Commit 7b3f4031 authored by Stephen Greene's avatar Stephen Greene

Ingress: Mount router stats secret as a volume

https://github.com/openshift/router/pull/291 gave the router
the ability to use stats credentials contained in separate username
and password files for security reasons.
This commit modifies the Ingress deployment so that the router-stats
secret is mounted into router pods, and the filenames for the username
and password files are passed to the Router binary via new
environment variables.

pkg/operator/controller/ingress/deployment.go:

Add a new volume and volume mount for the router stats secret.
Replace the STATS_USERNAME and STATS_PASSWORD environment variables with
the new STATS_USER_NAME_FILE and STATS_PASSWORD_FILE environment
variables.

pkg/operator/controller/ingress/deployment_test.go:

Update `TestDeploymentConfigChanged` to reflect the new stats-auth
volume.

Update `TestDesiredRouterDeployment` to verify that the expected
volumes exist with the proper secret references.

This commit is in support of Bug 1955822.
parent 2a9e3c24
......@@ -358,24 +358,28 @@ func desiredRouterDeployment(ci *operatorv1.IngressController, ingressController
}}
statsSecretName := fmt.Sprintf("router-stats-%s", ci.Name)
statsVolumeName := "stats-auth"
statsVolumeMountPath := "/var/lib/haproxy/conf/metrics-auth"
statsVolume := corev1.Volume{
Name: statsVolumeName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: statsSecretName,
},
},
}
statsVolumeMount := corev1.VolumeMount{
Name: statsVolumeName,
MountPath: statsVolumeMountPath,
ReadOnly: true,
}
volumes = append(volumes, statsVolume)
routerVolumeMounts = append(routerVolumeMounts, statsVolumeMount)
env := []corev1.EnvVar{
{Name: "ROUTER_SERVICE_NAME", Value: ci.Name},
{Name: "STATS_USERNAME", ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: statsSecretName,
},
Key: "statsUsername",
},
}},
{Name: "STATS_PASSWORD", ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: statsSecretName,
},
Key: "statsPassword",
},
}},
{Name: "STATS_USERNAME_FILE", Value: filepath.Join(statsVolumeMountPath, "statsUsername")},
{Name: "STATS_PASSWORD_FILE", Value: filepath.Join(statsVolumeMountPath, "statsPassword")},
}
// Enable prometheus metrics
......
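Review bot: The `corev1.SecretVolumeSource` at the top of the hunk projects every key of the `router-stats-<name>` secret with the default file mode, and nothing ties the two `filepath.Join(...)` paths at the bottom to keys that actually exist in that secret; the removed `SecretKeyRef` entries made a missing `statsUsername`/`statsPassword` key a pod-creation error, whereas now the router only finds out at startup that a file is absent. Listing the two keys in `Items` restores that fail-fast behaviour at volume setup and limits the mount to exactly the files the router reads. Whether to also tighten `DefaultMode` below the 0644 default depends on the UID/fsGroup the router container runs as, which is outside this hunk, so I would confirm that before changing it. `desiredRouterDeployment` continues on both sides of the hunk.
```go
statsVolume := corev1.Volume{
	Name: statsVolumeName,
	VolumeSource: corev1.VolumeSource{
		Secret: &corev1.SecretVolumeSource{
			SecretName: statsSecretName,
			// Pin the projected keys so a secret missing either key fails
			// at volume setup instead of at router startup.
			Items: []corev1.KeyToPath{
				{Key: "statsUsername", Path: "statsUsername"},
				{Key: "statsPassword", Path: "statsPassword"},
			},
		},
	},
}
// … unchanged: statsVolumeMount, appends, env …
```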
......@@ -224,14 +224,23 @@ func TestDesiredRouterDeployment(t *testing.T) {
checkDeploymentHasEnvVar(t, deployment, "ROUTER_CANONICAL_HOSTNAME", false, "")
if deployment.Spec.Template.Spec.Volumes[0].Secret == nil {
t.Error("router Deployment has no secret volume")
checkDeploymentHasEnvVar(t, deployment, "STATS_USERNAME_FILE", true, "/var/lib/haproxy/conf/metrics-auth/statsUsername")
checkDeploymentHasEnvVar(t, deployment, "STATS_PASSWORD_FILE", true, "/var/lib/haproxy/conf/metrics-auth/statsPassword")
expectedVolumeSecretPairs := map[string]string{
"default-certificate": fmt.Sprintf("router-certs-%s", ci.Name),
"metrics-certs": fmt.Sprintf("router-metrics-certs-%s", ci.Name),
"stats-auth": fmt.Sprintf("router-stats-%s", ci.Name),
}
defaultSecretName := fmt.Sprintf("router-certs-%s", ci.Name)
if deployment.Spec.Template.Spec.Volumes[0].Secret.SecretName != defaultSecretName {
t.Errorf("router Deployment expected volume with secret %s, got %s",
defaultSecretName, deployment.Spec.Template.Spec.Volumes[0].Secret.SecretName)
for _, volume := range deployment.Spec.Template.Spec.Volumes {
if secretName, ok := expectedVolumeSecretPairs[volume.Name]; ok {
if volume.Secret.SecretName != secretName {
t.Errorf("router Deployment expected volume %s to have secret %s, got %s", volume.Name, secretName, volume.Secret.SecretName)
}
} else if volume.Name != "service-ca-bundle" {
t.Errorf("router deployment has unexpected volume %s", volume.Name)
}
}
if expected, got := 2, len(deployment.Spec.Template.Annotations); expected != got {
......@@ -546,12 +555,20 @@ func TestDesiredRouterDeployment(t *testing.T) {
t.Errorf("expected startup probe host to be \"localhost\", got %q", deployment.Spec.Template.Spec.Containers[0].StartupProbe.Handler.HTTPGet.Host)
}
if deployment.Spec.Template.Spec.Volumes[0].Secret == nil {
t.Error("router Deployment has no secret volume")
expectedVolumeSecretPairs = map[string]string{
"default-certificate": secretName,
"metrics-certs": fmt.Sprintf("router-metrics-certs-%s", ci.Name),
"stats-auth": fmt.Sprintf("router-stats-%s", ci.Name),
}
if deployment.Spec.Template.Spec.Volumes[0].Secret.SecretName != secretName {
t.Errorf("expected router Deployment volume with secret %s, got %s",
secretName, deployment.Spec.Template.Spec.Volumes[0].Secret.SecretName)
for _, volume := range deployment.Spec.Template.Spec.Volumes {
if secretName, ok := expectedVolumeSecretPairs[volume.Name]; ok {
if volume.Secret.SecretName != secretName {
t.Errorf("router Deployment expected volume %s to have secret %s, got %s", volume.Name, secretName, volume.Secret.SecretName)
}
} else if volume.Name != "service-ca-bundle" {
t.Errorf("router deployment has unexpected volume %s", volume.Name)
}
}
checkDeploymentHasContainer(t, deployment, operatorv1.ContainerLoggingSidecarContainerName, false)
......@@ -1078,6 +1095,14 @@ func TestDeploymentConfigChanged(t *testing.T) {
},
},
},
{
Name: "stats-auth",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "router-stats-default",
},
},
},
},
Containers: []corev1.Container{
{
......
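Review bot: The new loop in the first `TestDesiredRouterDeployment` hunk (and the identical loop in the second) only checks volumes that are present, so a deployment with no `stats-auth` volume at all passes even though the commit message says the test verifies the expected volumes exist; it also dereferences `volume.Secret.SecretName` without the nil check the removed code had, so a non-secret volume with a matching name panics the test instead of failing it. Consuming the map as volumes are matched and reporting whatever is left afterwards fixes both; the map is reassigned before the second loop, so mutating it in the first is safe. Minor: `secretName, ok :=` in the second hunk shadows the outer `secretName` used two lines above it, which reads awkwardly. `TestDesiredRouterDeployment` continues outside both hunks.
```go
for _, volume := range deployment.Spec.Template.Spec.Volumes {
	secretName, ok := expectedVolumeSecretPairs[volume.Name]
	if !ok {
		if volume.Name != "service-ca-bundle" {
			t.Errorf("router deployment has unexpected volume %s", volume.Name)
		}
		continue
	}
	if volume.Secret == nil {
		t.Errorf("router Deployment expected volume %s to be a secret volume", volume.Name)
	} else if volume.Secret.SecretName != secretName {
		t.Errorf("router Deployment expected volume %s to have secret %s, got %s", volume.Name, secretName, volume.Secret.SecretName)
	}
	delete(expectedVolumeSecretPairs, volume.Name)
}
for name := range expectedVolumeSecretPairs {
	t.Errorf("router Deployment is missing expected volume %s", name)
}
```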