Azure · matthchr · Jul 18, 2024
@@ -67,111 +67,6 @@ spec:
         - --webhook-cert-dir={{ .Values.webhook.certDir }}
         {{- end }}
         env:
-        - name: AZURE_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_CLIENT_ID
-              name: aso-controller-settings
-        - name: AZURE_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_CLIENT_SECRET
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_TENANT_ID
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_TENANT_ID
-              name: aso-controller-settings
-        - name: AZURE_SUBSCRIPTION_ID
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_SUBSCRIPTION_ID
-              name: aso-controller-settings
-        - name: AZURE_CLIENT_CERTIFICATE
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_CLIENT_CERTIFICATE
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_CLIENT_CERTIFICATE_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_CLIENT_CERTIFICATE_PASSWORD
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_AUTHORITY_HOST
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_AUTHORITY_HOST
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_RESOURCE_MANAGER_ENDPOINT
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_RESOURCE_MANAGER_ENDPOINT
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_RESOURCE_MANAGER_AUDIENCE
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_RESOURCE_MANAGER_AUDIENCE
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_TARGET_NAMESPACES
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_TARGET_NAMESPACES
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_OPERATOR_MODE
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_OPERATOR_MODE
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_SYNC_PERIOD
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_SYNC_PERIOD
-              name: aso-controller-settings
-              optional: true
-        - name: USE_WORKLOAD_IDENTITY_AUTH
-          valueFrom:
-            secretKeyRef:
-              key: USE_WORKLOAD_IDENTITY_AUTH
-              name: aso-controller-settings
-              optional: true
-        - name: AZURE_USER_AGENT_SUFFIX
-          valueFrom:
-            secretKeyRef:
-              key: AZURE_USER_AGENT_SUFFIX
-              name: aso-controller-settings
-              optional: true
-        - name: MAX_CONCURRENT_RECONCILES
-          valueFrom:
-            secretKeyRef:
-              key: MAX_CONCURRENT_RECONCILES
-              name: aso-controller-settings
-              optional: true
-        - name: RATE_LIMIT_MODE
-          valueFrom:
-            secretKeyRef:
-              key: RATE_LIMIT_MODE
-              name: aso-controller-settings
-              optional: true
-        - name: RATE_LIMIT_QPS
-          valueFrom:
-            secretKeyRef:
-              key: RATE_LIMIT_QPS
-              name: aso-controller-settings
-              optional: true
-        - name: RATE_LIMIT_BUCKET_SIZE
-          valueFrom:
-            secretKeyRef:
-              key: RATE_LIMIT_BUCKET_SIZE
-              name: aso-controller-settings
-              optional: true
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
@@ -216,6 +111,9 @@ spec:
           name: cert
           readOnly: true
         {{- end }}
+        - name: settings-volume
+          readOnly: true
+          mountPath: "/etc/aso-controller-settings"
       {{- with .Values.nodeSelector }}
       nodeSelector:
       {{- toYaml . | nindent 8 }}
@@ -244,3 +142,6 @@ spec:
               audience: api://AzureADTokenExchange
               expirationSeconds: 3600
               path: azure-identity
+      - name: settings-volume
+        secret:
+          secretName: aso-controller-settings
@@ -6,9 +6,15 @@ metadata:
   namespace: {{.Release.Namespace}}
 type: Opaque
 data:
+  {{- if .Values.azureSubscriptionID }}
   AZURE_SUBSCRIPTION_ID: {{ .Values.azureSubscriptionID | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.azureTenantID }}
   AZURE_TENANT_ID: {{ .Values.azureTenantID | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.azureClientID }}
   AZURE_CLIENT_ID: {{ .Values.azureClientID | b64enc | quote }}
+  {{- end }}
   {{- if .Values.azureClientSecret }}
   AZURE_CLIENT_SECRET: {{ .Values.azureClientSecret | b64enc | quote }}
   {{- end }}

@@ -52,7 +52,21 @@ import (
 	"github.com/Azure/azure-service-operator/v2/pkg/genruntime/conditions"
 )
 
