messaging config from file

nasark · Jan 21, 2024 · da480ea · da480ea
1 parent 7a02ef9
commit da480ea
Show file tree

Hide file tree

Showing 4 changed files with 146 additions and 53 deletions.
diff --git a/images/manageiq-base/container-assets/container_env b/images/manageiq-base/container-assets/container_env
@@ -46,4 +46,35 @@ cat > ${APP_ROOT}/certs/v2_key << KEY
 :key: ${encryption_key}
 KEY
 
+
+[[ -f /run/secrets/messaging/MESSAGING_HOSTNAME ]] && messaging_hostname_file=$(cat /run/secrets/messaging/MESSAGING_HOSTNAME)
+[[ -f /run/secrets/messaging/MESSAGING_USERNAME ]] && messaging_username_file=$(cat /run/secrets/messaging/MESSAGING_USERNAME)
+[[ -f /run/secrets/messaging/MESSAGING_PASSWORD ]] && messaging_password_file=$(cat /run/secrets/messaging/MESSAGING_PASSWORD)
+[[ -f /run/secrets/messaging/MESSAGING_PORT ]] && messaging_port_file=$(cat /run/secrets/messaging/MESSAGING_PORT)
+[[ -f /run/secrets/messaging/MESSAGING_SASL_MECHANISM ]] && messaging_sasl_mechanism_file=$(cat /run/secrets/messaging/MESSAGING_SASL_MECHANISM)
+[[ -f /etc/pki/ca-trust/source/anchors/root.crt ]] && messaging_ca_path=/etc/pki/ca-trust/source/anchors/root.crt
+messaging_hostname=${MESSAGING_HOSTNAME:-$messaging_hostname_file}
+messaging_hostname=${messaging_hostname:-localhost}
+messaging_username=${MESSAGING_USERNAME:-$messaging_username_file}
+messaging_password=${MESSAGING_PASSWORD:-$messaging_password_file}
+messaging_port=${MESSAGING_PORT:-$messaging_port_file}
+messaging_port=${messaging_port:-9093}
+messaging_sasl_mechanism=${MESSAGING_SASL_MECHANISM:-$messaging_sasl_mechanism_file}
+messaging_ca_path=${messaging_ca_path:-/etc/pki/ca-trust/source/anchors/ca.crt}
+
+echo "== Writing messaging config =="
+cat > ${APP_ROOT}/config/messaging.yml << KEY
+---
+production:
+  host: ${messaging_hostname}
+  port: ${messaging_port}
+  protocol: Kafka
+  encoding: json
+  username: ${messaging_username}
+  password: ${messaging_password}
+  sasl_mechanism: ${messaging_sasl_mechanism}
+  ssl: true
+  ca_file: ${messaging_ca_path}
+KEY
+
 echo "${GUID}" > ${APP_ROOT}/GUID
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/kafka/kafka.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/kafka/kafka.go
@@ -13,12 +13,16 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/util/retry"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 	"strconv"
 )
 
+var logger = log.Log.WithName("controller_manageiq")
+
 func KafkaCASecret(cr *miqv1alpha1.ManageIQ, client client.Client, scheme *runtime.Scheme, secretType string) (*corev1.Secret, controllerutil.MutateFn) {
 	caSecret := miqtool.InternalCertificatesSecret(cr, client)
 	secret := &corev1.Secret{}
@@ -173,6 +177,49 @@ func renewKafkaCASecret(cr *miqv1alpha1.ManageIQ, client client.Client, scheme *
 	return nil
 }
 
+func MessagingEnvSecret(cr *miqv1alpha1.ManageIQ, client client.Client, scheme *runtime.Scheme) (*corev1.Secret, controllerutil.MutateFn) {
+	secretData := make(map[string]string)
+
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "messaging-env-secret",
+			Namespace: cr.Namespace,
+		},
+		StringData: secretData,
+	}
+
+	f := func() error {
+		if err := controllerutil.SetControllerReference(cr, secret, scheme); err != nil {
+			return err
+		}
+		secretKey := types.NamespacedName{Namespace: cr.ObjectMeta.Namespace, Name: cr.Spec.AppName + "-user"}
+		kafkaUser := &corev1.Secret{}
+		secretErr := client.Get(context.TODO(), secretKey, kafkaUser)
+		if secretErr != nil {
+			return secretErr
+		}
+
+		miqtool.AddLabels(map[string]string{"app": "manageiq"}, &secret.ObjectMeta)
+
+		logger.Info("KAFKA USER", "result", kafkaUser.Data)
+
+		if kafkaUser.Data["password"] != nil {
+			secret.Data = map[string][]byte{"password": kafkaUser.Data["password"]}
+		}
+
+		secretData["hostname"] = cr.Spec.AppName + "-kafka-bootstrap"
+		secretData["username"] = cr.Spec.AppName + "-user"
+		secretData["port"] = "9093"
+		secretData["sasl_mechanism"] = "SCRAM-SHA-512"
+
+		secret.StringData = secretData
+
+		return nil
+	}
+
+	return secret, f
+}
+
 func KafkaClusterSpec() map[string]interface{} {
 	return map[string]interface{}{
 		"kafka": map[string]interface{}{

diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/orchestrator.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/orchestrator.go
@@ -12,10 +12,13 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 	"strconv"
 	"strings"
 )
 
+var logger = log.Log.WithName("controller_manageiq")
+
 func OrchestratorServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ServiceAccount, controllerutil.MutateFn) {
 	sa := &corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
@@ -111,49 +114,49 @@ func orchestratorObjectName(cr *miqv1alpha1.ManageIQ) string {
 	return cr.Spec.AppName + "-orchestrator"
 }
 
-func addMessagingEnv(cr *miqv1alpha1.ManageIQ, c *corev1.Container, client client.Client) {
-	if !*cr.Spec.DeployMessagingService {
-		return
-	}
-
-	messagingEnv := []corev1.EnvVar{
-		corev1.EnvVar{
-			Name:  "MESSAGING_HOSTNAME",
-			Value: cr.Spec.AppName + "-kafka-bootstrap",
-		},
-		corev1.EnvVar{
-			Name: "MESSAGING_PASSWORD",
-			ValueFrom: &corev1.EnvVarSource{
-				SecretKeyRef: &corev1.SecretKeySelector{
-					LocalObjectReference: corev1.LocalObjectReference{Name: cr.Spec.AppName + "-user"},
-					Key:                  "password",
-				},
-			},
-		},
-		corev1.EnvVar{
-			Name:  "MESSAGING_PORT",
-			Value: "9093",
-		},
-		corev1.EnvVar{
-			Name:  "MESSAGING_TYPE",
-			Value: "kafka",
-		},
-		corev1.EnvVar{
-			Name:  "MESSAGING_USERNAME",
-			Value: cr.Spec.AppName + "-user",
-		},
-		corev1.EnvVar{
-			Name:  "MESSAGING_SASL_MECHANISM",
-			Value: "SCRAM-SHA-512",
-		},
-	}
-
-	for _, env := range messagingEnv {
-		c.Env = append(c.Env, env)
-	}
-
-	return
-}
+// func addMessagingEnv(cr *miqv1alpha1.ManageIQ, c *corev1.Container, client client.Client) {
+// 	if !*cr.Spec.DeployMessagingService {
+// 		return
+// 	}
+
+// 	messagingEnv := []corev1.EnvVar{
+// 		corev1.EnvVar{
+// 			Name:  "MESSAGING_HOSTNAME",
+// 			Value: cr.Spec.AppName + "-kafka-bootstrap",
+// 		},
+// 		corev1.EnvVar{
+// 			Name: "MESSAGING_PASSWORD",
+// 			ValueFrom: &corev1.EnvVarSource{
+// 				SecretKeyRef: &corev1.SecretKeySelector{
+// 					LocalObjectReference: corev1.LocalObjectReference{Name: cr.Spec.AppName + "-user"},
+// 					Key:                  "password",
+// 				},
+// 			},
+// 		},
+// 		corev1.EnvVar{
+// 			Name:  "MESSAGING_PORT",
+// 			Value: "9093",
+// 		},
+// 		corev1.EnvVar{
+// 			Name:  "MESSAGING_TYPE",
+// 			Value: "kafka",
+// 		},
+// 		corev1.EnvVar{
+// 			Name:  "MESSAGING_USERNAME",
+// 			Value: cr.Spec.AppName + "-user",
+// 		},
+// 		corev1.EnvVar{
+// 			Name:  "MESSAGING_SASL_MECHANISM",
+// 			Value: "SCRAM-SHA-512",
+// 		},
+// 	}
+
+// 	for _, env := range messagingEnv {
+// 		c.Env = append(c.Env, env)
+// 	}
+
+// 	return
+// }
 
 func addPostgresConfig(cr *miqv1alpha1.ManageIQ, d *appsv1.Deployment, client client.Client) {
 	d.Spec.Template.Spec.Containers[0].Env = addOrUpdateEnvVar(d.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{Name: "DATABASE_REGION", Value: cr.Spec.DatabaseRegion})
@@ -239,7 +242,6 @@ func OrchestratorDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, cl
 		},
 	}
 
