[Audit log forwarding] - update audit-tls secret to IM deployments for audit forwarding support

bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml

@@ -79,6 +79,8 @@ metadata:
               "openshiftPort": 443,
               "preferredLogin": "",
               "providerIssuerURL": "",
+              "auditUrl": "",
+              "auditSecret": "",
               "roksEnabled": true,
               "roksURL": "https://roks.domain.name:443",
               "roksUserPrefix": "changeme",

bundle/manifests/operator.ibm.com_authentications.yaml

@@ -228,7 +228,7 @@ spec:
                     type: string
                   providerIssuerURL:
                     type: string
-                  auditURL:
+                  auditUrl:
                     type: string
                   auditSecret:
                     type: string

config/crd/bases/operator.ibm.com_authentications.yaml

@@ -219,7 +219,11 @@ spec:
                   preferredLogin:
                     type: string
                   defaultLogin:
-                    type: string 
+                    type: string
+                  auditUrl:
+                    type: string
+                  auditSecret:
+                    type: string
                   providerIssuerURL:
                     type: string
                   roksEnabled:

config/samples/bases/operator_v1alpha1_authentication.yaml

@@ -61,6 +61,8 @@ spec:
     preferredLogin: ''
     defaultLogin: ''
     bootstrapUserId: kubeadmin
+    auditUrl: ''
+    auditSecret: ''
     providerIssuerURL: ''
     claimsSupported: name,family_name,display_name,given_name,preferred_username
     claimsMap: name="givenName" family_name="givenName" given_name="givenName" preferred_username="displayName"

internal/controller/operator/authentication_controller.go

@@ -444,20 +444,6 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		}), builder.WithPredicates(predicate.Or(globalCMPred, productCMPred)),
 	)
 
-	authCtrl.Watches(&corev1.Secret{},
-		handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, o client.Object) (requests []reconcile.Request) {
-			authCR, _ := ctrlcommon.GetAuthentication(ctx, r.Client)
-			if authCR == nil {
-				return
-			}
-			return []reconcile.Request{
-				{NamespacedName: types.NamespacedName{
-					Name:      authCR.Name,
-					Namespace: authCR.Namespace,
-				}},
-			}
-		}),
-	)
 	bootstrappedPred := predicate.NewPredicateFuncs(func(o client.Object) bool {
 		return o.GetLabels()[ctrlcommon.ManagerVersionLabel] == version.Version
 	})

internal/controller/operator/configmap.go

@@ -442,7 +442,7 @@ func (r *AuthenticationReconciler) generateAuthIdpConfigMap(clusterInfo *corev1.
 		}
 
 		// Found AUDIT variables
-		reqLogger.Info("Found audit variables, audit url", authCR.Spec.Config.AuditUrl, " and audit secret", authCR.Spec.Config.AuditSecret)
+		reqLogger.Info("Found audit variables", "AuditUrl", authCR.Spec.Config.AuditUrl, "AuditSecret", authCR.Spec.Config.AuditSecret)
 
 		// Set the path for SAML connections
 		var masterPath string

internal/controller/operator/containers.go

@@ -414,7 +414,7 @@ func buildAuthServiceContainer(instance *operatorv1alpha1.Authentication, authSe
 
 }
 
-func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, identityProviderImage string, _ string, saasCRNId string, auditSecretName string) corev1.Container {
+func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, identityProviderImage string, _ string, saasCRNId string, auditSecretName *string) corev1.Container {
 
 	resources := instance.Spec.IdentityProvider.Resources
 	if resources == nil {
@@ -731,7 +731,7 @@ func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, i
 
 }
 
-func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, identityManagerImage string, _ string, auditSecretName string) corev1.Container {
+func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, identityManagerImage string, _ string, auditSecretName *string) corev1.Container {
 
 	replicaCount := int(instance.Spec.Replicas)
 	resources := instance.Spec.IdentityManager.Resources
@@ -1087,14 +1087,14 @@ func buildContainers(instance *operatorv1alpha1.Authentication, authServiceImage
 	return []corev1.Container{authServiceContainer}
 }
 
-func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string, auditSecretName string) []corev1.Container {
+func buildManagerContainers(instance *operatorv1alpha1.Authentication, identityManagerImage string, icpConsoleURL string, auditSecretName *string) []corev1.Container {
 
 	identityManagerContainer := buildIdentityManagerContainer(instance, identityManagerImage, icpConsoleURL, auditSecretName)
 
 	return []corev1.Container{identityManagerContainer}
 }
 
-func buildProviderContainers(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCrnId string, auditSecretName string) []corev1.Container {
+func buildProviderContainers(instance *operatorv1alpha1.Authentication, identityProviderImage string, icpConsoleURL string, saasCrnId string, auditSecretName *string) []corev1.Container {
 
 	identityProviderContainer := buildIdentityProviderContainer(instance, identityProviderImage, icpConsoleURL, saasCrnId, auditSecretName)
 
@@ -1143,7 +1143,7 @@ func buildInitContainerEnvVars(envVarList []string, configmapName string) []core
 	return envVars
 }
 
