feat: implement standardized PTP secret mounting with webhook validation

- Add PTP_SEC_FOLDER constant for mount path /etc/ptp-secret-mount/
- Add helper functions to extract secret name and key from sa_file path
- Add webhook validation for sa_file path format and secret key existence
- Implement deduplication in controller for unique secret mounts
- Refactor validateSppInSecret to use minimal arguments
- Mount entire secret as volume (all keys available as files)

Author: gtannous-spec

api/v1/ptpconfig_types.go

@@ -62,19 +62,18 @@ type PtpConfigList struct {
 }
 
 type PtpProfile struct {
-	Name          *string `json:"name"`
-	Interface     *string `json:"interface,omitempty"`
-	Ptp4lOpts     *string `json:"ptp4lOpts,omitempty"`
-	Phc2sysOpts   *string `json:"phc2sysOpts,omitempty"`
-	Ts2PhcOpts    *string `json:"ts2phcOpts,omitempty"`
-	Synce4lOpts   *string `json:"synce4lOpts,omitempty"`
-	ChronydOpts   *string `json:"chronydOpts,omitempty"`
-	Ptp4lConf     *string `json:"ptp4lConf,omitempty"`
-	Phc2sysConf   *string `json:"phc2sysConf,omitempty"`
-	Ts2PhcConf    *string `json:"ts2phcConf,omitempty"`
-	Synce4lConf   *string `json:"synce4lConf,omitempty"`
-	ChronydConf   *string `json:"chronydConf,omitempty"`
-	PtpSecretName *string `json:"ptpSecretName,omitempty"`
+	Name        *string `json:"name"`
+	Interface   *string `json:"interface,omitempty"`
+	Ptp4lOpts   *string `json:"ptp4lOpts,omitempty"`
+	Phc2sysOpts *string `json:"phc2sysOpts,omitempty"`
+	Ts2PhcOpts  *string `json:"ts2phcOpts,omitempty"`
+	Synce4lOpts *string `json:"synce4lOpts,omitempty"`
+	ChronydOpts *string `json:"chronydOpts,omitempty"`
+	Ptp4lConf   *string `json:"ptp4lConf,omitempty"`
+	Phc2sysConf *string `json:"phc2sysConf,omitempty"`
+	Ts2PhcConf  *string `json:"ts2phcConf,omitempty"`
+	Synce4lConf *string `json:"synce4lConf,omitempty"`
+	ChronydConf *string `json:"chronydConf,omitempty"`
 	// +kubebuilder:validation:Enum=SCHED_OTHER;SCHED_FIFO;
 	PtpSchedulingPolicy *string `json:"ptpSchedulingPolicy,omitempty"`
 	// +kubebuilder:validation:Minimum=1

api/v1/ptpconfig_webhook.go

@@ -43,6 +43,7 @@ const (
 	Master PtpRole = 1
 	Slave  PtpRole = 0
 )
+const PTP_SEC_FOLDER = "/etc/ptp-secret-mount/"
 
 // log is for logging in this package.
 var ptpconfiglog = logf.Log.WithName("ptpconfig-resource")
@@ -70,11 +71,6 @@ type Ptp4lConf struct {
 	sections map[string]Ptp4lConfSection
 }
 
-// PopulatePtp4lConf parses the ptp4l configuration
-func (p *Ptp4lConf) PopulatePtp4lConf(config *string, ptp4lopts *string) error {
-	return p.populatePtp4lConf(config, ptp4lopts)
-}
-
 // GetOption retrieves an option value from a specific section
 func (p *Ptp4lConf) GetOption(section, key string) string {
 	if sec, ok := p.sections[section]; ok {
@@ -85,7 +81,7 @@ func (p *Ptp4lConf) GetOption(section, key string) string {
 	return ""
 }
 
-func (output *Ptp4lConf) populatePtp4lConf(config *string, ptp4lopts *string) error {
+func (output *Ptp4lConf) PopulatePtp4lConf(config *string, ptp4lopts *string) error {
 	var string_config string
 	if config != nil {
 		string_config = *config
@@ -130,7 +126,7 @@ func (r *PtpConfig) validate() error {
 
 	for _, profile := range profiles {
 		conf := &Ptp4lConf{}
-		conf.populatePtp4lConf(profile.Ptp4lConf, profile.Ptp4lOpts)
+		conf.PopulatePtp4lConf(profile.Ptp4lConf, profile.Ptp4lOpts)
 
 		// Validate that interface field only set in ordinary clock
 		if profile.Interface != nil && *profile.Interface != "" {
@@ -216,100 +212,64 @@ func (r *PtpConfig) validate() error {
 			}
 		}
 
