Using exesting secret for tempest

Using the same secret configmap which is generated by the openstack-operator and also used by the openstackclient pods.
openstack-k8s-operators · Sep 13, 2023 · 3febe18 · 3febe18
1 parent b6814fc
commit 3febe18
Show file tree

Hide file tree

Showing 9 changed files with 71 additions and 71 deletions.
diff --git a/api/bases/test.openstack.org_tempests.yaml b/api/bases/test.openstack.org_tempests.yaml
@@ -104,9 +104,15 @@ spec:
                 description: NodeSelector to target subset of worker nodes running
                   this service
                 type: object
-              secret:
-                description: Secret containing OpenStack password information for
-                  Admin user
+              openStackConfigMap:
+                default: openstack-config
+                description: OpenStackConfigMap is the name of the ConfigMap containing
+                  the clouds.yaml
+                type: string
+              openStackConfigSecret:
+                default: openstack-config-secret
+                description: OpenStackConfigSecret is the name of the Secret containing
+                  the secure.yaml
                 type: string
               skippedTests:
                 description: SkippedTests
@@ -118,6 +124,8 @@ spec:
                 type: string
             required:
             - containerImage
+            - openStackConfigMap
+            - openStackConfigSecret
             type: object
           status:
             description: TempestStatus defines the observed state of Tempest

diff --git a/api/v1beta1/tempest_types.go b/api/v1beta1/tempest_types.go
@@ -45,9 +45,15 @@ type TempestSpec struct {
 	// NodeSelector to target subset of worker nodes running this service
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 
-	// +kubebuilder:validation:Optional
-	// Secret containing OpenStack password information for Admin user
-	Secret string `json:"secret,omitempty"`
+        // +kubebuilder:validation:Required
+	// +kubebuilder:default=openstack-config
+        // OpenStackConfigMap is the name of the ConfigMap containing the clouds.yaml
+        OpenStackConfigMap string `json:"openStackConfigMap"`
+
+        // +kubebuilder:validation:Required
+	// +kubebuilder:default=openstack-config-secret
+        // OpenStackConfigSecret is the name of the Secret containing the secure.yaml
+        OpenStackConfigSecret string `json:"openStackConfigSecret"`
 
 	// +kubebuilder:validation:Optional
 	// NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network

diff --git a/config/crd/bases/test.openstack.org_tempests.yaml b/config/crd/bases/test.openstack.org_tempests.yaml
@@ -104,9 +104,15 @@ spec:
                 description: NodeSelector to target subset of worker nodes running
                   this service
                 type: object
-              secret:
-                description: Secret containing OpenStack password information for
-                  Admin user
+              openStackConfigMap:
+                default: openstack-config
+                description: OpenStackConfigMap is the name of the ConfigMap containing
+                  the clouds.yaml
+                type: string
+              openStackConfigSecret:
+                default: openstack-config-secret
+                description: OpenStackConfigSecret is the name of the Secret containing
+                  the secure.yaml
                 type: string
               skippedTests:
                 description: SkippedTests
@@ -118,6 +124,8 @@ spec:
                 type: string
             required:
             - containerImage
+            - openStackConfigMap
+            - openStackConfigSecret
             type: object
           status:
             description: TempestStatus defines the observed state of Tempest

diff --git a/config/samples/tempest-secret.yaml b/config/samples/tempest-secret.yaml
diff --git a/controllers/tempest_controller.go b/controllers/tempest_controller.go
@@ -31,13 +31,11 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/job"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
 	nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	testv1beta1 "github.com/openstack-k8s-operators/test-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/test-operator/pkg/tempest"
@@ -235,32 +233,6 @@ func (r *TempestReconciler) reconcileNormal(ctx context.Context, instance *testv
 		return rbacResult, nil
 	}
 
-	// ConfigMap
-	configMapVars := make(map[string]env.Setter)
-
-	//
-	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map,
-	//
-	tempestSecret, hash, err := secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace)
-	if err != nil {
-		if k8s_errors.IsNotFound(err) {
-			instance.Status.Conditions.Set(condition.FalseCondition(
-				condition.InputReadyCondition,
-				condition.RequestedReason,
-				condition.SeverityInfo,
-				condition.InputReadyWaitingMessage))
-			return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, fmt.Errorf("OpenStack secret %s not found", instance.Spec.Secret)
-		}
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.InputReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			condition.InputReadyErrorMessage,
-			err.Error()))
-		return ctrl.Result{}, err
-	}
-	configMapVars[tempestSecret.Name] = env.SetValue(hash)
-
 	instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
 	// run check OpenStack secret - end
 
