[Audit log forwarding] - update audit-tls secret to IM deployments for audit forwarding support (#1061)

Originating issue: [IBMPrivateCloud/roadmap#67190](https://github.ibm.com/IBMPrivateCloud/roadmap/issues/67190)

---------

Signed-off-by: rashmi_kh <[email protected]>
Signed-off-by: Rob Hundley <[email protected]>
Co-authored-by: Rob Hundley <[email protected]>

Author: rashmi43

api/operator/v1alpha1/authentication_types.go

@@ -139,6 +139,8 @@ type ConfigSpec struct {
 	ICPPort                     int32          `json:"icpPort"`
 	FIPSEnabled                 bool           `json:"fipsEnabled"`
 	ROKSEnabled                 bool           `json:"roksEnabled"`
+	AuditUrl                    *string        `json:"auditUrl,omitempty"`
+	AuditSecret                 *string        `json:"auditSecret,omitempty"`
 	IBMCloudSaas                bool           `json:"ibmCloudSaas,omitempty"`
 	OnPremMultipleDeploy        bool           `json:"onPremMultipleDeploy,omitempty"`
 	SaasClientRedirectUrl       string         `json:"saasClientRedirectUrl,omitempty"`

api/operator/v1alpha1/zz_generated.deepcopy.go

@@ -79,6 +79,8 @@ metadata:
               "openshiftPort": 443,
               "preferredLogin": "",
               "providerIssuerURL": "",
+              "auditUrl": "",
+              "auditSecret": "",
               "roksEnabled": true,
               "roksURL": "https://roks.domain.name:443",
               "roksUserPrefix": "changeme",

bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml

@@ -228,6 +228,10 @@ spec:
                     type: string
                   providerIssuerURL:
                     type: string
+                  auditUrl:
+                    type: string
+                  auditSecret:
+                    type: string
                   roksEnabled:
                     type: boolean
                   roksURL:

bundle/manifests/operator.ibm.com_authentications.yaml

@@ -219,7 +219,11 @@ spec:
                   preferredLogin:
                     type: string
                   defaultLogin:
-                    type: string 
+                    type: string
+                  auditUrl:
+                    type: string
+                  auditSecret:
+                    type: string
                   providerIssuerURL:
                     type: string
                   roksEnabled:

config/crd/bases/operator.ibm.com_authentications.yaml

@@ -61,6 +61,8 @@ spec:
     preferredLogin: ''
     defaultLogin: ''
     bootstrapUserId: kubeadmin
+    auditUrl: ''
+    auditSecret: ''
     providerIssuerURL: ''
     claimsSupported: name,family_name,display_name,given_name,preferred_username
     claimsMap: name="givenName" family_name="givenName" given_name="givenName" preferred_username="displayName"

config/samples/bases/operator_v1alpha1_authentication.yaml

@@ -28,6 +28,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -36,8 +37,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 )
 
-// BootStrapReconciler handles modifications to the Authentication CR before it is reconciled by the
-// main Authentication controller
+// BootStrapReconciler handles modifications to the Authentication CR before it
+// is reconciled by the main Authentication controller; this is meant to handle
+// edge cases that are encountered during upgrades.
 type BootstrapReconciler struct {
 	client.Client
 }
@@ -105,10 +107,13 @@ func (r *BootstrapReconciler) makeAuthenticationCorrections(ctx context.Context,
 // writeConfigurationsToAuthenticationCR copies values from the
 // platform-auth-idp ConfigMap to the Authentication CR.
 func (r *BootstrapReconciler) writeConfigurationsToAuthenticationCR(ctx context.Context, authCR *operatorv1alpha1.Authentication) (err error) {
+	log := logf.FromContext(ctx, "ConfigMap.Name", "platform-auth-idp").V(1)
 	platformAuthIDPCM := &corev1.ConfigMap{}
 	if err = r.Get(ctx, types.NamespacedName{Name: "platform-auth-idp", Namespace: authCR.Namespace}, platformAuthIDPCM); k8sErrors.IsNotFound(err) {
+		log.Info("ConfigMap not found")
 		return nil
 	} else if err != nil {
+		log.Error(err, "Failed to get ConfigMap")
 		return fmt.Errorf("failed to get ConfigMap: %w", err)
 	}
 	keys := map[string]any{
@@ -129,23 +134,50 @@ func (r *BootstrapReconciler) writeConfigurationsToAuthenticationCR(ctx context.
 		"IBM_CLOUD_SAAS":           &authCR.Spec.Config.IBMCloudSaas,
 		"SAAS_CLIENT_REDIRECT_URL": &authCR.Spec.Config.SaasClientRedirectUrl,
 		"ATTR_MAPPING_FROM_CONFIG": &authCR.Spec.Config.AttrMappingFromConfig,
+		"AUDIT_URL":                &authCR.Spec.Config.AuditUrl,
+		"AUDIT_SECRET":             &authCR.Spec.Config.AuditSecret,
 	}
 
