AV-239701: Add secret to pass authentication details to health monitor (#1816)

* Add secret index

* Add UT

* Address comments

Author: ashishnayak96

ako-crd-operator/api/v1alpha1/healthmonitor_types.go

@@ -42,7 +42,7 @@ const (
 )
 
 // HealthMonitorSpec defines the desired state of HealthMonitor
-// +kubebuilder:validation:XValidation:rule="(!has(self.http_monitor) || !has(self.http_monitor.auth_type) || has(self.authentication.username) && has(self.authentication.password))",message="If auth_type is set, both username and password must be set in authentication"
+// +kubebuilder:validation:XValidation:rule="(!has(self.http_monitor) || !has(self.http_monitor.auth_type) || has(self.authentication.secret_ref))",message="If auth_type is set, secret_ref must be set in authentication"
 type HealthMonitorSpec struct {
 	// SendInterval is the frequency, in seconds, that pings are sent.
 	// +kubebuilder:validation:Minimum=1
@@ -102,14 +102,9 @@ type HealthMonitorSpec struct {
 
 // HealthMonitorInfo defines authentication information for HTTP/HTTPS monitors.
 type HealthMonitorInfo struct {
-	// Username for server authentication.
-	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:MaxLength=128
-	Username string `json:"username"`
-	// Password for server authentication.
-	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:MaxLength=128
-	Password string `json:"password"`
+	// +kubebuilder:validation:Required
+	// SecretRef is the reference to the secret containing the username and password.
+	SecretRef string `json:"secret_ref,omitempty"`
 }
 
 // TCPMonitor defines the TCP monitor configuration.
@@ -201,6 +196,9 @@ type HealthMonitorStatus struct {
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 	// BackendObjectName is the name of the backend object
 	BackendObjectName string `json:"backendObjectName,omitempty"`
+	// DependencySum is the checksum of all the dependencies for the health monitor
+	// +optional
+	DependencySum uint32 `json:"dependencySum,omitempty"`
 }
 
 // +genclient

ako-crd-operator/config/crd/bases/ako.vmware.com_healthmonitors.yaml

@@ -45,19 +45,12 @@ spec:
                 description: Authentication defines the authentication information
                   for HTTP/HTTPS monitors.
                 properties:
-                  password:
-                    description: Password for server authentication.
-                    maxLength: 128
-                    minLength: 1
-                    type: string
-                  username:
-                    description: Username for server authentication.
-                    maxLength: 128
-                    minLength: 1
+                  secret_ref:
+                    description: SecretRef is the reference to the secret containing
+                      the username and password.
                     type: string
                 required:
-                - password
-                - username
+                - secret_ref
                 type: object
               failed_checks:
                 default: 2
@@ -220,10 +213,9 @@ spec:
             - type
             type: object
             x-kubernetes-validations:
-            - message: If auth_type is set, both username and password must be set
-                in authentication
+            - message: If auth_type is set, secret_ref must be set in authentication
               rule: (!has(self.http_monitor) || !has(self.http_monitor.auth_type)
-                || has(self.authentication.username) && has(self.authentication.password))
+                || has(self.authentication.secret_ref))
           status:
             description: Status defines the observed state of HealthMonitor
             properties:
@@ -287,6 +279,11 @@ spec:
                   - type
                   type: object
                 type: array
+              dependencySum:
+                description: DependencySum is the checksum of all the dependencies
+                  for the health monitor
+                format: int32
+                type: integer
               lastUpdated:
                 description: LastUpdated is the timestamp the object was last updated
                 format: date-time

ako-crd-operator/config/rbac/role.yaml

@@ -4,6 +4,14 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ako.vmware.com
   resources:

ako-crd-operator/docs/samples/healthmonitor/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: healthmonitor-secret
+  namespace: default
+type: ako.vmware.com/basic-auth
+data:
+  username: YWJjZA==
+  password: ZWZnaA==

ako-crd-operator/helm/ako-crd-operator/chart/templates/crd/ako.vmware.com_healthmonitors.yaml

@@ -45,19 +45,12 @@ spec:
                 description: Authentication defines the authentication information
                   for HTTP/HTTPS monitors.
                 properties:
-                  password:
-                    description: Password for server authentication.
-                    maxLength: 128
-                    minLength: 1
-                    type: string
-                  username:
-                    description: Username for server authentication.
-                    maxLength: 128
-                    minLength: 1
+                  secret_ref:
+                    description: SecretRef is the reference to the secret containing
+                      the username and password.
                     type: string
                 required:
-                - password
-                - username
+                - secret_ref
                 type: object
               failed_checks:
                 default: 2
@@ -220,10 +213,9 @@ spec:
             - type
             type: object
             x-kubernetes-validations:
-            - message: If auth_type is set, both username and password must be set
-                in authentication
+            - message: If auth_type is set, secret_ref must be set in authentication
               rule: (!has(self.http_monitor) || !has(self.http_monitor.auth_type)
-                || has(self.authentication.username) && has(self.authentication.password))
+                || has(self.authentication.secret_ref))
           status:
             description: Status defines the observed state of HealthMonitor
             properties:
@@ -287,6 +279,11 @@ spec:
                   - type
                   type: object
                 type: array
+              dependencySum:
+                description: DependencySum is the checksum of all the dependencies
+                  for the health monitor
+                format: int32
+                type: integer
               lastUpdated:
                 description: LastUpdated is the timestamp the object was last updated
                 format: date-time

ako-crd-operator/internal/constants/constants.go

@@ -8,5 +8,6 @@ const (
 	Sensitive                   = "<sensitive>"
 	ApplicationProfileFinalizer = "applicationprofile.ako.vmware.com/finalizer"
 	ApplicationProfileURL       = "/api/applicationprofile"
+	HealthMonitorSecretType     = "ako.vmware.com/basic-auth"
 	RequeueInterval             = 5 * time.Minute
 )