@@ -274,7 +246,7 @@ func (r *TempestReconciler) reconcileNormal(ctx context.Context, instance *testv
 	// - %-config configmap holding minimal neutron config required to get the service up, user can add additional files to be added to the service
 	// - parameters which has passwords gets added from the OpenStack secret via the init container
 	//
-	err = r.generateServiceConfigMaps(ctx, helper, instance, &configMapVars, *tempestSecret)
+	err = r.generateServiceConfigMaps(ctx, helper, instance)
 	if err != nil {
 		instance.Status.Conditions.Set(condition.FalseCondition(
 			condition.ServiceConfigReadyCondition,
@@ -408,16 +380,12 @@ func (r *TempestReconciler) generateServiceConfigMaps(
 	ctx context.Context,
 	h *helper.Helper,
 	instance *testv1beta1.Tempest,
-	envVars *map[string]env.Setter,
-	tempestSecret corev1.Secret,
 ) error {
 	// Create/update configmaps from templates
 	cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(tempest.ServiceName), map[string]string{})
 
 	templateParameters := make(map[string]interface{})
 
-	templateParameters["KeystoneApiEndpoint"] = string(tempestSecret.Data["KeystoneApiEndpoint"])
-	templateParameters["OpenStackAdminPassword"] = string(tempestSecret.Data["OpenStackAdminPassword"])
 	templateParameters["AllowedTests"] = instance.Spec.AllowedTests
 	templateParameters["SkippedTests"] = instance.Spec.SkippedTests
 
@@ -440,5 +408,5 @@ func (r *TempestReconciler) generateServiceConfigMaps(
 			ConfigOptions: templateParameters,
 		},
 	}
-	return configmap.EnsureConfigMaps(ctx, h, instance, cms, envVars)
+	return configmap.EnsureConfigMaps(ctx, h, instance, cms, nil)
 }
diff --git a/pkg/tempest/job.go b/pkg/tempest/job.go
@@ -55,7 +55,7 @@ func Job(
 							VolumeMounts: GetVolumeMounts(),
 						},
 					},
-					Volumes: GetVolumes(instance.Name),
+					Volumes: GetVolumes(instance),
 				},
 			},
 		},

diff --git a/pkg/tempest/volumes.go b/pkg/tempest/volumes.go
@@ -1,13 +1,15 @@
 package tempest
 
 import (
+	testv1beta1 "github.com/openstack-k8s-operators/test-operator/api/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 )
 
 // GetVolumes -
-func GetVolumes(name string) []corev1.Volume {
+func GetVolumes(instance *testv1beta1.Tempest) []corev1.Volume {
 
 	var scriptsVolumeDefaultMode int32 = 0755
+	var scriptsVolumeConfidentialMode int32 = 0420
 
 	//source_type := corev1.HostPathDirectoryOrCreate
 	return []corev1.Volume{
@@ -33,7 +35,7 @@ func GetVolumes(name string) []corev1.Volume {
 				ConfigMap: &corev1.ConfigMapVolumeSource{
 					DefaultMode: &scriptsVolumeDefaultMode,
 					LocalObjectReference: corev1.LocalObjectReference{
-						Name: name + "-scripts",
+						Name: instance.Name + "-scripts",
 					},
 				},
 			},
@@ -44,11 +46,31 @@ func GetVolumes(name string) []corev1.Volume {
 				ConfigMap: &corev1.ConfigMapVolumeSource{
 					DefaultMode: &scriptsVolumeDefaultMode,
 					LocalObjectReference: corev1.LocalObjectReference{
-						Name: name + "-config-data",
+						Name: instance.Name + "-config-data",
 					},
 				},
 			},
 		},
+		{
+			Name: "openstack-config",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					DefaultMode: &scriptsVolumeConfidentialMode,
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: "openstack-config",
+					},
+				},
+			},
+		},
+		{
+			Name: "openstack-config-secret",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					DefaultMode: &scriptsVolumeConfidentialMode,
+					SecretName:  "openstack-config-secret",
+				},
+			},
+		},
 	}
 
 }
@@ -76,5 +98,17 @@ func GetVolumeMounts() []corev1.VolumeMount {
 			MountPath: "/var/lib/config-data/",
 			ReadOnly:  false,
 		},
+		{
+			Name:      "openstack-config",
+			MountPath: "/etc/openstack/clouds.yaml",
+			SubPath:   "clouds.yaml",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "openstack-config-secret",
+			MountPath: "/etc/openstack/secure.yaml",
+			ReadOnly:  false,
+			SubPath:   "secure.yaml",
+		},
 	}
 }
diff --git a/templates/tempest/config/clouds.yaml b/templates/tempest/config/clouds.yaml
diff --git a/templates/tempest/config/tempest-config.json b/templates/tempest/config/tempest-config.json
@@ -1,12 +1,6 @@
 {
     "command": "/var/lib/tempest/run_tempest.sh",
     "config_files": [
-        {
-            "source": "/var/lib/config-data/clouds.yaml",
-            "dest": "/var/lib/tempest/external_files/clouds.yaml",
-            "owner": "root:tempest",
-            "perm": "0640"
-        },
         {
             "source": "/var/lib/config-data/include.txt",
             "dest": "/var/lib/tempest/external_files/include.txt",