From be41737256d8a75488c9631ce28968ab1ceb65aa Mon Sep 17 00:00:00 2001 From: Chris Sibbitt Date: Fri, 29 Sep 2023 08:45:13 -0400 Subject: [PATCH] Initial changes for QDR basicAuth (#481) * Initial changes for QDR basicAuth * Update roles/servicetelemetry/tasks/pre.yml Co-authored-by: Leif Madsen * correct API version on secret * Touchups from fresh environment test * swap ansible_date_time for a filter that doesnt required facts ...and adheres to the rules for label text * Update CSV * Disable qdr auth in smoketests See: https://github.com/infrawatch/service-telemetry-operator/pull/492 --------- Co-authored-by: Leif Madsen --- Jenkinsfile | 1 + .../infra.watch_servicetelemetrys_crd.yaml | 6 +++ ...fra.watch_v1beta1_servicetelemetry_cr.yaml | 1 + .../infra.watch_servicetelemetrys_crd.yaml | 7 +++ ...emetry-operator.clusterserviceversion.yaml | 1 + roles/servicetelemetry/defaults/main.yml | 1 + .../servicetelemetry/tasks/component_qdr.yml | 31 +++++++++++++ roles/servicetelemetry/tasks/pre.yml | 45 +++++++++++++++++++ tests/smoketest/smoketest.sh | 7 +++ 9 files changed, 100 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index f94b64b1e..f3a13d571 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -36,6 +36,7 @@ spec: strategy: ephemeral transports: qdr: + auth: none enabled: true deploymentSize: 1 web: diff --git a/deploy/crds/infra.watch_servicetelemetrys_crd.yaml b/deploy/crds/infra.watch_servicetelemetrys_crd.yaml index f45dc44bd..286d2c74b 100644 --- a/deploy/crds/infra.watch_servicetelemetrys_crd.yaml +++ b/deploy/crds/infra.watch_servicetelemetrys_crd.yaml @@ -248,6 +248,12 @@ spec: enabled: description: Enable QDR data transort type: boolean + auth: + description: 'Auth type to use for incoming OSP connections. Options are "none", or "basic"' + type: string + enum: + - none + - basic web: description: QDR web configuration properties: 
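Review bot: The new `auth` property carries no `default` and its description does not say what happens when the field is left unset, which is the case every existing ServiceTelemetry object is in after this upgrade. From the role's pre.yml in this same commit the operator resolves that state itself, writing `none` back onto the object when the deployed Interconnect currently uses ANONYMOUS and the role default otherwise; a schema `default:` would be filled in by the API server and hide the unset state that logic depends on, so its absence looks intentional, but a reader of the CRD cannot tell. I would state it in the description, e.g. `description: 'Auth type to use for incoming OSP connections. Options are "none" (anonymous) or "basic". When unset, the operator sets it from the existing QDR deployment.'`. The same wording belongs in the OLM manifest copy of this CRD in the next file section.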
diff --git a/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml b/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml index 8c1bf5b0c..e311546ce 100644 --- a/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml +++ b/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml @@ -102,6 +102,7 @@ spec: transports: qdr: enabled: true + auth: basic web: enabled: false certificates: diff --git a/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml b/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml index f6cf302b2..f26cbc7b9 100644 --- a/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml +++ b/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml @@ -429,6 +429,13 @@ spec: qdr: description: QDR configuration for data transport properties: + auth: + description: Auth type to use for incoming OSP connections. + Options are "none", or "basic" + enum: + - none + - basic + type: string certificates: properties: caCertDuration: diff --git a/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml b/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml index 86fd01669..8ba230536 100644 --- a/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml +++ b/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml @@ -153,6 +153,7 @@ metadata: "observabilityStrategy": "use_redhat", "transports": { "qdr": { + "auth": "basic", "certificates": { "caCertDuration": "70080h", "endpointCertDuration": "70080h" diff --git a/roles/servicetelemetry/defaults/main.yml b/roles/servicetelemetry/defaults/main.yml index 5ac3b31c7..e8e92d855 100644 --- a/roles/servicetelemetry/defaults/main.yml 
+++ b/roles/servicetelemetry/defaults/main.yml @@ -74,6 +74,7 @@ servicetelemetry_defaults: deployment_size: 1 web: enabled: false + auth: basic certificates: endpoint_cert_duration: 70080h ca_cert_duration: 70080h diff --git a/roles/servicetelemetry/tasks/component_qdr.yml b/roles/servicetelemetry/tasks/component_qdr.yml index 84fcd1beb..64489ff74 100644 --- a/roles/servicetelemetry/tasks/component_qdr.yml +++ b/roles/servicetelemetry/tasks/component_qdr.yml @@ -149,6 +149,32 @@ sasldb_path: /tmp/qdrouterd.sasldb when: interconnect_manifest is not defined +- when: + - servicetelemetry_vars.transports.qdr.auth == "basic" + block: + - name: Get QDR BasicAuth secret + k8s_info: + api_version: interconnectedcloud.github.io/v1alpha1 + kind: Interconnect + name: "{{ ansible_operator_meta.name }}-interconnect" + namespace: "{{ ansible_operator_meta.namespace }}" + register: _qdr_basicauth_object + + # Because https://github.com/interconnectedcloud/qdr-operator/blob/576d2b33dac71437ea2b165caaaf6413220767fe/pkg/controller/interconnect/interconnect_controller.go#L634 + - name: Perform a one-time upgrade to the default generated password for QDR BasicAuth + k8s: + definition: + kind: Secret + apiVersion: v1 + metadata: + name: "{{ ansible_operator_meta.name }}-interconnect-users" + namespace: "{{ ansible_operator_meta.namespace }}" + labels: + stf_one_time_upgrade: "{{ lookup('pipe', 'date +%s') }}" + stringData: + guest: "{{ lookup('password', '/dev/null') }}" + when: + - _qdr_basicauth_object.resources[0] is defined and _qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade is not defined - name: Set default Interconnect manifest set_fact: 
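Review bot: The guard on the "one-time upgrade" task reads `_qdr_basicauth_object[0].metadata.labels.stf_one_time_upgrade`, which indexes the registered result dict instead of `.resources[0]`, so the path is always undefined and the `is not defined` test is always true; and the label is written to the `-interconnect-users` Secret while the preceding `k8s_info` queries the Interconnect CR, so even with the index corrected the label would never be found. The net effect is that `guest` receives a fresh random password on every reconcile once the Interconnect exists, which would break any client configured with the previous credential rather than rotating the default once. The task name "Get QDR BasicAuth secret" suggests the lookup was meant to read the Secret itself; querying that object and checking its own labels gives the one-time semantics the comment describes, and the existing `resources[0] is defined` guard then correctly skips the task until the qdr-operator has created the Secret. Both conditions are shown split onto separate `when` items below so the failure mode is visible in the task log.
```yaml
  block:
    - name: Get QDR BasicAuth secret
      k8s_info:
        api_version: v1
        kind: Secret
        name: "{{ ansible_operator_meta.name }}-interconnect-users"
        namespace: "{{ ansible_operator_meta.namespace }}"
      register: _qdr_basicauth_object

    # … unchanged: one-time password upgrade task (k8s Secret definition) …
      when:
        - _qdr_basicauth_object.resources[0] is defined
        - _qdr_basicauth_object.resources[0].metadata.labels.stf_one_time_upgrade is not defined
```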
@@ -183,7 +209,12 @@ - expose: true host: 0.0.0.0 port: 5671 + {% if servicetelemetry_vars.transports.qdr.auth == "basic" %} + saslMechanisms: PLAIN + authenticatePeer: true + {% elif servicetelemetry_vars.transports.qdr.auth == "none" %} saslMechanisms: ANONYMOUS + {% endif %} sslProfile: openstack - port: 5673 linkCapacity: 25000 diff --git a/roles/servicetelemetry/tasks/pre.yml b/roles/servicetelemetry/tasks/pre.yml index 0fd1bb59b..38477b02b 100644 --- a/roles/servicetelemetry/tasks/pre.yml +++ b/roles/servicetelemetry/tasks/pre.yml 
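Review bot: The 5671 listener is rendered with neither `saslMechanisms` nor `authenticatePeer` when `auth` holds any value other than "basic" or "none", because the `{% if %}`/`{% elif %}` pair has no `{% else %}`. The CRD enum covers values set through the API, but `servicetelemetry_vars` is also assembled from role defaults and `set_fact` merges (pre.yml in this commit does one), so a typo there would silently template a listener whose authentication behaviour is left to the router's own defaults instead of an explicit choice. I would fail the reconcile on an unknown value before the manifest is built, with an `assert` task placed ahead of `Set default Interconnect manifest` (that task starts in the previous hunk), and keep the template as is.
```yaml
- name: Reject unsupported QDR auth settings before templating the Interconnect manifest
  assert:
    that:
      - servicetelemetry_vars.transports.qdr.auth in ['none', 'basic']
    fail_msg: "transports.qdr.auth must be 'none' or 'basic', got '{{ servicetelemetry_vars.transports.qdr.auth }}'"

# … unchanged: Set default Interconnect manifest set_fact (starts in the previous hunk) …
```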
@@ -127,6 +127,51 @@ - _community_prom_object.resources[0] is not defined - _stf_object.resources[0].spec.observabilityStrategy is not defined +- name: Get QDR objects + k8s_info: + api_version: interconnectedcloud.github.io/v1alpha1 + kind: Interconnect + name: "{{ ansible_operator_meta.name }}-interconnect" + namespace: "{{ ansible_operator_meta.namespace }}" + register: _qdr_object + +- block: + - name: Apply legacy auth=none for QDR if missing on the STF object and it's currently deployed that way + k8s: + definition: + apiVersion: infra.watch/v1beta1 + kind: ServiceTelemetry + metadata: + name: "{{ ansible_operator_meta.name }}" + namespace: "{{ ansible_operator_meta.namespace }}" + spec: + transports: + qdr: + auth: none + + - name: Set auth=none for remainder of this run + set_fact: + servicetelemetry_vars: "{{ servicetelemetry_vars|combine({'transports':{'qdr':{'auth': 'none'}}}, recursive=True) }}" # noqa 206 + when: + - _stf_object.resources[0].spec.transports.qdr.auth is not defined + - _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms == "ANONYMOUS" + +- name: Apply default auth for QDR if missing on a new STF object with no associated auth=none QDR + k8s: + definition: + apiVersion: infra.watch/v1beta1 + kind: ServiceTelemetry + metadata: + name: "{{ ansible_operator_meta.name }}" + namespace: "{{ ansible_operator_meta.namespace }}" + spec: + transports: + qdr: + auth: "{{ servicetelemetry_defaults.transports.qdr.auth }}" + when: + - _stf_object.resources[0].spec.transports.qdr.auth is not defined + - _qdr_object.resources[0] is defined and _qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms != "ANONYMOUS" + - name: Set ephemeral_storage_enabled to true when storage strategy is ephemeral set_fact: _ephemeral_storage_enabled: true diff --git a/tests/smoketest/smoketest.sh b/tests/smoketest/smoketest.sh index 4204398f2..2909e694f 100755 --- a/tests/smoketest/smoketest.sh 
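Review bot: Both `when` lists compare `_qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms` with `==`/`!=` directly, and in Ansible an undefined attribute reached inside a comparison aborts the task with an undefined-variable error rather than evaluating false; an Interconnect object without `spec.edgeListeners`, or whose first listener carries no `saslMechanisms`, therefore fails the whole reconcile on every run, and the `resources[0] is defined` guard only protects the object itself, not that path. A `default` makes both conditions total: `- (_qdr_object.resources[0].spec.edgeListeners[0].saslMechanisms | default('')) == "ANONYMOUS"` in the legacy block and the `!= "ANONYMOUS"` form in the "Apply default auth" task. Both conditions also assume listener index 0 is the OSP-facing 5671 listener templated in component_qdr.yml; if that order ever changes the legacy detection misfires silently, so a comment next to each condition, e.g. `# edgeListeners[0] must remain the 5671 OSP listener from component_qdr.yml`, would record the coupling.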
+++ b/tests/smoketest/smoketest.sh @@ -27,6 +27,13 @@ if [ "${OC_CLIENT_VERSION_Y}" -lt "${OC_CLIENT_VERSION_Y_REQUIRED}" ] || [ "${OC exit 1 fi +if [ "$(oc get stf default -o=jsonpath='{.spec.transports.qdr.auth}')" != "none" ]; then + echo "*** QDR authentication is currently not supported in smoketests." + echo "To disable it, use: oc patch stf default --patch '{\"spec\":{\"transports\":{\"qdr\":{\"auth\":\"none\"}}}}' --type=merge" + echo "For more info: https://github.com/infrawatch/service-telemetry-operator/pull/492" + exit 1 +fi + CLEANUP=${CLEANUP:-true} SMOKETEST_VERBOSE=${SMOKETEST_VERBOSE:-true}
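Review bot: When `oc get stf default` fails (no STF named `default` in the current project, or the operator not yet having written `spec.transports.qdr.auth`, which pre.yml in this commit does only once an Interconnect exists) the substitution expands to an empty string, and the script then reports "QDR authentication is currently not supported" and tells the user to patch auth to none, which is misleading for that case. Capturing the value first separates the two failures: `QDR_AUTH="$(oc get stf default -o=jsonpath='{.spec.transports.qdr.auth}')" || { echo "*** Unable to read STF object 'default'"; exit 1; }` followed by `if [ "${QDR_AUTH}" != "none" ]; then`. An empty `QDR_AUTH` could be reported with its own message as well, since it means the operator has not reconciled the field yet rather than that auth is enabled. The STF name `default` is hard-coded here; I cannot see from the hunk whether the rest of the script parameterises it.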