Revert "Use Secret instead of ConfigMap for pod env" (#382)

This reverts commit d5176b0.

Author: eberlep

controllers/postgres_controller.go

@@ -376,14 +376,14 @@ func (r *PostgresReconciler) ensureZalandoDependencies(ctx context.Context, p *p
 		}
 	}
 
-	if err := r.updatePodEnvironmentSecret(ctx, p); err != nil {
+	if err := r.updatePodEnvironmentConfigMap(ctx, p); err != nil {
 		return fmt.Errorf("error while updating backup config: %w", err)
 	}
 
 	return nil
 }
 
-func (r *PostgresReconciler) updatePodEnvironmentSecret(ctx context.Context, p *pg.Postgres) error {
+func (r *PostgresReconciler) updatePodEnvironmentConfigMap(ctx context.Context, p *pg.Postgres) error {
 	log := r.Log.WithValues("postgres", p.UID)
 	if p.Spec.BackupSecretRef == "" {
 		log.Info("No configured backupSecretRef found, skipping configuration of postgres backup")
@@ -424,37 +424,37 @@ func (r *PostgresReconciler) updatePodEnvironmentSecret(ctx context.Context, p *
 		walgSSE = *backupConfig.S3EncryptionKey
 	}
 
-	// create updated content for pod environment secret
-	data := map[string][]byte{
-		"USE_WALG_BACKUP":                  []byte("true"),
-		"USE_WALG_RESTORE":                 []byte("true"),
-		"WALE_S3_PREFIX":                   []byte("s3://" + bucketName + "/$(SCOPE)"),
-		"WALG_S3_PREFIX":                   []byte("s3://" + bucketName + "/$(SCOPE)"),
-		"CLONE_WALG_S3_PREFIX":             []byte("s3://" + bucketName + "/$(CLONE_SCOPE)"),
-		"WALE_BACKUP_THRESHOLD_PERCENTAGE": []byte("100"),
-		"AWS_ENDPOINT":                     []byte(awsEndpoint),
-		"WALE_S3_ENDPOINT":                 []byte(walES3Endpoint), // same as above, but slightly modified
-		"AWS_ACCESS_KEY_ID":                []byte(awsAccessKeyID),
-		"AWS_SECRET_ACCESS_KEY":            []byte(awsSecretAccessKey),
-		"AWS_S3_FORCE_PATH_STYLE":          []byte("true"),
-		"AWS_REGION":                       []byte(region),         // now we can use AWS S3
-		"WALG_DISABLE_S3_SSE":              []byte(walgDisableSSE), // disable server side encryption if key is nil
-		"WALG_S3_SSE":                      []byte(walgSSE),        // server side encryption key
-		"BACKUP_SCHEDULE":                  []byte(backupSchedule),
-		"BACKUP_NUM_TO_RETAIN":             []byte(backupNumToRetain),
-	}
-
-	s := &corev1.Secret{}
+	// create updated content for pod environment configmap
+	data := map[string]string{
+		"USE_WALG_BACKUP":                  "true",
+		"USE_WALG_RESTORE":                 "true",
+		"WALE_S3_PREFIX":                   "s3://" + bucketName + "/$(SCOPE)",
+		"WALG_S3_PREFIX":                   "s3://" + bucketName + "/$(SCOPE)",
+		"CLONE_WALG_S3_PREFIX":             "s3://" + bucketName + "/$(CLONE_SCOPE)",
+		"WALE_BACKUP_THRESHOLD_PERCENTAGE": "100",
+		"AWS_ENDPOINT":                     awsEndpoint,
+		"WALE_S3_ENDPOINT":                 walES3Endpoint, // same as above, but slightly modified
+		"AWS_ACCESS_KEY_ID":                awsAccessKeyID,
+		"AWS_SECRET_ACCESS_KEY":            awsSecretAccessKey,
+		"AWS_S3_FORCE_PATH_STYLE":          "true",
+		"AWS_REGION":                       region,         // now we can use AWS S3
+		"WALG_DISABLE_S3_SSE":              walgDisableSSE, // disable server side encryption if key is nil
+		"WALG_S3_SSE":                      walgSSE,        // server side encryption key
+		"BACKUP_SCHEDULE":                  backupSchedule,
+		"BACKUP_NUM_TO_RETAIN":             backupNumToRetain,
+	}
+
+	cm := &corev1.ConfigMap{}
 	ns := types.NamespacedName{
-		Name:      operatormanager.PodEnvSecretName,
+		Name:      operatormanager.PodEnvCMName,
 		Namespace: p.ToPeripheralResourceNamespace(),
 	}
-	if err := r.SvcClient.Get(ctx, ns, s); err != nil {
-		return fmt.Errorf("error while getting the pod environment secret from service cluster: %w", err)
+	if err := r.SvcClient.Get(ctx, ns, cm); err != nil {
+		return fmt.Errorf("error while getting the pod environment configmap from service cluster: %w", err)
 	}
-	s.Data = data
-	if err := r.SvcClient.Update(ctx, s); err != nil {
-		return fmt.Errorf("error while updating the pod environment secret in service cluster: %w", err)
+	cm.Data = data
+	if err := r.SvcClient.Update(ctx, cm); err != nil {
+		return fmt.Errorf("error while updating the pod environment configmap in service cluster: %w", err)
 	}
 
