb: {} + replicas: 1 + console: {} + searchd: + enabled: true + image: + name: REPLACE + tag: REPLACE + pullSecretName: pull-secrets + pullPolicy: Always + config: + databaseStorageSize: 1Gi + sidekiqBilling: + config: + 
maxThreads: 5 + hpa: {} + pdb: {} + resources: {} + replicas: 1 + sidekiqDefault: + config: + maxThreads: 5 + hpa: {} + pdb: {} + resources: {} + replicas: 1 + sidekiqLow: + config: + maxThreads: 5 + hpa: {} + pdb: {} + resources: {} + replicas: 1 + tasks: + - name: system-db-setup + description: |- + Creates the database, loads the schema, and initializes with the + seed data (use system-db-drop to drop the database first). It drops + the current database if one exists. + config: + command: ["container-entrypoint"] + args: ["bundle", "exec", "rake", "db:drop", "db:setup"] + extraEnv: + - name: MASTER_DOMAIN + value: multitenant-admin + - name: MASTER_ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: saas-seed + key: system-master-access-token + - name: MASTER_PASSWORD + valueFrom: + secretKeyRef: + name: saas-seed + key: system-master-password + - name: MASTER_USER + valueFrom: + secretKeyRef: + name: saas-seed + key: system-master-user + - name: TENANT_NAME + value: provider + - name: PROVIDER_NAME + value: "3scale SaaS Dev Provider" + - name: USER_LOGIN + valueFrom: + secretKeyRef: + name: saas-seed + key: system-tenant-user + - name: USER_PASSWORD + valueFrom: + secretKeyRef: + name: saas-seed + key: system-tenant-password + - name: ADMIN_ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: saas-seed + key: system-tenant-token + - name: USER_EMAIL + value: "admin@cluster.local" + - name: DISABLE_DATABASE_ENVIRONMENT_CHECK + value: "1" diff --git a/config/local-setup/zync.yaml b/config/local-setup/workloads/zync.yaml similarity index 59% rename from config/local-setup/zync.yaml rename to config/local-setup/workloads/zync.yaml index e37f89e6..ada5d242 100644 --- a/config/local-setup/zync.yaml +++ b/config/local-setup/workloads/zync.yaml 
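Review bot: The `system-db-setup` task's `extraEnv` hard-codes the seed Secret name `saas-seed` and key names such as `system-master-access-token` and `system-tenant-password`, while every other credential in this spec is left to the operator via `{fromSeed: {}}`; nothing in the file says where those key names come from, so a drift between them and the rendered seed Secret would only surface as a failed PipelineRun. A comment above `extraEnv` such as `# key names must match those rendered from seed-secret.yaml.envsubst` would anchor them. Separately, `DISABLE_DATABASE_ENVIRONMENT_CHECK: "1"` is set next to `db:drop`; presumably this bypasses the Rails protected-environment guard, which the task description does not mention, so `# disables the Rails destructive-task guard; this task is meant to wipe the local database` beside it would record the intent.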
@@ -10,15 +10,12 @@ spec: pullSecretName: pull-secrets pullPolicy: Always config: - databaseDSN: - override: postgresql://app:password@zync-psql:5432/zync + databaseDSN: {fromSeed: {}} rails: environment: production logLevel: info - secretKeyBase: - override: b0b7de6526e9ea4ad5fabea2d6ccb7d16759c4e07522ea0b7a605e5f84f14b5b45a0aac2418c45810d2fa1e7abeeb33870b0592fbea9aeaf5361ab590ee2600b - zyncAuthToken: - override: zync-auth-token + secretKeyBase: {fromSeed: {}} + zyncAuthToken: {fromSeed: {}} api: hpa: {} pdb: {} diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 3f40346a..1914ad7c 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -13,4 +13,4 @@ kind: Kustomization images: - name: controller newName: quay.io/3scale/saas-operator - newTag: v0.22.0 + newTag: v0.23.0-alpha.4 diff --git a/hack/apply-kustomize.sh b/hack/apply-kustomize.sh index a6260177..6b23d4dc 100755 --- a/hack/apply-kustomize.sh +++ b/hack/apply-kustomize.sh 
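Review bot: The removed `secretKeyBase` and `zyncAuthToken` overrides were literal credentials committed to the repository, and dropping them from the file does not remove them from git history; if either value was ever used outside a throwaway kind cluster it should be treated as exposed and rotated. The replacement `{fromSeed: {}}` entries are consistent with the corsproxy and mappingservice changes earlier in this series.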
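Review bot: The controller image tag bumped here, `newTag: v0.23.0-alpha.4`, does not match the constant set in the `pkg/version/version.go` hunk further down, `version string = "v0.23.0-alpha.3"`, so the running binary would report a different version than the manifest deploys; one of the two should be changed so they agree. The surviving context comment in that file, `// Current returns the current marin3r operator version`, also looks like a copy-paste leftover in a saas-operator package and could read `// Current returns the current saas-operator version`.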
@@ -18,27 +18,29 @@ function filter_resources() { function resource_names() { local RESFILE=${1} local FILTER=${2} - filter_resources ${RESFILE} "${FILTER}" | ${YQ_BIN} -N .metadata.name + filter_resources ${RESFILE} "${FILTER}" | ${YQ_BIN} -N '[.metadata.namespace,.metadata.name] | join("/")' } function deploy_crds() { local RESFILE=${1} local FILTER=".kind == \"CustomResourceDefinition\"" - if [[ $(resource_names ${RESFILE} "${FILTER}") != "null" ]]; then + if [[ $(resource_names ${RESFILE} "${FILTER}") != "/" ]]; then echo; echo "#################### > Deploying CRDs for ${NAME}" filter_resources ${RESFILE} "${FILTER}" | kubectl apply -f - - resource_names ${RESFILE} "${FILTER}" | xargs kubectl wait --for condition=established --timeout=60s crd + resource_names ${RESFILE} "${FILTER}" | cut -f2 -d/ | xargs kubectl wait --for condition=established --timeout=60s crd fi } function wait_for() { local KIND=${1} - local NS=${2} + # local NS=${2} FILTER=".kind == \"${KIND}\"" - if [[ $(resource_names ${RESFILE} "${FILTER}") != "null" ]]; then + if [[ $(resource_names ${RESFILE} "${FILTER}") != "/" ]]; then for ITEM in $(resource_names ${RESFILE} "${FILTER}"); do - echo; echo "#################### > Waiting for ${KIND} ${ITEM} in namespace ${NS}" - local SELECTOR=$(kubectl -n ${NS} describe ${KIND} ${ITEM} | awk '/Selector/{print $2}') + local NAME=${ITEM#*/} + local NS=${ITEM%/*} + echo; echo "#################### > Waiting for ${KIND} ${NAME} in namespace ${NS}" + local SELECTOR=$(kubectl -n ${NS} describe ${KIND} ${NAME} | awk '/Selector/{print $2}') kubectl -n ${NS} get pods -l ${SELECTOR} --no-headers -o name | xargs kubectl -n ${NS} wait --for condition=ready done fi 
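Review bot: The `!= "/"` sentinel in `deploy_crds` and `wait_for` only matches when yq emitted exactly one document with neither `metadata.namespace` nor `metadata.name`; when the filter matches nothing the command substitution is empty and the `if` body still runs (presumably as it already did with `"null"`), and a single cluster-scoped match such as a CRD yields `/name`, which `cut -f2 -d/` handles in `deploy_crds` but which `${ITEM%/*}` would turn into an empty `NS` in `wait_for`. Testing for non-empty output, `if [[ -n "$(resource_names ${RESFILE} "${FILTER}")" ]]; then`, states the intent directly and does not depend on the join format. The commented-out `# local NS=${2}` here and the `# resource_names release.yaml ...` line added in the last hunk of this file read as leftover debugging and should be dropped rather than committed. The same `"/"` test is repeated in `deploy_controller` and `deploy_custom_resources` in the next hunk.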
@@ -47,17 +49,17 @@ function wait_for() { function deploy_controller() { local RESFILE=${1} local FILTER=".kind != \"CustomResourceDefinition\" and .apiVersion != \"*${NAME}*\"" - if [[ $(resource_names ${RESFILE} "${FILTER}") != "null" ]]; then + if [[ $(resource_names ${RESFILE} "${FILTER}") != "/" ]]; then echo; echo "#################### > Deploying controller for ${NAME}" filter_resources ${RESFILE} "${FILTER}" | kubectl apply -f - - for KIND in "Deployment" "StatefulSet"; do wait_for ${KIND} ${NAME}; done + for KIND in "Deployment" "StatefulSet"; do wait_for ${KIND}; done fi } function deploy_custom_resources() { local RESFILE=${1} local FILTER=".kind != \"CustomResourceDefinition\" and .apiVersion == \"*${NAME}*\"" - if [[ $(resource_names ${RESFILE} "${FILTER}") != "null" ]]; then + if [[ $(resource_names ${RESFILE} "${FILTER}") != "/" ]]; then echo; echo "#################### > Deploying custom resources for ${NAME}" filter_resources ${RESFILE} "${FILTER}" | kubectl apply -f - fi @@ -71,6 +73,7 @@ test -n "${BASE_PATH}" || (echo "BASE_PATH envvar must be set" && exit -1) KUSTOMIZE_OPTIONS="--enable-helm" NAME=${1} RESFILE=$(generate_resources ${BASE_PATH}/${NAME}) +# resource_names release.yaml ".kind == \"StatefulSet\"" deploy_crds ${RESFILE} deploy_controller ${RESFILE} deploy_custom_resources ${RESFILE} diff --git a/pkg/version/version.go b/pkg/version/version.go index e2276715..1859c156 100644 --- a/pkg/version/version.go +++ b/pkg/version/version.go @@ -1,7 +1,7 @@ package version const ( - version string = "v0.22.0" + version string = "v0.23.0-alpha.3" ) // Current returns the current marin3r operator version From c2044510bb529d9d2cac9aab870ec02c8fb2f834 Mon Sep 17 00:00:00 2001 
From: Roi Vazquez Date: Tue, 30 Apr 2024 12:35:13 +0200 Subject: [PATCH 07/20] Use kustomize 'Components' --- Makefile | 24 +++++++++---------- .../local-setup/databases/kustomization.yaml | 4 ++-- .../{secrets => env-inputs}/.gitignore | 0 .../configuration.yaml | 0 .../kustomization.yaml | 5 ++-- .../seed-secret.yaml.envsubst | 0 config/local-setup/kustomization.yaml | 4 ++++ .../local-setup/workloads/kustomization.yaml | 5 ++-- config/local-setup/workloads/system.yaml | 9 +++++++ 9 files changed, 32 insertions(+), 19 deletions(-) rename config/local-setup/{secrets => env-inputs}/.gitignore (100%) rename config/local-setup/{workloads => env-inputs}/configuration.yaml (100%) rename config/local-setup/{secrets => env-inputs}/kustomization.yaml (75%) rename config/local-setup/{secrets => env-inputs}/seed-secret.yaml.envsubst (100%) create mode 100644 config/local-setup/kustomization.yaml diff --git a/Makefile b/Makefile index 6e7108a6..915e44f7 100644 --- a/Makefile +++ b/Makefile 
@@ -283,16 +283,16 @@ kind-refresh-controller: manifests kind docker-build ## Reloads the controller i $(KIND) load docker-image $(IMG) kubectl delete pod -l control-plane=controller-manager -LOCAL_SETUP_SECRETS_PATH=config/local-setup/secrets -$(LOCAL_SETUP_SECRETS_PATH)/seed-secret.yaml: $(LOCAL_SETUP_SECRETS_PATH)/seed.env +LOCAL_SETUP_INPUTS_PATH=config/local-setup/env-inputs +$(LOCAL_SETUP_INPUTS_PATH)/seed-secret.yaml: $(LOCAL_SETUP_INPUTS_PATH)/seed.env source $(@D)/seed.env && envsubst < $@.envsubst > $@ -kind-deploy-saas-secrets: export KUBECONFIG = $(PWD)/kubeconfig -kind-deploy-saas-secrets: $(LOCAL_SETUP_SECRETS_PATH)/seed-secret.yaml $(LOCAL_SETUP_SECRETS_PATH)/pull-secrets.json - $(KUSTOMIZE) build $(LOCAL_SETUP_SECRETS_PATH) | kubectl apply -f - +kind-deploy-saas-inputs: export KUBECONFIG = $(PWD)/kubeconfig +kind-deploy-saas-inputs: $(LOCAL_SETUP_INPUTS_PATH)/seed-secret.yaml $(LOCAL_SETUP_INPUTS_PATH)/pull-secrets.json + $(KUSTOMIZE) build $(LOCAL_SETUP_INPUTS_PATH) | kubectl apply -f - kind-deploy-databases: export KUBECONFIG = $(PWD)/kubeconfig -kind-deploy-databases: kind-deploy-controller kind-deploy-saas-secrets +kind-deploy-databases: kind-deploy-controller kind-deploy-saas-inputs $(KUSTOMIZE) build config/local-setup/databases | kubectl apply -f - sleep 10 kubectl wait --for condition=ready --timeout=300s pod --all 
@@ -307,24 +307,24 @@ kind-load-redis-with-ssh: $(KIND) load docker-image $(REDIS_WITH_SSH_IMG) kind-deploy-saas-workloads: export KUBECONFIG = ${PWD}/kubeconfig -kind-deploy-saas-workloads: kind-deploy-controller kind-deploy-saas-secrets kind-load-redis-with-ssh ## Deploys the 3scale SaaS dev environment workloads - $(KUSTOMIZE) build config/local-setup/workloads | kubectl apply -f - +kind-deploy-saas-workloads: kind-deploy-controller kind-deploy-saas-inputs kind-load-redis-with-ssh ## Deploys the 3scale SaaS dev environment workloads + $(KUSTOMIZE) build config/local-setup | $(YQ) 'select(.kind!="Zync")' | kubectl apply -f - sleep 10 - kubectl get pods --no-headers -o name | grep -v system | xargs kubectl wait --for condition=ready --timeout=300s + kubectl get pods --no-headers -o name xargs kubectl wait --for condition=ready --timeout=300s + $(KUSTOMIZE) build config/local-setup | $(YQ) 'select(.kind=="Zync")' | kubectl apply -f - kind-deploy-saas-run-db-setup: kubectl create -f config/local-setup/workloads/db-setup-pipelinerun.yaml kind-cleanup-saas: export KUBECONFIG = ${PWD}/kubeconfig kind-cleanup-saas: - -$(KUSTOMIZE) build config/local-setup/workloads | kubectl delete -f - - -$(KUSTOMIZE) build config/local-setup/databases | kubectl delete -f - + -$(KUSTOMIZE) build config/local-setup | kubectl delete -f - -kubectl get pod --no-headers -o name | grep -v saas-operator | xargs kubectl delete --grace-period=0 --force -kubectl get pvc --no-headers -o name | xargs kubectl delete LOCAL_SETUP_DEPS = metallb cert-manager marin3r prometheus-crds tekton grafana-crds external-secrets-crds minio kind-local-setup: export KUBECONFIG = ${PWD}/kubeconfig -kind-local-setup: $(foreach elem,$(LOCAL_SETUP_DEPS),install-$(elem)) kind-deploy-controller kind-deploy-saas-secrets kind-deploy-databases kind-deploy-saas-workloads kind-deploy-saas-run-db-setup +kind-local-setup: $(foreach elem,$(LOCAL_SETUP_DEPS),install-$(elem)) kind-deploy-controller kind-deploy-saas-workloads 
kind-deploy-saas-run-db-setup ##@ Build Dependencies diff --git a/config/local-setup/databases/kustomization.yaml b/config/local-setup/databases/kustomization.yaml index d73c1c48..39b55a20 100644 --- a/config/local-setup/databases/kustomization.yaml +++ b/config/local-setup/databases/kustomization.yaml @@ -1,5 +1,5 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component namespace: default resources: - autossl-redis diff --git a/config/local-setup/secrets/.gitignore b/config/local-setup/env-inputs/.gitignore similarity index 100% rename from config/local-setup/secrets/.gitignore rename to config/local-setup/env-inputs/.gitignore diff --git a/config/local-setup/workloads/configuration.yaml b/config/local-setup/env-inputs/configuration.yaml similarity index 100% rename from config/local-setup/workloads/configuration.yaml rename to config/local-setup/env-inputs/configuration.yaml diff --git a/config/local-setup/secrets/kustomization.yaml b/config/local-setup/env-inputs/kustomization.yaml similarity index 75% rename from config/local-setup/secrets/kustomization.yaml rename to config/local-setup/env-inputs/kustomization.yaml index adb69ba7..bea206d4 100644 --- a/config/local-setup/secrets/kustomization.yaml +++ b/config/local-setup/env-inputs/kustomization.yaml @@ -1,7 +1,8 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component namespace: default resources: +- configuration.yaml - seed-secret.yaml secretGenerator: - name: pull-secrets diff --git a/config/local-setup/secrets/seed-secret.yaml.envsubst b/config/local-setup/env-inputs/seed-secret.yaml.envsubst similarity index 100% rename from config/local-setup/secrets/seed-secret.yaml.envsubst rename to config/local-setup/env-inputs/seed-secret.yaml.envsubst 
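Review bot: The pipe before `xargs` was lost in the rewritten wait step of `kind-deploy-saas-workloads`: `kubectl get pods --no-headers -o name xargs kubectl wait --for condition=ready --timeout=300s` hands `xargs`, `kubectl` and `wait` to `kubectl get` as extra resource arguments, so the step presumably errors out instead of waiting for the pods before Zync is applied. It should read `kubectl get pods --no-headers -o name | xargs kubectl wait --for condition=ready --timeout=300s`. Dropping the `grep -v system` filter also makes the target wait on the System pods now, which looks intended given Zync is applied afterwards, but is worth stating in the target's `##` help text.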
diff --git a/config/local-setup/kustomization.yaml b/config/local-setup/kustomization.yaml new file mode 100644 index 00000000..4cda311b --- /dev/null +++ b/config/local-setup/kustomization.yaml @@ -0,0 +1,4 @@ +components: + - env-inputs + - databases + - workloads \ No newline at end of file diff --git a/config/local-setup/workloads/kustomization.yaml b/config/local-setup/workloads/kustomization.yaml index eefbd046..dd105ecf 100644 --- a/config/local-setup/workloads/kustomization.yaml +++ b/config/local-setup/workloads/kustomization.yaml @@ -1,10 +1,9 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component namespace: default resources: - discoveryservice.yaml - - configuration.yaml - apicast.yaml - mappingservice.yaml - autossl.yaml diff --git a/config/local-setup/workloads/system.yaml b/config/local-setup/workloads/system.yaml index 8ade60fa..93870948 100644 --- a/config/local-setup/workloads/system.yaml +++ b/config/local-setup/workloads/system.yaml @@ -67,6 +67,15 @@ spec: hpa: {} pdb: {} replicas: 1 + # the default cpu limit is low, so container + # startup is slower. Change the liveness to account + # for it. + livenessProbe: + initialDelaySeconds: 150 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 console: {} searchd: enabled: true From 20d1fc446983ce0c896d4d753d5106e23432ff0a Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Tue, 30 Apr 2024 13:11:56 +0200 Subject: [PATCH 08/20] Completely disable proxy-protocol --- config/local-setup/workloads/apicast.yaml | 4 ++++ config/local-setup/workloads/backend.yaml | 2 ++ config/local-setup/workloads/echoapi.yaml | 2 ++ 3 files changed, 8 insertions(+) diff --git a/config/local-setup/workloads/apicast.yaml b/config/local-setup/workloads/apicast.yaml index bbfee209..33ebfdbb 100644 --- a/config/local-setup/workloads/apicast.yaml +++ b/config/local-setup/workloads/apicast.yaml 
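Review bot: The new root `config/local-setup/kustomization.yaml` declares only `components:` and omits the `apiVersion`/`kind` header that the sibling `databases`, `env-inputs` and `workloads` files carry, and it is committed without a trailing newline. For consistency it should start with `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` (the root has to remain a Kustomization, since the three entries it lists are now `Component`s). Presumably kustomize tolerates the missing header today, but the explicit form avoids relying on that.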
@@ -14,6 +14,8 @@ spec: threescalePortalEndpoint: "http://mapping-service/config" endpoint: {dns: []} hpa: {} + loadBalancer: + proxyProtocol: false marin3r: dynamicConfigs: gateway_cluster: @@ -62,6 +64,8 @@ spec: threescalePortalEndpoint: "http://mapping-service/config" endpoint: {dns: []} hpa: {} + loadBalancer: + proxyProtocol: false marin3r: dynamicConfigs: gateway_cluster: diff --git a/config/local-setup/workloads/backend.yaml b/config/local-setup/workloads/backend.yaml index af2798f3..cf5b9a9c 100644 --- a/config/local-setup/workloads/backend.yaml +++ b/config/local-setup/workloads/backend.yaml @@ -24,6 +24,8 @@ spec: redisAsync: true endpoint: {dns: []} hpa: {} + loadBalancer: + proxyProtocol: false marin3r: dynamicConfigs: backend_listener_cluster: diff --git a/config/local-setup/workloads/echoapi.yaml b/config/local-setup/workloads/echoapi.yaml index 0124ed0c..82455555 100644 --- a/config/local-setup/workloads/echoapi.yaml +++ b/config/local-setup/workloads/echoapi.yaml @@ -10,6 +10,8 @@ spec: tag: REPLACE pullSecretName: pull-secrets pullPolicy: Always + loadBalancer: + proxyProtocol: false marin3r: dynamicConfigs: echo_api_cluster: From ef375b1fa8bd2e076a075b285d0bd173396091d6 Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Tue, 30 Apr 2024 14:48:23 +0200 Subject: [PATCH 09/20] Don't deploy the inputs configmap --- config/local-setup/env-inputs/configuration.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/local-setup/env-inputs/configuration.yaml b/config/local-setup/env-inputs/configuration.yaml index 7331379a..926f7ebb 100644 --- a/config/local-setup/env-inputs/configuration.yaml +++ b/config/local-setup/env-inputs/configuration.yaml @@ -2,6 +2,8 @@ apiVersion: v1 kind: ConfigMap metadata: name: config + annotations: + config.kubernetes.io/local-config: 'true' data: # APICAST CONFIGURATION APICAST_IMAGE_NAME: quay.io/3scale/apicast-cloud-hosted From 0216d4e30d509aa0bc06cfd5fb76b89172869d24 Mon Sep 17 00:00:00 2001 
From: Roi Vazquez Date: Tue, 30 Apr 2024 15:29:59 +0200 Subject: [PATCH 10/20] Fix rollouts when using seed Secret --- pkg/generators/backend/generator.go | 9 +++------ pkg/generators/corsproxy/generator.go | 3 +-- pkg/generators/mappingservice/generator.go | 3 +-- pkg/generators/zync/generator.go | 7 +++---- pkg/resource_builders/pod/environment.go | 4 ++-- pkg/resource_builders/pod/environment_test.go | 5 ++++- 6 files changed, 14 insertions(+), 17 deletions(-) diff --git a/pkg/generators/backend/generator.go b/pkg/generators/backend/generator.go index cfa767dd..034c01eb 100644 --- a/pkg/generators/backend/generator.go +++ b/pkg/generators/backend/generator.go @@ -6,7 +6,6 @@ import ( "github.com/3scale-ops/basereconciler/mutators" "github.com/3scale-ops/basereconciler/resource" - "github.com/3scale-ops/basereconciler/util" saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" "github.com/3scale-ops/saas-operator/pkg/generators" "github.com/3scale-ops/saas-operator/pkg/generators/backend/config" @@ -216,8 +215,7 @@ func (gen *ListenerGenerator) Labels() map[string]string { func (gen *ListenerGenerator) Deployment() *resource.Template[*appsv1.Deployment] { return resource.NewTemplateFromObjectFunction(gen.deployment). WithMutation(mutators.SetDeploymentReplicas(gen.ListenerSpec.HPA.IsDeactivated())). - WithMutation(mutators.RolloutTrigger{Name: "backend-internal-api", SecretName: util.Pointer("backend-internal-api")}.Add()). - WithMutation(mutators.RolloutTrigger{Name: "backend-error-monitoring", SecretName: util.Pointer("backend-error-monitoring")}.Add()) + WithMutations(gen.Options.GenerateRolloutTriggers()) } func (gen *ListenerGenerator) HPASpec() *saasv1alpha1.HorizontalPodAutoscalerSpec { 
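Review bot: `Deployment()` now takes its rollout triggers from `gen.Options.GenerateRolloutTriggers()` instead of naming each Secret at the call site, so which Secrets restart the listener is no longer visible here; the same replacement is made for the worker and cron generators below and in the corsproxy, mappingservice and zync generators later in this patch. Since seed-backed options all resolve to the single `saas-seed` Secret (see the `ListSecretResourceNames` test expectation at the end of the patch), presumably a change to any key in that Secret now rolls every workload that consumes it. `GenerateRolloutTriggers` is defined outside this diff; a doc comment on it stating which Secret names it emits and that seed-backed options share one trigger would make that blast radius explicit to the next reader.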
@@ -270,8 +268,7 @@ var _ deployment_workload.DeploymentWorkload = &WorkerGenerator{} func (gen *WorkerGenerator) Deployment() *resource.Template[*appsv1.Deployment] { return resource.NewTemplateFromObjectFunction(gen.deployment). WithMutation(mutators.SetDeploymentReplicas(gen.WorkerSpec.HPA.IsDeactivated())). - WithMutation(mutators.RolloutTrigger{Name: "backend-system-events-hook", SecretName: util.Pointer("backend-system-events-hook")}.Add()). - WithMutation(mutators.RolloutTrigger{Name: "backend-error-monitoring", SecretName: util.Pointer("backend-error-monitoring")}.Add()) + WithMutations(gen.Options.GenerateRolloutTriggers()) } func (gen *WorkerGenerator) HPASpec() *saasv1alpha1.HorizontalPodAutoscalerSpec { return gen.WorkerSpec.HPA @@ -303,7 +300,7 @@ var _ deployment_workload.DeploymentWorkload = &CronGenerator{} func (gen *CronGenerator) Deployment() *resource.Template[*appsv1.Deployment] { return resource.NewTemplateFromObjectFunction(gen.deployment). - WithMutation(mutators.RolloutTrigger{Name: "backend-error-monitoring", SecretName: util.Pointer("backend-error-monitoring")}.Add()) + WithMutations(gen.Options.GenerateRolloutTriggers()) } func (gen *CronGenerator) HPASpec() *saasv1alpha1.HorizontalPodAutoscalerSpec { return &saasv1alpha1.HorizontalPodAutoscalerSpec{} diff --git a/pkg/generators/corsproxy/generator.go b/pkg/generators/corsproxy/generator.go index c8906530..c098f346 100644 --- a/pkg/generators/corsproxy/generator.go +++ b/pkg/generators/corsproxy/generator.go @@ -5,7 +5,6 @@ import ( "github.com/3scale-ops/basereconciler/mutators" "github.com/3scale-ops/basereconciler/resource" - "github.com/3scale-ops/basereconciler/util" saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" "github.com/3scale-ops/saas-operator/pkg/generators" "github.com/3scale-ops/saas-operator/pkg/generators/corsproxy/config" 
@@ -92,7 +91,7 @@ var _ deployment_workload.DeploymentWorkload = &Generator{} func (gen *Generator) Deployment() *resource.Template[*appsv1.Deployment] { return resource.NewTemplateFromObjectFunction(gen.deployment). WithMutation(mutators.SetDeploymentReplicas(gen.Spec.HPA.IsDeactivated())). - WithMutation(mutators.RolloutTrigger{Name: "cors-proxy-system-database", SecretName: util.Pointer("cors-proxy-system-database")}.Add()) + WithMutations(gen.Options.GenerateRolloutTriggers()) } func (gen *Generator) HPASpec() *saasv1alpha1.HorizontalPodAutoscalerSpec { diff --git a/pkg/generators/mappingservice/generator.go b/pkg/generators/mappingservice/generator.go index 72338b33..271a0d6e 100644 --- a/pkg/generators/mappingservice/generator.go +++ b/pkg/generators/mappingservice/generator.go @@ -5,7 +5,6 @@ import ( "github.com/3scale-ops/basereconciler/mutators" "github.com/3scale-ops/basereconciler/resource" - "github.com/3scale-ops/basereconciler/util" saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" "github.com/3scale-ops/saas-operator/pkg/generators" "github.com/3scale-ops/saas-operator/pkg/generators/mappingservice/config" @@ -92,7 +91,7 @@ var _ deployment_workload.DeploymentWorkload = &Generator{} func (gen *Generator) Deployment() *resource.Template[*appsv1.Deployment] { return resource.NewTemplateFromObjectFunction(gen.deployment). WithMutation(mutators.SetDeploymentReplicas(gen.Spec.HPA.IsDeactivated())). - WithMutation(mutators.RolloutTrigger{Name: "mapping-service-system-master-access-token", SecretName: util.Pointer("mapping-service-system-master-access-token")}.Add()) + WithMutations(gen.Options.GenerateRolloutTriggers()) } func (gen *Generator) HPASpec() *saasv1alpha1.HorizontalPodAutoscalerSpec { diff --git a/pkg/generators/zync/generator.go b/pkg/generators/zync/generator.go index 26a0c095..1d7fa973 100644 --- a/pkg/generators/zync/generator.go +++ b/pkg/generators/zync/generator.go 
@@ -6,7 +6,6 @@ import ( "github.com/3scale-ops/basereconciler/mutators" "github.com/3scale-ops/basereconciler/resource" - "github.com/3scale-ops/basereconciler/util" saasv1alpha1 "github.com/3scale-ops/saas-operator/api/v1alpha1" "github.com/3scale-ops/saas-operator/pkg/generators" "github.com/3scale-ops/saas-operator/pkg/generators/zync/config" @@ -154,7 +153,7 @@ func (gen *APIGenerator) Labels() map[string]string { func (gen *APIGenerator) Deployment() *resource.Template[*appsv1.Deployment] { return resource.NewTemplateFromObjectFunction(gen.deployment). WithMutation(mutators.SetDeploymentReplicas(gen.APISpec.HPA.IsDeactivated())). - WithMutation(mutators.RolloutTrigger{Name: "zync", SecretName: util.Pointer("zync")}.Add()) + WithMutations(gen.Options.GenerateRolloutTriggers()) } func (gen *APIGenerator) HPASpec() *saasv1alpha1.HorizontalPodAutoscalerSpec { @@ -195,7 +194,7 @@ var _ deployment_workload.DeploymentWorkload = &QueGenerator{} func (gen *QueGenerator) Deployment() *resource.Template[*appsv1.Deployment] { return resource.NewTemplateFromObjectFunction(gen.deployment). WithMutation(mutators.SetDeploymentReplicas(gen.QueSpec.HPA.IsDeactivated())). - WithMutation(mutators.RolloutTrigger{Name: "zync", SecretName: util.Pointer("zync")}.Add()) + WithMutations(gen.Options.GenerateRolloutTriggers()) } func (gen *QueGenerator) HPASpec() *saasv1alpha1.HorizontalPodAutoscalerSpec { return gen.QueSpec.HPA @@ -222,6 +221,6 @@ func (gen *ConsoleGenerator) StatefulSet() []resource.TemplateInterface { return []resource.TemplateInterface{ resource.NewTemplateFromObjectFunction(gen.statefulset). WithEnabled(gen.Enabled). - WithMutation(mutators.RolloutTrigger{Name: "zync", SecretName: util.Pointer("zync")}.Add()), + WithMutations(gen.Options.GenerateRolloutTriggers()), } } diff --git a/pkg/resource_builders/pod/environment.go b/pkg/resource_builders/pod/environment.go index 990906c4..abf4d2ae 100644 --- a/pkg/resource_builders/pod/environment.go 
+++ b/pkg/resource_builders/pod/environment.go @@ -143,14 +143,14 @@ func (options *Options) DeepCopy() *Options { // FilterSecretOptions returns a list of options that will generate a Secret resource func (options *Options) FilterSecretOptions() Options { - return lo.Filter[*Option](*options, func(item *Option, index int) bool { + return lo.Filter(*options, func(item *Option, index int) bool { return item.valueFrom != nil && item.valueFrom.SecretKeyRef != nil }) } func (options *Options) ListSecretResourceNames() []string { list := lo.Reduce(options.FilterSecretOptions(), func(agg []string, item *Option, _ int) []string { - return append(agg, item.secretName) + return append(agg, item.valueFrom.SecretKeyRef.Name) }, []string{}) return lo.Uniq(list) diff --git a/pkg/resource_builders/pod/environment_test.go b/pkg/resource_builders/pod/environment_test.go index 468e08d2..5a1a9c78 100644 --- a/pkg/resource_builders/pod/environment_test.go +++ b/pkg/resource_builders/pod/environment_test.go @@ -593,9 +593,12 @@ func TestOptions_ListSecretResourceNames(t *testing.T) { // ok o.AddEnvvar("envvar3").AsSecretRef(TSecret("secret2")). Unpack(&saasv1alpha1.SecretReference{FromVault: &saasv1alpha1.VaultSecretReference{}}) + // ok: secret from seed + o.AddEnvvar("envvar4").AsSecretRef(TSecret("secret3")).WithSeedKey(TSeedKey("seed-key")). + Unpack(&saasv1alpha1.SecretReference{FromSeed: &saasv1alpha1.SeedSecretReference{}}) return o }(), - want: []string{"secret1", "secret2"}, + want: []string{"secret1", "secret2", "saas-seed"}, }, } for _, tt := range tests { From 5fca222c77e3610a698eb18e15eb23b3021202cf Mon Sep 17 00:00:00 2001 
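Review bot: `ListSecretResourceNames` now reports `valueFrom.SecretKeyRef.Name`, which for a `fromSeed` option is the shared `saas-seed` Secret (the updated test on this hunk expects `"saas-seed"` in the result), so any rollout trigger derived from that list keys restarts on the whole seed Secret rather than on the keys a workload actually reads. The generators in this series switch to `gen.Options.GenerateRolloutTriggers()`, which is not visible here; if it consumes this list, rotating any single key in `saas-seed` presumably restarts every workload that reads any key from it. That blast radius is worth narrowing (hash only the referenced keys) or at least documenting: `// ListSecretResourceNames returns the distinct Secret names referenced by the options; with fromSeed this includes the shared default seed Secret, so a trigger keyed on it fires on any change to any seed key.` The function's closing brace lies outside the hunk.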
From: Roi Vazquez Date: Tue, 30 Apr 2024 17:15:21 +0200 Subject: [PATCH 11/20] Add System options to configure apicast endpoints So far this config was hardcoded in the system config files --- api/v1alpha1/system_types.go | 14 ++++++ api/v1alpha1/zz_generated.deepcopy.go | 20 ++++++++ config/crd/bases/saas.3scale.net_systems.yaml | 23 +++++++++ .../local-setup/env-inputs/configuration.yaml | 8 ++-- config/local-setup/workloads/apicast.yaml | 7 --- .../workloads/replacements/domains.yaml | 47 ++++++++++++++----- .../workloads/system-config/sandbox_proxy.yml | 14 +++--- config/local-setup/workloads/system.yaml | 5 ++ pkg/generators/system/config/options.go | 7 +++ 9 files changed, 118 insertions(+), 27 deletions(-) diff --git a/api/v1alpha1/system_types.go b/api/v1alpha1/system_types.go index 79e46dc1..d70dcb51 100644 --- a/api/v1alpha1/system_types.go +++ b/api/v1alpha1/system_types.go @@ -482,6 +482,8 @@ type SystemConfig struct { Backend SystemBackendSpec `json:"backend"` // Assets has configuration to access assets in AWS s3 Assets AssetsSpec `json:"assets"` + // Apicast can be used to pass down apicast endpoints configuration + Apicast *SystemApicastEndpointsSpec `json:"apicast,omitempty"` } // Default applies default values to a SystemConfig struct 
@@ -691,6 +693,18 @@ type SystemRailsSpec struct { LogLevel *string `json:"logLevel,omitempty"` } +// ApicastSpec holds properties to configure Apicast endpoints +type SystemApicastEndpointsSpec struct { + // Apicast Staging endpoint + StagingDomain string `json:"stagingDomain"` + // Apicast Production endpoint + ProductionDomain string `json:"productionDomain"` + // Policies registry URL for Apicast Cloud Hosteed + CloudHostedRegistryURL string `json:"cloudHostedRegistryURL"` + // Policies registry URL for Apicast Self Managed (on-prem) + SelfManagedRegistryURL string `json:"selfManagedRegistryURL"` +} + // Default applies defaults for SystemRailsSpec func (srs *SystemRailsSpec) Default() { srs.Console = boolOrDefault(srs.Console, util.Pointer(systemDefaultRailsConsole)) diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 08057c12..5cbf08c4 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3026,6 +3026,21 @@ func (in *System) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SystemApicastEndpointsSpec) DeepCopyInto(out *SystemApicastEndpointsSpec) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SystemApicastEndpointsSpec. +func (in *SystemApicastEndpointsSpec) DeepCopy() *SystemApicastEndpointsSpec { + if in == nil { + return nil + } + out := new(SystemApicastEndpointsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SystemAppSpec) DeepCopyInto(out *SystemAppSpec) { *out = *in 
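Review bot: The four fields of `SystemApicastEndpointsSpec` are free-form strings that later in this series are exported as `APICAST_*` env vars and interpolated into URLs and ERB-templated YAML, yet they carry no `+kubebuilder:validation` marker, so a `stagingDomain` that accidentally includes a scheme or a registry URL that is not a URL is only discovered when the system container boots. A `// +kubebuilder:validation:Pattern=` on the two domains and a `// +kubebuilder:validation:Format=uri` (or an equivalent pattern) on the two registry URLs would reject that at admission. The doc comment `// ApicastSpec holds properties to configure Apicast endpoints` names a different type; use `// SystemApicastEndpointsSpec holds the Apicast endpoint configuration that System passes down to its config templates.` The typo `Cloud Hosteed` also flows into the generated CRD description.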
@@ -3179,6 +3194,11 @@ func (in *SystemConfig) DeepCopyInto(out *SystemConfig) { in.Zync.DeepCopyInto(&out.Zync) in.Backend.DeepCopyInto(&out.Backend) in.Assets.DeepCopyInto(&out.Assets) + if in.Apicast != nil { + in, out := &in.Apicast, &out.Apicast + *out = new(SystemApicastEndpointsSpec) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SystemConfig. diff --git a/config/crd/bases/saas.3scale.net_systems.yaml b/config/crd/bases/saas.3scale.net_systems.yaml index ffff7ee2..46f40000 100644 --- a/config/crd/bases/saas.3scale.net_systems.yaml +++ b/config/crd/bases/saas.3scale.net_systems.yaml @@ -680,6 +680,29 @@ spec: value. type: string type: object + apicast: + description: Apicast can be used to pass down apicast endpoints + configuration + properties: + cloudHostedRegistryURL: + description: Policies registry URL for Apicast Cloud Hosteed + type: string + productionDomain: + description: Apicast Production endpoint + type: string + selfManagedRegistryURL: + description: Policies registry URL for Apicast Self Managed + (on-prem) + type: string + stagingDomain: + description: Apicast Staging endpoint + type: string + required: + - cloudHostedRegistryURL + - productionDomain + - selfManagedRegistryURL + - stagingDomain + type: object assets: description: Assets has configuration to access assets in AWS s3 diff --git a/config/local-setup/env-inputs/configuration.yaml b/config/local-setup/env-inputs/configuration.yaml index 926f7ebb..be9aee8b 100644 --- a/config/local-setup/env-inputs/configuration.yaml +++ b/config/local-setup/env-inputs/configuration.yaml @@ -3,7 +3,7 @@ kind: ConfigMap metadata: name: config annotations: - config.kubernetes.io/local-config: 'true' + config.kubernetes.io/local-config: "true" data: # APICAST CONFIGURATION APICAST_IMAGE_NAME: quay.io/3scale/apicast-cloud-hosted 
@@ -43,10 +43,12 @@ data: ENVOY_IMAGE: envoyproxy/envoy:v1.22.11 # DOMAIN CONFIGURATION - APICAST_POLICIES_ENDPOINT: policies.staging-172-27-27-102.nip.io SYSTEM_ENDPOINT: https://multitenant-admin.system-172-27-27-105.nip.io AUTOSSL_VERIFICATION_ENDPOINT: https://multitenant-admin.system-172-27-27-105.nip.io/swagger/spec.json SYSTEM_EVENTS_URL: https://system-172-27-27-105.nip.io/master/events/import SYSTEM_SUPERDOMAIN: system-172-27-27-105.nip.io BACKEND_EXTERNAL_ENDPOINT: http://backend-172-27-27-100.nip.io - + APICAST_STAGING_DOMAIN: staging-172-27-27-102.nip.io + APICAST_PRODUCTION_DOMAIN: production-172-27-27-101.nip.io + APICAST_CLOUD_HOSTED_REGISTRY_URL: http://apicast-staging-management:8090/policies + APICAST_SELF_MANAGED_REGISTRY_URL: http://policies.apicast.io/latest/policies.json diff --git a/config/local-setup/workloads/apicast.yaml b/config/local-setup/workloads/apicast.yaml index 33ebfdbb..16e9ed3d 100644 --- a/config/local-setup/workloads/apicast.yaml +++ b/config/local-setup/workloads/apicast.yaml @@ -84,13 +84,6 @@ spec: router: routeConfiguration: virtualHosts: - - domains: [REPLACE] - name: policies - routes: - - match: - prefix: /policies - route: - cluster: mgmt_cluster - domains: ["*"] name: gateway routes: diff --git a/config/local-setup/workloads/replacements/domains.yaml b/config/local-setup/workloads/replacements/domains.yaml index ab4a5bce..ccce21b3 100644 --- a/config/local-setup/workloads/replacements/domains.yaml +++ b/config/local-setup/workloads/replacements/domains.yaml @@ -1,14 +1,3 @@ -# APICAST -- source: - kind: ConfigMap - name: config - fieldPath: data.APICAST_POLICIES_ENDPOINT - targets: - - select: - kind: Apicast - fieldPaths: - - spec.staging.marin3r.dynamicConfigs.router.routeConfiguration.virtualHosts.0.domains.0 - # AUTOSSL - source: kind: ConfigMap 
@@ -70,3 +59,39 @@ kind: System fieldPaths: - spec.config.backend.externalEndpoint +- source: + kind: ConfigMap + name: config + fieldPath: data.APICAST_STAGING_DOMAIN + targets: + - select: + kind: System + fieldPaths: + - spec.config.apicast.stagingDomain +- source: + kind: ConfigMap + name: config + fieldPath: data.APICAST_PRODUCTION_DOMAIN + targets: + - select: + kind: System + fieldPaths: + - spec.config.apicast.productionDomain +- source: + kind: ConfigMap + name: config + fieldPath: data.APICAST_CLOUD_HOSTED_REGISTRY_URL + targets: + - select: + kind: System + fieldPaths: + - spec.config.apicast.cloudHostedRegistryURL +- source: + kind: ConfigMap + name: config + fieldPath: data.APICAST_SELF_MANAGED_REGISTRY_URL + targets: + - select: + kind: System + fieldPaths: + - spec.config.apicast.selfManagedRegistryURL diff --git a/config/local-setup/workloads/system-config/sandbox_proxy.yml b/config/local-setup/workloads/system-config/sandbox_proxy.yml index 67846898..acd5ac48 100644 --- a/config/local-setup/workloads/system-config/sandbox_proxy.yml +++ b/config/local-setup/workloads/system-config/sandbox_proxy.yml 
@@ -1,10 +1,12 @@ production: test_api_hosts: - - echo-api-172-27-27-103.nip.io + - echo-api.3scale.net ignore_test_failures: [] - apicast_staging_endpoint: https://%{system_name}-%{account_id}.staging-172-27-27-102.nip.io - apicast_production_endpoint: https://%{system_name}-%{account_id}.production-172-27-27-101.nip.io - apicast_registry_url: http://apicast-staging-management:8090/policies - self_managed_apicast_registry_url: http://policies.apicast.io/latest/policies.json + apicast_staging_endpoint: 'https://%{system_name}-%{account_id}.<%=ENV.fetch('APICAST_STAGING_DOMAIN')%>:%{port}' + apicast_production_endpoint: 'https://%{system_name}-%{account_id}.<%=ENV.fetch('APICAST_PRODUCTION_DOMAIN')%>:%{port}' + sandbox_endpoint: 'https://%{system_name}-%{account_id}.<%=ENV.fetch('APICAST_STAGING_DOMAIN')%>:%{port}' + hosted_proxy_endpoint: 'https://%{system_name}-%{account_id}.<%=ENV.fetch('APICAST_PRODUCTION_DOMAIN')%>:%{port}' + apicast_registry_url: <%= ENV.fetch('APICAST_CLOUD_HOSTED_REGISTRY_URL') %> + self_managed_apicast_registry_url: <%= ENV.fetch('APICAST_SELF_MANAGED_REGISTRY_URL') %> backend_endpoint: <%= ENV.fetch('BACKEND_PUBLIC_URL') %> - verify_mode: <%= ::OpenSSL::SSL::VERIFY_PEER %> + verify_mode: <%= OpenSSL::SSL.const_get(ENV.fetch('THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE', 'VERIFY_NONE')) %> \ No newline at end of file diff --git a/config/local-setup/workloads/system.yaml b/config/local-setup/workloads/system.yaml index 93870948..24e44811 100644 --- a/config/local-setup/workloads/system.yaml +++ b/config/local-setup/workloads/system.yaml @@ -63,6 +63,11 @@ spec: deletionWorkspace: "" deletionToken: {fromSeed: {}} writeKey: {fromSeed: {}} + apicast: + stagingDomain: REPLACE + productionDomain: REPLACE + cloudHostedRegistryURL: REPLACE + selfManagedRegistryURL: REPLACE app: hpa: {} pdb: {} diff --git a/pkg/generators/system/config/options.go b/pkg/generators/system/config/options.go index d4bff5b3..7a650b99 100644 
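Review bot: The new `verify_mode` line flips the default from `VERIFY_PEER` to `VERIFY_NONE`: `verify_mode: <%= OpenSSL::SSL.const_get(ENV.fetch('THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE', 'VERIFY_NONE')) %>` disables TLS certificate verification for the sandbox proxy's outbound calls unless an env var that nothing visible in this series sets is present. Even for local-setup that is the wrong fail-open direction; keep the override but default to `'VERIFY_PEER'`, and if the self-signed issuer is the motivation, trust the cluster CA instead. `const_get` on an operator-supplied string also raises `NameError` at config load for anything that is not an `OpenSSL::SSL` constant name, so a comment listing the accepted values (`VERIFY_PEER`, `VERIFY_NONE`) above the line would help. Separately, `test_api_hosts` now points at the public `echo-api.3scale.net` rather than the in-cluster echo API, so local API tests leave the cluster.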
--- a/pkg/generators/system/config/options.go +++ b/pkg/generators/system/config/options.go @@ -118,5 +118,12 @@ func NewOptions(spec saasv1alpha1.SystemSpec) pod.Options { opts.AddEnvvar("DB_SECRET").AsSecretRef(SystemAppSecret).WithSeedKey(seed.SystemDatabaseSecret). Unpack(spec.Config.DatabaseSecret) + if spec.Config.Apicast != nil { + opts.AddEnvvar("APICAST_STAGING_DOMAIN").Unpack(spec.Config.Apicast.StagingDomain) + opts.AddEnvvar("APICAST_PRODUCTION_DOMAIN").Unpack(spec.Config.Apicast.ProductionDomain) + opts.AddEnvvar("APICAST_CLOUD_HOSTED_REGISTRY_URL").Unpack(spec.Config.Apicast.CloudHostedRegistryURL) + opts.AddEnvvar("APICAST_SELF_MANAGED_REGISTRY_URL").Unpack(spec.Config.Apicast.SelfManagedRegistryURL) + } + return opts } From 0b0d505b03b795733351080d745e4a5f655543f5 Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Tue, 30 Apr 2024 17:46:28 +0200 Subject: [PATCH 12/20] Use the config ConfigMap for dns setup --- .../local-setup/env-inputs/configuration.yaml | 11 +++ config/local-setup/workloads/apicast.yaml | 4 +- config/local-setup/workloads/autossl.yaml | 2 +- config/local-setup/workloads/backend.yaml | 2 +- config/local-setup/workloads/echoapi.yaml | 2 +- config/local-setup/workloads/mt-ingress.yaml | 11 ++- .../workloads/replacements/domains.yaml | 80 +++++++++++++++++++ 7 files changed, 106 insertions(+), 6 deletions(-) diff --git a/config/local-setup/env-inputs/configuration.yaml b/config/local-setup/env-inputs/configuration.yaml index be9aee8b..6b7a998a 100644 --- a/config/local-setup/env-inputs/configuration.yaml +++ b/config/local-setup/env-inputs/configuration.yaml 
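Review bot: The `if spec.Config.Apicast != nil` guard means a System without `config.apicast` (the CRD keeps it optional) gets no `APICAST_*` env vars, while the sandbox_proxy template in this same commit reads them with `ENV.fetch('APICAST_STAGING_DOMAIN')` and no default, which raises `KeyError` when system loads its config. If the production system config is templated the same way (not visible here), an omitted optional field becomes a crash at boot; either make `apicast` required in `SystemConfig`, or give the templates a fallback and document the coupling above the guard: `// APICAST_* are consumed by system's config ERB templates via ENV.fetch; keep the field set or the templates fail at boot.` `NewOptions` begins outside the hunk.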
@@ -52,3 +52,14 @@ data: APICAST_PRODUCTION_DOMAIN: production-172-27-27-101.nip.io APICAST_CLOUD_HOSTED_REGISTRY_URL: http://apicast-staging-management:8090/policies APICAST_SELF_MANAGED_REGISTRY_URL: http://policies.apicast.io/latest/policies.json + + # DNS CONFIG + APICAST_STAGING_DNS: '*.staging-172-27-27-102.nip.io' + APICAST_PRODUCTION_DNS: '*.production-172-27-27-101.nip.io' + AUTOSSL_DNS: autossl-172-27-27-104.nip.io + BACKEND_DNS: backend-172-27-27-100.nip.io + ECHOAPI_DNS: echo-api-172-27-27-103.nip.io + SYSTEM_DNS: '*.system-172-27-27-105.nip.io' + + # CERTIFICATE CONFIG + CERT_MANAGER_ISSUER: selfsigned-cluster-issuer \ No newline at end of file diff --git a/config/local-setup/workloads/apicast.yaml b/config/local-setup/workloads/apicast.yaml index 16e9ed3d..a90c00fa 100644 --- a/config/local-setup/workloads/apicast.yaml +++ b/config/local-setup/workloads/apicast.yaml @@ -12,7 +12,7 @@ spec: config: configurationCache: 300 threescalePortalEndpoint: "http://mapping-service/config" - endpoint: {dns: []} + endpoint: {dns: [REPLACE]} hpa: {} loadBalancer: proxyProtocol: false @@ -62,7 +62,7 @@ spec: config: configurationCache: 60 threescalePortalEndpoint: "http://mapping-service/config" - endpoint: {dns: []} + endpoint: {dns: [REPLACE]} hpa: {} loadBalancer: proxyProtocol: false diff --git a/config/local-setup/workloads/autossl.yaml b/config/local-setup/workloads/autossl.yaml index 217f0475..a86476a0 100644 --- a/config/local-setup/workloads/autossl.yaml +++ b/config/local-setup/workloads/autossl.yaml @@ -15,7 +15,7 @@ spec: proxyEndpoint: REPLACE redisHost: autossl-redis verificationEndpoint: REPLACE - endpoint: {dns: []} + endpoint: {dns: [REPLACE]} hpa: {} pdb: {} replicas: 1 diff --git a/config/local-setup/workloads/backend.yaml b/config/local-setup/workloads/backend.yaml index cf5b9a9c..572ad559 100644 --- a/config/local-setup/workloads/backend.yaml +++ b/config/local-setup/workloads/backend.yaml 
@@ -22,7 +22,7 @@ spec: config: listenerWorkers: 1 redisAsync: true - endpoint: {dns: []} + endpoint: {dns: [REPLACE]} hpa: {} loadBalancer: proxyProtocol: false diff --git a/config/local-setup/workloads/echoapi.yaml b/config/local-setup/workloads/echoapi.yaml index 82455555..b39f8616 100644 --- a/config/local-setup/workloads/echoapi.yaml +++ b/config/local-setup/workloads/echoapi.yaml @@ -3,7 +3,7 @@ kind: EchoAPI metadata: name: echo-api spec: - endpoint: {dns: []} + endpoint: {dns: [REPLACE]} hpa: {} image: name: REPLACE diff --git a/config/local-setup/workloads/mt-ingress.yaml b/config/local-setup/workloads/mt-ingress.yaml index cbadd9bd..bfea4cdf 100644 --- a/config/local-setup/workloads/mt-ingress.yaml +++ b/config/local-setup/workloads/mt-ingress.yaml @@ -3,7 +3,7 @@ kind: Certificate metadata: name: mt-ingress-cert spec: - dnsNames: ["*.system-172-27-27-105.nip.io"] + dnsNames: [REPLACE] issuerRef: kind: ClusterIssuer name: selfsigned-cluster-issuer @@ -35,6 +35,15 @@ spec: apiVersion: v1 kind: Service metadata: + annotations: + external-dns.alpha.kubernetes.io/hostname: REPLACE + service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout: "60" + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "5" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: "3" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "2" labels: app: mt-ingress name: mt-ingress diff --git a/config/local-setup/workloads/replacements/domains.yaml b/config/local-setup/workloads/replacements/domains.yaml index ccce21b3..45110b3a 100644 --- a/config/local-setup/workloads/replacements/domains.yaml +++ b/config/local-setup/workloads/replacements/domains.yaml 
@@ -1,3 +1,23 @@ +# APICAST +- source: + kind: ConfigMap + name: config + fieldPath: data.APICAST_STAGING_DNS + targets: + - select: + kind: Apicast + fieldPaths: + - spec.staging.endpoint.dns.0 +- source: + kind: ConfigMap + name: config + fieldPath: data.APICAST_PRODUCTION_DNS + targets: + - select: + kind: Apicast + fieldPaths: + - spec.production.endpoint.dns.0 + # AUTOSSL - source: kind: ConfigMap @@ -17,6 +37,15 @@ kind: AutoSSL fieldPaths: - spec.config.verificationEndpoint +- source: + kind: ConfigMap + name: config + fieldPath: data.AUTOSSL_DNS + targets: + - select: + kind: AutoSSL + fieldPaths: + - spec.endpoint.dns.0 # BACKEND - source: @@ -28,6 +57,26 @@ kind: Backend fieldPaths: - spec.config.systemEventsHookURL.override +- source: + kind: ConfigMap + name: config + fieldPath: data.BACKEND_DNS + targets: + - select: + kind: Backend + fieldPaths: + - spec.listener.endpoint.dns.0 + +# ECHOAPI +- source: + kind: ConfigMap + name: config + fieldPath: data.ECHOAPI_DNS + targets: + - select: + kind: EchoAPI + fieldPaths: + - spec.endpoint.dns.0 # MAPPINGSERVICE - source: @@ -95,3 +144,34 @@ kind: System fieldPaths: - spec.config.apicast.selfManagedRegistryURL +- source: + kind: ConfigMap + name: config + fieldPath: data.SYSTEM_DNS + targets: + - select: + kind: Service + name: mt-ingress + fieldPaths: + - metadata.annotations.[external-dns.alpha.kubernetes.io/hostname] +- source: + kind: ConfigMap + name: config + fieldPath: data.SYSTEM_DNS + targets: + - select: + kind: Certificate + name: mt-ingress-cert + fieldPaths: + - spec.dnsNames.0 + +# CERT-MANAGER +- source: + kind: ConfigMap + name: config + fieldPath: data.CERT_MANAGER_ISSUER + targets: + - select: + kind: Certificate + fieldPaths: + - spec.issuerRef.name \ No newline at end of file From e1ad9c27546cf634b71ad65376d0faf9d30b1ea5 Mon Sep 17 00:00:00 2001 
From: Roi Vazquez Date: Thu, 2 May 2024 13:15:39 +0200 Subject: [PATCH 13/20] Don't create external-secrets when using seed --- pkg/resource_builders/pod/environment.go | 17 ++++++++++++----- pkg/resource_builders/pod/environment_test.go | 11 +++++++++++ 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/pkg/resource_builders/pod/environment.go b/pkg/resource_builders/pod/environment.go index abf4d2ae..39f9c0d2 100644 --- a/pkg/resource_builders/pod/environment.go +++ b/pkg/resource_builders/pod/environment.go @@ -20,9 +20,8 @@ import ( ) type Option struct { - value *string - valueFrom *corev1.EnvVarSource - // secretRef *saasv1alpha1.SecretReference + value *string + valueFrom *corev1.EnvVarSource envVariable string secretName string seedKey string @@ -148,6 +147,14 @@ func (options *Options) FilterSecretOptions() Options { }) } +// FilterSecretOptions returns a list of options that will generate a Secret resource +// with a Vault secret store as its source (via an ExternalSecret) +func (options *Options) FilterFromVaultOptions() Options { + return lo.Filter(*options, func(item *Option, index int) bool { + return item.vaultKey != "" && item.vaultPath != "" + }) +} + func (options *Options) ListSecretResourceNames() []string { list := lo.Reduce(options.FilterSecretOptions(), func(agg []string, item *Option, _ int) []string { return append(agg, item.valueFrom.SecretKeyRef.Name) 
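Review bot: The doc comment on `FilterFromVaultOptions` is copied from `FilterSecretOptions` and names the wrong function; use `// FilterFromVaultOptions returns the options whose value is sourced from Vault (both vaultPath and vaultKey set), i.e. those that need an ExternalSecret.` The filter also keys on `item.vaultKey != "" && item.vaultPath != ""` rather than on the presence of a `FromVault` reference, so a `fromVault` option whose path or key is empty is silently dropped from ExternalSecret generation instead of being surfaced as a misconfiguration; whether `Unpack` guarantees both are non-empty for `FromVault` is outside this hunk. A comment stating that invariant, or a validation on `VaultSecretReference`, would make the silent skip deliberate rather than accidental.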
@@ -243,7 +250,7 @@ func (opts *Options) BuildEnvironment() []corev1.EnvVar { func (opts *Options) GenerateExternalSecrets(namespace string, labels map[string]string, secretStoreName, secretStoreKind string, refreshInterval metav1.Duration) []resource.TemplateInterface { list := []resource.TemplateInterface{} - for _, group := range lo.PartitionBy[*Option, string](opts.FilterSecretOptions(), func(item *Option) string { return item.secretName }) { + for _, group := range lo.PartitionBy(opts.FilterFromVaultOptions(), func(item *Option) string { return item.secretName }) { data := []externalsecretsv1beta1.ExternalSecretData{} name := group[0].secretName for _, opt := range group { @@ -266,7 +273,7 @@ func (opts *Options) GenerateExternalSecrets(namespace string, labels map[string } func Union(lists ...[]*Option) *Options { - all := operatorutil.ConcatSlices[*Option](lists...) + all := operatorutil.ConcatSlices(lists...) all = lo.UniqBy(all, func(item *Option) string { return item.envVariable }) diff --git a/pkg/resource_builders/pod/environment_test.go b/pkg/resource_builders/pod/environment_test.go index 5a1a9c78..326c38ca 100644 --- a/pkg/resource_builders/pod/environment_test.go +++ b/pkg/resource_builders/pod/environment_test.go @@ -466,6 +466,17 @@ func TestOptions_GenerateExternalSecrets(t *testing.T) { args: args{}, want: []client.Object{}, }, + { + name: "Skips 'fromSeed' secret options", + opts: func() *Options { + o := NewOptions() + o.AddEnvvar("envvar1").AsSecretRef(TSecret("secret")).WithSeedKey(TSeedKey("key")). + Unpack(&saasv1alpha1.SecretReference{FromSeed: &saasv1alpha1.SeedSecretReference{}}) + return o + }(), + args: args{}, + want: []client.Object{}, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From 52d87adae33db688921d8f67f9d38728f54bd7fb Mon Sep 17 00:00:00 2001 
From: Roi Vazquez Date: Thu, 2 May 2024 16:45:54 +0200 Subject: [PATCH 14/20] Simplify domain config for local-setup --- .../local-setup/env-inputs/configuration.yaml | 19 +-- config/local-setup/workloads/apicast.yaml | 4 +- config/local-setup/workloads/autossl.yaml | 4 +- config/local-setup/workloads/backend.yaml | 2 +- .../local-setup/workloads/mappingservice.yaml | 2 +- config/local-setup/workloads/mt-ingress.yaml | 4 +- .../workloads/replacements/domains.yaml | 143 +++++++----------- config/local-setup/workloads/system.yaml | 6 +- 8 files changed, 71 insertions(+), 113 deletions(-) diff --git a/config/local-setup/env-inputs/configuration.yaml b/config/local-setup/env-inputs/configuration.yaml index 6b7a998a..445321d3 100644 --- a/config/local-setup/env-inputs/configuration.yaml +++ b/config/local-setup/env-inputs/configuration.yaml 
@@ -43,23 +43,12 @@ data: ENVOY_IMAGE: envoyproxy/envoy:v1.22.11 # DOMAIN CONFIGURATION - SYSTEM_ENDPOINT: https://multitenant-admin.system-172-27-27-105.nip.io - AUTOSSL_VERIFICATION_ENDPOINT: https://multitenant-admin.system-172-27-27-105.nip.io/swagger/spec.json - SYSTEM_EVENTS_URL: https://system-172-27-27-105.nip.io/master/events/import - SYSTEM_SUPERDOMAIN: system-172-27-27-105.nip.io - BACKEND_EXTERNAL_ENDPOINT: http://backend-172-27-27-100.nip.io + SYSTEM_ENDPOINT: multitenant-admin.system-172-27-27-105.nip.io + BACKEND_ENDPOINT: backend-172-27-27-100.nip.io APICAST_STAGING_DOMAIN: staging-172-27-27-102.nip.io APICAST_PRODUCTION_DOMAIN: production-172-27-27-101.nip.io - APICAST_CLOUD_HOSTED_REGISTRY_URL: http://apicast-staging-management:8090/policies - APICAST_SELF_MANAGED_REGISTRY_URL: http://policies.apicast.io/latest/policies.json - - # DNS CONFIG - APICAST_STAGING_DNS: '*.staging-172-27-27-102.nip.io' - APICAST_PRODUCTION_DNS: '*.production-172-27-27-101.nip.io' - AUTOSSL_DNS: autossl-172-27-27-104.nip.io - BACKEND_DNS: backend-172-27-27-100.nip.io - ECHOAPI_DNS: echo-api-172-27-27-103.nip.io - SYSTEM_DNS: '*.system-172-27-27-105.nip.io' + AUTOSSL_ENDPOINT: autossl-172-27-27-104.nip.io + ECHOAPI_ENDPOINT: echo-api-172-27-27-103.nip.io # CERTIFICATE CONFIG CERT_MANAGER_ISSUER: selfsigned-cluster-issuer \ No newline at end of file diff --git a/config/local-setup/workloads/apicast.yaml b/config/local-setup/workloads/apicast.yaml index a90c00fa..029caf89 100644 --- a/config/local-setup/workloads/apicast.yaml +++ b/config/local-setup/workloads/apicast.yaml @@ -12,7 +12,7 @@ spec: config: configurationCache: 300 threescalePortalEndpoint: "http://mapping-service/config" - endpoint: {dns: [REPLACE]} + endpoint: {dns: ['*.REPLACE']} hpa: {} loadBalancer: proxyProtocol: false 
@@ -62,7 +62,7 @@ spec: config: configurationCache: 60 threescalePortalEndpoint: "http://mapping-service/config" - endpoint: {dns: [REPLACE]} + endpoint: {dns: ['*.REPLACE']} hpa: {} loadBalancer: proxyProtocol: false diff --git a/config/local-setup/workloads/autossl.yaml b/config/local-setup/workloads/autossl.yaml index a86476a0..9961ee2a 100644 --- a/config/local-setup/workloads/autossl.yaml +++ b/config/local-setup/workloads/autossl.yaml @@ -12,9 +12,9 @@ spec: contactEmail: 3scale-operations@redhat.com domainWhitelist: [] logLevel: debug - proxyEndpoint: REPLACE + proxyEndpoint: https://REPLACE redisHost: autossl-redis - verificationEndpoint: REPLACE + verificationEndpoint: https://REPLACE/swagger/spec.json endpoint: {dns: [REPLACE]} hpa: {} pdb: {} diff --git a/config/local-setup/workloads/backend.yaml b/config/local-setup/workloads/backend.yaml index 572ad559..bc311b1b 100644 --- a/config/local-setup/workloads/backend.yaml +++ b/config/local-setup/workloads/backend.yaml @@ -17,7 +17,7 @@ spec: redisQueuesDSN: "redis://backend-redis:6379/1" redisStorageDSN: "redis://backend-redis:6379/0" systemEventsHookPassword: {} - systemEventsHookURL: {override: REPLACE } + systemEventsHookURL: {override: https://REPLACE/master/events/import } listener: config: listenerWorkers: 1 diff --git a/config/local-setup/workloads/mappingservice.yaml b/config/local-setup/workloads/mappingservice.yaml index 32b4dce0..2db2f553 100644 --- a/config/local-setup/workloads/mappingservice.yaml +++ b/config/local-setup/workloads/mappingservice.yaml @@ -4,7 +4,7 @@ metadata: name: mapping-service spec: config: - apiHost: REPLACE + apiHost: https://REPLACE systemAdminToken: {fromSeed: {}} image: name: REPLACE diff --git a/config/local-setup/workloads/mt-ingress.yaml b/config/local-setup/workloads/mt-ingress.yaml index bfea4cdf..ca256c95 100644 --- a/config/local-setup/workloads/mt-ingress.yaml +++ b/config/local-setup/workloads/mt-ingress.yaml 
@@ -3,7 +3,7 @@ kind: Certificate metadata: name: mt-ingress-cert spec: - dnsNames: [REPLACE] + dnsNames: ['*.REPLACE'] issuerRef: kind: ClusterIssuer name: selfsigned-cluster-issuer @@ -36,7 +36,7 @@ apiVersion: v1 kind: Service metadata: annotations: - external-dns.alpha.kubernetes.io/hostname: REPLACE + external-dns.alpha.kubernetes.io/hostname: '*.REPLACE' service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "true" service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout: "60" service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" diff --git a/config/local-setup/workloads/replacements/domains.yaml b/config/local-setup/workloads/replacements/domains.yaml index 45110b3a..e6f2cad2 100644 --- a/config/local-setup/workloads/replacements/domains.yaml +++ b/config/local-setup/workloads/replacements/domains.yaml @@ -1,24 +1,38 @@ -# APICAST +# CONFIGURE APICAST ENDPOINTS - source: kind: ConfigMap name: config - fieldPath: data.APICAST_STAGING_DNS + fieldPath: data.APICAST_STAGING_DOMAIN targets: - select: kind: Apicast fieldPaths: - spec.staging.endpoint.dns.0 + options: + delimiter: "." + index: 1 + - select: + kind: System + fieldPaths: + - spec.config.apicast.stagingDomain - source: kind: ConfigMap name: config - fieldPath: data.APICAST_PRODUCTION_DNS + fieldPath: data.APICAST_PRODUCTION_DOMAIN targets: - select: kind: Apicast fieldPaths: - spec.production.endpoint.dns.0 + options: + delimiter: "." + index: 1 + - select: + kind: System + fieldPaths: + - spec.config.apicast.productionDomain -# AUTOSSL +# CONFIGURE AUTOSSL ENDPOINT - source: kind: ConfigMap name: config 
@@ -28,142 +42,97 @@ kind: AutoSSL fieldPaths: - spec.config.proxyEndpoint -- source: - kind: ConfigMap - name: config - fieldPath: data.AUTOSSL_VERIFICATION_ENDPOINT - targets: - - select: - kind: AutoSSL - fieldPaths: - spec.config.verificationEndpoint + options: + delimiter: "/" + index: 2 - source: kind: ConfigMap name: config - fieldPath: data.AUTOSSL_DNS + fieldPath: data.AUTOSSL_ENDPOINT targets: - select: kind: AutoSSL fieldPaths: - spec.endpoint.dns.0 -# BACKEND +# CONFIGURE ECHOAPI ENDPOINT - source: kind: ConfigMap name: config - fieldPath: data.SYSTEM_EVENTS_URL - targets: - - select: - kind: Backend - fieldPaths: - - spec.config.systemEventsHookURL.override -- source: - kind: ConfigMap - name: config - fieldPath: data.BACKEND_DNS - targets: - - select: - kind: Backend - fieldPaths: - - spec.listener.endpoint.dns.0 - -# ECHOAPI -- source: - kind: ConfigMap - name: config - fieldPath: data.ECHOAPI_DNS + fieldPath: data.ECHOAPI_ENDPOINT targets: - select: kind: EchoAPI fieldPaths: - spec.endpoint.dns.0 -# MAPPINGSERVICE +# CONFIGURE BACKEND ENDPOINT - source: kind: ConfigMap name: config - fieldPath: data.SYSTEM_ENDPOINT + fieldPath: data.BACKEND_ENDPOINT targets: - select: - kind: MappingService - fieldPaths: - - spec.config.apiHost - -# SYSTEM -- source: - kind: ConfigMap - name: config - fieldPath: data.SYSTEM_SUPERDOMAIN - targets: - - select: - kind: System + kind: Backend fieldPaths: - - spec.config.threescaleSuperdomain -- source: - kind: ConfigMap - name: config - fieldPath: data.BACKEND_EXTERNAL_ENDPOINT - targets: + - spec.listener.endpoint.dns.0 - select: kind: System fieldPaths: - spec.config.backend.externalEndpoint + options: + delimiter: "/" + index: 2 + +# CONFIGURE SYSTEM ENDPOINT - source: kind: ConfigMap name: config - fieldPath: data.APICAST_STAGING_DOMAIN - targets: - - select: - kind: System - fieldPaths: - - spec.config.apicast.stagingDomain -- source: - kind: ConfigMap - name: config - fieldPath: data.APICAST_PRODUCTION_DOMAIN + 
fieldPath: data.SYSTEM_ENDPOINT targets: - select: - kind: System + kind: Backend fieldPaths: - - spec.config.apicast.productionDomain -- source: - kind: ConfigMap - name: config - fieldPath: data.APICAST_CLOUD_HOSTED_REGISTRY_URL - targets: + - spec.config.systemEventsHookURL.override + options: + delimiter: "/" + index: 2 - select: - kind: System + kind: MappingService fieldPaths: - - spec.config.apicast.cloudHostedRegistryURL + - spec.config.apiHost + options: + delimiter: "/" + index: 2 - source: kind: ConfigMap name: config - fieldPath: data.APICAST_SELF_MANAGED_REGISTRY_URL + fieldPath: data.SYSTEM_ENDPOINT + options: + delimiter: "multitenant-admin." + index: 1 targets: - select: kind: System fieldPaths: - - spec.config.apicast.selfManagedRegistryURL -- source: - kind: ConfigMap - name: config - fieldPath: data.SYSTEM_DNS - targets: + - spec.config.threescaleSuperdomain - select: kind: Service name: mt-ingress fieldPaths: - metadata.annotations.[external-dns.alpha.kubernetes.io/hostname] -- source: - kind: ConfigMap - name: config - fieldPath: data.SYSTEM_DNS - targets: + options: + delimiter: "." + index: 1 - select: kind: Certificate name: mt-ingress-cert fieldPaths: - spec.dnsNames.0 + options: + delimiter: "." + index: 1 # CERT-MANAGER - source: @@ -174,4 +143,4 @@ - select: kind: Certificate fieldPaths: - - spec.issuerRef.name \ No newline at end of file + - spec.issuerRef.name diff --git a/config/local-setup/workloads/system.yaml b/config/local-setup/workloads/system.yaml index 24e44811..98191d91 100644 --- a/config/local-setup/workloads/system.yaml +++ b/config/local-setup/workloads/system.yaml @@ -18,7 +18,7 @@ spec: redis: queuesDSN: "redis://system-redis:6379" backend: - externalEndpoint: REPLACE + externalEndpoint: http://REPLACE internalAPIPassword: {fromSeed: {}} internalAPIUser: {fromSeed: {}} internalEndpoint: "http://backend-listener-internal" 
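Review bot: `externalEndpoint: http://REPLACE` in the system.yaml hunk is the only endpoint in this series that keeps a plain `http://` scheme; autossl's `proxyEndpoint`, backend's `systemEventsHookURL` and mapping-service's `apiHost` all moved to `https://`. The domains.yaml replacement for `spec.config.backend.externalEndpoint` only swaps the host part (`delimiter: "/"`, `index: 2`), so the scheme is fixed in this file and cannot be corrected from the ConfigMap later. If the kind setup really exposes the Backend listener without TLS this is fine, but then a one-line comment above the field saying so would stop the next reader from "fixing" it; otherwise it should read `externalEndpoint: https://REPLACE`.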
@@ -66,8 +66,8 @@ spec: apicast: stagingDomain: REPLACE productionDomain: REPLACE - cloudHostedRegistryURL: REPLACE - selfManagedRegistryURL: REPLACE + cloudHostedRegistryURL: http://apicast-staging-management:8090/policies + selfManagedRegistryURL: https://policies.apicast.io/latest/policies.json app: hpa: {} pdb: {} From aed59cdd7f47a50ec35a16ebbab08ec440b97df9 Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Mon, 6 May 2024 12:10:05 +0200 Subject: [PATCH 15/20] Upgrade actions --- .github/workflows/release.yaml | 24 ++++++++---------------- .github/workflows/test-e2e.yaml | 25 ------------------------- .github/workflows/test.yaml | 25 ++++++++----------------- 3 files changed, 16 insertions(+), 58 deletions(-) delete mode 100644 .github/workflows/test-e2e.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a5de7599..76cfaa30 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -7,27 +7,16 @@ on: jobs: build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Setup Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v5 with: go-version: "1.21" - - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: ${{ runner.os }}-go- - - - uses: actions/cache@v2 - with: - path: ./testbin - key: ${{ runner.os }}-testbin - - - uses: actions/cache@v2 + - uses: actions/cache@v4 with: path: ./bin key: ${{ runner.os }}-bin @@ -35,6 +24,9 @@ jobs: - name: Run tests run: make test + - name: Run e2e tests + run: make test-e2e + - name: Build image run: make docker-build @@ -44,7 +36,7 @@ jobs: - name: Login to quay.io/3scale if: ${{ env.NEW_RELEASE != '' }} - uses: docker/login-action@v1 + uses: docker/login-action@v3 with: registry: quay.io username: ${{ secrets.REGISTRY_USER }} 
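Review bot: The upgraded actions in release.yaml are still referenced by mutable major-version tags (`actions/checkout@v4`, `actions/setup-go@v5`, `actions/cache@v4`, `docker/login-action@v3`), and this job logs in with `secrets.REGISTRY_USER`, so a retagged or compromised upstream action would run with push access to quay.io. Pinning each `uses:` to the full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, keeps the upgrade while removing that exposure, and Dependabot can keep the SHAs current. The same applies to the test.yaml hunk in the next file of this patch. Adding `make test-e2e` to the release job ahead of `make docker-build` also means an e2e failure now blocks image builds, which looks intended but is worth confirming in the commit message.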
diff --git a/.github/workflows/test-e2e.yaml b/.github/workflows/test-e2e.yaml deleted file mode 100644 index 2c28b5de..00000000 --- a/.github/workflows/test-e2e.yaml +++ /dev/null @@ -1,25 +0,0 @@ -name: test-e2e - -on: - pull_request: - branches: - - main - -jobs: - test: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: "1.21" - - - uses: actions/cache@v2 - with: - path: ./bin - key: ${{ runner.os }}-bin - - - name: Run test-e2e - run: make test-e2e \ No newline at end of file diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 24b4908e..228ed442 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -6,31 +6,22 @@ on: - main jobs: test: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Setup Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v5 with: go-version: "1.21" - - uses: actions/cache@v2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: ${{ runner.os }}-go- - - - uses: actions/cache@v2 - with: - path: ./testbin - key: ${{ runner.os }}-testbin - - - uses: actions/cache@v2 + - uses: actions/cache@v4 with: path: ./bin key: ${{ runner.os }}-bin - name: Run tests - run: | - make test + run: make test + + - name: Run e2e tests + run: make test-e2e From 66ebbf450086a27255254a5870d8a0806489305f Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Mon, 6 May 2024 12:24:24 +0200 Subject: [PATCH 16/20] Fix kustomize-apply script --- hack/apply-kustomize.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hack/apply-kustomize.sh b/hack/apply-kustomize.sh index 6b23d4dc..2cc9ef80 100755 --- a/hack/apply-kustomize.sh +++ b/hack/apply-kustomize.sh @@ -1,6 +1,6 @@ #!/bin/bash -set -eu +set -eux function generate_resources() { local KPATH=${1} 
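Review bot: `set -eux` in the apply-kustomize.sh hunk turns on command tracing for the whole script, so every expanded command line, including any value passed as an argument or taken from the environment, is written to stderr and ends up in CI and terminal logs. From this hunk alone I cannot tell whether the script ever puts secret material on a command line; the Makefile hunk later in this series makes `seed-secret.yaml` and `pull-secrets.json` prerequisites of the kind deploy target, so that is worth checking before tracing is left on unconditionally. If it was added for debugging, gate it instead: keep `set -eu` and follow it with `[[ -n "${DEBUG:-}" ]] && set -x` (the variable name is illustrative). `generate_resources` starts in this hunk and continues outside it.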
@@ -40,7 +40,7 @@ function wait_for() {
 local NAME=${ITEM#*/}
 local NS=${ITEM%/*}
 echo; echo "#################### > Waiting for ${KIND} ${NAME} in namespace ${NS}"
- local SELECTOR=$(kubectl -n ${NS} describe ${KIND} ${NAME} | awk '/Selector/{print $2}')
+ local SELECTOR=$(kubectl -n ${NS} describe ${KIND} ${NAME} | awk '/^Selector:/{print $2}')
 kubectl -n ${NS} get pods -l ${SELECTOR} --no-headers -o name | xargs kubectl -n ${NS} wait --for condition=ready
 done
 fi
From e5d23784c8373fa97cd0196f8d28cf5b55302255 Mon Sep 17 00:00:00 2001
From: Roi Vazquez
Date: Mon, 6 May 2024 16:16:08 +0200
Subject: [PATCH 17/20] Bump release
---
 Makefile | 8 +-
 bundle.Dockerfile | 3 +-
 .../saas-operator.clusterserviceversion.yaml | 158 ++++++++++++++-
 .../manifests/saas.3scale.net_apicasts.yaml | 32 +--
 .../manifests/saas.3scale.net_autossls.yaml | 16 +-
 .../manifests/saas.3scale.net_backends.yaml | 56 ++++--
 .../saas.3scale.net_corsproxies.yaml | 20 +-
 .../manifests/saas.3scale.net_echoapis.yaml | 16 +-
 .../saas.3scale.net_mappingservices.yaml | 20 +-
 bundle/manifests/saas.3scale.net_systems.yaml | 187 ++++++++++++++----
 bundle/manifests/saas.3scale.net_zyncs.yaml | 48 +++--
 bundle/metadata/annotations.yaml | 3 +-
 config/manager/kustomization.yaml | 2 +-
 hack/apply-kustomize.sh | 2 +-
 pkg/version/version.go | 2 +-
 15 files changed, 440 insertions(+), 133 deletions(-)
diff --git a/Makefile b/Makefile
index 915e44f7..d86cb3f5 100644
--- a/Makefile
+++ b/Makefile
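Review bot: `SELECTOR` is expanded unguarded on the line after the changed one, so when `describe` prints no `Selector:` line (a kind without one, or an awk miss) the expansion is empty and `kubectl get pods -l ${SELECTOR} --no-headers` either fails to parse `--no-headers` as the selector or, if quoted, matches every pod in the namespace, so the wait no longer targets the resource it was asked about. `local SELECTOR=$(...)` also returns the status of `local`, not of the command substitution, so `set -e` cannot catch a failure there. Declare and assign separately, then check: `local SELECTOR` / `SELECTOR=$(kubectl -n "${NS}" describe "${KIND}" "${NAME}" | awk '/^Selector:/{print $2}')` / `[[ -n "${SELECTOR}" ]] || { echo "no selector found for ${KIND} ${NAME}" >&2; return 1; }`. `wait_for` starts outside the hunk.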
@@ -3,7 +3,7 @@ # To re-generate a bundle for another specific version without changing the standard setup, you can: # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) -VERSION ?= 0.23.0-alpha.4 +VERSION ?= 0.23.0-alpha.9 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") # To re-generate a bundle for other specific channels without changing the standard setup, you can: @@ -307,12 +307,14 @@ kind-load-redis-with-ssh: $(KIND) load docker-image $(REDIS_WITH_SSH_IMG) kind-deploy-saas-workloads: export KUBECONFIG = ${PWD}/kubeconfig -kind-deploy-saas-workloads: kind-deploy-controller kind-deploy-saas-inputs kind-load-redis-with-ssh ## Deploys the 3scale SaaS dev environment workloads +kind-deploy-saas-workloads: kind-deploy-controller $(LOCAL_SETUP_INPUTS_PATH)/seed-secret.yaml $(LOCAL_SETUP_INPUTS_PATH)/pull-secrets.json kind-load-redis-with-ssh ## Deploys the 3scale SaaS dev environment workloads $(KUSTOMIZE) build config/local-setup | $(YQ) 'select(.kind!="Zync")' | kubectl apply -f - sleep 10 - kubectl get pods --no-headers -o name xargs kubectl wait --for condition=ready --timeout=300s + kubectl get pods --no-headers -o name | grep -v system | xargs kubectl wait --for condition=ready --timeout=300s $(KUSTOMIZE) build config/local-setup | $(YQ) 'select(.kind=="Zync")' | kubectl apply -f - + kubectl get pods --no-headers -o name | grep -v system | xargs kubectl wait --for condition=ready --timeout=300s +kind-deploy-saas-run-db-setup: export KUBECONFIG = ${PWD}/kubeconfig kind-deploy-saas-run-db-setup: kubectl create -f config/local-setup/workloads/db-setup-pipelinerun.yaml diff --git a/bundle.Dockerfile b/bundle.Dockerfile index e44312a4..b80837a0 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile 
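Review bot: The two new `xargs kubectl wait` lines in the `kind-deploy-saas-workloads` hunk run `kubectl wait --for condition=ready --timeout=300s` with no resource argument when the `grep -v system` filter leaves nothing, and that invocation fails, so the target errors on an otherwise healthy cluster; `xargs -r` skips the call on empty input: `kubectl get pods --no-headers -o name | grep -v system | xargs -r kubectl wait --for condition=ready --timeout=300s`. The `grep -v system` filter also drops every pod whose name contains `system`, not only the System workload it presumably means, so any other pod with that substring (if one exists in this setup) is silently never waited for; a pattern anchored to the exact pod name prefix would document the intent. The `@@ -3,7 +3,7 @@` hunk is a version bump.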
@@ -5,8 +5,7 @@ LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=saas-operator -LABEL operators.operatorframework.io.bundle.channels.v1=alpha,stable -LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha +LABEL operators.operatorframework.io.bundle.channels.v1=alpha LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.27.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3 diff --git a/bundle/manifests/saas-operator.clusterserviceversion.yaml b/bundle/manifests/saas-operator.clusterserviceversion.yaml index 673eacf2..741f8648 100644 --- a/bundle/manifests/saas-operator.clusterserviceversion.yaml +++ b/bundle/manifests/saas-operator.clusterserviceversion.yaml @@ -598,7 +598,7 @@ metadata: capabilities: Basic Install categories: Integration & Delivery containerImage: quay.io/3scale/saas-operator - createdAt: "2024-01-23T13:46:39Z" + createdAt: "2024-05-06T14:15:35Z" description: |- The 3scale SaaS Operator creates and maintains a SaaS-ready deployment of the Red Hat 3scale API Management on OpenShift. @@ -606,7 +606,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/3scale-ops/saas-operator support: Red Hat - name: saas-operator.v0.22.0 + name: saas-operator.v0.23.0-alpha.9 namespace: placeholder spec: apiservicedefinitions: {} 
@@ -1308,6 +1308,10 @@ spec: key displayName: Error Monitoring Key path: config.errorMonitoringKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.errorMonitoringKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -1325,6 +1329,10 @@ spec: service displayName: Error Monitoring Service path: config.errorMonitoringService + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.errorMonitoringService.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -1358,6 +1366,10 @@ spec: - description: A reference to the secret holding the backend-internal-api password displayName: Internal APIPassword path: config.internalAPIPassword + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.internalAPIPassword.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -1374,6 +1386,10 @@ spec: - description: A reference to the secret holding the backend-internal-api user displayName: Internal APIUser path: config.internalAPIUser + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.internalAPIUser.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -1403,6 +1419,10 @@ spec: password displayName: System Events Hook Password path: config.systemEventsHookPassword + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.systemEventsHookPassword.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -1420,6 +1440,10 @@ spec: URL displayName: System Events Hook URL path: config.systemEventsHookURL + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.systemEventsHookURL.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -1940,6 +1964,10 @@ spec: - description: System database connection string displayName: System Database DSN path: config.systemDatabaseDSN + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.systemDatabaseDSN.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2293,6 +2321,10 @@ spec: - description: A reference to the secret holding the system admin token displayName: System Admin Token path: config.systemAdminToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.systemAdminToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -2794,6 +2826,10 @@ spec: - description: AccessCode to protect admin urls displayName: Access Code path: config.accessCode + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.accessCode.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2810,6 +2846,10 @@ spec: - description: AWS access key displayName: Access Key path: config.assets.accessKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.assets.accessKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2832,9 +2872,16 @@ spec: - description: AWS S3 region displayName: Region path: config.assets.region + - description: Assets custom S3 endpoint + displayName: S3 Endpoint + path: config.assets.s3Endpoint - description: AWS secret access key displayName: Secret Key path: config.assets.secretKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.assets.secretKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2857,6 +2904,10 @@ spec: - description: Internal API password displayName: Internal APIPassword path: config.backend.internalAPIPassword + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.backend.internalAPIPassword.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -2873,6 +2924,10 @@ spec: - description: Internal API user displayName: Internal APIUser path: config.backend.internalAPIUser + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.backend.internalAPIUser.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2898,6 +2953,10 @@ spec: - description: API key displayName: APIKey path: config.bugsnag.apiKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.bugsnag.apiKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2921,6 +2980,10 @@ spec: - description: DSN of system's main database displayName: Database DSN path: config.databaseDSN + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.databaseDSN.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2934,9 +2997,14 @@ spec: - description: Override allows to directly specify a string value. displayName: Override path: config.databaseDSN.override - - description: Database secret + - description: DatabaseSecret is a site key stored off-database for improved + more secure password hashing See https://github.com/3scale/porta/blob/ae498814cef3d856613f60d29330882fa870271d/config/initializers/site_keys.rb#L2-L19 displayName: Database Secret path: config.databaseSecret + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.databaseSecret.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -2950,9 +3018,14 @@ spec: - description: Override allows to directly specify a string value. displayName: Override path: config.databaseSecret.override - - description: EventsSharedSecret + - description: EventsSharedSecret is a password that protects System's event + hooks endpoint. displayName: Events Shared Secret path: config.eventsSharedSecret + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.eventsSharedSecret.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -2992,6 +3065,10 @@ spec: - description: Client ID displayName: Client ID path: config.github.clientID + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.github.clientID.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3008,6 +3085,10 @@ spec: - description: Client secret displayName: Client Secret path: config.github.clientSecret + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.github.clientSecret.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3024,6 +3105,10 @@ spec: - description: Mapping Service access token displayName: Mapping Service Access Token path: config.mappingServiceAccessToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.mappingServiceAccessToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -3058,6 +3143,10 @@ spec: - description: Private key displayName: Private Key path: config.recaptcha.privateKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.recaptcha.privateKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3074,6 +3163,10 @@ spec: - description: Public key displayName: Public Key path: config.recaptcha.publicKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.recaptcha.publicKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3093,6 +3186,10 @@ spec: - description: Client ID displayName: Client ID path: config.redhatCustomerPortal.clientID + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.redhatCustomerPortal.clientID.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3109,6 +3206,10 @@ spec: - description: Client secret displayName: Client Secret path: config.redhatCustomerPortal.clientSecret + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.redhatCustomerPortal.clientSecret.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -3146,9 +3247,14 @@ spec: - description: Defines the address port displayName: Port path: config.searchServer.port - - description: SecretKeyBase + - description: 'SecretKeyBase: https://api.rubyonrails.org/classes/Rails/Application.html#method-i-secret_key_base + You can generate one random key using ''bundle exec rake secret''' displayName: Secret Key Base path: config.secretKeyBase + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.secretKeyBase.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3168,6 +3274,10 @@ spec: - description: Deletion token displayName: Deletion Token path: config.segment.deletionToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.segment.deletionToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3187,6 +3297,10 @@ spec: - description: Write key displayName: Write Key path: config.segment.writeKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.segment.writeKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3215,6 +3329,10 @@ spec: - description: Password displayName: Password path: config.smtp.password + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.smtp.password.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -3240,6 +3358,10 @@ spec: - description: User displayName: User path: config.smtp.user + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.smtp.user.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -3268,6 +3390,10 @@ spec: - description: Zync authentication token displayName: Auth Token path: config.zync.authToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.zync.authToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -4155,6 +4281,10 @@ spec: - description: API key displayName: APIKey path: config.bugsnag.apiKey + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.bugsnag.apiKey.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -4174,6 +4304,10 @@ spec: - description: A reference to the secret holding the database DSN displayName: Database DSN path: config.databaseDSN + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.databaseDSN.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -4219,6 +4353,10 @@ spec: - description: A reference to the secret holding the secret-key-base displayName: Secret Key Base path: config.secretKeyBase + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.secretKeyBase.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault 
@@ -4235,6 +4373,10 @@ spec: - description: A reference to the secret holding the zync authentication token displayName: Zync Auth Token path: config.zyncAuthToken + - description: FromSeed will try to retrieve the secret value from the default + seed Secret. + displayName: From Seed + path: config.zyncAuthToken.fromSeed - description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault displayName: From Vault @@ -4468,7 +4610,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - image: quay.io/3scale/saas-operator:v0.22.0 + image: quay.io/3scale/saas-operator:v0.23.0-alpha.9 livenessProbe: httpGet: path: /healthz @@ -4622,7 +4764,7 @@ spec: - update - watch - apiGroups: - - integreatly.org + - grafana.integreatly.org resources: - grafanadashboards verbs: @@ -5032,4 +5174,4 @@ spec: provider: name: Red Hat url: https://www.3scale.net/ - version: 0.22.0 + version: 0.23.0-alpha.9 diff --git a/bundle/manifests/saas.3scale.net_apicasts.yaml b/bundle/manifests/saas.3scale.net_apicasts.yaml index 950291e0..798b9b8f 100644 --- a/bundle/manifests/saas.3scale.net_apicasts.yaml +++ b/bundle/manifests/saas.3scale.net_apicasts.yaml @@ -153,18 +153,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 
@@ -182,7 +182,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than @@ -210,18 +210,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -239,7 +239,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than 
@@ -1078,18 +1078,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -1107,7 +1107,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than @@ -1135,18 +1135,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 
@@ -1164,7 +1164,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than diff --git a/bundle/manifests/saas.3scale.net_autossls.yaml b/bundle/manifests/saas.3scale.net_autossls.yaml index df9090fa..6f31dc05 100644 --- a/bundle/manifests/saas.3scale.net_autossls.yaml +++ b/bundle/manifests/saas.3scale.net_autossls.yaml @@ -152,18 +152,18 @@ spec: must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -181,7 +181,7 @@ spec: used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than 
@@ -208,18 +208,18 @@ spec: must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -237,7 +237,7 @@ spec: used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than diff --git a/bundle/manifests/saas.3scale.net_backends.yaml b/bundle/manifests/saas.3scale.net_backends.yaml index 734a589d..30bd2bab 100644 --- a/bundle/manifests/saas.3scale.net_backends.yaml +++ b/bundle/manifests/saas.3scale.net_backends.yaml @@ -41,6 +41,10 @@ spec: description: A reference to the secret holding the backend-error-monitoring key properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -64,6 +68,10 @@ spec: description: A reference to the secret holding the backend-error-monitoring service properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -106,6 +114,10 @@ spec: description: A reference to the secret holding the backend-internal-api password properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -129,6 +141,10 @@ spec: description: A reference to the secret holding the backend-internal-api user properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -165,6 +181,10 @@ spec: description: A reference to the secret holding the backend-system-events-hook password properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -188,6 +208,10 @@ spec: description: A reference to the secret holding the backend-system-events-hook URL properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -638,18 +662,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -667,7 +691,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than @@ -695,18 +719,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 
@@ -724,7 +748,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than @@ -1640,18 +1664,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -1669,7 +1693,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than 
@@ -1697,18 +1721,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -1726,7 +1750,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than diff --git a/bundle/manifests/saas.3scale.net_corsproxies.yaml b/bundle/manifests/saas.3scale.net_corsproxies.yaml index 3faa2d86..d6ad032f 100644 --- a/bundle/manifests/saas.3scale.net_corsproxies.yaml +++ b/bundle/manifests/saas.3scale.net_corsproxies.yaml @@ -59,6 +59,10 @@ spec: systemDatabaseDSN: description: System database connection string properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -119,18 +123,18 @@ spec: must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -148,7 +152,7 @@ spec: used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than @@ -175,18 +179,18 @@ spec: must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 
@@ -204,7 +208,7 @@ spec: used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than diff --git a/bundle/manifests/saas.3scale.net_echoapis.yaml b/bundle/manifests/saas.3scale.net_echoapis.yaml index 4454c5e7..f5b7c6f6 100644 --- a/bundle/manifests/saas.3scale.net_echoapis.yaml +++ b/bundle/manifests/saas.3scale.net_echoapis.yaml @@ -71,18 +71,18 @@ spec: must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -100,7 +100,7 @@ spec: used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than 
@@ -127,18 +127,18 @@ spec: must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -156,7 +156,7 @@ spec: used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than diff --git a/bundle/manifests/saas.3scale.net_mappingservices.yaml b/bundle/manifests/saas.3scale.net_mappingservices.yaml index b4238b4a..52710a22 100644 --- a/bundle/manifests/saas.3scale.net_mappingservices.yaml +++ b/bundle/manifests/saas.3scale.net_mappingservices.yaml @@ -69,6 +69,10 @@ spec: description: A reference to the secret holding the system admin token properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -130,18 +134,18 @@ spec: must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -159,7 +163,7 @@ spec: used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than @@ -186,18 +190,18 @@ spec: must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 
@@ -215,7 +219,7 @@ spec: used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than diff --git a/bundle/manifests/saas.3scale.net_systems.yaml b/bundle/manifests/saas.3scale.net_systems.yaml index 2c2adee9..f0595fe1 100644 --- a/bundle/manifests/saas.3scale.net_systems.yaml +++ b/bundle/manifests/saas.3scale.net_systems.yaml @@ -139,18 +139,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -168,7 +168,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than 
@@ -196,18 +196,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -225,7 +225,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than @@ -656,6 +656,10 @@ spec: accessCode: description: AccessCode to protect admin urls properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -675,6 +679,29 @@ spec: value. type: string type: object + apicast: + description: Apicast can be used to pass down apicast endpoints + configuration + properties: + cloudHostedRegistryURL: + description: Policies registry URL for Apicast Cloud Hosteed + type: string + productionDomain: + description: Apicast Production endpoint + type: string + selfManagedRegistryURL: + description: Policies registry URL for Apicast Self Managed + (on-prem) + type: string + stagingDomain: + description: Apicast Staging endpoint + type: string + required: + - cloudHostedRegistryURL + - productionDomain + - selfManagedRegistryURL + - stagingDomain + type: object assets: description: Assets has configuration to access assets in AWS s3 @@ -682,6 +709,10 @@ spec: accessKey: description: AWS access key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -710,9 +741,16 @@ spec: region: description: AWS S3 region type: string + s3Endpoint: + description: Assets custom S3 endpoint + type: string secretKey: description: AWS secret access key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -748,6 +786,10 @@ spec: internalAPIPassword: description: Internal API password properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -770,6 +812,10 @@ spec: internalAPIUser: description: Internal API user properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -808,6 +854,10 @@ spec: apiKey: description: API key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -840,6 +890,10 @@ spec: databaseDSN: description: DSN of system's main database properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -860,8 +914,13 @@ spec: type: string type: object databaseSecret: - description: Database secret + description: DatabaseSecret is a site key stored off-database + for improved more secure password hashing See https://github.com/3scale/porta/blob/ae498814cef3d856613f60d29330882fa870271d/config/initializers/site_keys.rb#L2-L19 properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -882,8 +941,13 @@ spec: type: string type: object eventsSharedSecret: - description: EventsSharedSecret + description: EventsSharedSecret is a password that protects System's + event hooks endpoint. properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -931,6 +995,10 @@ spec: clientID: description: Client ID properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -953,6 +1021,10 @@ spec: clientSecret: description: Client secret properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -979,6 +1051,10 @@ spec: mappingServiceAccessToken: description: Mapping Service access token properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1028,6 +1104,10 @@ spec: privateKey: description: Private key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1050,6 +1130,10 @@ spec: publicKey: description: Public key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1079,6 +1163,10 @@ spec: clientID: description: Client ID properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -1101,6 +1189,10 @@ spec: clientSecret: description: Client secret properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1155,8 +1247,13 @@ spec: type: integer type: object secretKeyBase: - description: SecretKeyBase + description: 'SecretKeyBase: https://api.rubyonrails.org/classes/Rails/Application.html#method-i-secret_key_base + You can generate one random key using ''bundle exec rake secret''' properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1182,6 +1279,10 @@ spec: deletionToken: description: Deletion token properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1207,6 +1308,10 @@ spec: writeKey: description: Write key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1246,6 +1351,10 @@ spec: password: description: Password properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1278,6 +1387,10 @@ spec: user: description: User properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -1321,6 +1434,10 @@ spec: authToken: description: Zync authentication token properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -2234,18 +2351,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -2263,7 +2380,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than 
@@ -2291,18 +2408,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -2320,7 +2437,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than @@ -2864,18 +2981,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 
@@ -2893,7 +3010,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than @@ -2921,18 +3038,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -2950,7 +3067,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than 
@@ -3494,18 +3611,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -3523,7 +3640,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than @@ -3551,18 +3668,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 
@@ -3580,7 +3697,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than diff --git a/bundle/manifests/saas.3scale.net_zyncs.yaml b/bundle/manifests/saas.3scale.net_zyncs.yaml index 963c9ed2..0132d5b5 100644 --- a/bundle/manifests/saas.3scale.net_zyncs.yaml +++ b/bundle/manifests/saas.3scale.net_zyncs.yaml @@ -63,18 +63,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -92,7 +92,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than 
@@ -120,18 +120,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -149,7 +149,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than @@ -578,6 +578,10 @@ spec: apiKey: description: API key properties: + fromSeed: + description: FromSeed will try to retrieve the secret + value from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -606,6 +610,10 @@ spec: databaseDSN: description: A reference to the secret holding the database DSN properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -669,6 +677,10 @@ spec: secretKeyBase: description: A reference to the secret holding the secret-key-base properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault 
@@ -692,6 +704,10 @@ spec: description: A reference to the secret holding the zync authentication token properties: + fromSeed: + description: FromSeed will try to retrieve the secret value + from the default seed Secret. + type: object fromVault: description: FromVault is a reference to a secret key/value stored in a Hashicorp Vault @@ -1093,18 +1109,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -1122,7 +1138,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than 
@@ -1150,18 +1166,18 @@ spec: which must hold true for a specified past interval. properties: periodSeconds: - description: PeriodSeconds specifies the window + description: periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). format: int32 type: integer type: - description: Type is used to specify the scaling + description: type is used to specify the scaling policy. type: string value: - description: Value contains the amount of change + description: value contains the amount of change which is permitted by the policy. It must be greater than zero format: int32 @@ -1179,7 +1195,7 @@ spec: Max is used. type: string stabilizationWindowSeconds: - description: 'StabilizationWindowSeconds is the number + description: 'stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 5d8597be..77fadbff 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml @@ -4,8 +4,7 @@ annotations: operators.operatorframework.io.bundle.manifests.v1: manifests/ operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: saas-operator - operators.operatorframework.io.bundle.channels.v1: alpha,stable - operators.operatorframework.io.bundle.channel.default.v1: alpha + operators.operatorframework.io.bundle.channels.v1: alpha operators.operatorframework.io.metrics.builder: operator-sdk-v1.27.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 1914ad7c..e28b324e 100644 --- a/config/manager/kustomization.yaml 
+++ b/config/manager/kustomization.yaml @@ -13,4 +13,4 @@ kind: Kustomization images: - name: controller newName: quay.io/3scale/saas-operator - newTag: v0.23.0-alpha.4 + newTag: v0.23.0-alpha.9 diff --git a/hack/apply-kustomize.sh b/hack/apply-kustomize.sh index 2cc9ef80..97026180 100755 --- a/hack/apply-kustomize.sh +++ b/hack/apply-kustomize.sh @@ -1,6 +1,6 @@ #!/bin/bash -set -eux +set -eu function generate_resources() { local KPATH=${1} diff --git a/pkg/version/version.go b/pkg/version/version.go index 1859c156..08394576 100644 --- a/pkg/version/version.go +++ b/pkg/version/version.go @@ -1,7 +1,7 @@ package version const ( - version string = "v0.23.0-alpha.3" + version string = "v0.23.0-alpha.9" ) // Current returns the current marin3r operator version From cf4325bd48a113e537642dbd0738b5de57f4bf2b Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Mon, 6 May 2024 16:45:41 +0200 Subject: [PATCH 18/20] Clean hack/apply-kustomize.yaml --- hack/apply-kustomize.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/hack/apply-kustomize.sh b/hack/apply-kustomize.sh index 97026180..f8629536 100755 --- a/hack/apply-kustomize.sh +++ b/hack/apply-kustomize.sh @@ -33,7 +33,6 @@ function deploy_crds() { function wait_for() { local KIND=${1} - # local NS=${2} FILTER=".kind == \"${KIND}\"" if [[ $(resource_names ${RESFILE} "${FILTER}") != "/" ]]; then for ITEM in $(resource_names ${RESFILE} "${FILTER}"); do @@ -73,7 +72,6 @@ test -n "${BASE_PATH}" || (echo "BASE_PATH envvar must be set" && exit -1) KUSTOMIZE_OPTIONS="--enable-helm" NAME=${1} RESFILE=$(generate_resources ${BASE_PATH}/${NAME}) -# resource_names release.yaml ".kind == \"StatefulSet\"" deploy_crds ${RESFILE} deploy_controller ${RESFILE} deploy_custom_resources ${RESFILE} From 01bd15f373b3dea3b198a910fcf99b480bfdc656 Mon Sep 17 00:00:00 2001 
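Review bot: `set -eu` still lets a failure in the non-final command of a pipeline go unnoticed, because bash only checks the last command's status; since the shebang is `#!/bin/bash`, `set -euo pipefail` would make such failures fatal if any of the functions below pipe output. Dropping `-x` is the right move: xtrace echoes every expanded command line to stderr, so any secret material that ends up in a command argument (for example values derived from the seed inputs this series introduces) would otherwise be copied into whatever log captures the script's output. The remainder of the script, including whether any pipelines exist, lies outside the hunk.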
From: Roi Vazquez Date: Mon, 6 May 2024 16:46:53 +0200 Subject: [PATCH 19/20] Clean pkg/generators/seed/types.go --- pkg/generators/seed/types.go | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/pkg/generators/seed/types.go b/pkg/generators/seed/types.go index 4be9964c..bde62c94 100644 --- a/pkg/generators/seed/types.go +++ b/pkg/generators/seed/types.go @@ -15,7 +15,7 @@ const ( SystemDatabaseDsn SeedKey = "system-database-dsn" SystemRecaptchaPublicKey SeedKey = "system-recaptcha-public-key" SystemRecaptchaPrivateKey SeedKey = "system-recaptcha-private-key" - SystemEventsHookURL SeedKey = "system-events-url" // this shouldn't be a secret + SystemEventsHookURL SeedKey = "system-events-url" SystemEventsHookSharedSecret SeedKey = "system-events-shared-secret" SystemSmtpUser SeedKey = "system-smpt-user" SystemSmtpPassword SeedKey = "system-smpt-password" @@ -40,21 +40,3 @@ const ( ZyncAuthToken SeedKey = "zync-auth-token" ZyncBugsnagApiKey SeedKey = "zync-bugsnag-api-key" ) - -// TODO: use this to generate a Secret from some input params -// var AutoGen map[SeedKey]string = map[SeedKey]string{ -// BackendInternalApiUser: "user", -// BackendInternalApiPassword: "", -// SystemDatabaseDsn: "mysql2://app:@:3306/system_enterprise", -// SystemEventsHookURL: "https:///master/events/import", -// SystemEventsHookSharedSecret: "", -// SystemMasterAccessToken: "", -// SystemAssetsS3AwsAccessKey: "", -// SystemAssetsS3AwsSecretKey: "", -// SystemSecretKeyBase: "", -// SystemAccessCode: "", -// SystemDatabaseSecret: "", -// ZyncDatabaseUrl: "postgresql://app:@:5432/zync", -// ZyncSecretKeyBase: "", -// ZyncAuthToken: "", -// } From 4ee4541fc2041eb230972e939e17d2b51c6b309d Mon Sep 17 00:00:00 2001 From: Roi Vazquez Date: Mon, 6 May 2024 16:57:34 +0200 Subject: [PATCH 20/20] Update local-setup README --- config/local-setup/README.md | 48 ++++++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) 
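Review bot: Deleting the trailing `// this shouldn't be a secret` on `SystemEventsHookURL` removes the only record in this file that the key carries plain configuration rather than a credential, while the key itself presumably still lives in the seed Secret alongside the real secrets. If the URL is going to stay there, keeping that fact as a doc comment helps whoever audits the Secret's contents, e.g. `// SystemEventsHookURL is plain configuration, not a credential; it is stored in the seed Secret alongside the secret keys.` Separately, the unchanged context lines show `"system-smpt-user"` and `"system-smpt-password"` ("smpt" for "smtp"); since these literals are the keys of an existing Secret, fixing the spelling would need a compatible read of both names rather than a plain rename, which is out of scope for this cleanup.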
diff --git a/config/local-setup/README.md b/config/local-setup/README.md index e5d059be..747c5802 100644 --- a/config/local-setup/README.md +++ b/config/local-setup/README.md @@ -1,6 +1,6 @@ # Instructions -1. Create the file `config/local-setup/secrets/pull-secrets.json` with the registry auths required (for private repositories used). Example: +1. Create the file `config/local-setup/env-inputs/pull-secrets.json` with the registry auths required (for private repositories used). Example: ```json { @@ -15,7 +15,51 @@ } ``` -1. Issue the following commands +2. Create the file `config/local-setup/env-inputs/seed.env` with the following contents. Change the values to your heart's content: + +```bash +MYSQL_ROOT_PASSWORD=password +MYSQL_DATABASE=system_enterprise +MYSQL_USER=app +MYSQL_PASSWORD=password +POSTGRES_USER=app +POSTGRES_PASSWORD=password +POSTGRES_DB=zync +BACKEND_INTERNAL_API_USER=user +BACKEND_INTERNAL_API_PASSWORD=password +SYSTEM_MASTER_USER=admin +SYSTEM_MASTER_PASSWORD=master-pass +SYSTEM_MASTER_ACCESS_TOKEN=mtoken +SYSTEM_TENANT_USER=admin +SYSTEM_TENANT_PASSWORD=provider-pass +SYSTEM_TENANT_TOKEN=ptoken +SYSTEM_APICAST_TOKEN=atoken +SYSTEM_EVENTS_SHARED_SECRET=password +SYSTEM_ASSETS_S3_ACCESS_KEY=admin +SYSTEM_ASSETS_S3_SECRET_KEY=admin1234 +SYSTEM_SECRET_KEY_BASE=xxxxx +SYSTEM_DATABASE_SECRET=xxxxx +SYSTEM_SMTP_USER="" +SYSTEM_SMTP_PASSWORD="" +SYSTEM_ACCESS_CODE="" +SYSTEM_SEGMENT_DELETION_TOKEN="" +SYSTEM_SEGMENT_WRITE_KEY="" +SYSTEM_GITHUB_CLIENT_ID="" +SYSTEM_GITHUB_CLIENT_SECRET="" +SYSTEM_RH_CUSTOMER_PORTAL_CLIENT_ID="" +SYSTEM_RH_CUSTOMER_PORTAL_CLIENT_SECRET="" +SYSTEM_BUGSNAG_API_KEY="" +SYSTEM_RECAPTCHA_PUBLIC_KEY="" +SYSTEM_RECAPTCHA_PRIVATE_KEY="" +ZYNC_SECRET_KEY_BASE=xxxxx +ZYNC_AUTH_TOKEN=ztoken +ZYNC_BUGSNAG_API_KEY="" +``` + +3. You can tweak configurations in `config/local-setup/env-inputs/configuration.yaml`. + + +4. Issue the following commands ```bash make kind-create