refactor: config policy merging and use namespaced secret sources for secure settings related secrets

Author: pkoutsovasilis

pkg/apis/stackconfigpolicy/v1alpha1/stackconfigpolicy_types.go

@@ -98,6 +98,54 @@ type ElasticsearchConfigPolicySpec struct {
 	SecureSettings []commonv1.SecretSource `json:"secureSettings,omitempty"`
 }
 
+// GetElasticsearchNamespacedSecureSettings returns the Elasticsearch secure settings from this policy
+// as NamespacedSecretSources, with each secret source namespaced to the policy's namespace.
+// Returns nil if the policy is nil or has no Elasticsearch secure settings defined.
+func (p *StackConfigPolicy) GetElasticsearchNamespacedSecureSettings() []commonv1.NamespacedSecretSource {
+	if p == nil {
+		return nil
+	}
+
+	ssLen := len(p.Spec.Elasticsearch.SecureSettings)
+	if ssLen == 0 {
+		return nil
+	}
+	pNs := p.GetNamespace()
+	ssNsn := make([]commonv1.NamespacedSecretSource, ssLen)
+	for idx, ss := range p.Spec.Elasticsearch.SecureSettings {
+		ssNsn[idx] = commonv1.NamespacedSecretSource{
+			Namespace:  pNs,
+			SecretName: ss.SecretName,
+			Entries:    ss.Entries,
+		}
+	}
+	return ssNsn
+}
+
+// GetKibanaNamespacedSecureSettings returns the Kibana secure settings from this policy
+// as NamespacedSecretSources, with each secret source namespaced to the policy's namespace.
+// Returns nil if the policy is nil or has no Kibana secure settings defined.
+func (p *StackConfigPolicy) GetKibanaNamespacedSecureSettings() []commonv1.NamespacedSecretSource {
+	if p == nil {
+		return nil
+	}
+
+	ssLen := len(p.Spec.Kibana.SecureSettings)
+	if ssLen == 0 {
+		return nil
+	}
+	pNs := p.GetNamespace()
+	ssNsn := make([]commonv1.NamespacedSecretSource, ssLen)
+	for idx, ss := range p.Spec.Kibana.SecureSettings {
+		ssNsn[idx] = commonv1.NamespacedSecretSource{
+			Namespace:  pNs,
+			SecretName: ss.SecretName,
+			Entries:    ss.Entries,
+		}
+	}
+	return ssNsn
+}
+
 type KibanaConfigPolicySpec struct {
 	// Config holds the settings that go into kibana.yml.
 	// +kubebuilder:pruning:PreserveUnknownFields