-	addMessagingEnv(cr, &container, client)
 	err = addResourceReqs(cr.Spec.OrchestratorMemoryLimit, cr.Spec.OrchestratorMemoryRequest, cr.Spec.OrchestratorCpuLimit, cr.Spec.OrchestratorCpuRequest, &container)
 	if err != nil {
 		return nil, nil, err
@@ -299,15 +301,6 @@ func OrchestratorDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, cl
 			deployment.Spec.Template.Spec.Containers[0].Env = addOrUpdateEnvVar(deployment.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{Name: "UI_SSL_SECRET_NAME", Value: cr.Spec.InternalCertificatesSecret})
 		}
 
-		messagingCAPath := ""
-		if certSecret := InternalCertificatesSecret(cr, client); certSecret.Data["root_crt"] != nil && certSecret.Data["root_key"] != nil {
-			messagingCAPath = "/etc/pki/ca-trust/source/anchors/root.crt"
-		} else {
-			messagingCAPath = "/etc/pki/ca-trust/source/anchors/ca.crt"
-		}
-
-		deployment.Spec.Template.Spec.Containers[0].Env = addOrUpdateEnvVar(deployment.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{Name: "MESSAGING_SSL_CA", Value: messagingCAPath})
-
 		volumeMount := corev1.VolumeMount{Name: "encryption-key", MountPath: "/run/secrets/manageiq/application", ReadOnly: true}
 		deployment.Spec.Template.Spec.Containers[0].VolumeMounts = addOrUpdateVolumeMount(deployment.Spec.Template.Spec.Containers[0].VolumeMounts, volumeMount)
 
@@ -326,6 +319,21 @@ func OrchestratorDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, cl
 		}}
 		deployment.Spec.Template.Spec.Volumes = addOrUpdateVolume(deployment.Spec.Template.Spec.Volumes, corev1.Volume{Name: "database-secret", VolumeSource: corev1.VolumeSource{Secret: &databaseSecretVolumeSource}})
 
+		messagingVolumeMount := corev1.VolumeMount{Name: "messaging-env-secret", MountPath: "/run/secrets/messaging", ReadOnly: true}
+		deployment.Spec.Template.Spec.Containers[0].VolumeMounts = addOrUpdateVolumeMount(deployment.Spec.Template.Spec.Containers[0].VolumeMounts, messagingVolumeMount)
+
+		envSecret := miqutilsv1alpha1.FindSecretByName(client, cr.Namespace, "messaging-env-secret")
+		logger.Info("ENV SECRET", "result", envSecret)
+
+		messagingSecretVolumeSource := corev1.SecretVolumeSource{SecretName: "messaging-env-secret", Items: []corev1.KeyToPath{
+			corev1.KeyToPath{Key: "hostname", Path: "MESSAGING_HOSTNAME"},
+			corev1.KeyToPath{Key: "username", Path: "MESSAGING_USERNAME"},
+			corev1.KeyToPath{Key: "password", Path: "MESSAGING_PASSWORD"},
+			corev1.KeyToPath{Key: "port", Path: "MESSAGING_PORT"},
+			corev1.KeyToPath{Key: "sasl_mechanism", Path: "MESSAGING_SASL_MECHANISM"},
+		}}
+		deployment.Spec.Template.Spec.Volumes = addOrUpdateVolume(deployment.Spec.Template.Spec.Volumes, corev1.Volume{Name: "messaging-env-secret", VolumeSource: corev1.VolumeSource{Secret: &messagingSecretVolumeSource}})
+
 		miqutilsv1alpha1.SetDeploymentNodeAffinity(deployment, client)
 
 		return nil

diff --git a/manageiq-operator/internal/controller/manageiq_controller.go b/manageiq-operator/internal/controller/manageiq_controller.go
@@ -582,6 +582,13 @@ func (r *ManageIQReconciler) generateKafkaResources(cr *miqv1alpha1.ManageIQ) er
 		}
 	}
 
+	secret, mutateFunc := miqkafka.MessagingEnvSecret(cr, r.Client, r.Scheme)
+	if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.Client, secret, mutateFunc); err != nil {
+		return err
+	} else if result != controllerutil.OperationResultNone {
+		logger.Info("Secret has been reconciled", "component", "kafka", "result", result)
+	}
+
 	return nil
 }