[Audit log forwarding] - update audit-tls secret to IM deployments for audit forwarding support

api/operator/v1alpha1/authentication_types.go

@@ -139,8 +139,8 @@ type ConfigSpec struct {
 	ICPPort                     int32          `json:"icpPort"`
 	FIPSEnabled                 bool           `json:"fipsEnabled"`
 	ROKSEnabled                 bool           `json:"roksEnabled"`
-	AuditUrl                    string         `json:"auditUrl,omitempty"`
-	AuditSecret                 string         `json:"auditSecret,omitempty"`
+	AuditUrl                    *string        `json:"auditUrl,omitempty"`
+	AuditSecret                 *string        `json:"auditSecret,omitempty"`
 	IBMCloudSaas                bool           `json:"ibmCloudSaas,omitempty"`
 	OnPremMultipleDeploy        bool           `json:"onPremMultipleDeploy,omitempty"`
 	SaasClientRedirectUrl       string         `json:"saasClientRedirectUrl,omitempty"`

internal/controller/operator/configmap.go

@@ -473,8 +473,8 @@ func (r *AuthenticationReconciler) generateAuthIdpConfigMap(clusterInfo *corev1.
 				"AUDIT_ENABLED_IDPROVIDER":           "false",
 				"AUDIT_ENABLED_IDMGMT":               "false",
 				"AUDIT_DETAIL":                       "false",
-				"AUDIT_URL":                          authCR.Spec.Config.AuditUrl,
-				"AUDIT_SECRET":                       authCR.Spec.Config.AuditSecret,
+				"AUDIT_URL":                          *authCR.Spec.Config.AuditUrl,
+				"AUDIT_SECRET":                       *authCR.Spec.Config.AuditSecret,
 				"LOG_LEVEL_IDPROVIDER":               "info",
 				"LOG_LEVEL_AUTHSVC":                  "info",
 				"LOG_LEVEL_IDMGMT":                   "info",

internal/controller/operator/containers.go

@@ -414,7 +414,7 @@ func buildAuthServiceContainer(instance *operatorv1alpha1.Authentication, authSe
 
 }
 
-func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, identityProviderImage string, _ string, saasCRNId string, auditSecretName *string) corev1.Container {
+func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, identityProviderImage string, _ string, saasCRNId string) corev1.Container {
 
 	resources := instance.Spec.IdentityProvider.Resources
 	if resources == nil {
@@ -701,7 +701,7 @@ func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, i
 			},
 		},
 		Resources:    *resources,
-		VolumeMounts: buildIdentityProviderVolumeMounts(auditSecretName),
+		VolumeMounts: buildIdentityProviderVolumeMounts(instance.Spec.Config.AuditSecret),
 		ReadinessProbe: &corev1.Probe{
 			ProbeHandler: corev1.ProbeHandler{
 				Exec: &corev1.ExecAction{
@@ -731,7 +731,7 @@ func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, i
 
 }
 
-func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, identityManagerImage string, _ string, auditSecretName *string) corev1.Container {
+func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, identityManagerImage string, _ string) corev1.Container {
 
 	replicaCount := int(instance.Spec.Replicas)
 	resources := instance.Spec.IdentityManager.Resources
@@ -1048,7 +1048,7 @@ func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, id
 			},
 		},
 		Resources:    *resources,
-		VolumeMounts: buildIdentityManagerVolumeMounts(auditSecretName),
+		VolumeMounts: buildIdentityManagerVolumeMounts(instance.Spec.Config.AuditSecret),
 		ReadinessProbe: &corev1.Probe{
 			ProbeHandler: corev1.ProbeHandler{
 				Exec: &corev1.ExecAction{
@@ -1087,16 +1087,16 @@ func buildContainers(instance *operatorv1alpha1.Authentication, authServiceImage
 	return []corev1.Container{authServiceContainer}
 }
 
-func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string, auditSecretName *string) []corev1.Container {
+func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string) []corev1.Container {
 
-	identityManagerContainer := buildIdentityManagerContainer(instance, identityManagerImage, icpConsoleURL, auditSecretName)
+	identityManagerContainer := buildIdentityManagerContainer(instance, identityManagerImage, icpConsoleURL)
 
 	return []corev1.Container{identityManagerContainer}
 }
 
-func buildProviderContainers(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCrnId string, auditSecretName *string) []corev1.Container {
+func buildProviderContainers(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCrnId string) []corev1.Container {
 
-	identityProviderContainer := buildIdentityProviderContainer(instance, identityProviderImage, icpConsoleURL, saasCrnId, auditSecretName)
+	identityProviderContainer := buildIdentityProviderContainer(instance, identityProviderImage, icpConsoleURL, saasCrnId)
 
 	return []corev1.Container{identityProviderContainer}
 }
@@ -1200,7 +1200,7 @@ func buildIdentityProviderVolumeMounts(auditSecretName *string) []corev1.VolumeM
 			MountPath: "/pgsql/clientinfo",
 		},
 	}
-	if auditSecretName != nil {
+	if auditSecretName != nil && *auditSecretName != "" {
 		newVolMount := corev1.VolumeMount{
 			Name:      IMAuditTLSVolume,
 			MountPath: "/certs/audit-tls",

internal/controller/operator/deployment.go

@@ -82,7 +82,7 @@ func (r *AuthenticationReconciler) handleDeployments(ctx context.Context, req ct
 		samlConsoleURL = icpConsoleURL
 	}
 