-		// Validate secret-related settings for this profile
-		if profile.PtpSecretName != nil && *profile.PtpSecretName != "" {
-			sppValue, err := getSppFromPtp4lConf(conf)
-			if err != nil {
-				return fmt.Errorf("failed to get spp value from ptp4lConf: %w", err)
-			}
-			if err := validateSecretExists(sppValue, *profile.PtpSecretName); err != nil {
-				return fmt.Errorf("failed to validate secret from profile: %w", err)
-			}
-			saFilePath, err := getSaFileFromPtp4lConf(conf)
-			if err != nil {
-				return fmt.Errorf("failed to get sa file path from ptp4lConf: %w", err)
-			}
-			if err := validateSaFileSecretConflicts(saFilePath, *profile.PtpSecretName, r.Name, r.Namespace); err != nil {
-				return fmt.Errorf("failed to validate secret conflicts from profile: %w", err)
-			}
+		// validate secret-related settings for this profile
+		saFilePath, err := getSaFileFromPtp4lConf(conf)
+		if err != nil {
+			return fmt.Errorf("failed to get sa file path from ptp4lConf: %w", err)
 		}
-	}
-	return nil
-}
-
-// validateSecretConflicts checks if a single profile's sa_file + secret combination
-// conflicts with any existing PtpConfigs in the openshift-ptp namespace
-func validateSaFileSecretConflicts(saFilePath string, secretName string, name string, namespace string) error {
-	if webhookClient == nil {
-		ptpconfiglog.Info("webhook client not initialized, skipping cross-PtpConfig validation")
-		return nil
-	}
-
-	// List all existing PtpConfigs in openshift-ptp namespace
-	ptpConfigList := &PtpConfigList{}
-	if err := webhookClient.List(context.Background(), ptpConfigList, &client.ListOptions{
-		Namespace: "openshift-ptp",
-	}); err != nil {
-		ptpconfiglog.Error(err, "failed to list PtpConfigs for validation")
-		// Don't block creation if we can't list - fail open
-		return nil
-	}
-
-	// Check each existing PtpConfig for conflicts
-	for _, existingConfig := range ptpConfigList.Items {
-		// Skip checking against ourselves (for updates)
-		if existingConfig.Name == name && existingConfig.Namespace == namespace {
-			continue
+		if err := validateSaFile(saFilePath); err != nil {
+			return fmt.Errorf("failed to validate sa file: %w", err)
 		}
-
-		// Check each profile in the existing config
-		for _, existingProfile := range existingConfig.Spec.Profile {
-			if existingProfile.PtpSecretName == nil || *existingProfile.PtpSecretName == "" {
-				continue
-			}
-			if existingProfile.Ptp4lConf == nil {
-				continue
-			}
-
-			existingConf := &Ptp4lConf{}
-			if err := existingConf.populatePtp4lConf(existingProfile.Ptp4lConf, existingProfile.Ptp4lOpts); err != nil {
-				continue
-			}
-			globalSection, exists := existingConf.sections["[global]"]
-			if !exists {
-				continue
-			}
-			existingSaFile, exists := globalSection.options["sa_file"]
-			if !exists {
-				continue
-			}
-			// Check if same sa_file as our profile and different secret
-			if existingSaFile == saFilePath && *existingProfile.PtpSecretName != secretName {
-				return fmt.Errorf("sa_file '%s' conflict: PtpConfig '%s' already uses secret '%s' with this sa_file path, but this profile tries to use secret '%s'. All PtpConfigs using the same sa_file must reference the same secret",
-					saFilePath, existingConfig.Name, *existingProfile.PtpSecretName, secretName)
-			}
+		secretName := GetSecretNameFromSaFilePath(saFilePath)
+		sppValue, err := getSppFromPtp4lConf(conf)
+		if err != nil {
+			return fmt.Errorf("failed to get spp value from ptp4lConf: %w", err)
+		}
+		if err := validateSecretForSPP(sppValue, secretName); err != nil {
+			return fmt.Errorf("failed to validate secret from profile: %w", err)
 		}
-	}
 
