Merge pull request #118 from gmfrasca/rm-secret-creation

Remove External Connection Secrets from operator responsibilities
opendatahub-io · Nov 8, 2023 · 40a8930 · 40a8930
2 parents 6206cf2 + 4e4c3fa
commit 40a8930
Show file tree

Hide file tree

Showing 24 changed files with 252 additions and 191 deletions.
diff --git a/config/internal/apiserver/deployment.yaml.tmpl b/config/internal/apiserver/deployment.yaml.tmpl
@@ -80,6 +80,12 @@ spec:
               value: "ds-pipeline-visualizationserver"
             - name: ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT
               value: "8888"
+            - name: OBJECTSTORECONFIG_CREDENTIALSSECRET
+              value: "{{.ObjectStorageConnection.CredentialsSecret.SecretName}}"
+            - name: OBJECTSTORECONFIG_CREDENTIALSACCESSKEYKEY
+              value: "{{.ObjectStorageConnection.CredentialsSecret.AccessKey}}"
+            - name: OBJECTSTORECONFIG_CREDENTIALSSECRETKEYKEY
+              value: "{{.ObjectStorageConnection.CredentialsSecret.SecretKey}}"
             - name: OBJECTSTORECONFIG_BUCKETNAME
               value: "{{.ObjectStorageConnection.Bucket}}"
             - name: OBJECTSTORECONFIG_ACCESSKEY

diff --git a/config/internal/devtools/database.secret.yaml.tmpl b/config/internal/devtools/database.secret.yaml.tmpl
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{.DBConnection.CredentialsSecret.Name}}"
+  namespace: {{.Namespace}}
+  labels:
+    app: mariadb-{{.Name}}
+    component: data-science-pipelines
+data:
+  password: {{.DBConnection.Password}}
diff --git a/config/internal/devtools/storage.secret.yaml.tmpl b/config/internal/devtools/storage.secret.yaml.tmpl
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{.ObjectStorageConnection.CredentialsSecret.SecretName}}"
+  namespace: {{.Namespace}}
+  labels:
+    app: minio-{{.Name}}
+    component: data-science-pipelines
+stringData:
+  host: "{{.ObjectStorageConnection.Host}}"
+  port: "{{.ObjectStorageConnection.Port}}"
+  secure: "{{.ObjectStorageConnection.Secure}}"
+data:
+  accesskey: "{{.ObjectStorageConnection.AccessKeyID}}"
+  secretkey: "{{.ObjectStorageConnection.SecretAccessKey}}"
diff --git a/config/internal/mariadb/secret.yaml.tmpl b/config/internal/mariadb/secret.yaml.tmpl
@@ -7,4 +7,4 @@ metadata:
     app: mariadb-{{.Name}}
     component: data-science-pipelines
 data:
-  password: {{.DBConnection.Password}}
+  {{.DBConnection.CredentialsSecret.Key}}: "{{.DBConnection.Password}}"
diff --git a/config/internal/minio/secret.yaml.tmpl b/config/internal/minio/secret.yaml.tmpl
@@ -11,5 +11,5 @@ stringData:
   port: "{{.ObjectStorageConnection.Port}}"
   secure: "{{.ObjectStorageConnection.Secure}}"
 data:
-  accesskey: "{{.ObjectStorageConnection.AccessKeyID}}"
-  secretkey: "{{.ObjectStorageConnection.SecretAccessKey}}"
+  {{.ObjectStorageConnection.CredentialsSecret.AccessKey}}: "{{.ObjectStorageConnection.AccessKeyID}}"
+  {{.ObjectStorageConnection.CredentialsSecret.SecretKey}}: "{{.ObjectStorageConnection.SecretAccessKey}}"
diff --git a/controllers/config/defaults.go b/controllers/config/defaults.go
@@ -32,8 +32,9 @@ const (
 	ArtifactScriptConfigMapKey         = "artifact_script"
 	DSPServicePrefix                   = "ds-pipeline"
 
-	DBSecretNamePrefix = "ds-pipeline-db-"
-	DBSecretKey        = "password"
+	DefaultDBSecretNamePrefix = "ds-pipeline-db-"
+	DefaultDBSecretKey        = "password"
+	GeneratedDBPasswordLength = 12
 
 	MariaDBName        = "mlpipeline"
 	MariaDBHostPrefix  = "mariadb"
@@ -47,9 +48,11 @@ const (
 	MinioDefaultBucket = "mlpipeline"
 	MinioPVCSize       = "10Gi"
 
-	ObjectStorageSecretName = "mlpipeline-minio-artifact" // hardcoded in kfp-tekton
-	ObjectStorageAccessKey  = "accesskey"
-	ObjectStorageSecretKey  = "secretkey"
+	DefaultObjectStorageSecretNamePrefix  = "ds-pipeline-s3-"
+	DefaultObjectStorageAccessKey         = "accesskey"
+	DefaultObjectStorageSecretKey         = "secretkey"
+	GeneratedObjectStorageAccessKeyLength = 16
+	GeneratedObjectStorageSecretKeyLength = 24
 
 	MlmdGrpcPort = "8080"
 )

diff --git a/controllers/database.go b/controllers/database.go
@@ -20,19 +20,19 @@ import (
 	"database/sql"
 	b64 "encoding/base64"
 	"fmt"
+
 	_ "github.com/go-sql-driver/mysql"
 	dspav1alpha1 "github.com/opendatahub-io/data-science-pipelines-operator/api/v1alpha1"
 	"github.com/opendatahub-io/data-science-pipelines-operator/controllers/config"
 )
 
 const dbSecret = "mariadb/secret.yaml.tmpl"
 
-var dbTemplates = []string{
+var mariadbTemplates = []string{
 	"mariadb/deployment.yaml.tmpl",
 	"mariadb/pvc.yaml.tmpl",
 	"mariadb/service.yaml.tmpl",
 	"mariadb/mariadb-sa.yaml.tmpl",
-	dbSecret,
 }
 
 // extract to var for mocking in testing
@@ -100,18 +100,22 @@ func (r *DSPAReconciler) ReconcileDatabase(ctx context.Context, dsp *dspav1alpha
 	// Default DB is currently MariaDB as well, but storing these bools seperately in case that changes
 	deployDefaultDB := !databaseSpecified || defaultDBRequired
 
+	externalDBCredentialsProvided := externalDBSpecified && (dsp.Spec.Database.ExternalDB.PasswordSecret != nil)
+	mariaDBCredentialsProvided := mariaDBSpecified && (dsp.Spec.Database.MariaDB.PasswordSecret != nil)
+	databaseCredentialsProvided := externalDBCredentialsProvided || mariaDBCredentialsProvided
+
 	// If external db is specified, it takes precedence
 	if externalDBSpecified {
-		log.Info("Deploying external db secret.")
-		// If using external DB, we just need to create the secret
-		// for apiserver
-		err := r.Apply(dsp, params, dbSecret)
-		if err != nil {
-			return err
-		}
+		log.Info("Using externalDB, bypassing database deployment.")
 	} else if deployMariaDB || deployDefaultDB {
+		if !databaseCredentialsProvided {
+			err := r.Apply(dsp, params, dbSecret)
+			if err != nil {
+				return err
+			}
+		}
 		log.Info("Applying mariaDB resources.")
-		for _, template := range dbTemplates {
+		for _, template := range mariadbTemplates {
 			err := r.Apply(dsp, params, template)
 			if err != nil {
 				return err