-	auditSecretName, err := r.getAuditSecretNameIfExists(ctx, req.Namespace)
+	auditSecretName, err := r.getAuditSecretNameIfExists(context.TODO(), req.Namespace, authCR.Spec.Config.AuditUrl, authCR.Spec.Config.AuditSecret)
 	if err != nil {
 		return subreconciler.RequeueWithError(err)
 	}
@@ -189,50 +189,35 @@ func (r *AuthenticationReconciler) removeCP2Deployments(ctx context.Context, req
 // cluster, or an empty string when the Secret isn't found or cannot otherwise
 // be retrieved. If an error other than NotFound is received when trying to get
 // the Secret, that is returned as well.
-func (r *AuthenticationReconciler) getAuditSecretNameIfExists(ctx context.Context, namespace string) (*string, error) {
-	var auditSecretName string
-	var auditURL string
-	// Check for the presence of audit-endpoint configmap
-	authIdpConfigMapName := "platform-auth-idp"
-	authIdpConfigMap := &corev1.ConfigMap{}
-	idpCMLogger := log.WithValues("ConfigMap.Name", authIdpConfigMapName, "ConfigMap.Namespace", namespace)
-	if err := r.Get(ctx, types.NamespacedName{Name: authIdpConfigMapName, Namespace: namespace}, authIdpConfigMap); k8sErrors.IsNotFound(err) {
-		idpCMLogger.Info("ConfigMap was not found")
-		return nil, nil
-	} else if err != nil {
-		idpCMLogger.Error(err, "Failed to get ConfigMap")
-		return nil, err
-	}
-	if authIdpConfigMap.Data == nil {
-		idpCMLogger.Info("Invalid ConfigMap")
-		return nil, nil
-	}
-	if authIdpConfigMap.Data["AUDIT_URL"] == "" {
-		idpCMLogger.Info("Audit URL is not specified in ConfigMap; assume no Secret to mount", "key", "AUDIT_URL")
+func (r *AuthenticationReconciler) getAuditSecretNameIfExists(ctx context.Context, namespace string, auditUrl *string, auditSecretName *string) (*string, error) {
+	//var auditSecretName string
+	//var auditURL string
+	reqLogger := logf.FromContext(ctx)
+
+	if auditUrl == nil {
+		reqLogger.Info("Audit URL is not specified in Authentication CR", "key", "AUDIT_URL")
 		return nil, nil
 	}
-	if authIdpConfigMap.Data["AUDIT_SECRET"] == "" {
-		idpCMLogger.Info("Audit Secret is not specified in ConfigMap; assume no Secret", "key", "AUDIT_SECRET")
+	if auditSecretName == nil {
+		reqLogger.Info("Audit Secret is not specified in Authentication CR", "key", "AUDIT_SECRET")
 		return nil, nil
 	}
-	auditURL = authIdpConfigMap.Data["AUDIT_URL"]
-	auditSecretName = authIdpConfigMap.Data["AUDIT_SECRET"]
-	idpCMLogger.Info("Fetched audit URL and audit Secret from ConfigMap", "AUDIT_SECRET", auditSecretName, "AUDIT_URL", auditURL)
 
-	auditTLSSecretLogger := log.WithValues("Secret.Name", auditSecretName, "Secret.Namespace", namespace)
+	reqLogger.Info("Fetched audit URL and audit Secret from Authentication CR", "AUDIT_SECRET", auditSecretName, "AUDIT_URL", auditUrl)
+
 	auditTLSSecret := &corev1.Secret{}
-	auditTLSSecretStruct := types.NamespacedName{Name: auditSecretName, Namespace: namespace}
-	err := r.Get(ctx, auditTLSSecretStruct, auditTLSSecret)
-	if k8sErrors.IsNotFound(err) {
-		auditTLSSecretLogger.Info("Secret for audit configuration not found")
+	auditTLSSecretStruct := types.NamespacedName{Name: *auditSecretName, Namespace: namespace}
+	err1 := r.Get(ctx, auditTLSSecretStruct, auditTLSSecret)
+	if k8sErrors.IsNotFound(err1) {
+		reqLogger.Info("Secret for audit configuration not found")
 		return nil, nil
-	} else if err != nil {
-		auditTLSSecretLogger.Error(err, "Failed to retrieve Secret for audit configuration")
-		return nil, err
+	} else if err1 != nil {
+		reqLogger.Error(err1, "Failed to retrieve Secret for audit configuration")
+		return nil, err1
 	}
 
-	auditTLSSecretLogger.Info("Secret found for audit configuration")
-	return &auditSecretName, nil
+	reqLogger.Info("Secret found for audit configuration")
+	return auditSecretName, nil
 }
 
 func generatePlatformAuthService(imagePullSecret, icpConsoleURL, _ string) common.GenerateFn[*appsv1.Deployment] {
@@ -567,7 +552,7 @@ func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, _ string
 							},
 						},
 						Volumes:        buildIdpVolumes(ldapCACert, routerCertSecret, auditSecretName),
-						Containers:     buildManagerContainers(authCR, identityManagerImage, icpConsoleURL, auditSecretName),
+						Containers:     buildManagerContainers(authCR, identityManagerImage, icpConsoleURL),
 						InitContainers: buildInitForMngrAndProvider(initContainerImage),
 					},
 				},
@@ -742,7 +727,7 @@ func generatePlatformIdentityProvider(imagePullSecret, icpConsoleURL, saasServic
 							},
 						},
 						Volumes:        buildIdpVolumes(ldapCACert, routerCertSecret, auditSecretName),
-						Containers:     buildProviderContainers(authCR, identityProviderImage, icpConsoleURL, saasServiceIdCrn, auditSecretName),
+						Containers:     buildProviderContainers(authCR, identityProviderImage, icpConsoleURL, saasServiceIdCrn),
 						InitContainers: buildInitForMngrAndProvider(initContainerImage),
 					},
 				},