pkg/controller/elasticsearch/filesettings/file_settings.go

@@ -81,12 +81,12 @@ func newEmptySettingsState() SettingsState {
 }
 
 // updateState updates the Settings state from a StackConfigPolicy for a given Elasticsearch.
-func (s *Settings) updateState(es types.NamespacedName, policy policyv1alpha1.StackConfigPolicy) error {
-	p := policy.DeepCopy() // be sure to not mutate the original policy
+func (s *Settings) updateState(es types.NamespacedName, esConfigPolicy policyv1alpha1.ElasticsearchConfigPolicySpec) error {
+	esConfigPolicy = *esConfigPolicy.DeepCopy() // be sure to not mutate the original es config policy
 	state := newEmptySettingsState()
 	// mutate Snapshot Repositories
-	if p.Spec.Elasticsearch.SnapshotRepositories != nil {
-		for name, untypedDefinition := range p.Spec.Elasticsearch.SnapshotRepositories.Data {
+	if esConfigPolicy.SnapshotRepositories != nil {
+		for name, untypedDefinition := range esConfigPolicy.SnapshotRepositories.Data {
 			definition, ok := untypedDefinition.(map[string]interface{})
 			if !ok {
 				return fmt.Errorf(`invalid type (%T) for definition of snapshot repository %q of Elasticsearch "%s/%s"`, untypedDefinition, name, es.Namespace, es.Name)
@@ -95,31 +95,31 @@ func (s *Settings) updateState(es types.NamespacedName, policy policyv1alpha1.St
 			if err != nil {
 				return err
 			}
-			p.Spec.Elasticsearch.SnapshotRepositories.Data[name] = repoSettings
+			esConfigPolicy.SnapshotRepositories.Data[name] = repoSettings
 		}
-		state.SnapshotRepositories = p.Spec.Elasticsearch.SnapshotRepositories
+		state.SnapshotRepositories = esConfigPolicy.SnapshotRepositories
 	}
 	// just copy other settings
-	if p.Spec.Elasticsearch.ClusterSettings != nil {
-		state.ClusterSettings = p.Spec.Elasticsearch.ClusterSettings
+	if esConfigPolicy.ClusterSettings != nil {
+		state.ClusterSettings = esConfigPolicy.ClusterSettings
 	}
-	if p.Spec.Elasticsearch.SnapshotLifecyclePolicies != nil {
-		state.SLM = p.Spec.Elasticsearch.SnapshotLifecyclePolicies
+	if esConfigPolicy.SnapshotLifecyclePolicies != nil {
+		state.SLM = esConfigPolicy.SnapshotLifecyclePolicies
 	}
-	if p.Spec.Elasticsearch.SecurityRoleMappings != nil {
-		state.RoleMappings = p.Spec.Elasticsearch.SecurityRoleMappings
+	if esConfigPolicy.SecurityRoleMappings != nil {
+		state.RoleMappings = esConfigPolicy.SecurityRoleMappings
 	}
-	if p.Spec.Elasticsearch.IndexLifecyclePolicies != nil {
-		state.IndexLifecyclePolicies = p.Spec.Elasticsearch.IndexLifecyclePolicies
+	if esConfigPolicy.IndexLifecyclePolicies != nil {
+		state.IndexLifecyclePolicies = esConfigPolicy.IndexLifecyclePolicies
 	}
-	if p.Spec.Elasticsearch.IngestPipelines != nil {
-		state.IngestPipelines = p.Spec.Elasticsearch.IngestPipelines
+	if esConfigPolicy.IngestPipelines != nil {
+		state.IngestPipelines = esConfigPolicy.IngestPipelines
 	}
-	if p.Spec.Elasticsearch.IndexTemplates.ComposableIndexTemplates != nil {
-		state.IndexTemplates.ComposableIndexTemplates = p.Spec.Elasticsearch.IndexTemplates.ComposableIndexTemplates
+	if esConfigPolicy.IndexTemplates.ComposableIndexTemplates != nil {
+		state.IndexTemplates.ComposableIndexTemplates = esConfigPolicy.IndexTemplates.ComposableIndexTemplates
 	}
-	if p.Spec.Elasticsearch.IndexTemplates.ComponentTemplates != nil {
-		state.IndexTemplates.ComponentTemplates = p.Spec.Elasticsearch.IndexTemplates.ComponentTemplates
+	if esConfigPolicy.IndexTemplates.ComponentTemplates != nil {
+		state.IndexTemplates.ComponentTemplates = esConfigPolicy.IndexTemplates.ComponentTemplates
 	}
 	s.State = state
 	return nil

pkg/controller/elasticsearch/filesettings/file_settings_test.go

@@ -436,7 +436,7 @@ func Test_updateState(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			settings := Settings{}
-			err := settings.updateState(esSample, tt.args.policy)
+			err := settings.updateState(esSample, tt.args.policy.Spec.Elasticsearch)
 			if tt.wantErr != nil {
 				assert.Equal(t, tt.wantErr, err)
 				return

pkg/controller/elasticsearch/filesettings/reconciler.go

@@ -53,7 +53,7 @@ func ReconcileEmptyFileSettingsSecret(
 	// extract the metadata that should be propagated to children
 	meta := metadata.Propagate(&es, metadata.Metadata{Labels: label.NewLabels(k8s.ExtractNamespacedName(&es))})
 	// no secret, reconcile a new empty file settings
-	expectedSecret, _, err := NewSettingsSecretWithVersion(k8s.ExtractNamespacedName(&es), nil, nil, meta)
+	expectedSecret, _, err := NewSettingsSecretWithVersion(k8s.ExtractNamespacedName(&es), nil, nil, nil, meta)
 	if err != nil {
 		return err
 	}

