coroot: project API keys from a Secret (#14)

Author: apetruhin

api/v1/coroot_types.go

@@ -251,9 +251,10 @@ type ProjectSpec struct {
 }
 
 type ApiKeySpec struct {
-	// Random string or UUID (must be unique; required).
-	// +kubebuilder:validation:Required
+	// Plain-text API key. Must be unique. Prefer using KeySecret for better security.
 	Key string `json:"key,omitempty"`
+	// Secret with the API key. Created automatically if missing.
+	KeySecret *corev1.SecretKeySelector `json:"keySecret,omitempty"`
 	// API key description (optional).
 	Description string `json:"description,omitempty"`
 }

api/v1/zz_generated.deepcopy.go

@@ -6168,10 +6168,34 @@ spec:
                             description: API key description (optional).
                             type: string
                           key:
-                            description: Random string or UUID (must be unique; required).
+                            description: Plain-text API key. Must be unique. Prefer
+                              using KeySecret for better security.
                             type: string
-                        required:
-                        - key
+                          keySecret:
+                            description: Secret with the API key. Created automatically
+                              if missing.
+                            properties:
+                              key:
+                                description: The key of the secret to select from.  Must
+                                  be a valid secret key.
+                                type: string
+                              name:
+                                default: ""
+                                description: |-
+                                  Name of the referent.
+                                  This field is effectively required, but due to backwards compatibility is
+                                  allowed to be empty. Instances of this type with an empty value here are
+                                  almost certainly wrong.
+                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                type: string
+                              optional:
+                                description: Specify whether the Secret or its key
+                                  must be defined
+                                type: boolean
+                            required:
+                            - key
+                            type: object
+                            x-kubernetes-map-type: atomic
                         type: object
                       minItems: 1
                       type: array

config/crd/coroot.com_coroots.yaml

@@ -27,6 +27,7 @@ rules:
   - ""
   resources:
   - persistentvolumeclaims
+  - secrets
   - serviceaccounts
   - services
   verbs:
@@ -37,15 +38,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - get
-  - list
-  - watch
 - apiGroups:
   - apps
   resources:

config/rbac/role.yaml

@@ -13,19 +13,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
-func (r *CorootReconciler) clickhouseSecret(cr *corootv1.Coroot) *corev1.Secret {
-	ls := Labels(cr, "clickhouse")
-	s := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      fmt.Sprintf("%s-clickhouse", cr.Name),
-			Namespace: cr.Namespace,
-			Labels:    ls,
-		},
-		Data: map[string][]byte{"password": []byte(RandomString(16))},
-	}
-	return s
-}
-
 func (r *CorootReconciler) clickhouseService(cr *corootv1.Coroot) *corev1.Service {
 	ls := Labels(cr, "clickhouse")
 	s := &corev1.Service{
@@ -218,12 +205,7 @@ func (r *CorootReconciler) clickhouseStatefulSets(cr *corootv1.Coroot) []*appsv1
 									},
 								}},
 								{Name: "CLICKHOUSE_PASSWORD", ValueFrom: &corev1.EnvVarSource{
-									SecretKeyRef: &corev1.SecretKeySelector{
-										LocalObjectReference: corev1.LocalObjectReference{
-											Name: fmt.Sprintf("%s-clickhouse", cr.Name),
-										},
-										Key: "password",
-									},
+									SecretKeyRef: secretKeySelector(fmt.Sprintf("%s-clickhouse", cr.Name), "password"),
 								}},
 							},
 							ReadinessProbe: &corev1.Probe{
@@ -241,14 +223,6 @@ func (r *CorootReconciler) clickhouseStatefulSets(cr *corootv1.Coroot) []*appsv1
 								EmptyDir: &corev1.EmptyDirVolumeSource{},
 							},
 						},
-						//{
-						//	Name: "data",
-						//	VolumeSource: corev1.VolumeSource{
-						//		PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
-						//			ClaimName: fmt.Sprintf("data-%s-clickhouse-shard-%d", cr.Name, shard),
-						//		},
-						//	},
-						//},
 					},
 				},
 			},

controller/clickhouse.go

@@ -69,7 +69,7 @@ func NewCorootReconciler(mgr ctrl.Manager) *CorootReconciler {
 // +kubebuilder:rbac:groups=coroot.com,resources=coroots/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=coroot.com,resources=coroots/finalizers,verbs=update
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=namespaces;nodes;pods;endpoints;persistentvolumes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=services;persistentvolumeclaims;serviceaccounts,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=deployments;replicasets;daemonsets;statefulsets;cronjobs,verbs=get;list;watch;create;update;patch;delete
@@ -123,10 +123,8 @@ func (r *CorootReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		return ctrl.Result{}, nil
 	}
 
