tigera · asincu · May 17, 2024 · May 17, 2024
@@ -346,6 +346,19 @@ func (r *LinseedSubController) Reconcile(ctx context.Context, request reconcile.
 		}
 	}
 
+	// Query the username and password this Linseed instance should use to authenticate with Elasticsearch.
+	// For multi-tenant systems, credentials are created by the elasticsearch users controller.
+	// For single-tenant system, these are created by es-kube-controllers.
+	key = types.NamespacedName{Name: render.ElasticsearchLinseedUserSecret, Namespace: helper.InstallNamespace()}
+	credentials := corev1.Secret{}
+	if err = r.client.Get(ctx, key, &credentials); err != nil && !errors.IsNotFound(err) {
+		r.status.SetDegraded(operatorv1.ResourceReadError, fmt.Sprintf("Error getting Secret %s", key), err, reqLogger)
+		return reconcile.Result{}, err
+	} else if errors.IsNotFound(err) {
+		r.status.SetDegraded(operatorv1.ResourceNotFound, fmt.Sprintf("Waiting for Linseed credential Secret %s", key), err, reqLogger)
+		return reconcile.Result{RequeueAfter: utils.StandardRetry}, nil
+	}
+
 	// Collect the certificates we need to provision Linseed. These will have been provisioned already by the ES secrets controller.
 	opts := []certificatemanager.Option{
 		certificatemanager.WithLogger(reqLogger),
@@ -418,24 +431,25 @@ func (r *LinseedSubController) Reconcile(ctx context.Context, request reconcile.
 	}
 
 	cfg := &linseed.Config{
-		Installation:        install,
-		PullSecrets:         pullSecrets,
-		Namespace:           helper.InstallNamespace(),
-		BindNamespaces:      bindNamespaces,
-		TrustedBundle:       trustedBundle,
-		ClusterDomain:       r.clusterDomain,
-		KeyPair:             linseedKeyPair,
-		TokenKeyPair:        tokenKeyPair,
-		UsePSP:              r.usePSP,
-		ESClusterConfig:     esClusterConfig,
-		HasDPIResource:      hasDPIResource,
-		ManagementCluster:   managementCluster != nil,
-		Tenant:              tenant,
-		ExternalElastic:     r.elasticExternal,
-		ElasticHost:         elasticHost,
-		ElasticPort:         elasticPort,
-		ElasticClientSecret: esClientSecret,
-		LogStorage:          logStorage,
+		Installation:                   install,
+		PullSecrets:                    pullSecrets,
+		Namespace:                      helper.InstallNamespace(),
+		BindNamespaces:                 bindNamespaces,
+		TrustedBundle:                  trustedBundle,
+		ClusterDomain:                  r.clusterDomain,
+		KeyPair:                        linseedKeyPair,
+		TokenKeyPair:                   tokenKeyPair,
+		UsePSP:                         r.usePSP,
+		ESClusterConfig:                esClusterConfig,
+		HasDPIResource:                 hasDPIResource,
+		ManagementCluster:              managementCluster != nil,
+		Tenant:                         tenant,
+		ExternalElastic:                r.elasticExternal,
+		ElasticHost:                    elasticHost,
+		ElasticPort:                    elasticPort,
+		ElasticClientSecret:            esClientSecret,
+		ElasticClientCredentialsSecret: &credentials,
+		LogStorage:                     logStorage,
 	}
 	linseedComponent := linseed.Linseed(cfg)
 

@@ -123,6 +123,11 @@ type Config struct {
 	// mTLS is used between Linseed and the external Elastic cluster.
 	ElasticClientSecret *corev1.Secret
 
+	// Secret containing the user linseed connects to Elasticsearch
+	// In a zero tenant setup, es-kubecontrollers create this secret
+	// In a multi-tenant setup, users controllers create this secret
+	ElasticClientCredentialsSecret *corev1.Secret
+
 	ElasticHost string
 	ElasticPort string
 
@@ -427,6 +432,9 @@ func (l *linseed) linseedDeployment() *appsv1.Deployment {
 	if l.cfg.ElasticClientSecret != nil {
 		annotations["hash.operator.tigera.io/elastic-client-secret"] = rmeta.SecretsAnnotationHash(l.cfg.ElasticClientSecret)
 	}
+	if l.cfg.ElasticClientCredentialsSecret != nil {
+		annotations[fmt.Sprintf("hash.operator.tigera.io/%s", render.ElasticsearchLinseedUserSecret)] = rmeta.SecretsAnnotationHash(l.cfg.ElasticClientCredentialsSecret)
+	}
 
 	if l.cfg.TokenKeyPair != nil {
 		envVars = append(envVars,

@@ -92,21 +92,35 @@ var _ = Describe("Linseed rendering tests", func() {
 			replicas = 2
 			kp, tokenKP, bundle := getTLS(installation)
 
+			// Create the ES user secret. Generally this is created by either es-kube-controllers or the user controller in this operator.
+			userSecret := &corev1.Secret{
+				TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      render.ElasticsearchLinseedUserSecret,
+					Namespace: render.ElasticsearchNamespace,
+				},
+				Data: map[string][]byte{
+					"username": []byte("test-username"),
+					"password": []byte("test-username"),
+				},
+			}
+
 			cfg = &Config{
 				Installation: installation,
 				PullSecrets: []*corev1.Secret{
 					{ObjectMeta: metav1.ObjectMeta{Name: "tigera-pull-secret"}},
 				},
-				KeyPair:         kp,
-				TokenKeyPair:    tokenKP,
-				TrustedBundle:   bundle,
-				ClusterDomain:   clusterDomain,
-				UsePSP:          true,
-				ESClusterConfig: esClusterConfig,
-				Namespace:       render.ElasticsearchNamespace,
-				BindNamespaces:  []string{render.ElasticsearchNamespace},
-				ElasticHost:     "tigera-secure-es-http.tigera-elasticsearch.svc",
-				ElasticPort:     "9200",
+				KeyPair:                        kp,
+				TokenKeyPair:                   tokenKP,
+				TrustedBundle:                  bundle,
+				ClusterDomain:                  clusterDomain,
+				UsePSP:                         true,
+				ESClusterConfig:                esClusterConfig,
+				Namespace:                      render.ElasticsearchNamespace,
+				BindNamespaces:                 []string{render.ElasticsearchNamespace},
+				ElasticHost:                    "tigera-secure-es-http.tigera-elasticsearch.svc",
+				ElasticPort:                    "9200",
+				ElasticClientCredentialsSecret: userSecret,
 			}
 		})
 
@@ -150,6 +164,7 @@ var _ = Describe("Linseed rendering tests", func() {
 
 			// The deployment should have the hash annotation set, as well as a volume and volume mount for the client secret.
 			Expect(d.Spec.Template.Annotations["hash.operator.tigera.io/elastic-client-secret"]).To(Equal("ae1a6776a81bf1fc0ee4aac936a90bd61a07aea7"))
+			Expect(d.Spec.Template.Annotations[fmt.Sprintf("hash.operator.tigera.io/%s", render.ElasticsearchLinseedUserSecret)]).To(Equal("465c25d580ea36d8e7cda470a0c34afd05eae6f7"))
 			Expect(d.Spec.Template.Spec.Volumes).To(ContainElement(corev1.Volume{
 				Name: logstorage.ExternalCertsVolumeName,
 				VolumeSource: corev1.VolumeSource{