From 4c4d8d549da2af5c16f59686768128f3e2534582 Mon Sep 17 00:00:00 2001 From: TIRUMALA MANNARU Date: Mon, 9 Jun 2025 11:39:06 +0530 Subject: [PATCH 1/2] consume ldap bindpwd and external edb certs SPCs --- ...bm-iam-operator.clusterserviceversion.yaml | 8 + config/rbac/role.yaml | 8 + controllers/common/constants.go | 9 + controllers/common/utils.go | 6 + .../operator/authentication_controller.go | 7 +- controllers/operator/containers.go | 245 +++++++++++------- controllers/operator/deployment.go | 236 ++++++++++++----- go.mod | 3 +- go.sum | 10 +- helm/templates/00-rbac.yaml | 8 + main.go | 3 + 11 files changed, 379 insertions(+), 164 deletions(-) diff --git a/bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml b/bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml index fd5b984f..c4606724 100644 --- a/bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml +++ b/bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml @@ -589,6 +589,14 @@ spec: - patch - update - watch + - apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasses + verbs: + - get + - list + - watch serviceAccountName: ibm-iam-operator strategy: deployment installModes: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index bfb748f5..4cf518d0 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -258,6 +258,14 @@ rules: - patch - update - watch +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasses + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/controllers/common/constants.go b/controllers/common/constants.go index 55745cf3..9d4261a6 100644 --- a/controllers/common/constants.go +++ b/controllers/common/constants.go 
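Review bot: The new rule grants get/list/watch over every SecretProviderClass the role can see, while the only reader this series adds (CheckSPCExists in deployment.go) probes two fixed names in the Authentication CR's namespace. list/watch are genuinely needed as long as that lookup goes through the cached controller-runtime client, which starts an informer over all SPCs in scope; if the probe went through `mgr.GetAPIReader()` instead, the rule could shrink to `verbs: [get]` with `resourceNames: [im-ldap-bind-pwd-spc, im-external-edb-certs-spc]` (the names become `im-ldap-bind-creds-spc`/`im-external-edb-creds-spc` in the second patch). Whether this object is a Role or a ClusterRole is not visible in the hunk; if it is cluster-scoped the read surface is correspondingly larger. The same rule is duplicated into config/rbac/role.yaml and helm/templates/00-rbac.yaml, so any narrowing has to land in all three copies.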
@@ -37,6 +37,15 @@ const MongoStatefulsetName string = "icp-mongodb" // Name of CommonService created by IM Operator to provision EDB share const DatastoreEDBCSName string = "im-common-service" +// Name of SecretProvoderClass created by Paks that contains ldap bindpassword +const IMLdapBindPwdSpc string = "im-ldap-bind-pwd-spc" + +// Name of SecretProvoderClass created by Paks that contains external edb certs +const IMExtEDBSecretSpc string = "im-external-edb-certs-spc" + +// Name of volume that holds ldap bindpassword spc +const IMLdapBindPwdVolume string = "ldap-bind-cred-vol" + type DeploymentName string // The current names of Deployments managed by this Operator diff --git a/controllers/common/utils.go b/controllers/common/utils.go index 1a8e8bf6..5c975a02 100644 --- a/controllers/common/utils.go +++ b/controllers/common/utils.go @@ -37,6 +37,7 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client/config" + sscsidriverv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1" operatorv1alpha1 "github.com/IBM/ibm-iam-operator/apis/operator/v1alpha1" zenv1 "github.com/IBM/ibm-iam-operator/apis/zen.cpd.ibm.com/v1" @@ -190,6 +191,11 @@ func ClusterHasZenExtensionGroupVersion(dc *discovery.DiscoveryClient) (found bo return } +func ClusterHasCSIGroupVersion(dc *discovery.DiscoveryClient) (found bool) { + found, _ = clusterHasGroupVersion(dc, sscsidriverv1.SchemeGroupVersion) + return +} + func ClusterHasOperandRequestAPIResource(dc *discovery.DiscoveryClient) (found bool) { found, _ = clusterHasAPIResource(dc, operatorv1alpha1.GroupVersion, "operandrequests") return diff --git a/controllers/operator/authentication_controller.go b/controllers/operator/authentication_controller.go index c0a05c99..261b099c 100644 --- a/controllers/operator/authentication_controller.go +++ b/controllers/operator/authentication_controller.go 
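Review bot: These three constants are the contract with the Paks that create the SecretProviderClasses, and their comments misspell the type (`SecretProvoderClass`) and do not say what the operator does when the object is absent, even though absence is what drives the fallback in buildIdpVolumes. I would write `// Name of the SecretProviderClass created by Paks that holds the LDAP bind password; when it is absent the Deployments are generated without the CSI mount.` and for IMExtEDBSecretSpc `// Name of the SecretProviderClass created by Paks that holds the external EDB certs; when it is absent the certs are mounted from the DatastoreEDBSecretName Secret instead.` ClusterHasCSIGroupVersion in utils.go discards the discovery error exactly like its siblings, which is consistent with the file, but here a transient discovery failure reads as "CSI not installed" and CheckSPCExists turns that into a silent switch of credential source, so a one-line comment on the helper saying errors are treated as "not found" would warn the next caller.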
@@ -48,6 +48,7 @@ import ( handler "sigs.k8s.io/controller-runtime/pkg/handler" "sigs.k8s.io/controller-runtime/pkg/predicate" "sigs.k8s.io/controller-runtime/pkg/reconcile" + sscsidriverv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1" certmgr "github.com/IBM/ibm-iam-operator/apis/certmanager/v1" operatorv1alpha1 "github.com/IBM/ibm-iam-operator/apis/operator/v1alpha1" @@ -382,7 +383,8 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error { Watches(&corev1.Service{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())). Watches(&netv1.Ingress{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())). Watches(&appsv1.Deployment{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())). - Watches(&autoscalingv2.HorizontalPodAutoscaler{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())) + Watches(&autoscalingv2.HorizontalPodAutoscaler{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())). + Watches(&sscsidriverv1.SecretProviderClass{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())) //Add routes if ctrlcommon.ClusterHasOpenShiftConfigGroupVerison(&r.DiscoveryClient) { 
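Review bot: The SecretProviderClass watch added to the builder chain here has no ClusterHasCSIGroupVersion guard, unlike the conditional copy added a few lines later in the same patch — and the second patch removes the conditional one, so this unguarded registration is what ships. On a cluster without the Secrets Store CSI CRDs there is no REST mapping for the kind and, as far as I can tell from controller-runtime v0.16 (per go.mod), the controller fails to start its informer, which takes the whole Authentication controller down rather than just skipping the feature. Separately, `handler.EnqueueRequestForOwner(..., handler.OnlyControllerOwner())` only enqueues for SPCs whose controller owner is an Authentication CR, but the constants.go comments say these SPCs are created by Paks, so the watch never fires and a Deployment generated before the SPC appeared keeps its Secret-backed volumes until some unrelated event reconciles it. I would register the watch under the existing CSI guard and map by name instead of owner, as sketched below (`client` must be imported; `reconcile` already is; the constant is renamed IMLdapBindCredSpc by the second patch).
```go
// … unchanged: Watches for Service/Ingress/Deployment/HorizontalPodAutoscaler …
if ctrlcommon.ClusterHasCSIGroupVersion(&r.DiscoveryClient) {
	authCtrl.Watches(&sscsidriverv1.SecretProviderClass{},
		handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
			if obj.GetName() != ctrlcommon.IMLdapBindPwdSpc && obj.GetName() != ctrlcommon.IMExtEDBSecretSpc {
				return nil
			}
			// … list the Authentication CR(s) in obj.GetNamespace() and return one reconcile.Request per CR …
		}))
}
```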
@@ -397,6 +399,9 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error { if ctrlcommon.ClusterHasOperandBindInfoAPIResource(&r.DiscoveryClient) { authCtrl.Watches(&operatorv1alpha1.OperandBindInfo{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())) } + if ctrlcommon.ClusterHasCSIGroupVersion(&r.DiscoveryClient) { + authCtrl.Watches(&sscsidriverv1.SecretProviderClass{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())) + } productCMPred := predicate.Funcs{ UpdateFunc: func(e event.UpdateEvent) bool { diff --git a/controllers/operator/containers.go b/controllers/operator/containers.go index 62480a5c..f942a010 100644 --- a/controllers/operator/containers.go +++ b/controllers/operator/containers.go @@ -130,7 +130,7 @@ func convertToLibertyFormat(memory string) string { } -func buildAuthServiceContainer(instance *operatorv1alpha1.Authentication, authServiceImage string, icpConsoleURL string) corev1.Container { +func buildAuthServiceContainer(instance *operatorv1alpha1.Authentication, authServiceImage string, icpConsoleURL string, ldapSpcExist bool) corev1.Container { resources := instance.Spec.AuthService.Resources 
@@ -348,41 +348,8 @@ func buildAuthServiceContainer(instance *operatorv1alpha1.Authentication, authSe Drop: []corev1.Capability{"ALL"}, }, }, - Resources: *resources, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "auth-key", - MountPath: "/certs/platform-auth", - }, - { - Name: "ibmid-jwk-cert", - MountPath: "/certs/ibmid/jwk", - }, - { - Name: "ibmid-ssl-cert", - MountPath: "/certs/ibmid/ssl", - }, - { - Name: "ldaps-ca-cert", - MountPath: "/opt/ibm/ldaps", - }, - { - Name: "saml-cert", - MountPath: "/certs/saml-certs", - }, - { - Name: "pgsql-ca-cert", - MountPath: "/certs/pgsql-ca", - }, - { - Name: "pgsql-client-cert", - MountPath: "/certs/pgsql-client", - }, - { - Name: "pgsql-client-cred", - MountPath: "/pgsql/clientinfo", - }, - }, + Resources: *resources, + VolumeMounts: buildAuthSvcVolumeMounts(ldapSpcExist), ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ @@ -418,7 +385,7 @@ func buildAuthServiceContainer(instance *operatorv1alpha1.Authentication, authSe } -func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCRNId string) corev1.Container { +func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCRNId string, ldapSpcExist bool) corev1.Container { resources := instance.Spec.IdentityProvider.Resources if resources == nil { 
@@ -704,33 +671,8 @@ func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, i Drop: []corev1.Capability{"ALL"}, }, }, - Resources: *resources, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "auth-key", - MountPath: "/opt/ibm/identity-provider/server/boot/auth-key", - }, - { - Name: "identity-provider-cert", - MountPath: "/opt/ibm/identity-provider/certs", - }, - { - Name: "saml-cert", - MountPath: "/certs/saml-certs", - }, - { - Name: "pgsql-ca-cert", - MountPath: "/certs/pgsql-ca", - }, - { - Name: "pgsql-client-cert", - MountPath: "/certs/pgsql-client", - }, - { - Name: "pgsql-client-cred", - MountPath: "/pgsql/clientinfo", - }, - }, + Resources: *resources, + VolumeMounts: buildIdentityProviderVolumeMounts(ldapSpcExist), ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ @@ -760,7 +702,7 @@ func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, i } -func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string) corev1.Container { +func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string, ldapSpcExist bool) corev1.Container { replicaCount := int(instance.Spec.Replicas) resources := instance.Spec.IdentityManager.Resources 
@@ -1065,33 +1007,8 @@ func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, id Drop: []corev1.Capability{"ALL"}, }, }, - Resources: *resources, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "cluster-ca", - MountPath: "/opt/ibm/identity-mgmt/certs", - }, - { - Name: "platform-identity-management", - MountPath: "/opt/ibm/identity-mgmt/server/certs", - }, - { - Name: "scim-ldap-attributes-mapping", - MountPath: "/opt/ibm/identity-mgmt/config/scim-config", - }, - { - Name: "pgsql-ca-cert", - MountPath: "/certs/pgsql-ca", - }, - { - Name: "pgsql-client-cert", - MountPath: "/certs/pgsql-client", - }, - { - Name: "pgsql-client-cred", - MountPath: "/pgsql/clientinfo", - }, - }, + Resources: *resources, + VolumeMounts: buildIdentityManagerVolumeMounts(ldapSpcExist), ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ 
@@ -1121,25 +1038,25 @@ func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, id } -func buildContainers(instance *operatorv1alpha1.Authentication, authServiceImage string, icpConsoleURL string) []corev1.Container { +func buildContainers(instance *operatorv1alpha1.Authentication, authServiceImage string, icpConsoleURL string, ldapSpcExist bool) []corev1.Container { - authServiceContainer := buildAuthServiceContainer(instance, authServiceImage, icpConsoleURL) + authServiceContainer := buildAuthServiceContainer(instance, authServiceImage, icpConsoleURL, ldapSpcExist) //identityProviderContainer := buildIdentityProviderContainer(instance, identityProviderImage, icpConsoleURL, saasCrnId) //identityManagerContainer := buildIdentityManagerContainer(instance, identityManagerImage, icpConsoleURL) return []corev1.Container{authServiceContainer} } -func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string) []corev1.Container { +func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string, ldapSpcExist bool) []corev1.Container { - identityManagerContainer := buildIdentityManagerContainer(instance, identityManagerImage, icpConsoleURL) + identityManagerContainer := buildIdentityManagerContainer(instance, identityManagerImage, icpConsoleURL, ldapSpcExist) return []corev1.Container{identityManagerContainer} } -func buildProviderContainers(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCrnId string) []corev1.Container { +func buildProviderContainers(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCrnId string, ldapSpcExist bool) []corev1.Container { - identityProviderContainer := buildIdentityProviderContainer(instance, identityProviderImage, icpConsoleURL, saasCrnId) + identityProviderContainer := 
buildIdentityProviderContainer(instance, identityProviderImage, icpConsoleURL, saasCrnId, ldapSpcExist) return []corev1.Container{identityProviderContainer} } 
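Review bot: The two commented-out calls in buildContainers (`//identityProviderContainer := buildIdentityProviderContainer(instance, identityProviderImage, icpConsoleURL, saasCrnId)` and the identityManager one) still show the old argument lists, so they drift further from the real signatures with every pass-through change like this one; delete them, or update them if they are meant as a reminder. The rest of the hunk threads `ldapSpcExist` through three more signatures, and deployment.go threads `edbSpcExist` alongside it, so a small options value (for example `type volumeOpts struct{ ldapSpc, edbSpc bool }`) would let the next flag land without touching every call site. buildIdentityManagerContainer's body starts before this hunk.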
@@ -1185,3 +1102,135 @@ func buildInitContainerEnvVars(envVarList []string, configmapName string) []core } return envVars } + +func buildAuthSvcVolumeMounts(ldapSpcExist bool) []corev1.VolumeMount { + volumeMounts := []corev1.VolumeMount{ + { + Name: "auth-key", + MountPath: "/certs/platform-auth", + }, + { + Name: "ibmid-jwk-cert", + MountPath: "/certs/ibmid/jwk", + }, + { + Name: "ibmid-ssl-cert", + MountPath: "/certs/ibmid/ssl", + }, + { + Name: "ldaps-ca-cert", + MountPath: "/opt/ibm/ldaps", + }, + { + Name: "saml-cert", + MountPath: "/certs/saml-certs", + }, + { + Name: "pgsql-ca-cert", + MountPath: "/certs/pgsql-ca", + }, + { + Name: "pgsql-client-cert", + MountPath: "/certs/pgsql-client", + }, + { + Name: "pgsql-client-cred", + MountPath: "/pgsql/clientinfo", + }, + } + if ldapSpcExist { + volumeMounts = EnsureVolumeMountPresent(volumeMounts, GetLdapBindPwdVolumeMount()) + + } + + return volumeMounts +} + +func buildIdentityManagerVolumeMounts(ldapSpcExist bool) []corev1.VolumeMount { + volumeMounts := []corev1.VolumeMount{ + { + Name: "cluster-ca", + MountPath: "/opt/ibm/identity-mgmt/certs", + }, + { + Name: "platform-identity-management", + MountPath: "/opt/ibm/identity-mgmt/server/certs", + }, + { + Name: "scim-ldap-attributes-mapping", + MountPath: "/opt/ibm/identity-mgmt/config/scim-config", + }, + { + Name: "pgsql-ca-cert", + MountPath: "/certs/pgsql-ca", + }, + { + Name: "pgsql-client-cert", + MountPath: "/certs/pgsql-client", + }, + { + Name: "pgsql-client-cred", + MountPath: "/pgsql/clientinfo", + }, + } + if ldapSpcExist { + volumeMounts = EnsureVolumeMountPresent(volumeMounts, GetLdapBindPwdVolumeMount()) + + } + + return volumeMounts +} + +func buildIdentityProviderVolumeMounts(ldapSpcExist bool) []corev1.VolumeMount { + volumeMounts := []corev1.VolumeMount{ + { + Name: "auth-key", + MountPath: "/opt/ibm/identity-provider/server/boot/auth-key", + }, + { + Name: "identity-provider-cert", + MountPath: "/opt/ibm/identity-provider/certs", + }, + { + 
Name: "saml-cert", + MountPath: "/certs/saml-certs", + }, + { + Name: "pgsql-ca-cert", + MountPath: "/certs/pgsql-ca", + }, + { + Name: "pgsql-client-cert", + MountPath: "/certs/pgsql-client", + }, + { + Name: "pgsql-client-cred", + MountPath: "/pgsql/clientinfo", + }, + } + if ldapSpcExist { + volumeMounts = EnsureVolumeMountPresent(volumeMounts, GetLdapBindPwdVolumeMount()) + + } + + return volumeMounts +} + +// EnsureVolumeMountPresent checks if a volumeMount exists +// If not, it appends the new volume and returns the updated slice. +func EnsureVolumeMountPresent(volumeMounts []corev1.VolumeMount, newVolMount corev1.VolumeMount) []corev1.VolumeMount { + for _, v := range volumeMounts { + if v.Name == newVolMount.Name { + return volumeMounts // already exists + } + } + return append(volumeMounts, newVolMount) +} + +func GetLdapBindPwdVolumeMount() corev1.VolumeMount { + volMount := corev1.VolumeMount{ + Name: ctrlCommon.IMLdapBindPwdVolume, + MountPath: "/opt/ibm/vault/ldap-bind-cred", + } + return volMount +} diff --git a/controllers/operator/deployment.go b/controllers/operator/deployment.go index 245575a2..7274c4ab 100644 --- a/controllers/operator/deployment.go +++ b/controllers/operator/deployment.go @@ -41,6 +41,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" logf "sigs.k8s.io/controller-runtime/pkg/log" + sscsidriverv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1" ) const RestartAnnotation string = "authentications.operator.ibm.com/restartedAt" 
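Review bot: GetLdapBindPwdVolumeMount mounts the bind credential without `ReadOnly: true` on the VolumeMount, so the read-only intent lives only in the CSI volume's `ReadOnly: boolPtr(true)` over in deployment.go; adding `ReadOnly: true,` to the mount states it where a reader of the container spec will look and guards against a future volume definition that forgets it. GetLdapBindPwdVolumeMount is exported but undocumented; `// GetLdapBindPwdVolumeMount returns the read-only mount that exposes the LDAP bind credential CSI volume at /opt/ibm/vault/ldap-bind-cred.` would do. The `if ldapSpcExist { ... }` tail is copied verbatim into all three builders and could be a single helper that takes the base slice. Nothing in these hunks tells the services to read the bind password from that path rather than wherever they read it today; presumably that is configured on the Pak side — confirm.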
@@ -99,20 +100,23 @@ func (r *AuthenticationReconciler) handleDeployments(ctx context.Context, req ct saasServiceIdCrn = saasTenantConfigMap.Data["service_crn_id"] } + ldapSpcExists := r.CheckSPCExists(ctx, ctrlcommon.IMLdapBindPwdSpc, authCR.Namespace) + edbSpcExists := r.CheckSPCExists(ctx, ctrlcommon.IMExtEDBSecretSpc, authCR.Namespace) + imagePullSecret := os.Getenv("IMAGE_PULL_SECRET") builders := []*ctrlcommon.SecondaryReconcilerBuilder[*appsv1.Deployment]{ ctrlcommon.NewSecondaryReconcilerBuilder[*appsv1.Deployment](). WithName("platform-auth-service"). - WithGenerateFns(generatePlatformAuthService(imagePullSecret, icpConsoleURL, saasServiceIdCrn)). - WithModifyFns(modifyDeployment(r.needsRollout)), + WithGenerateFns(generatePlatformAuthService(imagePullSecret, icpConsoleURL, saasServiceIdCrn, ldapSpcExists, edbSpcExists)). + WithModifyFns(modifyDeployment(r.needsRollout, ldapSpcExists, edbSpcExists)), ctrlcommon.NewSecondaryReconcilerBuilder[*appsv1.Deployment](). WithName("platform-identity-management"). - WithGenerateFns(generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, saasServiceIdCrn)). - WithModifyFns(modifyDeployment(r.needsRollout)), + WithGenerateFns(generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, saasServiceIdCrn, ldapSpcExists, edbSpcExists)). + WithModifyFns(modifyDeployment(r.needsRollout, ldapSpcExists, edbSpcExists)), ctrlcommon.NewSecondaryReconcilerBuilder[*appsv1.Deployment](). WithName("platform-identity-provider"). - WithGenerateFns(generatePlatformIdentityProvider(imagePullSecret, samlConsoleURL, saasServiceIdCrn)). - WithModifyFns(modifyDeployment(r.needsRollout)), + WithGenerateFns(generatePlatformIdentityProvider(imagePullSecret, samlConsoleURL, saasServiceIdCrn, ldapSpcExists, edbSpcExists)). + WithModifyFns(modifyDeployment(r.needsRollout, ldapSpcExists, edbSpcExists)), } subRecs := []ctrlcommon.SecondaryReconciler{} 
@@ -175,7 +179,7 @@ func (r *AuthenticationReconciler) removeCP2Deployments(ctx context.Context, req return subreconciler.ContinueReconciling() } -func generatePlatformAuthService(imagePullSecret, icpConsoleURL, saasServiceIdCrn string) ctrlcommon.GenerateFn[*appsv1.Deployment] { +func generatePlatformAuthService(imagePullSecret, icpConsoleURL, saasServiceIdCrn string, ldapSpcExist bool, edbSpcExist bool) ctrlcommon.GenerateFn[*appsv1.Deployment] { return func(s ctrlcommon.SecondaryReconciler, ctx context.Context, deploy *appsv1.Deployment) (err error) { reqLogger := logf.FromContext(ctx) authServiceImage := common.GetImageRef("ICP_PLATFORM_AUTH_IMAGE") @@ -194,7 +198,7 @@ func generatePlatformAuthService(imagePullSecret, icpConsoleURL, saasServiceIdCr "app": s.GetName(), "operator.ibm.com/bindinfoRefresh": "enabled", }, - ctrlCommon.GetCommonLabels()) + ctrlcommon.GetCommonLabels()) podLabels := common.MergeMaps(nil, authCR.Spec.Labels, @@ -205,7 +209,7 @@ func generatePlatformAuthService(imagePullSecret, icpConsoleURL, saasServiceIdCr "app.kubernetes.io/instance": s.GetName(), "intent": "projected", }, - ctrlCommon.GetCommonLabels()) + ctrlcommon.GetCommonLabels()) *deploy = appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ @@ -331,13 +335,14 @@ func generatePlatformAuthService(imagePullSecret, icpConsoleURL, saasServiceIdCr Operator: corev1.TolerationOpExists, }, }, - Volumes: buildIdpVolumes(ldapCACert, routerCertSecret), - Containers: buildContainers(authCR, authServiceImage, icpConsoleURL), + Volumes: buildIdpVolumes(ldapCACert, routerCertSecret, ldapSpcExist, edbSpcExist), + Containers: buildContainers(authCR, authServiceImage, icpConsoleURL, ldapSpcExist), InitContainers: buildInitContainers(initContainerImage), }, }, }, } + if imagePullSecret != "" { deploy.Spec.Template.Spec.ImagePullSecrets = []corev1.LocalObjectReference{{Name: imagePullSecret}} } 
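Review bot: The `ctrlCommon` → `ctrlcommon` alias cleanup in these hunks is incomplete within the same patch: the new GetLdapBindPwdCsiVolume further down in deployment.go still reads `ctrlCommon.IMLdapBindPwdVolume`, so both aliases for the common package keep coexisting in this file (GetLdapBindPwdVolumeMount in containers.go does the same, though I cannot see that file's import block). Change those reads to `ctrlcommon.IMLdapBindPwdVolume` and, if nothing else references `ctrlCommon`, drop the duplicate import. The blank line added before `if imagePullSecret != ""` is harmless but unrelated to the change.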
@@ -351,7 +356,7 @@ func generatePlatformAuthService(imagePullSecret, icpConsoleURL, saasServiceIdCr } } -func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, saasServiceIdCrn string) ctrlcommon.GenerateFn[*appsv1.Deployment] { +func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, saasServiceIdCrn string, ldapSpcExist bool, edbSpcExist bool) ctrlcommon.GenerateFn[*appsv1.Deployment] { return func(s ctrlcommon.SecondaryReconciler, ctx context.Context, deploy *appsv1.Deployment) (err error) { reqLogger := logf.FromContext(ctx) identityManagerImage := common.GetImageRef("ICP_IDENTITY_MANAGER_IMAGE") @@ -370,7 +375,7 @@ func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, saasServ "app": s.GetName(), "operator.ibm.com/bindinfoRefresh": "enabled", }, - ctrlCommon.GetCommonLabels()) + ctrlcommon.GetCommonLabels()) podLabels := common.MergeMaps(nil, authCR.Spec.Labels, @@ -381,7 +386,7 @@ func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, saasServ "app.kubernetes.io/instance": s.GetName(), "intent": "projected", }, - ctrlCommon.GetCommonLabels()) + ctrlcommon.GetCommonLabels()) *deploy = appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ @@ -506,8 +511,8 @@ func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, saasServ Operator: corev1.TolerationOpExists, }, }, - Volumes: buildIdpVolumes(ldapCACert, routerCertSecret), - Containers: buildManagerContainers(authCR, identityManagerImage, icpConsoleURL), + Volumes: buildIdpVolumes(ldapCACert, routerCertSecret, ldapSpcExist, edbSpcExist), + Containers: buildManagerContainers(authCR, identityManagerImage, icpConsoleURL, ldapSpcExist), InitContainers: buildInitForMngrAndProvider(initContainerImage), }, }, 
@@ -525,7 +530,7 @@ func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, saasServ } } -func generatePlatformIdentityProvider(imagePullSecret, icpConsoleURL, saasServiceIdCrn string) ctrlcommon.GenerateFn[*appsv1.Deployment] { +func generatePlatformIdentityProvider(imagePullSecret, icpConsoleURL, saasServiceIdCrn string, ldapSpcExist bool, edbSpcExist bool) ctrlcommon.GenerateFn[*appsv1.Deployment] { return func(s common.SecondaryReconciler, ctx context.Context, deploy *appsv1.Deployment) (err error) { reqLogger := logf.FromContext(ctx) identityProviderImage := common.GetImageRef("ICP_IDENTITY_PROVIDER_IMAGE") @@ -544,7 +549,7 @@ func generatePlatformIdentityProvider(imagePullSecret, icpConsoleURL, saasServic "app": s.GetName(), "operator.ibm.com/bindinfoRefresh": "enabled", }, - ctrlCommon.GetCommonLabels()) + ctrlcommon.GetCommonLabels()) podLabels := common.MergeMaps(nil, authCR.Spec.Labels, @@ -555,7 +560,7 @@ func generatePlatformIdentityProvider(imagePullSecret, icpConsoleURL, saasServic "app.kubernetes.io/instance": s.GetName(), "intent": "projected", }, - ctrlCommon.GetCommonLabels()) + ctrlcommon.GetCommonLabels()) *deploy = appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ @@ -681,8 +686,8 @@ func generatePlatformIdentityProvider(imagePullSecret, icpConsoleURL, saasServic Operator: corev1.TolerationOpExists, }, }, - Volumes: buildIdpVolumes(ldapCACert, routerCertSecret), - Containers: buildProviderContainers(authCR, identityProviderImage, icpConsoleURL, saasServiceIdCrn), + Volumes: buildIdpVolumes(ldapCACert, routerCertSecret, ldapSpcExist, edbSpcExist), + Containers: buildProviderContainers(authCR, identityProviderImage, icpConsoleURL, saasServiceIdCrn, ldapSpcExist), InitContainers: buildInitForMngrAndProvider(initContainerImage), }, }, 
@@ -775,7 +780,7 @@ func specsDiffer(observed, generated *appsv1.Deployment) (different bool, err er // generated Deployments and makes modifications to the observed Deployment when // such differences are found. Returns a boolean representing whether a // modification was made and an error if the operation could not be completed. -func modifyDeployment(needsRollout bool) ctrlcommon.ModifyFn[*appsv1.Deployment] { +func modifyDeployment(needsRollout bool, ldapSpcExist bool, edbSpcExist bool) ctrlcommon.ModifyFn[*appsv1.Deployment] { return func(s ctrlcommon.SecondaryReconciler, ctx context.Context, observed, generated *appsv1.Deployment) (modified bool, err error) { preserveObservedFields(observed, generated) authCR, ok := s.GetPrimary().(*operatorv1alpha1.Authentication) @@ -845,8 +850,8 @@ func hasDataField(fields metav1.ManagedFieldsEntry) bool { return false } -func buildIdpVolumes(ldapCACert string, routerCertSecret string) []corev1.Volume { - return []corev1.Volume{ +func buildIdpVolumes(ldapCACert string, routerCertSecret string, ldapSpcExist bool, edbSpcExist bool) []corev1.Volume { + volumes := []corev1.Volume{ { Name: "platform-identity-management", VolumeSource: corev1.VolumeSource{ @@ -991,40 +996,6 @@ func buildIdpVolumes(ldapCACert string, routerCertSecret string) []corev1.Volume }, }, }, - { - Name: "pgsql-ca-cert", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: ctrlcommon.DatastoreEDBSecretName, - Items: []corev1.KeyToPath{ - { - Key: "ca.crt", - Path: "ca.crt", - }, - }, - DefaultMode: &partialAccess, - }, - }, - }, - { - Name: "pgsql-client-cert", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: ctrlcommon.DatastoreEDBSecretName, - Items: []corev1.KeyToPath{ - { - Key: "tls.crt", - Path: "tls.crt", - }, - { - Key: "tls.key", - Path: "tls.key", - }, - }, - DefaultMode: &partialAccess, - }, - }, - }, { Name: "pgsql-client-cred", VolumeSource: corev1.VolumeSource{ 
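Review bot: modifyDeployment gains `ldapSpcExist` and `edbSpcExist` but nothing in the visible part of its body reads them; the function continues past the hunk, so if they feed the observed-vs-generated volume comparison there (GetVolumeType in the following hunk looks built for that), fine — otherwise drop them rather than carry unused parameters. Worth stating in its doc comment either way: switching a volume between Secret and CSI changes the pod template, so the first reconcile after an SPC appears (or after CheckSPCExists flips for any reason) rolls all three Deployments, and that is the intended trigger, e.g. `// A change of volume source (Secret vs. CSI) is a template change and deliberately triggers a rollout.` buildIdpVolumes' body also runs past the end of this hunk.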
@@ -1054,4 +1025,153 @@ func buildIdpVolumes(ldapCACert string, routerCertSecret string) []corev1.Volume }, }, } + + if ldapSpcExist { + volumes = EnsureVolumePresent(volumes, GetLdapBindPwdCsiVolume()) + } + if edbSpcExist { + volumes = EnsureVolumePresent(volumes, GetPgsqlCACsiVolume()) + volumes = EnsureVolumePresent(volumes, GetPgsqlClientCsiVolume()) + } else { + volumes = EnsureVolumePresent(volumes, GetPgsqlCASecretVolume()) + volumes = EnsureVolumePresent(volumes, GetPgsqlClientSecretVolume()) + } + return volumes +} + +func (r *AuthenticationReconciler) CheckSPCExists(ctx context.Context, spcName string, namespace string) (exist bool) { + spc := &sscsidriverv1.SecretProviderClass{} + if ctrlcommon.ClusterHasCSIGroupVersion(&r.DiscoveryClient) { + err := r.Client.Get(ctx, types.NamespacedName{Name: spcName, Namespace: namespace}, spc) + return err == nil + } + return false +} + +func GetVolumeType(vol corev1.Volume) string { + switch { + case vol.VolumeSource.Secret != nil: + return "Secret" + case vol.VolumeSource.CSI != nil: + return "CSI" + case vol.VolumeSource.ConfigMap != nil: + return "ConfigMap" + // add other cases as needed + default: + return "Unknown" + } +} + +func GetPgsqlCASecretVolume() corev1.Volume { + vol := corev1.Volume{ + Name: "pgsql-ca-cert", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: ctrlcommon.DatastoreEDBSecretName, + Items: []corev1.KeyToPath{ + { + Key: "ca.crt", + Path: "ca.crt", + }, + }, + DefaultMode: &partialAccess, + }, + }, + } + return vol +} + +func GetPgsqlClientSecretVolume() corev1.Volume { + vol := corev1.Volume{ + Name: "pgsql-client-cert", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: ctrlcommon.DatastoreEDBSecretName, + Items: []corev1.KeyToPath{ + { + Key: "tls.crt", + Path: "tls.crt", + }, + { + Key: "tls.key", + Path: "tls.key", + }, + }, + DefaultMode: &partialAccess, + }, + }, + } + return vol +} + +func 
GetPgsqlCACsiVolume() corev1.Volume { + vol := corev1.Volume{ + Name: "pgsql-ca-cert", + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "secrets-store.csi.k8s.io", + ReadOnly: boolPtr(true), + VolumeAttributes: map[string]string{ + "secretProviderClass": ctrlcommon.IMExtEDBSecretSpc, + }, + }, + }, + } + return vol +} + +func GetPgsqlClientCsiVolume() corev1.Volume { + vol := corev1.Volume{ + Name: "pgsql-client-cert", + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "secrets-store.csi.k8s.io", + ReadOnly: boolPtr(true), + VolumeAttributes: map[string]string{ + "secretProviderClass": ctrlcommon.IMExtEDBSecretSpc, + }, + }, + }, + } + return vol +} + +func GetLdapBindPwdCsiVolume() corev1.Volume { + vol := corev1.Volume{ + Name: ctrlCommon.IMLdapBindPwdVolume, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: "secrets-store.csi.k8s.io", + ReadOnly: boolPtr(true), + VolumeAttributes: map[string]string{ + "secretProviderClass": ctrlcommon.IMLdapBindPwdSpc, + }, + }, + }, + } + return vol +} + +func boolPtr(b bool) *bool { + return &b +} + +// EnsureVolumePresent checks if a volume exists by name. +// If not, it appends the new volume and returns the updated slice. +func EnsureVolumePresent(volumes []corev1.Volume, newVol corev1.Volume) []corev1.Volume { + for _, v := range volumes { + if v.Name == newVol.Name { + return volumes // already exists + } + } + return append(volumes, newVol) +} + +func GetVolumeByName(volumes []corev1.Volume, name string) (corev1.Volume, bool) { + for _, v := range volumes { + if v.Name == name { + return v, true + } + } + return corev1.Volume{}, false } diff --git a/go.mod b/go.mod index 7ff6fee0..ba6e78a2 100644 --- a/go.mod +++ b/go.mod @@ -16,6 +16,7 @@ require ( k8s.io/client-go v0.28.1 k8s.io/utils v0.0.0-20230726121419-3b25d923346b sigs.k8s.io/controller-runtime v0.16.1 + sigs.k8s.io/secrets-store-csi-driver v1.5.1 ) require ( 
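Review bot: CheckSPCExists returns `err == nil`, so a Forbidden (RBAC not yet rolled out), a timeout or an unsynced cache is indistinguishable from NotFound and silently selects the Secret-backed EDB volumes and drops the LDAP bind mount; the next successful reconcile flips the pod template back, rolling all three Deployments again, and in between the services run without the credential the SPC was meant to supply. Only NotFound should mean "absent"; any other error should be returned so handleDeployments can requeue — the fence sketches it using apimachinery's `errors.IsNotFound`, which the file may need to import, and the callers in handleDeployments then need to handle the error. The CSI volumes also have no counterpart to the `DefaultMode: &partialAccess` that the Secret-backed pgsql volumes set: the mode of tls.key and of the bind credential inside the pod is whatever the Pak-owned SPC's provider objects request, and the Secrets Store providers I know default to 0644 when `filePermission` is unset, so that expectation belongs in the contract next to the SPC name constants. Smaller points: `"secrets-store.csi.k8s.io"` is spelled three times (a package-level const would stop a typo from producing an unmountable pod), GetLdapBindPwdCsiVolume uses `ctrlCommon` while its neighbours use `ctrlcommon`, and GetVolumeType/GetVolumeByName are not referenced by any visible hunk.
```go
// CheckSPCExists reports whether the named SecretProviderClass exists in namespace.
// Only NotFound means "absent"; any other API error is returned so the caller can
// requeue instead of silently falling back to Secret-backed volumes.
func (r *AuthenticationReconciler) CheckSPCExists(ctx context.Context, spcName string, namespace string) (bool, error) {
	if !ctrlcommon.ClusterHasCSIGroupVersion(&r.DiscoveryClient) {
		return false, nil
	}
	spc := &sscsidriverv1.SecretProviderClass{}
	err := r.Client.Get(ctx, types.NamespacedName{Name: spcName, Namespace: namespace}, spc)
	switch {
	case err == nil:
		return true, nil
	case apierrors.IsNotFound(err):
		return false, nil
	default:
		return false, fmt.Errorf("looking up SecretProviderClass %s/%s: %w", namespace, spcName, err)
	}
}
```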
@@ -34,7 +35,7 @@ require ( github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect diff --git a/go.sum b/go.sum index 16826f77..deb58e03 100644 --- a/go.sum +++ b/go.sum 
@@ -40,14 +40,12 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -236,8 +234,6 @@ gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -273,6 +269,8 @@ sigs.k8s.io/controller-runtime v0.16.1 h1:+15lzrmHsE0s2kNl0Dl8cTchI5Cs8qofo5PGcP sigs.k8s.io/controller-runtime v0.16.1/go.mod h1:vpMu3LpI5sYWtujJOa2uPK61nB5rbwlN7BAB8aSLvGU= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/secrets-store-csi-driver v1.5.1 h1:agXZcHDgteybHKtnmwH9uR0bBwrULfNsl4q6XCQx3YI= +sigs.k8s.io/secrets-store-csi-driver v1.5.1/go.mod h1:drcHdJiveR7a20tuOJwGylJxkwaK4GhVibpT4llZN7A= sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= diff --git a/helm/templates/00-rbac.yaml b/helm/templates/00-rbac.yaml index b2d5218d..9dfe1fdb 100644 --- a/helm/templates/00-rbac.yaml +++ b/helm/templates/00-rbac.yaml 
@@ -284,6 +284,14 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasses
+ verbs:
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/main.go b/main.go
index 3a44f875..3f7dc305 100644
--- a/main.go
+++ b/main.go
@@ -34,6 +34,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/healthz"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
+ sscsidriverv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 
 certmgrv1 "github.com/IBM/ibm-iam-operator/apis/certmanager/v1"
 oidcsecurityv1 "github.com/IBM/ibm-iam-operator/apis/oidc.security/v1"
@@ -60,6 +61,8 @@ func init() {
 utilruntime.Must(oidcsecurityv1.AddToScheme(scheme))
 utilruntime.Must(certmgrv1.AddToScheme(scheme))
 utilruntime.Must(zenv1.AddToScheme(scheme))
+ utilruntime.Must(sscsidriverv1.AddToScheme(scheme))
+
 // Add the Route scheme if found on the cluster
 cfg, err := config.GetConfig()
 if err != nil {
From df175dc47611cce057dac0a33adc1252e5c20ecb Mon Sep 17 00:00:00 2001
From: TIRUMALA MANNARU
Date: Fri, 27 Jun 2025 22:31:15 +0530
Subject: [PATCH 2/2] single volume for pgsql certs

---
 controllers/common/constants.go | 4 +-
 .../operator/authentication_controller.go | 24 ++++++-
 controllers/operator/containers.go | 24 ++----
 controllers/operator/deployment.go | 70 +++----------------
 4 files changed, 40 insertions(+), 82 deletions(-)

diff --git a/controllers/common/constants.go b/controllers/common/constants.go
index 9d4261a6..1ab3c84f 100644
--- a/controllers/common/constants.go
+++ b/controllers/common/constants.go
@@ -38,10 +38,10 @@ const MongoStatefulsetName string = "icp-mongodb"
 const DatastoreEDBCSName string = "im-common-service"
 
 // Name of SecretProvoderClass created by Paks that contains ldap bindpassword
-const IMLdapBindPwdSpc string = "im-ldap-bind-pwd-spc"
+const IMLdapBindCredSpc string = "im-ldap-bind-creds-spc"
 
 // Name of SecretProvoderClass created by Paks that contains external edb certs
-const IMExtEDBSecretSpc string = "im-external-edb-certs-spc"
+const IMExtEDBSecretSpc string = "im-external-edb-creds-spc"
 
 // Name of volume that holds ldap bindpassword spc
 const IMLdapBindPwdVolume string = "ldap-bind-cred-vol"
diff --git a/controllers/operator/authentication_controller.go b/controllers/operator/authentication_controller.go
index 261b099c..ba835ac9 100644
--- a/controllers/operator/authentication_controller.go
+++ b/controllers/operator/authentication_controller.go
@@ -399,9 +399,6 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 if ctrlcommon.ClusterHasOperandBindInfoAPIResource(&r.DiscoveryClient) {
 authCtrl.Watches(&operatorv1alpha1.OperandBindInfo{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner()))
 }
- if ctrlcommon.ClusterHasCSIGroupVersion(&r.DiscoveryClient) {
- authCtrl.Watches(&sscsidriverv1.SecretProviderClass{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner()))
- }
 
 productCMPred := predicate.Funcs{
 UpdateFunc: func(e event.UpdateEvent) bool {
@@ -448,6 +445,27 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 }
 }), builder.WithPredicates(predicate.Or(globalCMPred, productCMPred)),
 )
+ ldapSPCPred := predicate.NewPredicateFuncs(func(o client.Object) bool {
+ return o.GetName() == ctrlcommon.IMLdapBindCredSpc
+ })
+ edbSPCPred := predicate.NewPredicateFuncs(func(o client.Object) bool {
+ return o.GetName() == ctrlcommon.IMExtEDBSecretSpc
+ })
+
+ authCtrl.Watches(&sscsidriverv1.SecretProviderClass{},
+ handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, o client.Object) (requests []reconcile.Request) {
+ authCR, _ := ctrlcommon.GetAuthentication(ctx, r.Client)
+ if authCR == nil {
+ return
+ }
+ return []reconcile.Request{
+ {NamespacedName: types.NamespacedName{
+ Name: authCR.Name,
+ Namespace: authCR.Namespace,
+ }},
+ }
+ }), builder.WithPredicates(predicate.Or(ldapSPCPred, edbSPCPred)),
+ )
 bootstrappedPred := predicate.NewPredicateFuncs(func(o client.Object) bool {
 return o.GetLabels()[ctrlcommon.ManagerVersionLabel] == version.Version
 })
diff --git a/controllers/operator/containers.go b/controllers/operator/containers.go
index f942a010..57c61ab6 100644
--- a/controllers/operator/containers.go
+++ b/controllers/operator/containers.go
@@ -1126,12 +1126,8 @@ func buildAuthSvcVolumeMounts(ldapSpcExist bool) []corev1.VolumeMount {
 MountPath: "/certs/saml-certs",
 },
 {
- Name: "pgsql-ca-cert",
- MountPath: "/certs/pgsql-ca",
- },
- {
- Name: "pgsql-client-cert",
- MountPath: "/certs/pgsql-client",
+ Name: "pgsql-certs",
+ MountPath: "/certs/pgsql",
 },
 {
 Name: "pgsql-client-cred",
@@ -1161,12 +1157,8 @@ func buildIdentityManagerVolumeMounts(ldapSpcExist bool) []corev1.VolumeMount {
 MountPath: "/opt/ibm/identity-mgmt/config/scim-config",
 },
 {
- Name: "pgsql-ca-cert",
- MountPath: "/certs/pgsql-ca",
- },
- {
- Name: "pgsql-client-cert",
- MountPath: "/certs/pgsql-client",
+ Name: "pgsql-certs",
+ MountPath: "/certs/pgsql",
 },
 {
 Name: "pgsql-client-cred",
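Review bot: The `SecretProviderClass` watch added here is registered unconditionally, while the hunk at -399 on the previous line removed the `ClusterHasCSIGroupVersion` gate that patch 1 had put around it; on a cluster where the secrets-store CSI driver CRDs are not installed, controller-runtime will likely be unable to start an informer for that kind and the manager start-up fails, so wrapping the new `authCtrl.Watches(&sscsidriverv1.SecretProviderClass{}, ...)` call in `if ctrlcommon.ClusterHasCSIGroupVersion(&r.DiscoveryClient) { ... }` keeps the operator deployable without the driver. The map function also discards the error from the lookup, `authCR, _ := ctrlcommon.GetAuthentication(ctx, r.Client)`, so a transient API failure is indistinguishable from "no Authentication yet" and the event is silently dropped; logging the error before returning makes missed reconciles diagnosable. The two predicates match on name only, so a `SecretProviderClass` with one of the two names in any namespace the cache covers enqueues the Authentication; comparing `o.GetNamespace()` with `authCR.Namespace` inside the map function keeps the trigger scoped to the namespace whose classes `handleDeployments` actually checks. SetupWithManager starts and ends outside this hunk.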
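Review bot: The single `pgsql-certs` mount at `/certs/pgsql` replaces the former `/certs/pgsql-ca` and `/certs/pgsql-client` directories, but the container environment or config that tells the services where to read `ca.crt`, `tls.crt` and `tls.key` from is not part of this hunk, so confirm those path references were updated as well, otherwise the services look for files that are no longer mounted. The same change is made in the hunks at -1161 (identity-manager) and -1196 (identity-provider, next line) and the same check applies there. A short comment on the new entry, `// ca.crt, tls.crt and tls.key are all served from this one mount`, would record the expected file layout for whoever maintains the SecretProviderClass. The enclosing builder functions start and end outside the hunks.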
@@ -1196,12 +1188,8 @@ func buildIdentityProviderVolumeMounts(ldapSpcExist bool) []corev1.VolumeMount { MountPath: "/certs/saml-certs", }, { - Name: "pgsql-ca-cert", - MountPath: "/certs/pgsql-ca", - }, - { - Name: "pgsql-client-cert", - MountPath: "/certs/pgsql-client", + Name: "pgsql-certs", + MountPath: "/certs/pgsql", }, { Name: "pgsql-client-cred", diff --git a/controllers/operator/deployment.go b/controllers/operator/deployment.go index 7274c4ab..0d10b6f2 100644 --- a/controllers/operator/deployment.go +++ b/controllers/operator/deployment.go @@ -100,9 +100,8 @@ func (r *AuthenticationReconciler) handleDeployments(ctx context.Context, req ct saasServiceIdCrn = saasTenantConfigMap.Data["service_crn_id"] } - ldapSpcExists := r.CheckSPCExists(ctx, ctrlcommon.IMLdapBindPwdSpc, authCR.Namespace) + ldapSpcExists := r.CheckSPCExists(ctx, ctrlcommon.IMLdapBindCredSpc, authCR.Namespace) edbSpcExists := r.CheckSPCExists(ctx, ctrlcommon.IMExtEDBSecretSpc, authCR.Namespace) - imagePullSecret := os.Getenv("IMAGE_PULL_SECRET") builders := []*ctrlcommon.SecondaryReconcilerBuilder[*appsv1.Deployment]{ ctrlcommon.NewSecondaryReconcilerBuilder[*appsv1.Deployment](). @@ -1027,14 +1026,12 @@ func buildIdpVolumes(ldapCACert string, routerCertSecret string, ldapSpcExist bo } if ldapSpcExist { - volumes = EnsureVolumePresent(volumes, GetLdapBindPwdCsiVolume()) + volumes = EnsureVolumePresent(volumes, GetLdapBindCredCsiVolume()) } if edbSpcExist { - volumes = EnsureVolumePresent(volumes, GetPgsqlCACsiVolume()) - volumes = EnsureVolumePresent(volumes, GetPgsqlClientCsiVolume()) + volumes = EnsureVolumePresent(volumes, GetPgsqlCredCsiVolume()) } else { - volumes = EnsureVolumePresent(volumes, GetPgsqlCASecretVolume()) - volumes = EnsureVolumePresent(volumes, GetPgsqlClientSecretVolume()) + volumes = EnsureVolumePresent(volumes, GetPgsqlSecretVolume()) } return volumes } 
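Review bot: In `buildIdpVolumes` the source of the `pgsql-certs` volume now flips between CSI and Secret on `edbSpcExist`, yet a Deployment created by an earlier operator version still carries the `pgsql-ca-cert` and `pgsql-client-cert` volumes and mounts; whether those stale entries are pruned depends on how `EnsureVolumePresent` and the deployment reconciler merge the pod spec, which is outside this hunk, so an upgrade should be checked for leftover volumes that still project the old secret keys. Likewise, when `edbSpcExist` changes after the Deployment exists, `EnsureVolumePresent` must overwrite a same-named volume of the other source type rather than leave it in place; a comment at the call site stating that contract, `// pgsql-certs is keyed by name: a stale Secret/CSI source must be replaced, not kept`, would make the assumption explicit. In the -100 hunk above, the `-` marker before `imagePullSecret := os.Getenv("IMAGE_PULL_SECRET")` may belong to that line or to a removed blank line; if the variable is removed, confirm no builder later in handleDeployments still references it. Both enclosing functions start outside their hunks.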
@@ -1062,41 +1059,12 @@ func GetVolumeType(vol corev1.Volume) string {
 }
 }
 
-func GetPgsqlCASecretVolume() corev1.Volume {
+func GetPgsqlSecretVolume() corev1.Volume {
 vol := corev1.Volume{
- Name: "pgsql-ca-cert",
+ Name: "pgsql-certs",
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
- SecretName: ctrlcommon.DatastoreEDBSecretName,
- Items: []corev1.KeyToPath{
- {
- Key: "ca.crt",
- Path: "ca.crt",
- },
- },
- DefaultMode: &partialAccess,
- },
- },
- }
- return vol
-}
-
-func GetPgsqlClientSecretVolume() corev1.Volume {
- vol := corev1.Volume{
- Name: "pgsql-client-cert",
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: ctrlcommon.DatastoreEDBSecretName,
- Items: []corev1.KeyToPath{
- {
- Key: "tls.crt",
- Path: "tls.crt",
- },
- {
- Key: "tls.key",
- Path: "tls.key",
- },
- },
+ SecretName: ctrlcommon.DatastoreEDBSecretName,
 DefaultMode: &partialAccess,
 },
 },
@@ -1104,25 +1072,9 @@ func GetPgsqlClientSecretVolume() corev1.Volume {
 return vol
 }
 
-func GetPgsqlCACsiVolume() corev1.Volume {
- vol := corev1.Volume{
- Name: "pgsql-ca-cert",
- VolumeSource: corev1.VolumeSource{
- CSI: &corev1.CSIVolumeSource{
- Driver: "secrets-store.csi.k8s.io",
- ReadOnly: boolPtr(true),
- VolumeAttributes: map[string]string{
- "secretProviderClass": ctrlcommon.IMExtEDBSecretSpc,
- },
- },
- },
- }
- return vol
-}
-
-func GetPgsqlClientCsiVolume() corev1.Volume {
+func GetPgsqlCredCsiVolume() corev1.Volume {
 vol := corev1.Volume{
- Name: "pgsql-client-cert",
+ Name: "pgsql-certs",
 VolumeSource: corev1.VolumeSource{
 CSI: &corev1.CSIVolumeSource{
 Driver: "secrets-store.csi.k8s.io",
@@ -1136,7 +1088,7 @@ func GetPgsqlClientCsiVolume() corev1.Volume {
 return vol
 }
 
-func GetLdapBindPwdCsiVolume() corev1.Volume {
+func GetLdapBindCredCsiVolume() corev1.Volume {
 vol := corev1.Volume{
 Name: ctrlCommon.IMLdapBindPwdVolume,
 VolumeSource: corev1.VolumeSource{
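Review bot: `GetPgsqlSecretVolume` drops the `Items` projection, so every key held in `ctrlcommon.DatastoreEDBSecretName` is now mounted under `/certs/pgsql`, whereas the two volumes it replaces projected only `ca.crt`, and `tls.crt` plus `tls.key`; if that secret carries any further keys (its layout is not visible here) they become readable from the service containers without being needed. Keeping an explicit `Items` list preserves the single-volume design while mounting only the three files the services use, as below. Because the CSI variant in the -1104 hunk, `GetPgsqlCredCsiVolume`, shares the same mount, the `IMExtEDBSecretSpc` class maintained outside this repo must emit the same three file names; a comment on both functions stating that expected layout would keep the two sources in step.

```go
			Secret: &corev1.SecretVolumeSource{
				SecretName: ctrlcommon.DatastoreEDBSecretName,
				// Project only the files the services read; any other key
				// present in the secret stays unmounted.
				Items: []corev1.KeyToPath{
					{Key: "ca.crt", Path: "ca.crt"},
					{Key: "tls.crt", Path: "tls.crt"},
					{Key: "tls.key", Path: "tls.key"},
				},
				DefaultMode: &partialAccess,
				// … unchanged: closing braces and return vol …
```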
@@ -1144,7 +1096,7 @@ func GetLdapBindPwdCsiVolume() corev1.Volume {
 Driver: "secrets-store.csi.k8s.io",
 ReadOnly: boolPtr(true),
 VolumeAttributes: map[string]string{
- "secretProviderClass": ctrlcommon.IMLdapBindPwdSpc,
+ "secretProviderClass": ctrlcommon.IMLdapBindCredSpc,
 },
 },
 },