agents: API key from a Secret (#14)

Author: apetruhin

api/v1/coroot_types.go

@@ -307,9 +307,11 @@ type CorootSpec struct {
 	PodAnnotations map[string]string `json:"podAnnotations,omitempty"`
 
 	// The API key used by agents when sending telemetry to Coroot.
-	ApiKey       string           `json:"apiKey,omitempty"`
-	NodeAgent    NodeAgentSpec    `json:"nodeAgent,omitempty"`
-	ClusterAgent ClusterAgentSpec `json:"clusterAgent,omitempty"`
+	ApiKey string `json:"apiKey,omitempty"`
+	// Secret containing API key.
+	ApiKeySecret *corev1.SecretKeySelector `json:"apiKeySecret,omitempty"`
+	NodeAgent    NodeAgentSpec             `json:"nodeAgent,omitempty"`
+	ClusterAgent ClusterAgentSpec          `json:"clusterAgent,omitempty"`
 
 	// Prometheus configuration.
 	Prometheus PrometheusSpec `json:"prometheus,omitempty"`

api/v1/zz_generated.deepcopy.go

@@ -978,6 +978,29 @@ spec:
                 description: The API key used by agents when sending telemetry to
                   Coroot.
                 type: string
+              apiKeySecret:
+                description: Secret containing API key.
+                properties:
+                  key:
+                    description: The key of the secret to select from.  Must be a
+                      valid secret key.
+                    type: string
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                  optional:
+                    description: Specify whether the Secret or its key must be defined
+                    type: boolean
+                required:
+                - key
+                type: object
+                x-kubernetes-map-type: atomic
               authAnonymousRole:
                 description: Allows access to Coroot without authentication if set
                   (one of Admin, Editor, or Viewer).

config/crd/coroot.com_coroots.yaml

@@ -84,11 +84,19 @@ func (r *CorootReconciler) clusterAgentDeployment(cr *corootv1.Coroot) *appsv1.D
 	}
 	scrapeInterval := cmp.Or(cr.Spec.MetricsRefreshInterval, corootv1.DefaultMetricRefreshInterval)
 	env := []corev1.EnvVar{
-		{Name: "API_KEY", Value: cr.Spec.ApiKey},
 		{Name: "COROOT_URL", Value: corootURL},
 		{Name: "METRICS_SCRAPE_INTERVAL", Value: scrapeInterval},
 		{Name: "KUBE_STATE_METRICS_ADDRESS", Value: "127.0.0.1:10302"},
 	}
+
+	apiKey := corev1.EnvVar{Name: "API_KEY"}
+	if cr.Spec.ApiKeySecret != nil {
+		apiKey.ValueFrom = &corev1.EnvVarSource{SecretKeyRef: cr.Spec.ApiKeySecret}
+	} else {
+		apiKey.Value = cr.Spec.ApiKey
+	}
+	env = append(env, apiKey)
+
 	if tlsSkipVerify {
 		env = append(env, corev1.EnvVar{Name: "INSECURE_SKIP_VERIFY", Value: "true"})
 	}

controller/cluster_agent.go

@@ -31,10 +31,17 @@ func (r *CorootReconciler) nodeAgentDaemonSet(cr *corootv1.Coroot) *appsv1.Daemo
 	}
 	scrapeInterval := cmp.Or(cr.Spec.MetricsRefreshInterval, corootv1.DefaultMetricRefreshInterval)
 	env := []corev1.EnvVar{
-		{Name: "API_KEY", Value: cr.Spec.ApiKey},
 		{Name: "SCRAPE_INTERVAL", Value: scrapeInterval},
 	}
 
+	apiKey := corev1.EnvVar{Name: "API_KEY"}
+	if cr.Spec.ApiKeySecret != nil {
+		apiKey.ValueFrom = &corev1.EnvVarSource{SecretKeyRef: cr.Spec.ApiKeySecret}
+	} else {
+		apiKey.Value = cr.Spec.ApiKey
+	}
+	env = append(env, apiKey)
+
 	if tlsSkipVerify {
 		env = append(env, corev1.EnvVar{Name: "INSECURE_SKIP_VERIFY", Value: "true"})
 	}