-	if cr.Spec.Replicas > 1 && cr.Spec.Postgres == nil {
-		logger.Error(fmt.Errorf("postgres not configured"), "Coroot requires Postgres to run multiple replicas (will run only one replica)")
-		cr.Spec.Replicas = 1
-	}
+	r.corootValidate(ctx, cr)
+
 	r.CreateOrUpdateServiceAccount(ctx, cr, "coroot", sccNonroot)
 	for _, pvc := range r.corootPVCs(cr) {
 		r.CreateOrUpdatePVC(ctx, cr, pvc, cr.Spec.Storage.ReclaimPolicy)
@@ -149,7 +147,7 @@ func (r *CorootReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 	}
 
 	if cr.Spec.ExternalClickhouse == nil {
-		r.CreateSecret(ctx, cr, r.clickhouseSecret(cr))
+		r.CreateOrUpdateSecret(ctx, cr, "clickhouse", fmt.Sprintf("%s-clickhouse", cr.Name), "password", 16)
 
 		r.CreateOrUpdateServiceAccount(ctx, cr, "clickhouse-keeper", sccNonroot)
 		r.CreateOrUpdateService(ctx, cr, r.clickhouseKeeperServiceHeadless(cr))
@@ -204,8 +202,28 @@ func (r *CorootReconciler) CreateOrUpdate(ctx context.Context, cr *corootv1.Coro
 	}
 }
 
-func (r *CorootReconciler) CreateSecret(ctx context.Context, cr *corootv1.Coroot, s *corev1.Secret) {
-	r.CreateOrUpdate(ctx, cr, s, false, false, nil)
+func (r *CorootReconciler) CreateOrUpdateSecret(ctx context.Context, cr *corootv1.Coroot, component, name, key string, length int) string {
+	s := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: cr.Namespace,
+			Labels:    Labels(cr, component),
+		},
+	}
+	var data string
+	r.CreateOrUpdate(ctx, cr, s, false, false, func() error {
+		if s.Data == nil {
+			s.Data = map[string][]byte{}
+		}
+		if d, ok := s.Data[key]; ok {
+			data = string(d)
+		} else {
+			data = RandomString(length)
+			s.Data[key] = []byte(data)
+		}
+		return nil
+	})
+	return data
 }
 
 func (r *CorootReconciler) CreateOrUpdateDeployment(ctx context.Context, cr *corootv1.Coroot, d *appsv1.Deployment) {

controller/controller.go

@@ -3,6 +3,7 @@ package controller
 import (
 	"bytes"
 	"cmp"
+	"context"
 	"fmt"
 	"strings"
 	"text/template"
@@ -15,8 +16,26 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/utils/ptr"
+	ctrl "sigs.k8s.io/controller-runtime"
 )
 
+func (r *CorootReconciler) corootValidate(ctx context.Context, cr *corootv1.Coroot) {
+	logger := ctrl.Log.WithValues("namespace", cr.Namespace, "name", cr.Name)
+
+	if cr.Spec.Replicas > 1 && cr.Spec.Postgres == nil {
+		logger.Error(fmt.Errorf("postgres not configured"), "Coroot requires Postgres to run multiple replicas (will run only one replica)")
+		cr.Spec.Replicas = 1
+	}
+
+	for _, p := range cr.Spec.Projects {
+		for i, k := range p.ApiKeys {
+			if k.KeySecret != nil {
+				p.ApiKeys[i].Key = r.CreateOrUpdateSecret(ctx, cr, "coroot", k.KeySecret.Name, k.KeySecret.Key, 32)
+			}
+		}
+	}
+}
+
 func (r *CorootReconciler) corootService(cr *corootv1.Coroot) *corev1.Service {
 	ls := Labels(cr, "coroot")
 
@@ -175,9 +194,6 @@ func (r *CorootReconciler) corootStatefulSet(cr *corootv1.Coroot) *appsv1.Statef
 	if cr.Spec.AuthBootstrapAdminPassword != "" {
 		env = append(env, corev1.EnvVar{Name: "AUTH_BOOTSTRAP_ADMIN_PASSWORD", Value: cr.Spec.AuthBootstrapAdminPassword})
 	}
-	for _, e := range cr.Spec.Env {
-		env = append(env, e)
-	}
 
 	image := r.getAppImage(cr, AppCorootCE)
 	if cr.Spec.EnterpriseEdition != nil {
@@ -259,6 +275,10 @@ func (r *CorootReconciler) corootStatefulSet(cr *corootv1.Coroot) *appsv1.Statef
 		env = append(env, corev1.EnvVar{Name: "URL_BASE_PATH", Value: cr.Spec.Ingress.Path})
 	}
 
+	for _, e := range cr.Spec.Env {
+		env = append(env, e)
+	}
+
 	replicas := int32(cr.Spec.Replicas)
 	if replicas <= 0 {
 		replicas = 1