CLOUDP-166251: Added optional secret references for alert configurations (#1002)

Author: igor-karpukhin

Makefile

@@ -107,7 +107,7 @@ e2e-openshift-upgrade:
 
 .PHONY: manager
 manager: generate fmt vet ## Build manager binary
-	@echo "Building operator with version $(VERSION); $(TARGET_OS) - $(TARGET_ARCH)}"
+	@echo "Building operator with version $(VERSION); $(TARGET_OS) - $(TARGET_ARCH)"
 	CGO_ENABLED=0 GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -o bin/manager -ldflags="-X github.com/mongodb/mongodb-atlas-kubernetes/pkg/version.Version=$(VERSION)" cmd/manager/main.go
 
 .PHONY: run

config/crd/bases/atlas.mongodb.com_atlasprojects.yaml

@@ -111,10 +111,38 @@ spec:
                               invalid, Atlas sends an email to the project owner and
                               eventually removes the token.
                             type: string
+                          apiTokenRef:
+                            description: ResourceRefNamespaced is a reference to a
+                              Kubernetes Resource that allows to configure the namespace
+                            properties:
+                              name:
+                                description: Name is the name of the Kubernetes Resource
+                                type: string
+                              namespace:
+                                description: Namespace is the namespace of the Kubernetes
+                                  Resource
+                                type: string
+                            required:
+                            - name
+                            type: object
                           channelName:
                             description: Slack channel name. Populated for the SLACK
                               notifications type.
                             type: string
+                          datadogAPIKeyRef:
+                            description: ResourceRefNamespaced is a reference to a
+                              Kubernetes Resource that allows to configure the namespace
+                            properties:
+                              name:
+                                description: Name is the name of the Kubernetes Resource
+                                type: string
+                              namespace:
+                                description: Namespace is the namespace of the Kubernetes
+                                  Resource
+                                type: string
+                            required:
+                            - name
+                            type: object
                           datadogApiKey:
                             description: Datadog API Key. Found in the Datadog dashboard.
                               Populated for the DATADOG notifications type.
@@ -144,6 +172,20 @@ spec:
                               becomes invalid, Atlas sends an email to the project
                               owner and eventually removes the token.
                             type: string
+                          flowdockApiTokenRef:
+                            description: ResourceRefNamespaced is a reference to a
+                              Kubernetes Resource that allows to configure the namespace
+                            properties:
+                              name:
+                                description: Name is the name of the Kubernetes Resource
+                                type: string
+                              namespace:
+                                description: Namespace is the namespace of the Kubernetes
+                                  Resource
+                                type: string
+                            required:
+                            - name
+                            type: object
                           intervalMin:
                             description: Number of minutes to wait between successive
                               notifications for unacknowledged alerts that are not
@@ -159,6 +201,20 @@ spec:
                               Atlas sends an email to the project owner and eventually
                               removes the token.
                             type: string
+                          opsGenieApiKeyRef:
+                            description: ResourceRefNamespaced is a reference to a
+                              Kubernetes Resource that allows to configure the namespace
+                            properties:
+                              name:
+                                description: Name is the name of the Kubernetes Resource
+                                type: string
+                              namespace:
+                                description: Namespace is the namespace of the Kubernetes
+                                  Resource
+                                type: string
+                            required:
+                            - name
+                            type: object
                           opsGenieRegion:
                             description: Region that indicates which API URL to use.
                             type: string
@@ -180,6 +236,20 @@ spec:
                               invalid, Atlas sends an email to the project owner and
                               eventually removes the key.
                             type: string
+                          serviceKeyRef:
+                            description: ResourceRefNamespaced is a reference to a
+                              Kubernetes Resource that allows to configure the namespace
+                            properties:
+                              name:
+                                description: Name is the name of the Kubernetes Resource
+                                type: string
+                              namespace:
+                                description: Namespace is the namespace of the Kubernetes
+                                  Resource
+                                type: string
+                            required:
+                            - name
+                            type: object
                           smsEnabled:
                             description: Flag indicating if text message notifications
                               should be sent. Populated for ORG, GROUP, and USER notifications
@@ -212,6 +282,20 @@ spec:
                               invalid, Atlas sends an email to the project owner and
                               eventually removes the key.
                             type: string
+                          victorOpsSecretRef:
+                            description: Secret for VictorOps should contain both
+                              APIKey and RoutingKey values
+                            properties:
+                              name:
+                                description: Name is the name of the Kubernetes Resource
+                                type: string
+                              namespace:
+                                description: Namespace is the namespace of the Kubernetes
+                                  Resource
+                                type: string
+                            required:
+                            - name
+                            type: object
                         type: object
                       type: array
                     threshold:

pkg/api/v1/alert_configurations.go

@@ -7,6 +7,7 @@ import (
 	"go.mongodb.org/atlas/mongodbatlas"
 	"go.uber.org/zap"
 
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/common"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/util"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/util/compat"
 )
@@ -138,10 +139,14 @@ func (in *Threshold) ToAtlas() (*mongodbatlas.Threshold, error) {
 type Notification struct {
 	// Slack API token or Bot token. Populated for the SLACK notifications type. If the token later becomes invalid, Atlas sends an email to the project owner and eventually removes the token.
 	APIToken string `json:"apiToken,omitempty"`
+	// +optional
+	APITokenRef common.ResourceRefNamespaced `json:"apiTokenRef,omitempty"`
 	// Slack channel name. Populated for the SLACK notifications type.
 	ChannelName string `json:"channelName,omitempty"`
 	// Datadog API Key. Found in the Datadog dashboard. Populated for the DATADOG notifications type.
 	DatadogAPIKey string `json:"datadogApiKey,omitempty"`
+	// +optional
+	DatadogAPIKeyRef common.ResourceRefNamespaced `json:"datadogAPIKeyRef,omitempty"`
 	// Region that indicates which API URL to use
 	DatadogRegion string `json:"datadogRegion,omitempty"`
 	// Number of minutes to wait after an alert condition is detected before sending out the first notification.
@@ -152,6 +157,8 @@ type Notification struct {
 	EmailEnabled *bool `json:"emailEnabled,omitempty"`
 	// The Flowdock personal API token. Populated for the FLOWDOCK notifications type. If the token later becomes invalid, Atlas sends an email to the project owner and eventually removes the token.
 	FlowdockAPIToken string `json:"flowdockApiToken,omitempty"`
+	// +optional
+	FlowdockAPITokenRef common.ResourceRefNamespaced `json:"flowdockApiTokenRef,omitempty"`
 	// Flowdock flow namse in lower-case letters.
 	FlowName string `json:"flowName,omitempty"`
 	// Number of minutes to wait between successive notifications for unacknowledged alerts that are not resolved.
@@ -160,12 +167,16 @@ type Notification struct {
 	MobileNumber string `json:"mobileNumber,omitempty"`
 	// Opsgenie API Key. Populated for the OPS_GENIE notifications type. If the key later becomes invalid, Atlas sends an email to the project owner and eventually removes the token.
 	OpsGenieAPIKey string `json:"opsGenieApiKey,omitempty"`
+	// +optional
+	OpsGenieAPIKeyRef common.ResourceRefNamespaced `json:"opsGenieApiKeyRef,omitempty"`
 	// Region that indicates which API URL to use.
 	OpsGenieRegion string `json:"opsGenieRegion,omitempty"`
 	// Flowdock organization name in lower-case letters. This is the name that appears after www.flowdock.com/app/ in the URL string. Populated for the FLOWDOCK notifications type.
 	OrgName string `json:"orgName,omitempty"`
 	// PagerDuty service key. Populated for the PAGER_DUTY notifications type. If the key later becomes invalid, Atlas sends an email to the project owner and eventually removes the key.
 	ServiceKey string `json:"serviceKey,omitempty"`
+	// +optinal
+	ServiceKeyRef common.ResourceRefNamespaced `json:"serviceKeyRef,omitempty"`
 	// Flag indicating if text message notifications should be sent. Populated for ORG, GROUP, and USER notifications types.
 	SMSEnabled *bool `json:"smsEnabled,omitempty"`
 	// Unique identifier of a team.
@@ -178,6 +189,9 @@ type Notification struct {
 	Username string `json:"username,omitempty"`
 	// VictorOps API key. Populated for the VICTOR_OPS notifications type. If the key later becomes invalid, Atlas sends an email to the project owner and eventually removes the key.
 	VictorOpsAPIKey string `json:"victorOpsApiKey,omitempty"`
+	// +optional
+	// Secret for VictorOps should contain both APIKey and RoutingKey values
+	VictorOpsSecretRef common.ResourceRefNamespaced `json:"victorOpsSecretRef,omitempty"`
 	// VictorOps routing key. Populated for the VICTOR_OPS notifications type. If the key later becomes invalid, Atlas sends an email to the project owner and eventually removes the key.
 	VictorOpsRoutingKey string `json:"victorOpsRoutingKey,omitempty"`
 	// The following roles grant privileges within a project.