pkg/controller/elasticsearch/filesettings/secret.go

@@ -34,18 +34,18 @@ const (
 // The Settings version is updated using the current timestamp only when the Settings have changed.
 // If the new settings from the policy changed compared to the actual from the secret, the settings version is
 // updated
-func NewSettingsSecretWithVersion(es types.NamespacedName, currentSecret *corev1.Secret, policy *policyv1alpha1.StackConfigPolicy, meta metadata.Metadata) (corev1.Secret, int64, error) {
+func NewSettingsSecretWithVersion(es types.NamespacedName, currentSecret *corev1.Secret, esConfigPolicy *policyv1alpha1.ElasticsearchConfigPolicySpec, namespacedSecretSources []commonv1.NamespacedSecretSource, meta metadata.Metadata) (corev1.Secret, int64, error) {
 	newVersion := time.Now().UnixNano()
-	return newSettingsSecret(newVersion, es, currentSecret, policy, meta)
+	return newSettingsSecret(newVersion, es, currentSecret, esConfigPolicy, namespacedSecretSources, meta)
 }
 
 // NewSettingsSecret returns a new SettingsSecret for a given Elasticsearch and StackConfigPolicy.
-func newSettingsSecret(version int64, es types.NamespacedName, currentSecret *corev1.Secret, policy *policyv1alpha1.StackConfigPolicy, meta metadata.Metadata) (corev1.Secret, int64, error) {
+func newSettingsSecret(version int64, es types.NamespacedName, currentSecret *corev1.Secret, esConfigPolicy *policyv1alpha1.ElasticsearchConfigPolicySpec, namespacedSecretSources []commonv1.NamespacedSecretSource, meta metadata.Metadata) (corev1.Secret, int64, error) {
 	settings := NewEmptySettings(version)
 
 	// update the settings according to the config policy
-	if policy != nil {
-		err := settings.updateState(es, *policy)
+	if esConfigPolicy != nil {
+		err := settings.updateState(es, *esConfigPolicy)
 		if err != nil {
 			return corev1.Secret{}, 0, err
 		}
@@ -84,11 +84,9 @@ func newSettingsSecret(version int64, es types.NamespacedName, currentSecret *co
 		},
 	}
 
-	if policy != nil {
-		// add the Secure Settings Secret sources to the Settings Secret
-		if err := setSecureSettings(settingsSecret, *policy); err != nil {
-			return corev1.Secret{}, 0, err
-		}
+	// add the Secure Settings Secret sources to the Settings Secret
+	if err := setSecureSettings(settingsSecret, namespacedSecretSources); err != nil {
+		return corev1.Secret{}, 0, err
 	}
 
 	// Add a label to reset secret on deletion of the stack config policy
@@ -131,24 +129,11 @@ func SetSoftOwner(settingsSecret *corev1.Secret, policy policyv1alpha1.StackConf
 }
 
 // setSecureSettings stores the SecureSettings Secret sources referenced in the given StackConfigPolicy in the annotation of the Settings Secret.
-func setSecureSettings(settingsSecret *corev1.Secret, policy policyv1alpha1.StackConfigPolicy) error {
-	//nolint:staticcheck
-	if len(policy.Spec.SecureSettings) == 0 && len(policy.Spec.Elasticsearch.SecureSettings) == 0 {
+func setSecureSettings(settingsSecret *corev1.Secret, secretSources []commonv1.NamespacedSecretSource) error {
+	if len(secretSources) == 0 {
 		return nil
 	}
 
-	var secretSources []commonv1.NamespacedSecretSource //nolint:prealloc
-	// Common secureSettings field, this is mainly there to maintain backwards compatibility
-	//nolint:staticcheck
-	for _, src := range policy.Spec.SecureSettings {
-		secretSources = append(secretSources, commonv1.NamespacedSecretSource{Namespace: policy.GetNamespace(), SecretName: src.SecretName, Entries: src.Entries})
-	}
-
-	// SecureSettings field under Elasticsearch in the StackConfigPolicy
-	for _, src := range policy.Spec.Elasticsearch.SecureSettings {
-		secretSources = append(secretSources, commonv1.NamespacedSecretSource{Namespace: policy.GetNamespace(), SecretName: src.SecretName, Entries: src.Entries})
-	}
-
 	bytes, err := json.Marshal(secretSources)
 	if err != nil {
 		return err