+	}
 	return nil
 }
 
-// validateSecretExists checks that a single profile's ptpSecretName references an existing secret
-func validateSecretExists(sppValue string, secretName string) error {
+// checking if the secret exists in the openshift-ptp namespace
+func isValidSecretName(secretName string) *corev1.Secret {
 	if webhookClient == nil {
 		ptpconfiglog.Info("webhook client not initialized, skipping secret existence validation")
 		return nil
 	}
-
-	// Try to get the secret from openshift-ptp namespace
 	secret := &corev1.Secret{}
 	err := webhookClient.Get(context.Background(), types.NamespacedName{
 		Namespace: "openshift-ptp",
 		Name:      secretName,
 	}, secret)
-
 	if err != nil {
-		return fmt.Errorf("failed to get secret %q: %w", secretName, err)
+		return nil
+	}
+	return secret
+}
+
+// GetSecretNameFromSaFilePath extracts the secret name from the sa_file path
+func GetSecretNameFromSaFilePath(sa_file string) string {
+	path := strings.TrimPrefix(sa_file, PTP_SEC_FOLDER)
+	index := strings.Index(path, "/")
+	return path[:index]
+}
+
+// GetSecretKeyFromSaFilePath extracts the secret key from the sa_file path
+func GetSecretKeyFromSaFilePath(sa_file string) string {
+	path := strings.TrimPrefix(sa_file, PTP_SEC_FOLDER)
+	index := strings.Index(path, "/")
+	return path[index+1:]
+}
+
+// validateSecretExists checks that a single profile's ptpSecretName references an existing secret
+func validateSecretForSPP(sppValue string, secretName string) error {
+
+	secret := isValidSecretName(secretName)
+	if secret == nil {
+		return fmt.Errorf("secret %s does not exist", secretName)
 	}
 
 	// Validate SPP (Security Parameter Profile) if specified
@@ -349,6 +309,38 @@ func getSaFileFromPtp4lConf(conf *Ptp4lConf) (string, error) {
 	return saFileValue, nil
 }
 
+// validateSaFile checks that the sa_file path is valid with prefix PTP_SEC_FOLDER
+// next directory must be a valid secret name, e.g. PTP_SEC_FOLDER/secret_name/secret_key
+// check that secret_key exists in the secret_name secret
+func validateSaFile(saFilePath string) error {
+	if !strings.HasPrefix(saFilePath, PTP_SEC_FOLDER) {
+		return fmt.Errorf("sa_file path '%s' is invalid; must start with '%s'", saFilePath, PTP_SEC_FOLDER)
+	}
+	path := strings.TrimPrefix(saFilePath, PTP_SEC_FOLDER)
+	index := strings.Index(path, "/")
+	if index == -1 || index == len(path)-1 {
+		return fmt.Errorf("sa_file path '%s' is incomplete; must contain a secret key", saFilePath)
+	}
+	secretName := path[:index]
+	if secretName == "" {
+		return fmt.Errorf("sa_file path '%s' is invalid; must contain a secret name", saFilePath)
+	}
+	secret := isValidSecretName(secretName)
+	if secret == nil {
+		return fmt.Errorf("sa_file path '%s' has invalid secret name '%s'", saFilePath, secretName)
+	}
+	keyCandidate := path[index+1:]
+	return validateKeyInSecret(secret, keyCandidate)
+}
+
+// this function will recieve a secret and a key candidate and check if the key is part of the secret
+func validateKeyInSecret(secret *corev1.Secret, keyCandidate string) error {
+	if _, exists := secret.Data[keyCandidate]; !exists {
+		return fmt.Errorf("key '%s' is not part of the secret", keyCandidate)
+	}
+	return nil
+}
+
 // validateSppInSecret checks that the spp value in ptp4lConf exists in the referenced secret
 func validateSppInSecret(sppValue string, secret *corev1.Secret) error {
 	for key, value := range secret.Data {
@@ -435,7 +427,7 @@ func GetInterfaces(config PtpConfig, mode PtpRole) (interfaces []string) {
 	}
 	conf := &Ptp4lConf{}
 	var dummy *string
-	err := conf.populatePtp4lConf(config.Spec.Profile[0].Ptp4lConf, dummy)
+	err := conf.PopulatePtp4lConf(config.Spec.Profile[0].Ptp4lConf, dummy)
 	if err != nil {
 		logrus.Warnf("ptp4l conf parsing failed, err=%s", err)
 	}

api/v1/zz_generated.deepcopy.go

@@ -61,7 +61,7 @@ metadata:
     categories: Networking
     certified: "false"
     containerImage: quay.io/openshift/origin-ptp-operator:4.21
-    createdAt: "2025-11-25T10:35:27Z"
+    createdAt: "2025-11-27T17:10:01Z"
     description: This software enables configuration of Precision Time Protocol(PTP)
       on Kubernetes. It detects hardware capable PTP devices on each node, and configures
       linuxptp processes such as ptp4l, phc2sys and timemaster.

bundle/manifests/ptp-operator.clusterserviceversion.yaml

@@ -90,8 +90,6 @@ spec:
                       maximum: 65
                       minimum: 1
                       type: integer
-                    ptpSecretName:
-                      type: string
                     ptpSettings:
                       additionalProperties:
                         type: string

bundle/manifests/ptp.openshift.io_ptpconfigs.yaml

@@ -90,8 +90,6 @@ spec:
                       maximum: 65
                       minimum: 1
                       type: integer
-                    ptpSecretName:
-                      type: string
                     ptpSettings:
                       additionalProperties:
                         type: string