Change how we read configuration

Moving from a model where we have to explicitly set each secret in the
pod env to a model where we just mount the whole secret into the pod.
This has the added benefit of allowing us to autodetect secret changes
and restart the pod AND means that users can totally omit the secret now
as opposed to having to create the secret with empty values.

Author: matthchr

v2/charts/azure-service-operator/templates/apps_v1_deployment_azureserviceoperator-controller-manager.yaml

@@ -59,111 +59,6 @@ spec:
         - --webhook-cert-dir={{ .Values.webhook.certDir }}
         {{- end }}
         env:
-        - name: AZURE_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_CLIENT_ID
-              name: aso-controller-settings
-        - name: AZURE_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_CLIENT_SECRET
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_TENANT_ID
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_TENANT_ID
-              name: aso-controller-settings
-        - name: AZURE_SUBSCRIPTION_ID
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_SUBSCRIPTION_ID
-              name: aso-controller-settings
-        - name: AZURE_CLIENT_CERTIFICATE
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_CLIENT_CERTIFICATE
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_CLIENT_CERTIFICATE_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_CLIENT_CERTIFICATE_PASSWORD
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_AUTHORITY_HOST
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_AUTHORITY_HOST
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_RESOURCE_MANAGER_ENDPOINT
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_RESOURCE_MANAGER_ENDPOINT
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_RESOURCE_MANAGER_AUDIENCE
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_RESOURCE_MANAGER_AUDIENCE
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_TARGET_NAMESPACES
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_TARGET_NAMESPACES
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_OPERATOR_MODE
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_OPERATOR_MODE
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_SYNC_PERIOD
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_SYNC_PERIOD
-              name: aso-controller-settings
-              optional: true
-        - name: USE_WORKLOAD_IDENTITY_AUTH
-          valueFrom:
-            secretKeyRef:
-              key: USE_WORKLOAD_IDENTITY_AUTH
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_USER_AGENT_SUFFIX
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_USER_AGENT_SUFFIX
-              name: aso-controller-settings
-              optional: true
-        - name: MAX_CONCURRENT_RECONCILES
-          valueFrom:
-            secretKeyRef:
-              key: MAX_CONCURRENT_RECONCILES
-              name: aso-controller-settings
-              optional: true
-        - name: RATE_LIMIT_MODE
-          valueFrom:
-            secretKeyRef:
-              key: RATE_LIMIT_MODE
-              name: aso-controller-settings
-              optional: true
-        - name: RATE_LIMIT_QPS
-          valueFrom:
-            secretKeyRef:
-              key: RATE_LIMIT_QPS
-              name: aso-controller-settings
-              optional: true
-        - name: RATE_LIMIT_BUCKET_SIZE
-          valueFrom:
-            secretKeyRef:
-              key: RATE_LIMIT_BUCKET_SIZE
-              name: aso-controller-settings
-              optional: true
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
@@ -210,6 +105,9 @@ spec:
           name: cert
           readOnly: true
         {{- end }}
+        - name: settings-volume
+          readOnly: true
+          mountPath: "/etc/aso-controller-settings"
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: azureserviceoperator-default
@@ -229,3 +127,6 @@ spec:
               audience: api://AzureADTokenExchange
               expirationSeconds: 3600
               path: azure-identity
+      - name: settings-volume
+        secret:
+          secretName: aso-controller-settings

v2/charts/azure-service-operator/templates/secret.yaml

@@ -6,9 +6,15 @@ metadata:
   namespace: {{.Release.Namespace}}
 type: Opaque
 data:
+  {{- if .Values.azureSubscriptionID }}
   AZURE_SUBSCRIPTION_ID: {{ .Values.azureSubscriptionID | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.azureTenantID }}
   AZURE_TENANT_ID: {{ .Values.azureTenantID | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.azureClientID }}
   AZURE_CLIENT_ID: {{ .Values.azureClientID | b64enc | quote }}
+  {{- end }}
   {{- if .Values.azureClientSecret }}
   AZURE_CLIENT_SECRET: {{ .Values.azureClientSecret | b64enc | quote }}
   {{- end }}

v2/cmd/controller/app/setup.go

@@ -107,7 +107,21 @@ func SetupPreUpgradeCheck(ctx context.Context) error {
 	return kerrors.NewAggregate(errs)
 }
 