pkg/api/v1/status/condition.go

@@ -42,7 +42,7 @@ const (
 	NetworkPeerReadyType            ConditionType = "NetworkPeerReady"
 	CloudProviderAccessReadyType    ConditionType = "CloudProviderAccessReady"
 	IntegrationReadyType            ConditionType = "ThirdPartyIntegrationReady"
-	AlertConfigurationReadyType     ConditionType = "AlertConfigurationReadyType"
+	AlertConfigurationReadyType     ConditionType = "AlertConfigurationReady"
 	EncryptionAtRestReadyType       ConditionType = "EncryptionAtRestReady"
 	AuditingReadyType               ConditionType = "AuditingReady"
 	ProjectSettingsReadyType        ConditionType = "ProjectSettingsReady"

pkg/api/v1/zz_generated.deepcopy.go

@@ -7,13 +7,19 @@ import (
 
 	"go.mongodb.org/atlas/mongodbatlas"
 	"go.uber.org/zap"
+	v1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	mdbv1 "github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1"
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/common"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/status"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/workflow"
 )
 
-func ensureAlertConfigurations(service *workflow.Context, project *mdbv1.AtlasProject, groupID string) workflow.Result {
+func (r *AtlasProjectReconciler) ensureAlertConfigurations(service *workflow.Context, project *mdbv1.AtlasProject, groupID string) workflow.Result {
+	service.Log.Debug("starting alert configurations processing")
+	defer service.Log.Debug("finished alert configurations processing")
+
 	if project.Spec.AlertConfigurationSyncEnabled {
 		specToSync := project.Spec.DeepCopy().AlertConfigurations
 
@@ -23,6 +29,11 @@ func ensureAlertConfigurations(service *workflow.Context, project *mdbv1.AtlasPr
 			service.UnsetCondition(alertConfigurationCondition)
 			return workflow.OK()
 		}
+		err := readAlertConfigurationsSecretsData(r.Client, project.Namespace, specToSync)
+		if err != nil {
+			service.SetConditionFalseMsg(alertConfigurationCondition, err.Error())
+			return workflow.Terminate(workflow.Internal, err.Error())
+		}
 		result := syncAlertConfigurations(ctx, service, groupID, specToSync)
 		if !result.IsOk() {
 			service.SetConditionFromResult(alertConfigurationCondition, result)
@@ -36,6 +47,76 @@ func ensureAlertConfigurations(service *workflow.Context, project *mdbv1.AtlasPr
 	return workflow.OK()
 }
 
