OCM controller - periodically pull the data and update corresponding

secret

Author: tremes

config/local.yaml

@@ -6,5 +6,8 @@ interval: "5m"
 storagePath: /tmp/insights-operator
 endpoint: http://[::1]:8081
 impersonate: system:serviceaccount:openshift-insights:gather
+ocm:
+  endpoint: https://jsonplaceholder.typicode.com/albums?id=1
+  interval: "4h"
 gather:
   - ALL

manifests/03-clusterrole.yaml

@@ -187,7 +187,17 @@ rules:
   verbs:
     - get
     - list
-    - watch      
+    - watch     
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - update
+  - get
+  - list
+  - watch
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

pkg/config/config.go

@@ -23,6 +23,10 @@ type Serialized struct {
 	} `json:"pull_report"`
 	Impersonate string   `json:"impersonate"`
 	Gather      []string `json:"gather"`
+	Ocm         struct {
+		Endpoint string `json:"endpoint"`
+		Interval string `json:"interval"`
+	}
 }
 
 // Controller defines the standard config for this operator.
@@ -37,6 +41,8 @@ type Controller struct {
 	ReportPullingTimeout time.Duration
 	Impersonate          string
 	Gather               []string
+	OcmEndpoint          string
+	OcmInterval          time.Duration
 
 	Username string
 	Password string
@@ -119,6 +125,18 @@ func ToController(s *Serialized, cfg *Controller) (*Controller, error) {
 	if len(cfg.StoragePath) == 0 {
 		return nil, fmt.Errorf("storagePath must point to a directory where snapshots can be stored")
 	}
+
+	if len(s.Ocm.Endpoint) > 0 {
+		cfg.OcmEndpoint = s.Ocm.Endpoint
+	}
+
+	if len(s.Ocm.Interval) > 0 {
+		i, err := time.ParseDuration(s.Ocm.Interval)
+		if err != nil {
+			return nil, fmt.Errorf("ocm interval must be a valid duration: %v", err)
+		}
+		cfg.OcmInterval = i
+	}
 	return cfg, nil
 }
 

pkg/config/configobserver/configobserver.go

@@ -189,6 +189,21 @@ func (c *Controller) retrieveConfig(ctx context.Context) error {
 				nextConfig.Report = false
 			}
 		}
+
+		// OCM config
+		if ocmEndpoint, ok := secret.Data["ocmEndpoint"]; ok {
+			nextConfig.OcmEndpoint = string(ocmEndpoint)
+		}
+		if ocmInterval, ok := secret.Data["ocmInterval"]; ok {
+			if oi, err := time.ParseDuration(string(ocmInterval)); err == nil {
+				nextConfig.OcmInterval = oi
+			} else {
+				klog.Warningf(
+					"secret contains an invalid value (%s) for ocmInterval. Using previous value",
+					ocmInterval,
+				)
+			}
+		}
 	}
 	if err != nil {
 		return err
@@ -263,6 +278,13 @@ func (c *Controller) mergeConfigLocked() {
 		if c.secretConfig.ReportMinRetryTime > 0 {
 			cfg.ReportMinRetryTime = c.secretConfig.ReportMinRetryTime
 		}
+		// OCM config
+		if len(c.secretConfig.OcmEndpoint) > 0 {
+			cfg.OcmEndpoint = c.secretConfig.OcmEndpoint
+		}
+		if c.secretConfig.OcmInterval > 0 {
+			cfg.OcmInterval = c.secretConfig.OcmInterval
+		}
 		cfg.HTTPConfig = c.secretConfig.HTTPConfig
 	}
 	if c.tokenConfig != nil {

pkg/controller/operator.go

@@ -31,6 +31,7 @@ import (
 	"github.com/openshift/insights-operator/pkg/insights/insightsclient"
 	"github.com/openshift/insights-operator/pkg/insights/insightsreport"
 	"github.com/openshift/insights-operator/pkg/insights/insightsuploader"
+	"github.com/openshift/insights-operator/pkg/ocm"
 	"github.com/openshift/insights-operator/pkg/recorder"
 	"github.com/openshift/insights-operator/pkg/recorder/diskrecorder"
 )
@@ -105,6 +106,11 @@ func (s *Operator) Run(ctx context.Context, controller *controllercmd.Controller
 	// the last sync time, if any was set
 	statusReporter := status.NewController(configClient, gatherKubeClient.CoreV1(), configObserver, os.Getenv("POD_NAMESPACE"))
 