 	for key, crField := range keys {
+		keyLog := log.WithValues("key", key)
 		cmValue, ok := platformAuthIDPCM.Data[key]
 		if !ok {
+			keyLog.Info("Key not found; continuing")
 			continue
 		}
+		keyLog.Info("Key found", "value", cmValue)
 		switch crValue := crField.(type) {
+
 		case *string:
-			if *crValue != cmValue {
+			keyLog.Info("Value type is string")
+			if crValue != nil && *crValue != cmValue {
+				keyLog.Info("Value of property on CR does not match value for key in ConfigMap")
 				*crValue = cmValue
+			} else if crValue != nil {
+				keyLog.Info("Values match")
+			}
+		case **string:
+			keyLog.Info("Value type is optional string")
+			if *crValue == nil {
+				keyLog.Info("Property is not set on CR")
+				*crValue = ptr.To(cmValue)
+			} else if **crValue != cmValue {
+				keyLog.Info("Value of property on CR does not match value for key in ConfigMap")
+				*crValue = ptr.To(cmValue)
+			} else {
+				keyLog.Info("Values match")
 			}
 		case *bool:
+			keyLog.Info("Value type is bool")
 			cmValueBool, _ := strconv.ParseBool(cmValue)
-			if *crValue != cmValueBool {
+			if crValue != nil && *crValue != cmValueBool {
+				keyLog.Info("Value of property on CR does not match value for key in ConfigMap")
 				*crValue = cmValueBool
+			} else if crValue != nil {
+				keyLog.Info("Values match")
 			}
+		default:
+			keyLog.Info("Value type is unknown; skipping")
 		}
 	}
 

internal/controller/bootstrap/authentication_bootstrap_controller.go

@@ -443,6 +443,7 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 			}
 		}), builder.WithPredicates(predicate.Or(globalCMPred, productCMPred)),
 	)
+
 	bootstrappedPred := predicate.NewPredicateFuncs(func(o client.Object) bool {
 		return o.GetLabels()[ctrlcommon.ManagerVersionLabel] == version.Version
 	})

internal/controller/operator/authentication_controller.go

@@ -296,6 +296,8 @@ func updatePlatformAuthIDP(_ common.SecondaryReconciler, _ context.Context, obse
 			"IBM_CLOUD_SAAS",
 			"SAAS_CLIENT_REDIRECT_URL",
 			"ATTR_MAPPING_FROM_CONFIG",
+			"AUDIT_URL",
+			"AUDIT_SECRET",
 		),
 		updatesValuesWhen(observedKeyValueSetTo[*corev1.ConfigMap]("OS_TOKEN_LENGTH", "45"),
 			"OS_TOKEN_LENGTH"),
@@ -437,6 +439,11 @@ func (r *AuthenticationReconciler) generateAuthIdpConfigMap(clusterInfo *corev1.
 			}
 		}
 
+		// Found AUDIT variables
+		if authCR.Spec.Config.AuditUrl != nil || authCR.Spec.Config.AuditSecret != nil {
+			reqLogger.Info("Found audit variables", "AuditUrl", authCR.Spec.Config.AuditUrl, "AuditSecret", authCR.Spec.Config.AuditSecret)
+		}
+
 		// Set the path for SAML connections
 		var masterPath string
 		if masterPath, err = r.getMasterPath(ctx, ctrl.Request{NamespacedName: common.GetObjectKey(s.GetPrimary())}); err != nil {

internal/controller/operator/configmap.go

@@ -585,6 +585,8 @@ var _ = Describe("ConfigMap handling", func() {
 					"IDENTITY_MGMT_URL":                  "https://platform-identity-management:4500",
 					"MASTER_HOST":                        ibmcloudClusterInfo.Data["cluster_address"],
 					"MASTER_PATH":                        "/idauth",
+					"AUDIT_URL":                          "",
+					"AUDIT_SECRET":                       "",
 					"NODE_ENV":                           "production",
 					"ENABLE_JIT_EXTRA_ATTR":              "false",
 					"AUDIT_ENABLED_IDPROVIDER":           "false",
@@ -682,6 +684,13 @@ var _ = Describe("ConfigMap handling", func() {
 						"DB_SSL_MODE",
 					},
 				},
+				{
+					"AUDIT_URL",
+					[]string{
+						"AUDIT_URL",
+						"AUDIT_SECRET",
+					},
+				},
 				{
 					"SCIM_LDAP_ATTRIBUTES_MAPPING",
 					[]string{