pkg/controller/elasticsearch/filesettings/secret_test.go

@@ -38,7 +38,7 @@ func Test_NewSettingsSecret(t *testing.T) {
 
 	// no policy
 	expectedVersion := int64(1)
-	secret, reconciledVersion, err := newSettingsSecret(expectedVersion, es, nil, nil, metadata.Metadata{})
+	secret, reconciledVersion, err := newSettingsSecret(expectedVersion, es, nil, nil, nil, metadata.Metadata{})
 	assert.NoError(t, err)
 	assert.Equal(t, "esNs", secret.Namespace)
 	assert.Equal(t, "esName-es-file-settings", secret.Name)
@@ -47,7 +47,7 @@ func Test_NewSettingsSecret(t *testing.T) {
 
 	// policy
 	expectedVersion = int64(2)
-	secret, reconciledVersion, err = newSettingsSecret(expectedVersion, es, &secret, &policy, metadata.Metadata{})
+	secret, reconciledVersion, err = newSettingsSecret(expectedVersion, es, &secret, &policy.Spec.Elasticsearch, policy.GetElasticsearchNamespacedSecureSettings(), metadata.Metadata{})
 	assert.NoError(t, err)
 	assert.Equal(t, "esNs", secret.Namespace)
 	assert.Equal(t, "esName-es-file-settings", secret.Name)
@@ -79,14 +79,14 @@ func Test_SettingsSecret_hasChanged(t *testing.T) {
 	expectedEmptySettings := NewEmptySettings(expectedVersion)
 
 	// no policy -> emptySettings
-	secret, reconciledVersion, err := newSettingsSecret(expectedVersion, es, nil, nil, metadata.Metadata{})
+	secret, reconciledVersion, err := newSettingsSecret(expectedVersion, es, nil, nil, nil, metadata.Metadata{})
 	assert.NoError(t, err)
 	assert.Equal(t, false, hasChanged(secret, expectedEmptySettings))
 	assert.Equal(t, expectedVersion, reconciledVersion)
 
 	// policy without settings -> emptySettings
 	sameSettings := NewEmptySettings(expectedVersion)
-	err = sameSettings.updateState(es, policy)
+	err = sameSettings.updateState(es, policy.Spec.Elasticsearch)
 	assert.NoError(t, err)
 	assert.Equal(t, false, hasChanged(secret, sameSettings))
 	assert.Equal(t, strconv.FormatInt(expectedVersion, 10), sameSettings.Metadata.Version)
@@ -95,7 +95,7 @@ func Test_SettingsSecret_hasChanged(t *testing.T) {
 	newVersion := int64(2)
 	newSettings := NewEmptySettings(newVersion)
 
-	err = newSettings.updateState(es, otherPolicy)
+	err = newSettings.updateState(es, otherPolicy.Spec.Elasticsearch)
 	assert.NoError(t, err)
 	assert.Equal(t, true, hasChanged(secret, newSettings))
 	assert.Equal(t, strconv.FormatInt(newVersion, 10), newSettings.Metadata.Version)
@@ -112,31 +112,35 @@ func Test_SettingsSecret_setSecureSettings_getSecureSettings(t *testing.T) {
 			Name:      "policyName",
 		},
 		Spec: policyv1alpha1.StackConfigPolicySpec{
-			SecureSettings: nil,
+			Elasticsearch: policyv1alpha1.ElasticsearchConfigPolicySpec{
+				SecureSettings: nil,
+			},
 		}}
 	otherPolicy := policyv1alpha1.StackConfigPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "otherPolicyNs",
 			Name:      "otherPolicyName",
 		},
 		Spec: policyv1alpha1.StackConfigPolicySpec{
-			SecureSettings: []commonv1.SecretSource{{SecretName: "secure-settings-secret"}},
+			Elasticsearch: policyv1alpha1.ElasticsearchConfigPolicySpec{
+				SecureSettings: []commonv1.SecretSource{{SecretName: "secure-settings-secret"}},
+			},
 		}}
 