+	// OMC controller periodically checks and pull data from the OCM API
+	// the data is exposed in the OpenShift API
+	ocmController := ocm.New(ctx, gatherKubeClient.CoreV1(), configObserver)
+	go ocmController.Run()
+
 	// the recorder periodically flushes any recorded data to disk as tar.gz files
 	// in s.StoragePath, and also prunes files above a certain age
 	recdriver := diskrecorder.New(s.StoragePath)

pkg/ocm/ocm.go

@@ -0,0 +1,161 @@
+package ocm
+
+import (
+	"context"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"github.com/openshift/insights-operator/pkg/config"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/klog/v2"
+)
+
+const (
+	targetNamespaceName = "openshift-config-managed"
+	secretName          = "simple-content-access-cert"
+)
+
+// Controller holds all the required resources to be able to communicate with OCM API
+type Controller struct {
+	coreClient   corev1client.CoreV1Interface
+	context      context.Context
+	configurator Configurator
+}
+
+// Configurator represents the interface to retrieve the configuration for the gatherer
+type Configurator interface {
+	Config() *config.Controller
+	ConfigChanged() (<-chan struct{}, func())
+}
+
+// New creates new instance
+func New(ctx context.Context, coreClient corev1client.CoreV1Interface, configurator Configurator) *Controller {
+	return &Controller{
+		coreClient:   coreClient,
+		context:      ctx,
+		configurator: configurator,
+	}
+}
+
+// Run periodically queries the OCM API and update corresponding secret accordingly
+func (c *Controller) Run() {
+	cfg := c.configurator.Config()
+	endpoint := cfg.OcmEndpoint
+	interval := cfg.OcmInterval
+	configCh, cancel := c.configurator.ConfigChanged()
+	defer cancel()
+
+	c.requestDataAndCheckSecret(endpoint)
+	for {
+		select {
+		case <-time.After(interval):
+			c.requestDataAndCheckSecret(endpoint)
+		case <-configCh:
+			cfg := c.configurator.Config()
+			interval = cfg.OcmInterval
+			endpoint = cfg.OcmEndpoint
+		}
+	}
+}
+
+func (c *Controller) requestDataAndCheckSecret(endpoint string) {
+	data, err := requestData(endpoint)
+	if err != nil {
+		klog.Errorf("errror requesting data from %s: %v", endpoint, err)
+	}
+	// check & update the secret here
+	ok, err := c.checkSecret(data)
+	if !ok {
+		// TODO - change IO status in case of failure ?
+		klog.Errorf("error when checking the %s secret: %v", secretName, err)
+		return
+	}
+	klog.Infof("%s secret successfuly updated", secretName)
+
+}
+
+// checkSecret checks "simple-content-access" secret in the "openshift-config-managed" namespace.
+// If the secret doesn't exist then it will create a new one.
+// If the secret already exist then it will update the data.
+func (c *Controller) checkSecret(data []byte) (bool, error) {
+	scaSec, err := c.coreClient.Secrets(targetNamespaceName).Get(c.context, secretName, metav1.GetOptions{})
+
+	//if the secret doesn't exist then create one
+	if errors.IsNotFound(err) {
+		_, err = c.createSecret(data)
+		if err != nil {
+			return false, err
+		}
+		return true, nil
+	}
+	if err != nil {
+		return false, err
+	}
+
+	_, err = c.updateSecret(scaSec, data)
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+func (o *Controller) createSecret(data []byte) (*v1.Secret, error) {
+	newSCA := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretName,
+			Namespace: targetNamespaceName,
+		},
+		// TODO set the data correctly
+		Data: map[string][]byte{
+			v1.TLSCertKey:       data,
+			v1.TLSPrivateKeyKey: data,
+		},
+		Type: v1.SecretTypeTLS,
+	}
+	cm, err := o.coreClient.Secrets(targetNamespaceName).Create(o.context, newSCA, metav1.CreateOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return cm, nil
+}
+
+// updateSecret updates provided secret with given data
+func (o *Controller) updateSecret(s *v1.Secret, data []byte) (*v1.Secret, error) {
+
+	// TODO set the data correctly
+	s.Data = map[string][]byte{
+		v1.TLSCertKey:       data,
+		v1.TLSPrivateKeyKey: data,
+	}
+	s, err := o.coreClient.Secrets(s.Namespace).Update(o.context, s, metav1.UpdateOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+// TODO
+// - no need to create new HTTP client every time
+// - add authorization
+// - add response status check
+// - move this to insightsclient?
+func requestData(endpoint string) ([]byte, error) {
+	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
+	if err != nil {
+		return nil, err
+	}
+	client := &http.Client{}
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	d, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+	return d, nil
+}