-func buildIdentityManagerVolumeMounts(auditSecretName string) []corev1.VolumeMount {
+func buildIdentityManagerVolumeMounts(auditSecretName *string) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{
 		{
 			Name:      "cluster-ca",
@@ -1166,15 +1166,18 @@ func buildIdentityManagerVolumeMounts(auditSecretName string) []corev1.VolumeMou
 			MountPath: "/pgsql/clientinfo",
 		},
 	}
-	if len(auditSecretName) > 0 {
-		volumeMounts = EnsureVolumeMountPresent(volumeMounts, GetAuditCertsVolumeMount())
-
+	if auditSecretName != nil {
+		newVolMount := corev1.VolumeMount{
+			Name:      IMAuditTLSVolume,
+			MountPath: "/certs/audit-tls",
+		}
+		volumeMounts = append(volumeMounts, newVolMount)
 	}
 
 	return volumeMounts
 }
 
-func buildIdentityProviderVolumeMounts(auditSecretName string) []corev1.VolumeMount {
+func buildIdentityProviderVolumeMounts(auditSecretName *string) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{
 		{
 			Name:      "auth-key",
@@ -1197,28 +1200,12 @@ func buildIdentityProviderVolumeMounts(auditSecretName string) []corev1.VolumeMo
 			MountPath: "/pgsql/clientinfo",
 		},
 	}
-	if len(auditSecretName) > 0 {
-		volumeMounts = EnsureVolumeMountPresent(volumeMounts, GetAuditCertsVolumeMount())
-
-	}
-	return volumeMounts
-}
-
-// EnsureVolumeMountPresent checks if a volumeMount exists
-// If not, it appends the new volume and returns the updated slice.
-func EnsureVolumeMountPresent(volumeMounts []corev1.VolumeMount, newVolMount corev1.VolumeMount) []corev1.VolumeMount {
-	for _, v := range volumeMounts {
-		if v.Name == newVolMount.Name {
-			return volumeMounts // already exists
+	if auditSecretName != nil {
+		newVolMount := corev1.VolumeMount{
+			Name:      IMAuditTLSVolume,
+			MountPath: "/certs/audit-tls",
 		}
+		volumeMounts = append(volumeMounts, newVolMount)
 	}
-	return append(volumeMounts, newVolMount)
-}
-
-func GetAuditCertsVolumeMount() corev1.VolumeMount {
-	volMount := corev1.VolumeMount{
-		Name:      IMAuditTLSVolume,
-		MountPath: "/certs/audit-tls",
-	}
-	return volMount
+	return volumeMounts
 }

internal/controller/operator/deployment.go

@@ -82,7 +82,7 @@ func (r *AuthenticationReconciler) handleDeployments(ctx context.Context, req ct
 		samlConsoleURL = icpConsoleURL
 	}
 
-	auditSecretName, err := r.getAuditSecretNameIfExists(context.TODO(), req.Namespace)
+	auditSecretName, err := r.getAuditSecretNameIfExists(ctx, req.Namespace)
 	if err != nil {
 		return subreconciler.RequeueWithError(err)
 	}
@@ -189,7 +189,7 @@ func (r *AuthenticationReconciler) removeCP2Deployments(ctx context.Context, req
 // cluster, or an empty string when the Secret isn't found or cannot otherwise
 // be retrieved. If an error other than NotFound is received when trying to get
 // the Secret, that is returned as well.
-func (r *AuthenticationReconciler) getAuditSecretNameIfExists(ctx context.Context, namespace string) (string, error) {
+func (r *AuthenticationReconciler) getAuditSecretNameIfExists(ctx context.Context, namespace string) (*string, error) {
 	var auditSecretName string
 	var auditURL string
 	// Check for the presence of audit-endpoint configmap
@@ -198,22 +198,22 @@ func (r *AuthenticationReconciler) getAuditSecretNameIfExists(ctx context.Contex
 	idpCMLogger := log.WithValues("ConfigMap.Name", authIdpConfigMapName, "ConfigMap.Namespace", namespace)
 	if err := r.Get(ctx, types.NamespacedName{Name: authIdpConfigMapName, Namespace: namespace}, authIdpConfigMap); k8sErrors.IsNotFound(err) {
 		idpCMLogger.Info("ConfigMap was not found")
-		return "", nil
+		return nil, nil
 	} else if err != nil {
 		idpCMLogger.Error(err, "Failed to get ConfigMap")
-		return "", err
+		return nil, err
 	}
 	if authIdpConfigMap.Data == nil {
 		idpCMLogger.Info("Invalid ConfigMap")
-		return "", nil
+		return nil, nil
 	}
 	if authIdpConfigMap.Data["AUDIT_URL"] == "" {
 		idpCMLogger.Info("Audit URL is not specified in ConfigMap; assume no Secret to mount", "key", "AUDIT_URL")
-		return "", nil
+		return nil, nil
 	}
 	if authIdpConfigMap.Data["AUDIT_SECRET"] == "" {
 		idpCMLogger.Info("Audit Secret is not specified in ConfigMap; assume no Secret", "key", "AUDIT_SECRET")
-		return "", nil
+		return nil, nil
 	}
 	auditURL = authIdpConfigMap.Data["AUDIT_URL"]
 	auditSecretName = authIdpConfigMap.Data["AUDIT_SECRET"]
@@ -225,26 +225,14 @@ func (r *AuthenticationReconciler) getAuditSecretNameIfExists(ctx context.Contex
 	err := r.Get(ctx, auditTLSSecretStruct, auditTLSSecret)
 	if k8sErrors.IsNotFound(err) {
 		auditTLSSecretLogger.Info("Secret for audit configuration not found")
-		return "", nil
+		return nil, nil
 	} else if err != nil {
 		auditTLSSecretLogger.Error(err, "Failed to retrieve Secret for audit configuration")
-		return "", err
+		return nil, err
 	}
 
