Implement cluster source fields with external secrets (#1178)

* Implement cluster source fields with external secrets

* plumb in cloud expansion everywhere

* Add changelog entry

* fix linter issues

* fix console chart test

* fix up validation

* Add place where expander wasn't passed into factory initialization

Author: andrewstucki

.changes/unreleased/operator-Deprecated-20251111-122215.yaml

@@ -0,0 +1,4 @@
+project: operator
+kind: Deprecated
+body: Deprecated various fields in multiple CRDs for `kafka`, `adminAPI`, and `schemaRegistry` under the static configuration of `clusterSource` so that various fields that were only specifiable via an in-cluster secret can now be pulled via either external secret provider, in-cluster secret, config map, or inlined value.
+time: 2025-11-11T12:22:15.813496-05:00

acceptance/steps/helpers.go

@@ -370,7 +370,7 @@ func clientsForCluster(ctx context.Context, cluster string) *clusterClients {
 	t.Logf("Created fake user %q looking for cluster %q in namespace %q", referencer.Name, cluster, t.Namespace())
 	t.Logf("Fake user cluster ref: name=%q", referencer.Spec.ClusterSource.ClusterRef.Name)
 
-	factory := client.NewFactory(t.RestConfig(), t).WithDialer(kube.NewPodDialer(t.RestConfig()).DialContext)
+	factory := client.NewFactory(t.RestConfig(), t, nil).WithDialer(kube.NewPodDialer(t.RestConfig()).DialContext)
 
 	clients := &clusterClients{
 		resourceTarget: referencer,
@@ -415,7 +415,7 @@ func v1ClientsForCluster(ctx context.Context, cluster string) *clusterClients {
 	t.Logf("Created fake user %q looking for cluster %q in namespace %q", referencer.Name, cluster, t.Namespace())
 	t.Logf("Fake v1 user cluster ref: name=%q", referencer.Spec.ClusterSource.ClusterRef.Name)
 
-	factory := client.NewFactory(t.RestConfig(), t).WithDialer(kube.NewPodDialer(t.RestConfig()).DialContext)
+	factory := client.NewFactory(t.RestConfig(), t, nil).WithDialer(kube.NewPodDialer(t.RestConfig()).DialContext)
 
 	clients := &clusterClients{
 		resourceTarget: referencer,

charts/console/chart/templates/_console.config.tpl

@@ -106,7 +106,7 @@
 {{- end -}}
 {{- if (ne (toJson $schema.sasl) "null") -}}
 {{- $_ := (set $cfg "authentication" (mustMergeOverwrite (dict) (dict "basic" (mustMergeOverwrite (dict) (dict "username" $schema.sasl.username))))) -}}
-{{- $_ := (get (fromJson (include "console.configMapper.addEnv" (dict "a" (list $m "SCHEMAREGISTRY_AUTHENTICATION_BASIC_PASSWORD" $schema.sasl.passwordSecretRef)))) "r") -}}
+{{- $_ := (get (fromJson (include "console.configMapper.addEnv" (dict "a" (list $m "SCHEMAREGISTRY_AUTHENTICATION_BASIC_PASSWORD" $schema.sasl.password)))) "r") -}}
 {{- $_ := (get (fromJson (include "console.configMapper.addEnv" (dict "a" (list $m "SCHEMAREGISTRY_AUTHENTICATION_BEARERTOKEN" $schema.sasl.token)))) "r") -}}
 {{- end -}}
 {{- $_is_returning = true -}}
@@ -129,15 +129,15 @@
 {{- if $tls.insecureSkipTlsVerify -}}
 {{- $_ := (set $out "insecureSkipTlsVerify" $tls.insecureSkipTlsVerify) -}}
 {{- end -}}
-{{- $ca_7 := (get (fromJson (include "console.volumes.MaybeAdd" (dict "a" (list $m.Volumes $tls.caCertSecretRef)))) "r") -}}
+{{- $ca_7 := (get (fromJson (include "console.volumes.MaybeAdd" (dict "a" (list $m.Volumes $tls.caCert)))) "r") -}}
 {{- if (ne (toJson $ca_7) "null") -}}
 {{- $_ := (set $out "caFilepath" $ca_7) -}}
 {{- end -}}
-{{- $cert_8 := (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $m.Volumes $tls.certSecretRef)))) "r") -}}
+{{- $cert_8 := (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $m.Volumes $tls.cert)))) "r") -}}
 {{- if (ne (toJson $cert_8) "null") -}}
 {{- $_ := (set $out "certFilepath" $cert_8) -}}
 {{- end -}}
-{{- $key_9 := (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $m.Volumes $tls.keySecretRef)))) "r") -}}
+{{- $key_9 := (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $m.Volumes $tls.key)))) "r") -}}
 {{- if (ne (toJson $key_9) "null") -}}
 {{- $_ := (set $out "keyFilepath" $key_9) -}}
 {{- end -}}
@@ -150,9 +150,15 @@
 {{- define "console.configMapper.addEnv" -}}
 {{- $m := (index .a 0) -}}
 {{- $name := (index .a 1) -}}
-{{- $ref := (index .a 2) -}}
+{{- $secretRef := (index .a 2) -}}
 {{- range $_ := (list 1) -}}
 {{- $_is_returning := false -}}
+{{- if (or (eq (toJson $secretRef) "null") (eq (toJson $secretRef.secretKeyRef) "null")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $ref := $secretRef.secretKeyRef -}}
 {{- if (or (eq $ref.key "") (eq $ref.name "")) -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" (list)) | toJson -}}
@@ -181,7 +187,7 @@
 {{- $skr_11 := $ref.secretKeyRef -}}
 {{- if (ne (toJson $skr_11) "null") -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $v (mustMergeOverwrite (dict "name" "") (dict "name" $skr_11.name "key" $skr_11.key)))))) "r")) | toJson -}}
+{{- (dict "r" (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $v (mustMergeOverwrite (dict) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $skr_11.name)) (dict "key" $skr_11.key)))))))) "r")) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- $_is_returning = true -}}
@@ -200,9 +206,9 @@
 {{- (dict "r" (coalesce nil)) | toJson -}}
 {{- break -}}
 {{- end -}}
-{{- $_238___ok_12 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $v.ConfigMaps $ref.name (coalesce nil))))) "r") -}}
-{{- $_ := (index $_238___ok_12 0) -}}
-{{- $ok_12 := (index $_238___ok_12 1) -}}
+{{- $_245___ok_12 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $v.ConfigMaps $ref.name (coalesce nil))))) "r") -}}
+{{- $_ := (index $_245___ok_12 0) -}}
+{{- $ok_12 := (index $_245___ok_12 1) -}}
 {{- if (not $ok_12) -}}
 {{- $_ := (set $v.ConfigMaps $ref.name (dict)) -}}
 {{- end -}}
@@ -215,17 +221,23 @@
 
