Support more secret volume fields in secure settings

[thbkrkr]

Support items, key and path fields for the secure
settings secret similar to secret volume mounts to
give a way to inject a subset of secrets and/or
define a specific name to secure settings.

New syntax supported:

spec:
  secureSettings:
  - secretName: your-secure-settings-secret
    items:
    - key: username
      path: my-login
  - secretName: your-second-secure-settings-secret

Resolves #1458.

[pebrc]

LGTM! Nice, much easier than I thought. One tiny naming nit.

[barkbay]

I wanted to test this feature but I have the following error when I apply the manifest:

validation failure list:
type in spec.secureSettings is required

I have deleted and recreated the CRDs. I'm using K8S 1.15.3 (both client and server).

Here is my manifest:

apiVersion: elasticsearch.k8s.elastic.co/v1alpha1
kind: Elasticsearch
metadata:
  name: elasticsearch-sample
spec:
  secureSettings:
  - secretName: some-user-secret
    items:
    - key: key1
  version: 7.2.0
  nodes:
  - name: default
    config:
      # most Elasticsearch configuration parameters are possible to set, e.g:
      node.attr.attr_name: attr_value
      node.master: true
      node.data: true
      node.ingest: true
      node.ml: true
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          # specify resource limits and requests
          resources:
            limits:
              memory: 4Gi
              cpu: 1
          env:
          - name: ES_JAVA_OPTS
            value: "-Xms2g -Xmx2g"
    nodeCount: 2

Any idea ?

Also we should create a documentation issue and/or update the comments in the sample.

[thbkrkr]

I wanted to test this feature but I have the following error when I apply the manifest:

validation failure list:
type in spec.secureSettings is required

Thanks for spotting this!

items requires to declare a type, for the moment.

spec:
  secureSettings:
  - secretName: some-user-secret
    items:
    - key: key1
    type: array

It looks like this issue kubernetes/kubernetes#68466, which has been fixed for 1.16.

Also we should create a documentation issue and/or update the comments in the sample.

Yes! I'm going to update the doc and the samples in this PR.

[barkbay]

items requires to declare a type, for the moment.

I added this one in the spec, it has fixed the issue with kubectl, but now I have the same error on the operator side:

2019-09-02T13:34:41.610+0200	ERROR	kubebuilder.controller	Reconciler error	{"controller": "elasticsearch-controller", "request": "default/elasticsearch-sample", "error": "Elasticsearch.elasticsearch.k8s.elastic.co \"elasticsearch-sample\" is invalid: []: Invalid value: map[string]interface {}{\"apiVersion\":\"elasticsearch.k8s.elastic.co/v1alpha1\", \"kind\":\"Elasticsearch\", \"metadata\":map[string]interface {}{\"annotations\":map[string]interface {}{\"common.k8s.elastic.co/controller-version\":\"0.0.0\", \"kubectl.kubernetes.io/last-applied-configuration\":\"{\\\"apiVersion\\\":\\\"elasticsearch.k8s.elastic.co/v1alpha1\\\",\\\"kind\\\":\\\"Elasticsearch\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"elasticsearch-sample\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"nodes\\\":[{\\\"config\\\":{\\\"node.attr.attr_name\\\":\\\"attr_value\\\",\\\"node.data\\\":true,\\\"node.ingest\\\":true,\\\"node.master\\\":true,\\\"node.ml\\\":true},\\\"name\\\":\\\"default\\\",\\\"nodeCount\\\":2,\\\"podTemplate\\\":{\\\"spec\\\":{\\\"containers\\\":[{\\\"env\\\":[{\\\"name\\\":\\\"ES_JAVA_OPTS\\\",\\\"value\\\":\\\"-Xms2g -Xmx2g\\\"}],\\\"name\\\":\\\"elasticsearch\\\",\\\"resources\\\":{\\\"limits\\\":{\\\"cpu\\\":1,\\\"memory\\\":\\\"4Gi\\\"}}}]}}}],\\\"secureSettings\\\":[{\\\"items\\\":[{\\\"key\\\":\\\"key1\\\"}],\\\"secretName\\\":\\\"some-user-secret\\\",\\\"type\\\":\\\"array\\\"}],\\\"version\\\":\\\"7.2.0\\\"}}\\n\"}, \"creationTimestamp\":\"2019-09-02T11:34:19Z\", \"generation\":2, \"name\":\"elasticsearch-sample\", \"namespace\":\"default\", \"resourceVersion\":\"176973\", \"selfLink\":\"/apis/elasticsearch.k8s.elastic.co/v1alpha1/namespaces/default/elasticsearches/elasticsearch-sample\", \"uid\":\"d9495903-cc0a-410b-918f-8985b83121d7\"}, \"spec\":map[string]interface {}{\"http\":map[string]interface {}{\"service\":map[string]interface {}{\"metadata\":map[string]interface {}{\"creationTimestamp\":interface {}(nil)}, \"spec\":map[string]interface {}{}}, \"tls\":map[string]interface {}{\"certificate\":map[string]interface {}{}}}, \"nodes\":[]interface {}{map[string]interface {}{\"config\":map[string]interface {}{\"node.attr.attr_name\":\"attr_value\", \"node.data\":true, \"node.ingest\":true, \"node.master\":true, \"node.ml\":true}, \"name\":\"default\", \"nodeCount\":2, \"podTemplate\":map[string]interface {}{\"metadata\":map[string]interface {}{\"creationTimestamp\":interface {}(nil)}, \"spec\":map[string]interface {}{\"containers\":[]interface {}{map[string]interface {}{\"env\":[]interface {}{map[string]interface {}{\"name\":\"ES_JAVA_OPTS\", \"value\":\"-Xms2g -Xmx2g\"}}, \"name\":\"elasticsearch\", \"resources\":map[string]interface {}{\"limits\":map[string]interface {}{\"cpu\":\"1\", \"memory\":\"4Gi\"}}}}}}}}, \"secureSettings\":[]interface {}{map[string]interface {}{\"items\":[]interface {}{map[string]interface {}{\"key\":\"key1\", \"path\":\"\"}}, \"secretName\":\"some-user-secret\"}}, \"updateStrategy\":map[string]interface {}{}, \"version\":\"7.2.0\"}}: validation failure list:\ntype in spec.secureSettings is required"}

[thbkrkr]

My bad, indeed type is not enough. Unfortunately I do not see a way to fix or circumvent the validation failure caused by the presence of the items field.

I propose to use our own struct to type secureSettings, that has an entries field instead of items:

spec:
  secureSettings:
  - secretName: some-secret
  - secretName: another-secret
    entries:
    - key: key1
    - key: key2
      path: newkey2

Note that several fields of SecretVolumeSource have no sense in the context of the secure settings (optional, defaultMode, mode).

[barkbay]

LGTM 👍