 	auditTLSSecretLogger.Info("Secret found for audit configuration")
-	return auditSecretName, nil
-}
-
-func checkSecretExists(client client.Client, namespace string, auditSecretName string) (bool, error) {
-	auditTLSSecret := &corev1.Secret{}
-	auditTLSSecretStruct := types.NamespacedName{Name: auditSecretName, Namespace: namespace}
-	err := client.Get(context.TODO(), auditTLSSecretStruct, auditTLSSecret)
-	if k8sErrors.IsNotFound(err) {
-		return false, nil
-	} else if err != nil {
-		return false, err
-	}
-	return true, nil
+	return &auditSecretName, nil
 }
 
 func generatePlatformAuthService(imagePullSecret, icpConsoleURL, _ string) common.GenerateFn[*appsv1.Deployment] {
@@ -403,7 +391,7 @@ func generatePlatformAuthService(imagePullSecret, icpConsoleURL, _ string) commo
 								Operator: corev1.TolerationOpExists,
 							},
 						},
-						Volumes:        buildIdpVolumes(ldapCACert, routerCertSecret, ""),
+						Volumes:        buildIdpVolumes(ldapCACert, routerCertSecret, nil),
 						Containers:     buildContainers(authCR, authServiceImage, icpConsoleURL),
 						InitContainers: buildInitContainers(initContainerImage),
 					},
@@ -423,7 +411,7 @@ func generatePlatformAuthService(imagePullSecret, icpConsoleURL, _ string) commo
 	}
 }
 
-func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, _ string, auditSecretName string) common.GenerateFn[*appsv1.Deployment] {
+func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, _ string, auditSecretName *string) common.GenerateFn[*appsv1.Deployment] {
 	return func(s common.SecondaryReconciler, ctx context.Context, deploy *appsv1.Deployment) (err error) {
 		reqLogger := logf.FromContext(ctx)
 		identityManagerImage := common.GetImageRef("ICP_IDENTITY_MANAGER_IMAGE")
@@ -597,7 +585,7 @@ func generatePlatformIdentityManagement(imagePullSecret, icpConsoleURL, _ string
 	}
 }
 
-func generatePlatformIdentityProvider(imagePullSecret, icpConsoleURL, saasServiceIdCrn string, auditSecretName string) common.GenerateFn[*appsv1.Deployment] {
+func generatePlatformIdentityProvider(imagePullSecret, icpConsoleURL, saasServiceIdCrn string, auditSecretName *string) common.GenerateFn[*appsv1.Deployment] {
 	return func(s common.SecondaryReconciler, ctx context.Context, deploy *appsv1.Deployment) (err error) {
 		reqLogger := logf.FromContext(ctx)
 		identityProviderImage := common.GetImageRef("ICP_IDENTITY_PROVIDER_IMAGE")
@@ -923,7 +911,7 @@ func hasDataField(fields metav1.ManagedFieldsEntry) bool {
 	return false
 }
 
-func buildIdpVolumes(ldapCACert string, routerCertSecret string, auditSecretName string) []corev1.Volume {
+func buildIdpVolumes(ldapCACert string, routerCertSecret string, auditSecretName *string) []corev1.Volume {
 	volumes := []corev1.Volume{
 		{
 			Name: "platform-identity-management",
@@ -1107,12 +1095,12 @@ func buildIdpVolumes(ldapCACert string, routerCertSecret string, auditSecretName
 			},
 		},
 	}
-	if len(auditSecretName) > 0 {
+	if auditSecretName != nil {
 		auditVolume := corev1.Volume{
 			Name: IMAuditTLSVolume,
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: auditSecretName,
+					SecretName: *auditSecretName,
 					Items: []corev1.KeyToPath{
 						{
 							Key:  "tls.crt",
@@ -1136,7 +1124,7 @@ func buildIdpVolumes(ldapCACert string, routerCertSecret string, auditSecretName
 	return volumes
 }
 
-// EnsureVolumeMountPresent checks if a volumeMount exists
+// EnsureVolumePresent checks if a volume exists
 // If not, it appends the new volume and returns the updated slice.
 func EnsureVolumePresent(volumes []corev1.Volume, newVol corev1.Volume) []corev1.Volume {
 	for _, v := range volumes {