 {{- define "console.volumes.MaybeAddSecret" -}}
 {{- $v := (index .a 0) -}}
-{{- $ref := (index .a 1) -}}
+{{- $secretRef := (index .a 1) -}}
 {{- range $_ := (list 1) -}}
 {{- $_is_returning := false -}}
+{{- if (or (eq (toJson $secretRef) "null") (eq (toJson $secretRef.secretKeyRef) "null")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $ref := $secretRef.secretKeyRef -}}
 {{- if (or (eq (toJson $ref) "null") ((and (eq $ref.key "") (eq $ref.name "")))) -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" (coalesce nil)) | toJson -}}
 {{- break -}}
 {{- end -}}
-{{- $_250___ok_13 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $v.Secrets $ref.name (coalesce nil))))) "r") -}}
-{{- $_ := (index $_250___ok_13 0) -}}
-{{- $ok_13 := (index $_250___ok_13 1) -}}
+{{- $_262___ok_13 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $v.Secrets $ref.name (coalesce nil))))) "r") -}}
+{{- $_ := (index $_262___ok_13 0) -}}
+{{- $ok_13 := (index $_262___ok_13 1) -}}
 {{- if (not $ok_13) -}}
 {{- $_ := (set $v.Secrets $ref.name (dict)) -}}
 {{- end -}}

charts/console/config.go

@@ -123,7 +123,7 @@ func (m *configMapper) configureKafka(kafka *ir.KafkaAPISpec) *PartialKafka {
 			// TODO all the other ones......
 		}
 		if kafka.SASL.Password != nil {
-			m.addEnv("KAFKA_SASL_PASSWORD", *kafka.SASL.Password)
+			m.addEnv("KAFKA_SASL_PASSWORD", kafka.SASL.Password)
 		}
 	}
 
@@ -187,7 +187,12 @@ func (m *configMapper) configureTLS(tls *ir.CommonTLS) *PartialTLS {
 	return out
 }
 
-func (m *configMapper) addEnv(name string, ref ir.SecretKeyRef) {
+func (m *configMapper) addEnv(name string, secretRef *ir.ValueSource) {
+	if secretRef == nil || secretRef.SecretKeyRef == nil {
+		return
+	}
+	ref := secretRef.SecretKeyRef
+
 	if ref.Key == "" || ref.Name == "" {
 		return
 	}
@@ -212,7 +217,7 @@ type volumes struct {
 	ConfigMaps map[string]map[string]bool
 }
 
-func (v *volumes) MaybeAdd(ref *ir.ObjectKeyRef) *string {
+func (v *volumes) MaybeAdd(ref *ir.ValueSource) *string {
 	if ref == nil {
 		return nil
 	}
@@ -222,9 +227,11 @@ func (v *volumes) MaybeAdd(ref *ir.ObjectKeyRef) *string {
 	}
 
 	if skr := ref.SecretKeyRef; skr != nil {
-		return v.MaybeAddSecret(&ir.SecretKeyRef{
-			Name: skr.Name,
-			Key:  skr.Key,
+		return v.MaybeAddSecret(&ir.ValueSource{
+			SecretKeyRef: &corev1.SecretKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{Name: skr.Name},
+				Key:                  skr.Key,
+			},
 		})
 	}
 
@@ -242,7 +249,12 @@ func (v *volumes) MaybeAddConfigMap(ref *corev1.ConfigMapKeySelector) *string {
 	return ptr.To(fmt.Sprintf("%s/configmaps/%s/%s", v.Dir, ref.Name, ref.Key))
 }
 
-func (v *volumes) MaybeAddSecret(ref *ir.SecretKeyRef) *string {
+func (v *volumes) MaybeAddSecret(secretRef *ir.ValueSource) *string {
+	if secretRef == nil || secretRef.SecretKeyRef == nil {
+		return nil
+	}
+	ref := secretRef.SecretKeyRef
+
 	if ref == nil || (ref.Key == "" && ref.Name == "") {
 		return nil
 	}