-func SetupControllerManager(ctx context.Context, setupLog logr.Logger, flgs *Flags) manager.Manager {
+type ManagerWrapper struct {
+	mgr     manager.Manager
+	watcher *config.Watcher
+}
+
+func (w *ManagerWrapper) Start(ctx context.Context) error {
+	err := w.watcher.Start(ctx)
+	if err != nil {
+		return errors.Wrap(err, "failed to start config watcher")
+	}
+
+	return w.mgr.Start(ctx) // This blocks
+}
+
+func SetupControllerManager(ctx context.Context, setupLog logr.Logger, flgs *Flags) ManagerWrapper {
 	scheme := controllers.CreateScheme()
 	_ = apiextensions.AddToScheme(scheme) // Used for managing CRDs
 
@@ -212,7 +226,14 @@ func SetupControllerManager(ctx context.Context, setupLog logr.Logger, flgs *Fla
 		setupLog.Error(err, "Failed setting up readyz check")
 		os.Exit(1)
 	}
-	return mgr
+
+	// This watches the mounted secret and restart the pod if it changes
+	configWatcher := config.NewWatcher(setupLog)
+
+	return ManagerWrapper{
+		mgr:     mgr,
+		watcher: configWatcher,
+	}
 }
 
 func getMetricsOpts(flags *Flags) server.Options {

@@ -8,119 +8,22 @@ spec:
     spec:
       nodeSelector:
         "kubernetes.io/os": linux
+      volumes:
+        - name: settings-volume
+          secret:
+            secretName: aso-controller-settings
       containers:
         # Change the value of image field below to your controller image URL
         - image: localhost:5000/azureserviceoperator:latest
           name: manager
           env:
-            - name: AZURE_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_CLIENT_ID
-            - name: AZURE_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_CLIENT_SECRET
-                  optional: true
-            - name: AZURE_TENANT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_TENANT_ID
-            - name: AZURE_SUBSCRIPTION_ID
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_SUBSCRIPTION_ID
-            - name: AZURE_CLIENT_CERTIFICATE
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_CLIENT_CERTIFICATE
-                  optional: true
-            - name: AZURE_CLIENT_CERTIFICATE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_CLIENT_CERTIFICATE_PASSWORD
-                  optional: true
-            - name: AZURE_AUTHORITY_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_AUTHORITY_HOST
-                  optional: true
-            - name: AZURE_RESOURCE_MANAGER_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_RESOURCE_MANAGER_ENDPOINT
-                  optional: true
-            - name: AZURE_RESOURCE_MANAGER_AUDIENCE
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_RESOURCE_MANAGER_AUDIENCE
-                  optional: true
-            - name: AZURE_TARGET_NAMESPACES
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_TARGET_NAMESPACES
-                  optional: true
-            - name: AZURE_OPERATOR_MODE
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_OPERATOR_MODE
-                  optional: true
-            - name: AZURE_SYNC_PERIOD
-              valueFrom:
-                secretKeyRef:
-                  name: aso-controller-settings
-                  key: AZURE_SYNC_PERIOD
-                  optional: true
-            - name: USE_WORKLOAD_IDENTITY_AUTH
-              valueFrom:
-                secretKeyRef:
-                  key: USE_WORKLOAD_IDENTITY_AUTH
-                  name: aso-controller-settings
-                  optional: true
-            - name: AZURE_USER_AGENT_SUFFIX
-              valueFrom:
-                secretKeyRef:
-                  key: AZURE_USER_AGENT_SUFFIX
-                  name: aso-controller-settings
-                  optional: true
-            - name: MAX_CONCURRENT_RECONCILES
-              valueFrom:
-                secretKeyRef:
-                  key: MAX_CONCURRENT_RECONCILES
-                  name: aso-controller-settings
-                  optional: true
-            - name: RATE_LIMIT_MODE
-              valueFrom:
-                secretKeyRef:
-                  key: RATE_LIMIT_MODE
-                  name: aso-controller-settings
-                  optional: true
-            - name: RATE_LIMIT_QPS
-              valueFrom:
-                secretKeyRef:
-                  key: RATE_LIMIT_QPS
-                  name: aso-controller-settings
-                  optional: true
-            - name: RATE_LIMIT_BUCKET_SIZE
-              valueFrom:
-                secretKeyRef:
-                  key: RATE_LIMIT_BUCKET_SIZE
-                  name: aso-controller-settings
-                  optional: true
             # Used for setting the operator-namespace annotation (and
             # for aad-pod-identity once we support it).
             - name: POD_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          volumeMounts:
+            - name: settings-volume
+              readOnly: true
+              mountPath: "/etc/aso-controller-settings"