-	secret, _, err := NewSettingsSecretWithVersion(es, nil, nil, metadata.Metadata{})
+	secret, _, err := NewSettingsSecretWithVersion(es, nil, nil, nil, metadata.Metadata{})
 	assert.NoError(t, err)
 
 	secureSettings, err := getSecureSettings(secret)
 	assert.NoError(t, err)
 	assert.Equal(t, []commonv1.NamespacedSecretSource{}, secureSettings)
 
-	err = setSecureSettings(&secret, policy)
+	err = setSecureSettings(&secret, policy.GetElasticsearchNamespacedSecureSettings())
 	assert.NoError(t, err)
 	secureSettings, err = getSecureSettings(secret)
 	assert.NoError(t, err)
 	assert.Equal(t, []commonv1.NamespacedSecretSource{}, secureSettings)
 
-	err = setSecureSettings(&secret, otherPolicy)
+	err = setSecureSettings(&secret, otherPolicy.GetElasticsearchNamespacedSecureSettings())
 	assert.NoError(t, err)
 	secureSettings, err = getSecureSettings(secret)
 	assert.NoError(t, err)

pkg/controller/stackconfigpolicy/controller.go

@@ -333,20 +333,11 @@ func (r *ReconcileStackConfigPolicy) reconcileElasticsearchResources(ctx context
 		}
 
 		// build the final config by merging all policies that target the given Elasticsearch cluster
-		esPolicyConfigFinal, err := getPolicyConfigForElasticsearch(&es, allPolicies, r.params)
+		esConfigPolicyFinal, err := getConfigPolicyForElasticsearch(&es, allPolicies, r.params)
 		switch {
 		case errors.Is(err, errMergeConflict):
-			log.V(1).Info("StackConfigPolicy merge conflict for Elasticsearch", "es_namespace", es.Namespace, "es_name", es.Name, "error", err)
-			results.WithRequeue(defaultRequeue)
-			if esPolicyConfigFinal == nil {
-				continue
-			}
-			conflictErr, exists := esPolicyConfigFinal.PoliciesWithConflictErrors[reconcilingPolicyNsn]
-			if !exists || conflictErr == nil {
-				continue
-			}
-			err = status.AddPolicyErrorFor(esNsn, policyv1alpha1.ConflictPhase, conflictErr.Error(), policyv1alpha1.ElasticsearchResourceType)
-			if err != nil {
+			log.Info("StackConfigPolicy merge conflict for Elasticsearch", "es_namespace", es.Namespace, "es_name", es.Name, "error", err)
+			if err = status.AddPolicyErrorFor(esNsn, policyv1alpha1.ConflictPhase, err.Error(), policyv1alpha1.ElasticsearchResourceType); err != nil {
 				return results.WithError(err), status
 			}
 			continue
@@ -357,16 +348,11 @@ func (r *ReconcileStackConfigPolicy) reconcileElasticsearchResources(ctx context
 		// extract the metadata that should be propagated to children
 		meta := metadata.Propagate(&es, metadata.Metadata{Labels: eslabel.NewLabels(k8s.ExtractNamespacedName(&es))})
 		// create the expected Settings Secret
-		expectedSecret, expectedVersion, err := filesettings.NewSettingsSecretWithVersion(esNsn, &actualSettingsSecret, &policyv1alpha1.StackConfigPolicy{
-			ObjectMeta: reconcilingPolicy.ObjectMeta,
-			Spec: policyv1alpha1.StackConfigPolicySpec{
-				Elasticsearch: esPolicyConfigFinal.Spec,
-			},
-		}, meta)
+		expectedSecret, expectedVersion, err := filesettings.NewSettingsSecretWithVersion(esNsn, &actualSettingsSecret, &esConfigPolicyFinal.Spec, esConfigPolicyFinal.SecretSources, meta)
 		if err != nil {
 			return results.WithError(err), status
 		}
-		err = setMultipleSoftOwners(&expectedSecret, esPolicyConfigFinal.PoliciesRefs)
+		err = setMultipleSoftOwners(&expectedSecret, esConfigPolicyFinal.PolicyRefs)
 		if err != nil {
 			return results.WithError(err), status
 		}
@@ -390,11 +376,11 @@ func (r *ReconcileStackConfigPolicy) reconcileElasticsearchResources(ctx context
 		}
 