+// This method reads secrets refs and fills the secret data for the related Notification
+func readAlertConfigurationsSecretsData(kubeClient client.Client, projectNs string, alertConfigs []mdbv1.AlertConfiguration) error {
+	for i := 0; i < len(alertConfigs); i++ {
+		ac := &alertConfigs[i]
+		for j := 0; j < len(ac.Notifications); j++ {
+			nf := &ac.Notifications[j]
+			var err error
+			switch {
+			case nf.APITokenRef.Name != "":
+				nf.APIToken, err = readNotificationSecret(kubeClient, nf.APITokenRef, projectNs, "APIToken")
+				if err != nil {
+					return err
+				}
+			case nf.DatadogAPIKeyRef.Name != "":
+				nf.DatadogAPIKey, err = readNotificationSecret(kubeClient, nf.DatadogAPIKeyRef, projectNs, "DatadogAPIKey")
+				if err != nil {
+					return err
+				}
+			case nf.FlowdockAPITokenRef.Name != "":
+				nf.FlowdockAPIToken, err = readNotificationSecret(kubeClient, nf.FlowdockAPITokenRef, projectNs, "FlowdockAPIToken")
+				if err != nil {
+					return err
+				}
+			case nf.OpsGenieAPIKeyRef.Name != "":
+				nf.OpsGenieAPIKey, err = readNotificationSecret(kubeClient, nf.OpsGenieAPIKeyRef, projectNs, "OpsGenieAPIKey")
+				if err != nil {
+					return err
+				}
+			case nf.ServiceKeyRef.Name != "":
+				nf.ServiceKey, err = readNotificationSecret(kubeClient, nf.ServiceKeyRef, projectNs, "ServiceKey")
+				if err != nil {
+					return err
+				}
+			case nf.VictorOpsSecretRef.Name != "":
+				nf.VictorOpsAPIKey, err = readNotificationSecret(kubeClient, nf.VictorOpsSecretRef, projectNs, "VictorOpsAPIKey")
+				if err != nil {
+					return err
+				}
+				nf.VictorOpsRoutingKey, err = readNotificationSecret(kubeClient, nf.VictorOpsSecretRef, projectNs, "VictorOpsRoutingKey")
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func readNotificationSecret(kubeClient client.Client, res common.ResourceRefNamespaced, parentNamespace string, fieldName string) (string, error) {
+	secret := &v1.Secret{}
+	var ns string
+	if res.Namespace == "" {
+		ns = parentNamespace
+	} else {
+		ns = res.Namespace
+	}
+
+	if err := kubeClient.Get(context.Background(), client.ObjectKey{Name: res.Name, Namespace: ns}, secret); err != nil {
+		return "", err
+	}
+	val, exists := secret.Data[fieldName]
+	switch {
+	case !exists:
+		return "", fmt.Errorf("secret '%s/%s' doesn't contain '%s' parameter", ns, res.Name, fieldName)
+	case len(val) == 0:
+		return "", fmt.Errorf("secret '%s/%s' contain an empty value for '%s' parameter", ns, res.Name, fieldName)
+	}
+	return string(val), nil
+}
+
 func syncAlertConfigurations(context context.Context, service *workflow.Context, groupID string, alertSpec []mdbv1.AlertConfiguration) workflow.Result {
 	logger := service.Log
 	existedAlertConfigs, _, err := service.Client.AlertConfigurations.List(context, groupID, nil)

pkg/controller/atlasproject/alert_configurations.go

@@ -246,7 +246,7 @@ func (r *AtlasProjectReconciler) ensureProjectResources(ctx *workflow.Context, p
 	}
 	results = append(results, result)
 
-	if result = ensureAlertConfigurations(ctx, project, projectID); result.IsOk() {
+	if result = r.ensureAlertConfigurations(ctx, project, projectID); result.IsOk() {
 		r.EventRecorder.Event(project, "Normal", string(status.AlertConfigurationReadyType), "")
 	}
 	results = append(results, result)

pkg/controller/atlasproject/atlasproject_controller.go

@@ -96,6 +96,15 @@ func (c *Context) SetConditionFalse(conditionType status.ConditionType) *Context
 	return c
 }
 
+func (c *Context) SetConditionFalseMsg(conditionType status.ConditionType, msg string) *Context {
+	c.EnsureCondition(status.Condition{
+		Type:    conditionType,
+		Status:  corev1.ConditionFalse,
+		Message: msg,
+	})
+	return c
+}
+
 func (c *Context) SetConditionTrue(conditionType status.ConditionType) *Context {
 	c.EnsureCondition(status.Condition{
 		Type:   conditionType,