diff --git a/internal/utils/sm_utils.go b/internal/utils/sm_utils.go
index 1bbdbc94..e09872f9 100644
--- a/internal/utils/sm_utils.go
+++ b/internal/utils/sm_utils.go
@@ -27,6 +27,8 @@ func GetSMClient(ctx context.Context, secretResolver *SecretResolver, resourceNa
 URL: string(secret.Data["sm_url"]),
 TokenURL: string(secret.Data["tokenurl"]),
 TokenURLSuffix: string(secret.Data["tokenurlsuffix"]),
+ TLSPrivateKey: string(secret.Data[v1.TLSPrivateKeyKey]),
+ TLSCertKey: string(secret.Data[v1.TLSCertKey]),
 SSLDisabled: false,
 }
 
@@ -35,7 +37,8 @@ func GetSMClient(ctx context.Context, secretResolver *SecretResolver, resourceNa
 return nil, fmt.Errorf("invalid Service-Manager credentials, contact your cluster administrator")
 }
 
- if len(clientConfig.ClientSecret) == 0 {
+ //backward compatibility (tls data in a dedicated secret)
+ if len(clientConfig.ClientSecret) == 0 && (len(clientConfig.TLSPrivateKey) == 0 || len(clientConfig.TLSCertKey) == 0) {
 tlsSecret, err := secretResolver.GetSecretForResource(ctx, resourceNamespace, SAPBTPOperatorTLSSecretName)
 if client.IgnoreNotFound(err) != nil {
 return nil, err
diff --git a/internal/utils/sm_utils_test.go b/internal/utils/sm_utils_test.go
index 10771ecb..520a15bd 100644
--- a/internal/utils/sm_utils_test.go
+++ b/internal/utils/sm_utils_test.go
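Review bot: The new condition in the second hunk only consults the dedicated TLS secret when the cert/key pair read from the operator secret is incomplete, so a secret carrying just one of `tls.crt`/`tls.key` with no legacy TLS secret present leaves clientConfig with a half-populated pair that passes the credential validation a few lines above and presumably only fails later, when the client tries to use it. After the fallback block (GetSMClient continues outside the hunk) a pair check would turn that into a configuration error: `if (len(clientConfig.TLSPrivateKey) == 0) != (len(clientConfig.TLSCertKey) == 0) { return nil, fmt.Errorf("invalid Service-Manager credentials, contact your cluster administrator") }`. The comment added here should read `// backward compatibility: the TLS pair may still live in the dedicated TLS secret` — gofmt-style comments take a space after `//`, and naming which secret is consulted helps the next reader. The first hunk indexes `secret.Data` with `v1.TLSPrivateKeyKey`/`v1.TLSCertKey`; I am assuming `v1` is the core/v1 package alias already imported in this file, since the import block is not part of the diff.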
@@ -39,25 +39,51 @@ var _ = Describe("SM Utils", func() {
 Context("SAPBTPOperatorSecret", func() {
 When("secret is valid", func() {
- BeforeEach(func() {
- secret = &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: SAPBTPOperatorSecretName,
- Namespace: managementNamespace,
- },
- Data: map[string][]byte{
- "clientid": []byte("12345"),
- "clientsecret": []byte("client-secret"),
- "sm_url": []byte("https://some.url"),
- "tokenurl": []byte("https://token.url"),
- },
- }
- Expect(k8sClient.Create(ctx, secret)).To(Succeed())
+ When("secret contains clientSecret", func() {
+ BeforeEach(func() {
+ secret = &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: SAPBTPOperatorSecretName,
+ Namespace: managementNamespace,
+ },
+ Data: map[string][]byte{
+ "clientid": []byte("12345"),
+ "clientsecret": []byte("client-secret"),
+ "sm_url": []byte("https://some.url"),
+ "tokenurl": []byte("https://token.url"),
+ },
+ }
+ Expect(k8sClient.Create(ctx, secret)).To(Succeed())
+ })
+ It("should succeed", func() {
+ client, err := GetSMClient(ctx, resolver, testNamespace, "")
+ Expect(err).ToNot(HaveOccurred())
+ Expect(client).ToNot(BeNil())
+ })
 })
- It("should succeed", func() {
- client, err := GetSMClient(ctx, resolver, testNamespace, "")
- Expect(err).ToNot(HaveOccurred())
- Expect(client).ToNot(BeNil())
+ When("secret not contains clientSecret but contains tls data", func() {
+ BeforeEach(func() {
+ secret = &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: SAPBTPOperatorSecretName,
+ Namespace: managementNamespace,
+ },
+ Data: map[string][]byte{
+ "clientid": []byte("12345"),
+ "clientsecret": []byte(""),
+ "sm_url": []byte("https://some.url"),
+ "tokenurl": []byte("https://token.url"),
+ "tls.key": []byte(tlskey),
+ "tls.crt": []byte(tlscrt),
+ },
+ }
+ Expect(k8sClient.Create(ctx, secret)).To(Succeed())
+ })
+ It("should succeed", func() {
+ client, err := GetSMClient(ctx, resolver, testNamespace, "")
+ Expect(err).ToNot(HaveOccurred())
+ Expect(client).ToNot(BeNil())
+ })
 })
 })
 When("secret is missing client secret and there is no tls secret", func() {
diff --git a/sapbtp-operator-charts/templates/deployment.yml b/sapbtp-operator-charts/templates/deployment.yml
index 3b024756..34759e00 100644
--- a/sapbtp-operator-charts/templates/deployment.yml
+++ b/sapbtp-operator-charts/templates/deployment.yml
@@ -21,8 +21,7 @@ spec:
 annotations:
 {{- $configmap := (include (print $.Template.BasePath "/configmap.yml") .) -}}
 {{- $secret := (include (print $.Template.BasePath "/secret.yml") .) -}}
- {{- $secretTls := (include (print $.Template.BasePath "/secret-tls.yml") .) -}}
- {{- $configSha := (print $configmap $secret $secretTls) | sha256sum }}
+ {{- $configSha := (print $configmap $secret) | sha256sum }}
 checksum/config: {{ $configSha }}
 {{- if .Values.manager.annotations }}
 {{- toYaml .Values.manager.annotations | nindent 8 }}
diff --git a/sapbtp-operator-charts/templates/secret-tls.yml b/sapbtp-operator-charts/templates/secret-tls.yml
deleted file mode 100644
index d227bd48..00000000
--- a/sapbtp-operator-charts/templates/secret-tls.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if and (.Values.manager.secret.tls.crt) (.Values.manager.secret.tls.key) }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: sap-btp-service-operator-tls
- namespace: {{ .Release.Namespace }}
-type: kubernetes.io/tls
-data:
- {{- if .Values.manager.secret.b64encoded }}
- tls.crt: {{ .Values.manager.secret.tls.crt }}
- tls.key: {{ .Values.manager.secret.tls.key }}
- {{- else}}
- tls.crt: {{ .Values.manager.secret.tls.crt | b64enc }}
- tls.key: {{ .Values.manager.secret.tls.key | b64enc }}
- {{- end }}
-{{- end }}
diff --git a/sapbtp-operator-charts/templates/secret.yml b/sapbtp-operator-charts/templates/secret.yml
index 4992ad9d..5da2dcb8 100644
--- a/sapbtp-operator-charts/templates/secret.yml
+++ b/sapbtp-operator-charts/templates/secret.yml
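Review bot: The new "tls data" case pins only the happy path; neither a secret carrying just one of `tls.key`/`tls.crt` (which the production condition treats as incomplete and falls back from) nor a secret holding both `clientsecret` and TLS data is exercised, so the precedence introduced by the production change is untested. Both new `It` blocks stop at `Expect(client).ToNot(BeNil())`; if the returned client exposes its configuration, asserting that the TLS material actually reached it would distinguish this path from the legacy-secret fallback. The description string `"secret not contains clientSecret but contains tls data"` would read better as `"secret does not contain clientSecret but contains tls data"`. The enclosing Describe starts and ends outside the hunk.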
@@ -22,4 +22,13 @@ data:
 tokenurl: {{ .Values.manager.secret.tokenurl | b64enc | quote }}
 {{- end }}
 tokenurlsuffix: {{ .Values.manager.secret.tokenurlsuffix | b64enc | quote }}
+ {{- if and (.Values.manager.secret.tls.crt) (.Values.manager.secret.tls.key) }}
+ {{- if .Values.manager.secret.b64encoded }}
+ tls.crt: {{ .Values.manager.secret.tls.crt }}
+ tls.key: {{ .Values.manager.secret.tls.key }}
+ {{- else}}
+ tls.crt: {{ .Values.manager.secret.tls.crt | b64enc }}
+ tls.key: {{ .Values.manager.secret.tls.key | b64enc }}
+ {{- end }}
+{{- end }}
 {{ end }}
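Review bot: The guard `{{- if and (.Values.manager.secret.tls.crt) (.Values.manager.secret.tls.key) }}` silently emits nothing when only one of the two values is set, so a half-configured release installs without TLS material and without any signal to the operator. Adding `{{- else if or (.Values.manager.secret.tls.crt) (.Values.manager.secret.tls.key) }}` followed by `{{- fail "manager.secret.tls.crt and manager.secret.tls.key must be set together" }}` before the outer `{{- end }}` turns that into a render-time error. The existing keys in this secret use `| b64enc | quote` while the added `tls.crt`/`tls.key` lines use bare `| b64enc`; base64 output is YAML-safe, but quoting them the same way keeps the template consistent. Indentation is not recoverable from this listing, so confirm the `tls.*` lines sit at the same level as `tokenurlsuffix:` under `data:`.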