 		// create expected elasticsearch config secret
-		expectedConfigSecret, err := newElasticsearchConfigSecret(esPolicyConfigFinal.Spec, es)
+		expectedConfigSecret, err := newElasticsearchConfigSecret(esConfigPolicyFinal.Spec, es)
 		if err != nil {
 			return results.WithError(err), status
 		}
-		err = setMultipleSoftOwners(&expectedConfigSecret, esPolicyConfigFinal.PoliciesRefs)
+		err = setMultipleSoftOwners(&expectedConfigSecret, esConfigPolicyFinal.PolicyRefs)
 		if err != nil {
 			return results.WithError(err), status
 		}
@@ -404,7 +390,7 @@ func (r *ReconcileStackConfigPolicy) reconcileElasticsearchResources(ctx context
 		}
 
 		// Check if required Elasticsearch config and secret mounts are applied.
-		configAndSecretMountsApplied, err := elasticsearchConfigAndSecretMountsApplied(ctx, r.Client, esPolicyConfigFinal.Spec, es)
+		configAndSecretMountsApplied, err := elasticsearchConfigAndSecretMountsApplied(ctx, r.Client, esConfigPolicyFinal.Spec, es)
 		if err != nil {
 			return results.WithError(err), status
 		}
@@ -467,7 +453,6 @@ func (r *ReconcileStackConfigPolicy) reconcileKibanaResources(ctx context.Contex
 		return results.WithError(err), status
 	}
 
-	reconcilingPolicyNsn := k8s.ExtractNamespacedName(&reconcilingPolicy)
 	configuredResources := kbMap{}
 	for _, kibana := range kibanaList.Items {
 		log.V(1).Info("Reconcile StackConfigPolicy", "kibana_namespace", kibana.Namespace, "kibana_name", kibana.Name)
@@ -477,20 +462,11 @@ func (r *ReconcileStackConfigPolicy) reconcileKibanaResources(ctx context.Contex
 		kibanaNsn := k8s.ExtractNamespacedName(&kibana)
 
 		// build the final config by merging all policies that target the given Kibana instance
-		kbnPolicyConfigFinal, err := getPolicyConfigForKibana(&kibana, allPolicies, r.params)
+		kbnPolicyConfigFinal, err := getConfigPolicyForKibana(&kibana, allPolicies, r.params)
 		switch {
 		case errors.Is(err, errMergeConflict):
-			log.V(1).Info("StackConfigPolicy merge conflict for Kibana", "kibana_namespace", kibana.Namespace, "kibana_name", kibana.Name, "error", err)
-			results.WithRequeue(defaultRequeue)
-			if kbnPolicyConfigFinal == nil {
-				continue
-			}
-			conflictErr, exists := kbnPolicyConfigFinal.PoliciesWithConflictErrors[reconcilingPolicyNsn]
-			if !exists || conflictErr == nil {
-				continue
-			}
-			err = status.AddPolicyErrorFor(kibanaNsn, policyv1alpha1.ConflictPhase, conflictErr.Error(), policyv1alpha1.KibanaResourceType)
-			if err != nil {
+			log.Info("StackConfigPolicy merge conflict for Kibana", "kibana_namespace", kibana.Namespace, "kibana_name", kibana.Name, "error", err)
+			if err = status.AddPolicyErrorFor(kibanaNsn, policyv1alpha1.ConflictPhase, err.Error(), policyv1alpha1.KibanaResourceType); err != nil {
 				return results.WithError(err), status
 			}
 			continue
@@ -503,7 +479,7 @@ func (r *ReconcileStackConfigPolicy) reconcileKibanaResources(ctx context.Contex
 			// Only add to configured resources if Kibana config is set.
 			// This will help clean up the config secret if config gets removed from the stack config reconcilingPolicy.
 			configuredResources[kibanaNsn] = kibana
-			expectedConfigSecret, err := newKibanaConfigSecret(kbnPolicyConfigFinal.Spec, reconcilingPolicy.GetNamespace(), kibana, kbnPolicyConfigFinal.PoliciesRefs)
+			expectedConfigSecret, err := newKibanaConfigSecret(kbnPolicyConfigFinal.Spec, kbnPolicyConfigFinal.SecretSources, kibana, kbnPolicyConfigFinal.PolicyRefs)
 			if err != nil {
 				return results.WithError(err), status
 			}