tls secret resolver improvement (#397)

SAP · Feb 12, 2024 · b434879 · b434879
1 parent d3d7887
commit b434879
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 37 deletions.
diff --git a/internal/utils/sm_utils.go b/internal/utils/sm_utils.go
@@ -27,6 +27,8 @@ func GetSMClient(ctx context.Context, secretResolver *SecretResolver, resourceNa
 		URL:            string(secret.Data["sm_url"]),
 		TokenURL:       string(secret.Data["tokenurl"]),
 		TokenURLSuffix: string(secret.Data["tokenurlsuffix"]),
+		TLSPrivateKey:  string(secret.Data[v1.TLSPrivateKeyKey]),
+		TLSCertKey:     string(secret.Data[v1.TLSCertKey]),
 		SSLDisabled:    false,
 	}
 
@@ -35,7 +37,8 @@ func GetSMClient(ctx context.Context, secretResolver *SecretResolver, resourceNa
 		return nil, fmt.Errorf("invalid Service-Manager credentials, contact your cluster administrator")
 	}
 
-	if len(clientConfig.ClientSecret) == 0 {
+	//backward compatibility (tls data in a dedicated secret)
+	if len(clientConfig.ClientSecret) == 0 && (len(clientConfig.TLSPrivateKey) == 0 || len(clientConfig.TLSCertKey) == 0) {
 		tlsSecret, err := secretResolver.GetSecretForResource(ctx, resourceNamespace, SAPBTPOperatorTLSSecretName)
 		if client.IgnoreNotFound(err) != nil {
 			return nil, err

diff --git a/internal/utils/sm_utils_test.go b/internal/utils/sm_utils_test.go
@@ -39,25 +39,51 @@ var _ = Describe("SM Utils", func() {
 
 		Context("SAPBTPOperatorSecret", func() {
 			When("secret is valid", func() {
-				BeforeEach(func() {
-					secret = &corev1.Secret{
-						ObjectMeta: metav1.ObjectMeta{
-							Name:      SAPBTPOperatorSecretName,
-							Namespace: managementNamespace,
-						},
-						Data: map[string][]byte{
-							"clientid":     []byte("12345"),
-							"clientsecret": []byte("client-secret"),
-							"sm_url":       []byte("https://some.url"),
-							"tokenurl":     []byte("https://token.url"),
-						},
-					}
-					Expect(k8sClient.Create(ctx, secret)).To(Succeed())
+				When("secret contains clientSecret", func() {
+					BeforeEach(func() {
+						secret = &corev1.Secret{
+							ObjectMeta: metav1.ObjectMeta{
+								Name:      SAPBTPOperatorSecretName,
+								Namespace: managementNamespace,
+							},
+							Data: map[string][]byte{
+								"clientid":     []byte("12345"),
+								"clientsecret": []byte("client-secret"),
+								"sm_url":       []byte("https://some.url"),
+								"tokenurl":     []byte("https://token.url"),
+							},
+						}
+						Expect(k8sClient.Create(ctx, secret)).To(Succeed())
+					})
+					It("should succeed", func() {
+						client, err := GetSMClient(ctx, resolver, testNamespace, "")
+						Expect(err).ToNot(HaveOccurred())
+						Expect(client).ToNot(BeNil())
+					})
 				})
-				It("should succeed", func() {
-					client, err := GetSMClient(ctx, resolver, testNamespace, "")
-					Expect(err).ToNot(HaveOccurred())
-					Expect(client).ToNot(BeNil())
+				When("secret not contains clientSecret but contains tls data", func() {
+					BeforeEach(func() {
+						secret = &corev1.Secret{
+							ObjectMeta: metav1.ObjectMeta{
+								Name:      SAPBTPOperatorSecretName,
+								Namespace: managementNamespace,
+							},
+							Data: map[string][]byte{
+								"clientid":     []byte("12345"),
+								"clientsecret": []byte(""),
+								"sm_url":       []byte("https://some.url"),
+								"tokenurl":     []byte("https://token.url"),
+								"tls.key":      []byte(tlskey),
+								"tls.crt":      []byte(tlscrt),
+							},
+						}
+						Expect(k8sClient.Create(ctx, secret)).To(Succeed())
+					})
+					It("should succeed", func() {
+						client, err := GetSMClient(ctx, resolver, testNamespace, "")
+						Expect(err).ToNot(HaveOccurred())
+						Expect(client).ToNot(BeNil())
+					})
 				})
 			})
 			When("secret is missing client secret and there is no tls secret", func() {

diff --git a/sapbtp-operator-charts/templates/deployment.yml b/sapbtp-operator-charts/templates/deployment.yml
@@ -21,8 +21,7 @@ spec:
       annotations:
         {{- $configmap := (include (print $.Template.BasePath "/configmap.yml") .) -}}
         {{- $secret := (include (print $.Template.BasePath "/secret.yml") .) -}}
-        {{- $secretTls := (include (print $.Template.BasePath "/secret-tls.yml") .) -}}
-        {{- $configSha := (print $configmap $secret $secretTls) | sha256sum }}
+        {{- $configSha := (print $configmap $secret) | sha256sum }}
         checksum/config: {{ $configSha }}
         {{- if .Values.manager.annotations }}
         {{- toYaml .Values.manager.annotations | nindent 8 }}

diff --git a/sapbtp-operator-charts/templates/secret-tls.yml b/sapbtp-operator-charts/templates/secret-tls.yml
diff --git a/sapbtp-operator-charts/templates/secret.yml b/sapbtp-operator-charts/templates/secret.yml
@@ -22,4 +22,13 @@ data:
   tokenurl: {{ .Values.manager.secret.tokenurl | b64enc | quote }}
   {{- end }}
   tokenurlsuffix: {{ .Values.manager.secret.tokenurlsuffix | b64enc | quote }}
+  {{- if and (.Values.manager.secret.tls.crt) (.Values.manager.secret.tls.key) }}
+  {{- if .Values.manager.secret.b64encoded }}
+  tls.crt: {{ .Values.manager.secret.tls.crt }}
+  tls.key: {{ .Values.manager.secret.tls.key }}
+  {{- else}}
+  tls.crt: {{ .Values.manager.secret.tls.crt | b64enc }}
+  tls.key: {{ .Values.manager.secret.tls.key | b64enc }}
+  {{- end }}
+{{- end }}
 {{ end }}