-func SetupControllerManager(ctx context.Context, setupLog logr.Logger, flgs Flags) manager.Manager {
+type ManagerWrapper struct {
+	mgr     manager.Manager
+	watcher *config.Watcher
+}
+
+func (w *ManagerWrapper) Start(ctx context.Context) error {
+	err := w.watcher.Start(ctx)
+	if err != nil {
+		return errors.Wrap(err, "failed to start config watcher")
+	}
+
+	return w.mgr.Start(ctx) // This blocks
+}
+
+func SetupControllerManager(ctx context.Context, setupLog logr.Logger, flgs Flags) ManagerWrapper {
 	scheme := controllers.CreateScheme()
 	_ = apiextensions.AddToScheme(scheme) // Used for managing CRDs
 
@@ -263,7 +277,14 @@ func SetupControllerManager(ctx context.Context, setupLog logr.Logger, flgs Flag
 		setupLog.Error(err, "Failed setting up readyz check")
 		os.Exit(1)
 	}
-	return mgr
+
+	// This watches the mounted secret and restart the pod if it changes
+	configWatcher := config.NewWatcher(setupLog)
+
+	return ManagerWrapper{
+		mgr:     mgr,
+		watcher: configWatcher,
+	}
 }
 
 func getMetricsOpts(flags Flags) server.Options {

v2/config/manager/manager_image_patch.yaml

@@ -8,119 +8,22 @@ spec:
     spec:
       nodeSelector:
         "kubernetes.io/os": linux
+      volumes:
+        - name: settings-volume
+          secret:
+            secretName: aso-controller-settings
       containers:
         # Change the value of image field below to your controller image URL
         - image: localhost:5000/azureserviceoperator:latest
           name: manager
           env:
-            - name: AZURE_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_CLIENT_ID
-            - name: AZURE_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_CLIENT_SECRET
-                  optional: true
-            - name: AZURE_TENANT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_TENANT_ID
-            - name: AZURE_SUBSCRIPTION_ID
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_SUBSCRIPTION_ID
-            - name: AZURE_CLIENT_CERTIFICATE
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_CLIENT_CERTIFICATE
-                  optional: true
-            - name: AZURE_CLIENT_CERTIFICATE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_CLIENT_CERTIFICATE_PASSWORD
-                  optional: true
-            - name: AZURE_AUTHORITY_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_AUTHORITY_HOST
-                  optional: true
-            - name: AZURE_RESOURCE_MANAGER_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_RESOURCE_MANAGER_ENDPOINT
-                  optional: true
-            - name: AZURE_RESOURCE_MANAGER_AUDIENCE
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_RESOURCE_MANAGER_AUDIENCE
-                  optional: true
-            - name: AZURE_TARGET_NAMESPACES
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_TARGET_NAMESPACES
-                  optional: true
-            - name: AZURE_OPERATOR_MODE
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_OPERATOR_MODE
-                  optional: true
-            - name: AZURE_SYNC_PERIOD
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_SYNC_PERIOD
-                  optional: true
-            - name: USE_WORKLOAD_IDENTITY_AUTH
-              valueFrom:
-                secretKeyRef:
-                  key: USE_WORKLOAD_IDENTITY_AUTH
-                  name: aso-controller-settings
-                  optional: true
-            - name: AZURE_USER_AGENT_SUFFIX
-              valueFrom:
-                secretKeyRef:
-                  key: AZURE_USER_AGENT_SUFFIX
-                  name: aso-controller-settings
-                  optional: true
-            - name: MAX_CONCURRENT_RECONCILES
-              valueFrom:
-                secretKeyRef:
-                  key: MAX_CONCURRENT_RECONCILES
-                  name: aso-controller-settings
-                  optional: true
-            - name: RATE_LIMIT_MODE
-              valueFrom:
-                secretKeyRef:
-                  key: RATE_LIMIT_MODE
-                  name: aso-controller-settings
-                  optional: true
-            - name: RATE_LIMIT_QPS
-              valueFrom:
-                secretKeyRef:
-                  key: RATE_LIMIT_QPS
-                  name: aso-controller-settings
-                  optional: true
-            - name: RATE_LIMIT_BUCKET_SIZE
-              valueFrom:
-                secretKeyRef:
-                  key: RATE_LIMIT_BUCKET_SIZE
-                  name: aso-controller-settings
-                  optional: true
             # Used for setting the operator-namespace annotation (and
             # for aad-pod-identity once we support it).
             - name: POD_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          volumeMounts:
+            - name: settings-volume
+              readOnly: true
+              mountPath: "/etc/aso-controller-settings"