From cd4ac9971bf41efae88718c75b29fde5466b67c2 Mon Sep 17 00:00:00 2001 From: desmax74 Date: Thu, 17 Mar 2022 23:37:34 +0100 Subject: [PATCH 1/2] [KIECLOUD-570] Hide adminPassword from Business automation operator kieapp instance Signed-off-by: desmax74 --- deploy/crds/kieapp.crd.yaml | 11 ++ deploy/crs/v2/snippets/auth_secret.yaml | 15 +++ .../dev/7.13.0-1/manifests/kieapp.crd.yaml | 11 ++ .../prod/7.13.0-1/manifests/kieapp.crd.yaml | 11 ++ .../test/7.13.0-1/manifests/kieapp.crd.yaml | 11 ++ deploy/ui/form.json | 63 ++++++++-- pkg/apis/app/v2/kieapp_types.go | 2 + pkg/controller/kieapp/constants/constants.go | 4 + pkg/controller/kieapp/defaults/defaults.go | 92 +++++++++++++- .../kieapp/defaults/defaults_test.go | 117 +++++++++++++++++- pkg/controller/kieapp/kieapp_controller.go | 3 + rhpam-config/7.13.0/common.yaml | 60 ++++++++- .../rhpam-standalone-dashbuilder.yaml | 14 +++ 13 files changed, 396 insertions(+), 18 deletions(-) create mode 100644 deploy/crs/v2/snippets/auth_secret.yaml diff --git a/deploy/crds/kieapp.crd.yaml b/deploy/crds/kieapp.crd.yaml index 820d3842f..a35136a33 100644 --- a/deploy/crds/kieapp.crd.yaml +++ b/deploy/crds/kieapp.crd.yaml @@ -346,6 +346,11 @@ spec: description: The password to use for keystore generation. format: password type: string + secretAdminCredentials: + description: Name of the secret containing admin's credentials, + the keys are username and password, if the adminUser and adminPassword + are provided the secretAdminCredentials will be skipped + type: string startupStrategy: description: Startup strategy for Console and Kieserver properties: 
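Review bot: The description states the secret is skipped when `adminUser` and `adminPassword` are provided, but nothing in this series implements that precedence: the templates in `rhpam-config/7.13.0/common.yaml` and the dashbuilder template branch only on `.SecretAdminCredentials`, and the second commit calls `checkAndCreateAdminSecret` whenever the secret name is set. The new test `TestCredentialWithCredentialSecretAndCredentialsUseAsDefault` shows the actual behaviour: with all three fields set it expects the plain values of `KIE_ADMIN_USER`/`KIE_ADMIN_PWD` to be empty, i.e. the secret path is rendered. Either implement the documented precedence in `GetEnvironment` or reword the description to match the code, e.g. `description: Name of the secret holding the admin credentials under the keys username and password; when set, it is used instead of adminUser and adminPassword`. The same sentence is repeated in the three `olm-catalog` copies of the CRD and in the Go comment on `CommonConfig.SecretAdminCredentials` in `kieapp_types.go`, so keep them in step.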
@@ -3221,6 +3226,12 @@ spec: description: The password to use for keystore generation. format: password type: string + secretAdminCredentials: + description: Name of the secret containing admin's credentials, + the keys are username and password, if the adminUser and + adminPassword are provided the secretAdminCredentials will + be skipped + type: string startupStrategy: description: Startup strategy for Console and Kieserver properties: diff --git a/deploy/crs/v2/snippets/auth_secret.yaml b/deploy/crs/v2/snippets/auth_secret.yaml new file mode 100644 index 000000000..2233e7037 --- /dev/null +++ b/deploy/crs/v2/snippets/auth_secret.yaml @@ -0,0 +1,15 @@ +apiVersion: app.kiegroup.org/v2 +kind: KieApp +metadata: + name: rhapm-secret + annotations: + consoleName: snippet-secret-credentials-config + consoleTitle: Use secret credentials + consoleDesc: Use this snippet to specify admin credentials with a secret + consoleSnippet: true +spec: + commonConfig: + # By default is the cr.Name + applicationName: other + # Secret containing username and password keys + secretAdminCredentials: kie-admin-credentials diff --git a/deploy/olm-catalog/dev/7.13.0-1/manifests/kieapp.crd.yaml b/deploy/olm-catalog/dev/7.13.0-1/manifests/kieapp.crd.yaml index 820d3842f..a35136a33 100644 --- a/deploy/olm-catalog/dev/7.13.0-1/manifests/kieapp.crd.yaml +++ b/deploy/olm-catalog/dev/7.13.0-1/manifests/kieapp.crd.yaml @@ -346,6 +346,11 @@ spec: description: The password to use for keystore generation. format: password type: string + secretAdminCredentials: + description: Name of the secret containing admin's credentials, + the keys are username and password, if the adminUser and adminPassword + are provided the secretAdminCredentials will be skipped + type: string startupStrategy: description: Startup strategy for Console and Kieserver properties: 
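Review bot: The snippet's `metadata.name` is `rhapm-secret`, which reads like a transposition of `rhpam`; the other snippets are not in view, so confirm against their naming. The comment above `secretAdminCredentials` should also state what the operator requires of that secret — an Opaque secret in the KieApp's namespace carrying the keys `username` and `password` — because in this series a missing or key-less secret is only logged by `GetEnvironment`, not surfaced on the CR; e.g. `# Existing Opaque secret in this namespace with the keys username and password`.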
@@ -3221,6 +3226,12 @@ spec: description: The password to use for keystore generation. format: password type: string + secretAdminCredentials: + description: Name of the secret containing admin's credentials, + the keys are username and password, if the adminUser and + adminPassword are provided the secretAdminCredentials will + be skipped + type: string startupStrategy: description: Startup strategy for Console and Kieserver properties: diff --git a/deploy/olm-catalog/prod/7.13.0-1/manifests/kieapp.crd.yaml b/deploy/olm-catalog/prod/7.13.0-1/manifests/kieapp.crd.yaml index 820d3842f..a35136a33 100644 --- a/deploy/olm-catalog/prod/7.13.0-1/manifests/kieapp.crd.yaml +++ b/deploy/olm-catalog/prod/7.13.0-1/manifests/kieapp.crd.yaml @@ -346,6 +346,11 @@ spec: description: The password to use for keystore generation. format: password type: string + secretAdminCredentials: + description: Name of the secret containing admin's credentials, + the keys are username and password, if the adminUser and adminPassword + are provided the secretAdminCredentials will be skipped + type: string startupStrategy: description: Startup strategy for Console and Kieserver properties: @@ -3221,6 +3226,12 @@ spec: description: The password to use for keystore generation. format: password type: string + secretAdminCredentials: + description: Name of the secret containing admin's credentials, + the keys are username and password, if the adminUser and + adminPassword are provided the secretAdminCredentials will + be skipped + type: string startupStrategy: description: Startup strategy for Console and Kieserver properties: diff --git a/deploy/olm-catalog/test/7.13.0-1/manifests/kieapp.crd.yaml b/deploy/olm-catalog/test/7.13.0-1/manifests/kieapp.crd.yaml index 820d3842f..a35136a33 100644 --- a/deploy/olm-catalog/test/7.13.0-1/manifests/kieapp.crd.yaml +++ b/deploy/olm-catalog/test/7.13.0-1/manifests/kieapp.crd.yaml 
@@ -346,6 +346,11 @@ spec: description: The password to use for keystore generation. format: password type: string + secretAdminCredentials: + description: Name of the secret containing admin's credentials, + the keys are username and password, if the adminUser and adminPassword + are provided the secretAdminCredentials will be skipped + type: string startupStrategy: description: Startup strategy for Console and Kieserver properties: @@ -3221,6 +3226,12 @@ spec: description: The password to use for keystore generation. format: password type: string + secretAdminCredentials: + description: Name of the secret containing admin's credentials, + the keys are username and password, if the adminUser and + adminPassword are provided the secretAdminCredentials will + be skipped + type: string startupStrategy: description: Startup strategy for Console and Kieserver properties: diff --git a/deploy/ui/form.json b/deploy/ui/form.json index 99acfd087..7fe4e5b65 100644 --- a/deploy/ui/form.json +++ b/deploy/ui/form.json 
@@ -107,26 +107,63 @@ ] }, { - "label": "Admin user", - "type": "fieldGroup", + "label": "Admin user configuration", + "type": "dropDown", "required": false, - "jsonPath": "$.spec.commonConfig", "visible": true, + "default": "default", + "options": [ + { + "value": "secret", + "label": "Secret configuration" + }, + { + "value": "default", + "label": "Username and Password configuration" + } + ], "fields": [ { - "label": "Username", - "default": "adminUser", + "label": "Username and password", + "type": "fieldGroup", "required": false, - "description": "Administrative username for RHPAM components", - "jsonPath": "$.spec.commonConfig.adminUser", - "type": "text" + "jsonPath": "$.spec.commonConfig", + "displayWhen": "default", + "visible": true, + "fields": [ + { + "label": "Username", + "default": "adminUser", + "required": false, + "description": "Administrative username for RHPAM components", + "jsonPath": "$.spec.commonConfig.adminUser", + "type": "text" + }, + { + "label": "Password", + "required": false, + "description": "Administrative password to use instead of generating default value", + "jsonPath": "$.spec.commonConfig.adminPassword", + "type": "password" + } + ] }, { - "label": "Password", + "label": "OpenShift admin credentials secret", + "type": "fieldGroup", "required": false, - "description": "Administrative password to use instead of generating default value", - "jsonPath": "$.spec.commonConfig.adminPassword", - "type": "password" + "jsonPath": "$.spec.commonConfig.secretAdminCredentials", + "displayWhen": "secret", + "visible": false, + "fields": [ + { + "label": "Secret configuration to use for Admin credentials", + "required": false, + "description": "If the secret is not present, kie-admin-credentials secret name will be used, if missing one with default username and generated password will be created", + "jsonPath": "$.spec.commonConfig.secretAdminCredentials", + "type": "text" + } + ] } ] }, 
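Review bot: The `OpenShift admin credentials secret` field group carries `"jsonPath": "$.spec.commonConfig.secretAdminCredentials"` on the group itself while its only child uses the same path; the sibling `Username and password` group points at the parent object `$.spec.commonConfig`, so the group path should presumably be `"jsonPath": "$.spec.commonConfig"` — confirm against how the console resolves nested field groups. The child's description also promises that a missing secret falls back to the `kie-admin-credentials` name, but the templates render whatever name the user typed, and `checkAndCreateAdminSecret` creates `kie-admin-credentials` regardless of that name, so the promise does not hold when a different name is entered. Reduce the description to what is guaranteed, e.g. `"description": "Name of an existing secret in this namespace with username and password keys"`.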
@@ -1739,7 +1776,7 @@ "label": "Max Number of Session", "type": "integer", "required": false, - "jsonPath": "$.spec.objects.servers[*].MDBMaxSession", + "jsonPath": "$.spec.objects.servers[*].kieExecutorMDBMaxSession", "originalJsonPath": "$.spec.objects.servers[*].kieExecutorMDBMaxSession", "description": "Number of max session used by the JMS Executor, it must be lower than the value of max-pool-size passed as jboss.mdb.strict.max.pool.size, if leaved empty the max.pool.size will be set to 60." } diff --git a/pkg/apis/app/v2/kieapp_types.go b/pkg/apis/app/v2/kieapp_types.go index e1f82bac3..605d95320 100644 --- a/pkg/apis/app/v2/kieapp_types.go +++ b/pkg/apis/app/v2/kieapp_types.go @@ -945,6 +945,8 @@ type CommonConfig struct { DisableSsl bool `json:"disableSsl,omitempty"` // Startup strategy for Console and Kieserver StartupStrategy *StartupStrategy `json:"startupStrategy,omitempty"` + // Name of the secret containing admin's credentials, the keys are username and password, if the adminUser and adminPassword are provided the secretAdminCredentials will be skipped + SecretAdminCredentials string `json:"secretAdminCredentials,omitempty"` } // VersionConfigs ... diff --git a/pkg/controller/kieapp/constants/constants.go b/pkg/controller/kieapp/constants/constants.go index 7a7669279..84ff1f3a4 100644 --- a/pkg/controller/kieapp/constants/constants.go +++ b/pkg/controller/kieapp/constants/constants.go @@ -291,6 +291,10 @@ const ( SUBCOMPONENT_TYPE_INFRA = "infrastructure" DefaultDatagridUsername = "infinispan" + + KIE_ADMIN_CREDENTIALS_SECRET = "kie-admin-credentials" + USERNAME_ADMIN_SECRET_KEY = "username" + PASSWORD_ADMIN_SECRET_KEY = "password" ) var OseCli4ImageURL = ImageRegistry + "/openshift4/ose-cli:" + highestOcpVersion(Ocp4Versions) diff --git a/pkg/controller/kieapp/defaults/defaults.go b/pkg/controller/kieapp/defaults/defaults.go index e1d5a7bcf..ff87a487e 100644 --- a/pkg/controller/kieapp/defaults/defaults.go 
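Review bot: The three new constants `KIE_ADMIN_CREDENTIALS_SECRET`, `USERNAME_ADMIN_SECRET_KEY` and `PASSWORD_ADMIN_SECRET_KEY` use SCREAMING_SNAKE_CASE, which is not Go style and differs from the neighbouring `DefaultDatagridUsername` in the same const block (the block already mixes styles, see `SUBCOMPONENT_TYPE_INFRA`, so this is a judgement call). Since the names are new, prefer `KieAdminCredentialsSecret`, `AdminSecretUsernameKey` and `AdminSecretPasswordKey`, and give each a doc comment tying it to the CRD field, e.g. `// KieAdminCredentialsSecret is the default name of the Secret holding the admin username and password.` The key names are also hard-coded as `username`/`password` in the YAML templates of this series, so a comment noting that the two must stay in sync would help the next maintainer.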
+++ b/pkg/controller/kieapp/defaults/defaults.go
@@ -5,6 +5,7 @@ package defaults
 import (
 "bytes"
 "context"
+ "errors"
 "fmt"
 "os"
 "strconv"
@@ -61,6 +62,23 @@ func GetEnvironment(cr *api.KieApp, service kubernetes.PlatformService) (api.Env
 cr.Spec.Version = ""
 }
 
+ // if the secret is the only credential present
+ if len(cr.Spec.CommonConfig.SecretAdminCredentials) > 0 && len(cr.Spec.CommonConfig.AdminUser) == 0 && len(cr.Spec.CommonConfig.AdminPassword) == 0 {
+ errSecret, _, _ := checkAndCreateAdminSecret(service, cr)
+ if errSecret != nil {
+ log.Error("Can't create Admin Secret. ", errSecret)
+ }
+ }
+
+ //in case of missing secretAdmin we use the AdminUsername AdminPassword and if missing we set the defaults
+ if len(cr.Spec.CommonConfig.SecretAdminCredentials) == 0 && len(cr.Spec.CommonConfig.AdminPassword) == 0 {
+ password := constants.DefaultPassword
+ if !isTrial(cr) {
+ password = string(shared.GeneratePassword(8))
+ }
+ cr.Spec.CommonConfig.AdminPassword = password
+ }
+
 envTemplate, err := getEnvTemplate(cr)
 if err != nil {
 return api.Environment{}, err
@@ -1200,7 +1218,6 @@ func getDefaultQueue(append bool, defaultJmsQueue string, jmsQueue string) strin
 func setPasswords(spec *api.KieAppSpec, isTrialEnv bool) {
 passwords := []*string{
 &spec.CommonConfig.KeyStorePassword,
- &spec.CommonConfig.AdminPassword,
 &spec.CommonConfig.DBPassword,
 &spec.CommonConfig.AMQPassword,
 &spec.CommonConfig.AMQClusterPassword,
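Review bot: In the `GetEnvironment` hunk an error from `checkAndCreateAdminSecret` is only logged and rendering continues, so the templates are still produced with `secretKeyRef`s to a secret that may not exist or that lacks the `username`/`password` keys, and the pods fail later with a far less useful message; the function already returns `(api.Environment, error)`, so propagate it: `if errSecret != nil { return api.Environment{}, fmt.Errorf("admin credentials secret: %w", errSecret) }`. `checkAndCreateAdminSecret` also logs its own create failure before returning it, so the same error would currently be logged twice; handle it at one layer. The two discarded results are fine to drop because the templates read the values from the secret, but say so: `// the username and password are not needed here: the templates read them from the secret`. `GetEnvironment` itself starts before this hunk.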
@@ -2119,3 +2136,76 @@ func getRouteHostname(obj interface{}) (host string) {
 }
 return host
 }
+
+func checkAndCreateAdminSecret(service kubernetes.PlatformService, cr *api.KieApp) (error, string, string) {
+ secretName := cr.Spec.CommonConfig.SecretAdminCredentials
+ namespace := cr.Namespace
+ environment := cr.Spec.Environment
+ /* The default secret will be like this
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: kie-admin-credentials
+ type: Opaque
+ data:
+ //adminUser
+ username: YWRtaW4=
+ //RedHat
+ password: UmVkSGF0
+ */
+
+ providedSecret, err := getSecret(service, namespace, secretName)
+
+ // The secret passed by the user doesn't exist we create one with default values, except for the trial env
+ if err != nil {
+ username := constants.DefaultAdminUser
+ password := constants.DefaultPassword
+ if !strings.HasSuffix(string(environment), constants.TrialEnvSuffix) {
+ password = string(shared.GeneratePassword(8))
+ }
+
+ err := createSecret(service, namespace, constants.KIE_ADMIN_CREDENTIALS_SECRET, username, password, cr)
+ if err != nil {
+ log.Error("Can't create Admin Secret. 
", err)
+ return errors.New("Isn't possible to create a secret with default values"), "", ""
+ } else {
+ return nil, username, password
+ }
+ } else {
+ // the customer secret exists and we read the keys to see if is correct
+ username := providedSecret.StringData[constants.USERNAME_ADMIN_SECRET_KEY]
+ password := providedSecret.StringData[constants.PASSWORD_ADMIN_SECRET_KEY]
+ if len(username) > 0 && len(password) > 0 {
+ log.Info("Found " + secretName + " secret")
+ } else {
+ return errors.New("Found" + secretName + " but lack username or password "), "", ""
+ }
+ return nil, username, password
+ }
+}
+
+func createSecret(service kubernetes.PlatformService, namespace string, secretName string, username string, password string, cr *api.KieApp) error {
+ secret := corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: secretName,
+ Namespace: namespace,
+ OwnerReferences: cr.GetOwnerReferences(),
+ },
+ Type: "Opaque",
+ StringData: map[string]string{
+ constants.USERNAME_ADMIN_SECRET_KEY: username,
+ constants.PASSWORD_ADMIN_SECRET_KEY: password,
+ },
+ }
+ err := service.Create(context.TODO(), &secret)
+ return err
+}
+
+func getSecret(service kubernetes.PlatformService, namespace string, secretName string) (corev1.Secret, error) {
+ found := corev1.Secret{}
+ err := service.Get(context.TODO(), types.NamespacedName{
+ Name: secretName,
+ Namespace: namespace,
+ }, &found)
+ return found, err
+}
diff --git a/pkg/controller/kieapp/defaults/defaults_test.go b/pkg/controller/kieapp/defaults/defaults_test.go
index 4207e08d3..b3637ac8c 100644
--- a/pkg/controller/kieapp/defaults/defaults_test.go
+++ b/pkg/controller/kieapp/defaults/defaults_test.go
@@ -21,6 +21,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/intstr"
 clientv1 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/client/fake"
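Review bot: `checkAndCreateAdminSecret` reads the user's secret through `providedSecret.StringData`, but a Secret returned by the API server carries its contents only in `Data` (`StringData` is a write-only convenience field), so on a real cluster every pre-existing secret is reported as lacking `username` or `password`; the fake client used by the tests stores the object verbatim, which is why they pass. In the same branch any `Get` error, not only not-found, is treated as "secret missing" and triggers creation, and the created secret is named `constants.KIE_ADMIN_CREDENTIALS_SECRET` while the templates render `[[.SecretAdminCredentials]]`, so a user who names a secret that does not yet exist gets pods referencing a name that is never created. The rewrite below checks `apierrors.IsNotFound` (import `k8s.io/apimachinery/pkg/api/errors` as `apierrors`, since this patch also adds the stdlib `errors`), creates under `secretName`, and reads `Data`; the tests at the end of `defaults_test.go` that read `StringData` need to follow. The `(error, string, string)` result order is kept so the caller is untouched, but it trips `go vet`/staticcheck ST1008 and should become `(string, string, error)` in a follow-up, and the message `"Found" + secretName` lacks a space.
```go
	providedSecret, err := getSecret(service, namespace, secretName)
	if err != nil {
		// only a missing secret is replaced; any other read error is reported
		if !apierrors.IsNotFound(err) {
			return fmt.Errorf("reading admin secret %s/%s: %w", namespace, secretName, err), "", ""
		}
		// … unchanged: default username and (non-trial) generated password …
		// create under the name the templates reference, not the constant
		if err := createSecret(service, namespace, secretName, username, password, cr); err != nil {
			return fmt.Errorf("creating admin secret %s/%s: %w", namespace, secretName, err), "", ""
		}
		return nil, username, password
	}
	// a Secret read back from the API server carries its contents in Data; StringData is write-only
	username := string(providedSecret.Data[constants.USERNAME_ADMIN_SECRET_KEY])
	password := string(providedSecret.Data[constants.PASSWORD_ADMIN_SECRET_KEY])
	if username == "" || password == "" {
		return fmt.Errorf("secret %s/%s lacks the %s or %s key", namespace, secretName,
			constants.USERNAME_ADMIN_SECRET_KEY, constants.PASSWORD_ADMIN_SECRET_KEY), "", ""
	}
	log.Info("Found " + secretName + " secret")
	return nil, username, password
```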
@@ -3231,7 +3232,7 @@ func TestPartialTemplateConfig(t *testing.T) {
 assert.Equal(t, cr.Spec.CommonConfig.AdminPassword, adminPassword, "Expected provided password to take effect, but found %v", adminPassword)
 assert.Equal(t, cr.Spec.CommonConfig.AdminPassword, cr.Status.Applied.CommonConfig.AdminPassword)
 mavenPassword := getEnvVariable(env.Servers[0].DeploymentConfigs[0].Spec.Template.Spec.Containers[0], "RHDMCENTR_MAVEN_REPO_PASSWORD")
- assert.Equal(t, "MyPassword", mavenPassword, "Expected default password of RedHat, but found %v", mavenPassword)
+ assert.Equal(t, adminPassword, mavenPassword, "Expected default password of RedHat, but found %v", mavenPassword)
 assert.Equal(t, "test-rhdmcentr", getEnvVariable(env.Servers[0].DeploymentConfigs[0].Spec.Template.Spec.Containers[0], "WORKBENCH_SERVICE_NAME"), "Variable should exist")
 assert.Equal(t, "ws", getEnvVariable(env.Servers[0].DeploymentConfigs[0].Spec.Template.Spec.Containers[0], "KIE_SERVER_CONTROLLER_PROTOCOL"), "Variable should exist")
 assert.Equal(t, "test-rhdmcentr", getEnvVariable(env.Servers[0].DeploymentConfigs[0].Spec.Template.Spec.Containers[0], "KIE_SERVER_CONTROLLER_SERVICE"), "Variable should exist")
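Review bot: The assertion message on the changed line still says `Expected default password of RedHat` while the expectation is now the CR's `adminPassword`, so a failure would print a misleading reason; `assert.Equal(t, adminPassword, mavenPassword, "Expected maven repo password to match the admin password, but found %v", mavenPassword)` keeps the message truthful. The same stale message is carried over in the next hunk in `TestOverwritePartialTrialPasswords`. Both enclosing test functions start before their hunks.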
@@ -3266,7 +3267,7 @@ func TestOverwritePartialTrialPasswords(t *testing.T) { adminPassword := getEnvVariable(env.Servers[0].DeploymentConfigs[0].Spec.Template.Spec.Containers[0], "KIE_ADMIN_PWD") assert.Equal(t, "MyPassword", adminPassword, "Expected provided password to take effect, but found %v", adminPassword) mavenPassword := getEnvVariable(env.Servers[0].DeploymentConfigs[0].Spec.Template.Spec.Containers[0], "RHDMCENTR_MAVEN_REPO_PASSWORD") - assert.Equal(t, "MyPassword", mavenPassword, "Expected default password of RedHat, but found %v", mavenPassword) + assert.Equal(t, adminPassword, mavenPassword, "Expected default password of RedHat, but found %v", mavenPassword) assert.Equal(t, "test-rhdmcentr", env.Console.DeploymentConfigs[0].Name) assert.Equal(t, appsv1.DeploymentStrategyTypeRecreate, env.Console.DeploymentConfigs[0].Spec.Strategy.Type) @@ -5039,6 +5040,11 @@ func TestGetProcessMigrationTemplate(t *testing.T) { Objects: api.KieAppObjects{ ProcessMigration: &api.ProcessMigrationObject{}, }, + CommonConfig: api.CommonConfig{ + AdminUser: constants.DefaultAdminUser, + AdminPassword: constants.DefaultPassword, + SecretAdminCredentials: constants.KIE_ADMIN_CREDENTIALS_SECRET, + }, }, }, []api.ServerTemplate{ 
@@ -7491,3 +7497,110 @@ func TestRhpamKieserverEnvWithoutDecisionsOnlyEnabled(t *testing.T) { result, _ := strconv.ParseBool(getEnvVariable(env.Servers[0].DeploymentConfigs[0].Spec.Template.Spec.Containers[0], "KIE_SERVER_DECISIONS_ONLY")) assert.False(t, result) } + +func TestCredentialWithCredentialSecretAndCredentialsUseAsDefault(t *testing.T) { + // with all credentials provided the behaviour use the legacy with username and password + cr := &api.KieApp{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test", + Namespace: "myNamespace", + }, + Spec: api.KieAppSpec{ + Environment: api.RhpamProduction, + CommonConfig: api.CommonConfig{ + AdminPassword: "password", + AdminUser: "admin", + SecretAdminCredentials: constants.KIE_ADMIN_CREDENTIALS_SECRET, + }, + }, + } + + service := test.MockService() + env, err := GetEnvironment(cr, service) + assert.Nil(t, err, "Error getting prod environment") + adminUserEnv := getEnvVariable(env.Servers[0].DeploymentConfigs[0].Spec.Template.Spec.Containers[0], "KIE_ADMIN_USER") + adminPasswordEnv := getEnvVariable(env.Servers[0].DeploymentConfigs[0].Spec.Template.Spec.Containers[0], "KIE_ADMIN_PWD") + assert.Equal(t, len(adminUserEnv), 0) + assert.Equal(t, len(adminPasswordEnv), 0) +} + +func TestCredentialWithCredentialSecretAndCredentials(t *testing.T) { + cr := &api.KieApp{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test", + Namespace: "myNamespace", + }, + Spec: api.KieAppSpec{ + Environment: api.RhpamProduction, + CommonConfig: api.CommonConfig{ + SecretAdminCredentials: constants.KIE_ADMIN_CREDENTIALS_SECRET, + }, + }, + } + + service := test.MockService() + _, err := GetEnvironment(cr, service) + assert.Nil(t, err, "Error getting prod environment") + + providedSecret := corev1.Secret{} + errS := service.Get(context.TODO(), types.NamespacedName{ + Name: constants.KIE_ADMIN_CREDENTIALS_SECRET, + Namespace: "myNamespace", + }, &providedSecret) + assert.Nil(t, errS, "Error secret") + adminUSer := 
providedSecret.StringData[constants.USERNAME_ADMIN_SECRET_KEY] + adminPassword := providedSecret.StringData[constants.PASSWORD_ADMIN_SECRET_KEY] + assert.True(t, len(adminUSer) > 0) + assert.True(t, len(adminPassword) > 0) + assert.Equal(t, adminUSer, constants.DefaultAdminUser) +} + +func TestCredentialWithCredentialSecretAndCredentialsAlreadySet(t *testing.T) { + mySecretUsername := "mySecretUsername" + mySecretPassword := "mySecretPassword" + myNamespace := "myNamespace" + cr := &api.KieApp{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test", + Namespace: myNamespace, + }, + Spec: api.KieAppSpec{ + Environment: api.RhpamProduction, + CommonConfig: api.CommonConfig{ + SecretAdminCredentials: constants.KIE_ADMIN_CREDENTIALS_SECRET, + }, + }, + } + + service := test.MockService() + secret := corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: constants.KIE_ADMIN_CREDENTIALS_SECRET, + Namespace: myNamespace, + }, + Type: "Opaque", + StringData: map[string]string{ + constants.USERNAME_ADMIN_SECRET_KEY: mySecretUsername, + constants.PASSWORD_ADMIN_SECRET_KEY: mySecretPassword, + }, + } + + errCreateSecret := service.Create(context.TODO(), &secret) + assert.Nil(t, errCreateSecret, "Error creating Secret") + _, err := GetEnvironment(cr, service) + assert.Nil(t, err, "Error getting prod environment") + + providedSecret := corev1.Secret{} + errS := service.Get(context.TODO(), types.NamespacedName{ + Name: constants.KIE_ADMIN_CREDENTIALS_SECRET, + Namespace: myNamespace, + }, &providedSecret) + + assert.Nil(t, errS, "Error secret") + adminUserRetrieved := providedSecret.StringData[constants.USERNAME_ADMIN_SECRET_KEY] + adminPassword := providedSecret.StringData[constants.PASSWORD_ADMIN_SECRET_KEY] + assert.True(t, len(adminUserRetrieved) > 0) + assert.True(t, len(adminPassword) > 0) + assert.Equal(t, adminUserRetrieved, mySecretUsername) + assert.Equal(t, adminPassword, mySecretPassword) +} 
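Review bot: `TestCredentialWithCredentialSecretAndCredentialsUseAsDefault` says in its comment that with all three fields set the legacy username/password path is used, yet it asserts that `KIE_ADMIN_USER`/`KIE_ADMIN_PWD` come back empty, which (assuming `getEnvVariable` returns `.Value`) is what the `secretKeyRef` branch produces and is also indistinguishable from the variable being absent altogether. Assert the intended shape explicitly — locate the env entry and check `ValueFrom.SecretKeyRef.Name == constants.KIE_ADMIN_CREDENTIALS_SECRET` — and fix the comment to say the secret takes precedence, or fix the code if the precedence was meant to go the other way. The other two tests read `providedSecret.StringData`, which only carries content in the fake client; a real API server returns `Data`, so these tests cannot catch the `StringData` read in `checkAndCreateAdminSecret`. `adminUSer` is also a typo for `adminUser`.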
diff --git a/pkg/controller/kieapp/kieapp_controller.go b/pkg/controller/kieapp/kieapp_controller.go
index 761a0ab14..ce62fb21b 100644
--- a/pkg/controller/kieapp/kieapp_controller.go
+++ b/pkg/controller/kieapp/kieapp_controller.go
@@ -52,6 +52,7 @@ type Reconciler struct {
 func (reconciler *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 // The next several lines only execute if the operator is running in a pod, via deployment.
 // Otherwise, embedded configs are used and no console is deployed.
+ mementoOwnerReferences := &api.KieApp{}
 if opName, depNameSpace, useEmbedded := defaults.UseEmbeddedFiles(reconciler.Service); !useEmbedded {
 myDep := &appsv1.Deployment{}
 err := reconciler.Service.Get(ctx, types.NamespacedName{Namespace: depNameSpace, Name: opName}, myDep)
@@ -66,11 +67,13 @@ func (reconciler *Reconciler) Reconcile(ctx context.Context, request reconcile.R
 if err = reconciler.createConsoleYAMLSamples(); err != nil {
 log.Error(err)
 }
+ mementoOwnerReferences.SetOwnerReferences(myDep.GetOwnerReferences())
 }
 
 // Fetch the KieApp instance
 instance := &api.KieApp{}
 err := reconciler.Service.Get(ctx, request.NamespacedName, instance)
+ instance.SetOwnerReferences(mementoOwnerReferences.GetOwnerReferences())
 if err != nil {
 if errors.IsNotFound(err) {
 // Request object not found, could have been deleted after reconcile request.
diff --git a/rhpam-config/7.13.0/common.yaml b/rhpam-config/7.13.0/common.yaml
index f78530c2a..d86a30867 100644
--- a/rhpam-config/7.13.0/common.yaml
+++ b/rhpam-config/7.13.0/common.yaml
@@ -84,10 +84,24 @@ console: value: "/opt/kie/data/configuration/application-users.properties" - name: APPLICATION_ROLES_PROPERTIES value: "/opt/kie/data/configuration/application-roles.properties" + #[[if not .SecretAdminCredentials]] - name: KIE_ADMIN_USER value: "[[.AdminUser]]" - name: KIE_ADMIN_PWD value: "[[.AdminPassword]]" + #[[end]] + #[[if .SecretAdminCredentials]] + - name: KIE_ADMIN_USER + valueFrom: + secretKeyRef: + name: "[[.SecretAdminCredentials]]" + key: username + - name: KIE_ADMIN_PWD + valueFrom: + secretKeyRef: + name: "[[.SecretAdminCredentials]]" + key: password + #[[end]] - name: KIE_MBEANS value: enabled #[[if or .Console.GitHooks.MountPath .Console.GitHooks.From]] @@ -561,10 +575,24 @@ smartRouter: - name: KIE_SERVER_ROUTER_TLS_KEYSTORE value: "/etc/smartrouter-secret-volume/keystore.jks" #[[end]] + #[[if not .SecretAdminCredentials]] - name: KIE_ADMIN_USER - value: "[[.AdminUser]]" + value: "[[$.AdminUser]]" - name: KIE_ADMIN_PWD - value: "[[.AdminPassword]]" + value: "[[$.AdminPassword]]" + #[[end]] + #[[if .SecretAdminCredentials]] + - name: KIE_ADMIN_USER + valueFrom: + secretKeyRef: + name: "[[.SecretAdminCredentials]]" + key: username + - name: KIE_ADMIN_PWD + valueFrom: + secretKeyRef: + name: "[[.SecretAdminCredentials]]" + key: password + #[[end]] - name: KIE_SERVER_CONTROLLER_SERVICE value: "[[.ApplicationName]]-[[.Console.Name]]" - name: KIE_SERVER_CONTROLLER_PROTOCOL 
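Review bot: In the `smartRouter` hunk the plaintext branch is switched to `[[$.AdminUser]]`/`[[$.AdminPassword]]` (root scope), but the new `#[[if .SecretAdminCredentials]]` guard and its two `name: "[[.SecretAdminCredentials]]"` references stay on the current scope; if the scope inside that block is not the root — which the switch to `$.` suggests — the guard never fires and the secret name would render empty. Use `$.SecretAdminCredentials` throughout that block, as the `servers` hunks in this file already do. The `#[[if not X]] … #[[end]] #[[if X]] … #[[end]]` pair in every one of these hunks could also be a single `#[[if X]] … #[[else]] … #[[end]]`, which keeps the two guards from drifting apart.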
@@ -771,10 +799,24 @@ servers: - name: KIE_SERVER_CONTROLLER_PROTOCOL value: ws #[[end]] + #[[if not $.SecretAdminCredentials]] - name: KIE_ADMIN_USER value: "[[$.AdminUser]]" - name: KIE_ADMIN_PWD value: "[[$.AdminPassword]]" + #[[end]] + #[[if $.SecretAdminCredentials]] + - name: KIE_ADMIN_USER + valueFrom: + secretKeyRef: + name: "[[$.SecretAdminCredentials]]" + key: username + - name: KIE_ADMIN_PWD + valueFrom: + secretKeyRef: + name: "[[$.SecretAdminCredentials]]" + key: password + #[[end]] - name: KIE_SERVER_STARTUP_STRATEGY value: "[[.StartupStrategy.StrategyName]]" #[[if eq .StartupStrategy.StrategyName "OpenShiftStartupStrategy" ]] @@ -803,10 +845,24 @@ servers: fieldPath: metadata.labels['services.server.kie.org/kie-server-id'] - name: KIE_SERVER_ROUTE_NAME value: "[[.KieName]]" + #[[if not $.SecretAdminCredentials]] - name: "[[$.Constants.MavenRepo]]_MAVEN_REPO_USERNAME" value: "[[$.AdminUser]]" - name: "[[$.Constants.MavenRepo]]_MAVEN_REPO_PASSWORD" value: "[[$.AdminPassword]]" + #[[end]] + #[[if $.SecretAdminCredentials]] + - name: "[[$.Constants.MavenRepo]]_MAVEN_REPO_USERNAME" + valueFrom: + secretKeyRef: + name: "[[$.SecretAdminCredentials]]" + key: username + - name: "[[$.Constants.MavenRepo]]_MAVEN_REPO_PASSWORD" + valueFrom: + secretKeyRef: + name: "[[$.SecretAdminCredentials]]" + key: password + #[[end]] - name: "[[$.Constants.MavenRepo]]_MAVEN_REPO_SERVICE" value: "[[$.ApplicationName]]-[[$.Console.Name]]" - name: MAVEN_REPOS diff --git a/rhpam-config/7.13.0/dashbuilder/rhpam-standalone-dashbuilder.yaml b/rhpam-config/7.13.0/dashbuilder/rhpam-standalone-dashbuilder.yaml index 8ca916b21..bd3296a40 100644 --- a/rhpam-config/7.13.0/dashbuilder/rhpam-standalone-dashbuilder.yaml +++ b/rhpam-config/7.13.0/dashbuilder/rhpam-standalone-dashbuilder.yaml 
@@ -86,10 +86,24 @@ dashbuilder:
 containerPort: 8443
 protocol: TCP
 env:
+ #[[if not .SecretAdminCredentials]]
 - name: KIE_ADMIN_USER
 value: "[[.AdminUser]]"
 - name: KIE_ADMIN_PWD
 value: "[[.AdminPassword]]"
+ #[[end]]
+ #[[if .SecretAdminCredentials]]
+ - name: KIE_ADMIN_USER
+ valueFrom:
+ secretKeyRef:
+ name: "[[.SecretAdminCredentials]]"
+ key: username
+ - name: KIE_ADMIN_PWD
+ valueFrom:
+ secretKeyRef:
+ name: "[[.SecretAdminCredentials]]"
+ key: password
+ #[[end]]
 ## Dashbuilder config BEGIN
 #[[if .Dashbuilder.Config.AllowExternalFileRegister]]
 - name: DASHBUILDER_ALLOW_EXTERNAL_FILE_REGISTER
From 04d9787a9654c687118bcae0f02b5beee2780189 Mon Sep 17 00:00:00 2001
From: spolti
Date: Mon, 21 Mar 2022 17:44:27 -0300
Subject: [PATCH 2/2] add owner ref to created secret
Signed-off-by: spolti
---
 pkg/controller/kieapp/defaults/defaults.go | 14 +++++++++++++-
 pkg/controller/kieapp/kieapp_controller.go | 3 ---
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/pkg/controller/kieapp/defaults/defaults.go b/pkg/controller/kieapp/defaults/defaults.go
index ff87a487e..f830c7f1f 100644
--- a/pkg/controller/kieapp/defaults/defaults.go
+++ b/pkg/controller/kieapp/defaults/defaults.go
@@ -63,7 +63,7 @@ func GetEnvironment(cr *api.KieApp, service kubernetes.PlatformService) (api.Env
 }
 
 // if the secret is the only credential present
- if len(cr.Spec.CommonConfig.SecretAdminCredentials) > 0 && len(cr.Spec.CommonConfig.AdminUser) == 0 && len(cr.Spec.CommonConfig.AdminPassword) == 0 {
+ if len(cr.Spec.CommonConfig.SecretAdminCredentials) > 0 || (len(cr.Spec.CommonConfig.AdminUser) == 0 && len(cr.Spec.CommonConfig.AdminPassword) == 0) {
 errSecret, _, _ := checkAndCreateAdminSecret(service, cr)
 if errSecret != nil {
 log.Error("Can't create Admin Secret. ", errSecret)
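Review bot: With the condition widened to `||`, a CR with no `secretAdminCredentials`, no `adminUser` and no `adminPassword` now calls `checkAndCreateAdminSecret` with an empty `secretName`: the `Get` for an empty name fails, a `kie-admin-credentials` secret is created with one generated password, and the block that follows (in the first commit's hunk, outside this one) assigns a second, different generated password to `cr.Spec.CommonConfig.AdminPassword`, which the templates then render in plain text because `.SecretAdminCredentials` is still empty. The secret is therefore never referenced and holds a password nobody uses. If the intent is to move fully-defaulted CRs onto the secret, set `cr.Spec.CommonConfig.SecretAdminCredentials = constants.KIE_ADMIN_CREDENTIALS_SECRET` before the call so the templates take the `secretKeyRef` branch and the plaintext defaulting is skipped; otherwise restore the `&&` form. The comment above the condition (`if the secret is the only credential present`) no longer describes it either way. `GetEnvironment` starts before this hunk.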
@@ -2138,6 +2138,7 @@ func getRouteHostname(obj interface{}) (host string) {
 }
 
 func checkAndCreateAdminSecret(service kubernetes.PlatformService, cr *api.KieApp) (error, string, string) {
+ log.Infof("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ")
 secretName := cr.Spec.CommonConfig.SecretAdminCredentials
 namespace := cr.Namespace
 environment := cr.Spec.Environment
@@ -2185,6 +2186,16 @@ func checkAndCreateAdminSecret(service kubernetes.PlatformService, cr *api.KieAp
 }
 
 func createSecret(service kubernetes.PlatformService, namespace string, secretName string, username string, password string, cr *api.KieApp) error {
+ ownerRef := []metav1.OwnerReference{
+ {
+ APIVersion: cr.APIVersion,
+ Kind: cr.Kind,
+ Name: cr.Name,
+ UID: cr.ObjectMeta.GetUID(),
+ Controller: Pbool(true),
+ BlockOwnerDeletion: Pbool(true),
+ },
+ }
 secret := corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Name: secretName,
@@ -2197,6 +2208,7 @@ func createSecret(service kubernetes.PlatformService, namespace string, secretNa
 constants.PASSWORD_ADMIN_SECRET_KEY: password,
 },
 }
+ secret.SetOwnerReferences(ownerRef)
 err := service.Create(context.TODO(), &secret)
 return err
 }
diff --git a/pkg/controller/kieapp/kieapp_controller.go b/pkg/controller/kieapp/kieapp_controller.go
index ce62fb21b..761a0ab14 100644
--- a/pkg/controller/kieapp/kieapp_controller.go
+++ b/pkg/controller/kieapp/kieapp_controller.go
@@ -52,7 +52,6 @@ type Reconciler struct {
 func (reconciler *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 // The next several lines only execute if the operator is running in a pod, via deployment.
 // Otherwise, embedded configs are used and no console is deployed.
- mementoOwnerReferences := &api.KieApp{}
 if opName, depNameSpace, useEmbedded := defaults.UseEmbeddedFiles(reconciler.Service); !useEmbedded {
 myDep := &appsv1.Deployment{}
 err := reconciler.Service.Get(ctx, types.NamespacedName{Namespace: depNameSpace, Name: opName}, myDep)
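Review bot: The `log.Infof("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ")` line added at the top of `checkAndCreateAdminSecret` is a debugging leftover and would be emitted on every reconcile of every KieApp; remove it, or replace it with something a reader of the logs can use and that carries no credential material, e.g. `log.Infof("resolving admin credentials secret %s/%s", namespace, secretName)` placed after `namespace` is assigned. The rest of `checkAndCreateAdminSecret` lies outside this hunk.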
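Review bot: The owner reference in `createSecret` is built from `cr.APIVersion` and `cr.Kind`, and those `TypeMeta` fields are commonly empty on an object fetched through the controller-runtime client, in which case the API server rejects the Secret because an ownerReference must carry a non-empty `apiVersion` and `kind`; the fake client in the tests does not validate this, so it would only show up on a cluster. Fill them from the scheme instead — `controllerutil.SetControllerReference(cr, &secret, scheme)` from `sigs.k8s.io/controller-runtime/pkg/controller/controllerutil` does exactly this if a scheme is reachable here, otherwise use the api package's group-version string and the literal kind `"KieApp"`. `BlockOwnerDeletion: true` additionally requires the operator's RBAC to permit updating `kieapps/finalizers` where the OwnerReferencesPermissionEnforcement admission plugin is enabled, so confirm the ClusterRole covers it. Minor: `cr.ObjectMeta.GetUID()` can be `cr.GetUID()`, and the `OwnerReferences: cr.GetOwnerReferences()` field that the first commit put in the struct literal (just outside this hunk) is now overwritten by `secret.SetOwnerReferences(ownerRef)` and can be dropped.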
@@ -67,13 +66,11 @@ func (reconciler *Reconciler) Reconcile(ctx context.Context, request reconcile.R
 if err = reconciler.createConsoleYAMLSamples(); err != nil {
 log.Error(err)
 }
- mementoOwnerReferences.SetOwnerReferences(myDep.GetOwnerReferences())
 }
 
 // Fetch the KieApp instance
 instance := &api.KieApp{}
 err := reconciler.Service.Get(ctx, request.NamespacedName, instance)
- instance.SetOwnerReferences(mementoOwnerReferences.GetOwnerReferences())
 if err != nil {
 if errors.IsNotFound(err) {
 // Request object not found, could have been deleted after reconcile request.