[#100] DrupalSite Operator ckeditor4-lts secret

Configured the license key CKEDITOR_LICENSE_KEY for ckeditor4lts via gitlab CI and pass the secret as an environmental variable.

requested review from @crdeoliv and @fborgesa

assigned to @cpetala

@crdeoliv , @fborgesa Ι have performed some changes to add the license key for ckeditor4-lts as a secret to the operator and reconfigured my dev-cluster towards the newly created branch in okd-4install ( https://gitlab.cern.ch/paas-tools/okd4-install/-/commit/e06580e48cde5233397b98d614f57b5b7a52888d), that points to the latest targetRevision and to the operator image ckeditor4-lts-integration .

After trying to create a new site in my dev-cluster the pods have a CreateContainerConfigError status.

From the drupalsite-operator-controller-manager logs I can see the error Ckeditor4LTS Secret: CKEDITOR_LICENSE_KEY environment variable is not set :

{"level":"error","ts":1721373615.2560077,"logger":"controllers.DrupalSite","msg":"k8sAPIClientError while ensuring the resources","Request.Namespace":"my-personal-project/test-cp","Request.Name":"test-cp","error":"k8sAPIClientError: \\nk8sAPIClientError: %v: for Ckeditor4LTS Secret: CKEDITOR_LICENSE_KEY environment variable is not set","stacktrace":"gitlab.cern.ch/drupal/paas/drupalsite-operator/controllers.(\*DrupalSiteReconciler).Reconcile\\n\\t/workspace/controllers/drupalsite_controller.go:336\\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(\*Controller).reconcileHandler\\n\\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.9.2/pkg/internal/controller/controller.go:298\\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(\*Controller).processNextWorkItem\\n\\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.9.2/pkg/internal/controller/controller.go:253\\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(\*Controller).Start.func2.2\\n\\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.9.2/pkg/internal/controller/controller.go:214"}

Would it be possible for you to take a look at my changes when you get the chance and share your opinion?

Also I verified that if we create the secret manually in the dev cluster and then create a Drupalsite resource, pods are created/running without errors and also the key is available from within the php-fpm container:

[root@drupal-dev ~]# kubectl exec -it manual-bc6996757-k4ml6 -c php-fpm -- printenv | grep CKEDITOR_LICENSE_KEY

CKEDITOR_LICENSE_KEY=....................................

So the issue here is with the environmental variable not passed/retrieved correctly so that the secret is created successfully.

To progress with the task,I took a look at the next steps (after we overcome the issue with the environmental variable) and did the following:

• Changed encoding of the value of the key so as to be presented correctly when passed throught the secret (created manually for now) into the container:

 `echo -n "<ckeditor4lts_license_key>" | base64 -w 0`
[root@drupal-dev ~]# oc exec -it latest-745dcd54c9-bv5l7 -c php-fpm -- sh
/app $ echo $CKEDITOR_LICENSE_KEY
<ckeditor4lts_license_key>

• Resolved the login issue with my account on dev-cluster and created a new site /applied the ckeditor for4-lts image
• Perfomed the following drush commands:

drush -y config-set ckeditor.lts.settings license_key: $CKEDITOR_LICENSE_KEY
drush config-get ckeditor.lts.settings
'license_key:': <ckeditor4lts_license_key>

added 1 commit

• 02dbf268 - added variable in gitlab-ci yaml

Compare with previous version

After doing a bit more research, I believe that the above would be accomplished by having a K8S_SECRET_ prefixed environment variable, in case we had Auto DevOps enabled in gitlab, because the Variables section under the CI/CD Settings are environment variables for the CI/CD jobs, not for the application:

• https://about.gitlab.com/blog/2021/12/02/gitops-with-gitlab-secrets-management/#create-secrets-automatically-from-environment-variables-in-gitlab-ci

I am not sure if the logic here is correct and there is a workaround for this or if we should think of another way to create the secret, because what happens now is that the secret ckeditor-license-key needs to be created and present in the clusted before the creation of a Drupalsite resource. Just like the oidc-client-secret.

If the secret would be available on the cluster beforehand (created manually now to present my case), eg:

with the new code added to the operator, when a new Drupalsite resource is created, pods are running and the key is available as environmental_variable in the php-fpm container:

[root@drupal-dev ~]# oc exec -it ckeditor-785db9fc9f-99qjz -c php-fpm -- sh
/app $ echo $CKEDITOR_LICENSE_KEY
WWxoQmNYSTFabkZvYWpWTVVrSkZjamd6TmpseWN6STRjUT09LU56WXpOelE0TkRZNU9EYzVNems1

So after that we could propably add the following command to the ensure-site-install.sh and get the expected result.

drush -y config-set ckeditor.lts.settings license_key: $CKEDITOR_LICENSE_KEY

mentioned in issue cern-drupal-distribution#33 (closed)

added 1 commit

• 67b2e896 - first attempt to pass key from parameter

Compare with previous version

added 1 commit

• e0777521 - removing the dummy value from ckeditorLicenseKey

Compare with previous version

The operator has been updated to pass the ckeditor4_lts module's license_key from a Vault secret to the CKEDITOR_LICENSE_KEY environment variable in the php-fpm container.

changed title from WIP [#100 (closed)] DrupalSite Operator ckeditor4-lts secret to [#100 (closed)] DrupalSite Operator ckeditor4-lts secret

resolved all threads

added 1 commit

• 0731612d - improvemtns: one ckeditor secret per instance

Compare with previous version

added 1 commit

• 3c21f28a - enforce new deployment env on update as well

Compare with previous version

added 1 commit

• b1bede39 - Update file .gitlab-ci.yml

Compare with previous version

added 1 commit

• 296b9837 - Update .gitlab-ci.yml

Compare with previous version

added 1 commit

• d6e452f7 - Update .gitlab-ci.yml file

Compare with previous version

added 1 commit

• bbaf2ca0 - Update .gitlab-ci.yml

Compare with previous version