 	return nil

pkg/operatormanager/operatormanager.go

@@ -35,8 +35,8 @@ const (
 	// TODO: use different account for operator and database
 	serviceAccountName string = "postgres-operator"
 
-	// PodEnvSecretName Name of the pod environment secret to create and use
-	PodEnvSecretName string = "postgres-pod-config" //nolint:gosec
+	// PodEnvCMName Name of the pod environment configmap to create and use
+	PodEnvCMName string = "postgres-pod-config"
 
 	operatorPodLabelName  string = "name"
 	operatorPodLabelValue string = "postgres-operator"
@@ -117,9 +117,9 @@ func (m *OperatorManager) InstallOrUpdateOperator(ctx context.Context, namespace
 		return fmt.Errorf("error while ensuring the existence of namespace %v: %w", namespace, err)
 	}
 
-	// Add our (initially empty) custom pod environment secret
-	if err := m.createPodEnvironmentSecret(ctx, namespace); err != nil {
-		return fmt.Errorf("error while creating pod environment secret %v: %w", namespace, err)
+	// Add our (initially empty) custom pod environment configmap
+	if err := m.createPodEnvironmentConfigMap(ctx, namespace); err != nil {
+		return fmt.Errorf("error while creating pod environment configmap %v: %w", namespace, err)
 	}
 
 	// Add our sidecars configmap
@@ -239,7 +239,7 @@ func (m *OperatorManager) UninstallOperator(ctx context.Context, namespace strin
 	}
 
 	// delete the pod environment configmap
-	if err := m.deletePodEnvironmentSecret(ctx, namespace); client.IgnoreNotFound(err) != nil {
+	if err := m.deletePodEnvironmentConfigMap(ctx, namespace); client.IgnoreNotFound(err) != nil {
 		return fmt.Errorf("error while deleting pod environment configmap: %w", err)
 	}
 
@@ -392,8 +392,8 @@ func (m *OperatorManager) editConfigMap(cm *corev1.ConfigMap, namespace string,
 	cm.Data["watched_namespace"] = namespace
 	// TODO don't use the same serviceaccount for operator and databases, see #88
 	cm.Data["pod_service_account_name"] = serviceAccountName
-	// set the reference to our custom pod environment secret
-	cm.Data["pod_environment_secret"] = PodEnvSecretName
+	// set the reference to our custom pod environment configmap
+	cm.Data["pod_environment_configmap"] = PodEnvCMName
 	// set the list of inherited labels that will be passed on to the pods
 	s := []string{pg.TenantLabelName, pg.ProjectIDLabelName, pg.UIDLabelName, pg.NameLabelName}
 	// TODO maybe use a precompiled string here
@@ -460,31 +460,31 @@ func (m *OperatorManager) createNamespace(ctx context.Context, namespace string)
 	return nil
 }
 
-// createPodEnvironmentSecret creates a new Secret with additional environment variables for the pods
-func (m *OperatorManager) createPodEnvironmentSecret(ctx context.Context, namespace string) error {
+// createPodEnvironmentConfigMap creates a new ConfigMap with additional environment variables for the pods
+func (m *OperatorManager) createPodEnvironmentConfigMap(ctx context.Context, namespace string) error {
 	ns := types.NamespacedName{
 		Namespace: namespace,
-		Name:      PodEnvSecretName,
+		Name:      PodEnvCMName,
 	}
-	if err := m.Get(ctx, ns, &corev1.Secret{}); err == nil {
-		// secret already exists, nothing to do here
-		// we will update the secret with the correct S3 config in the postgres controller
-		m.log.Info("Pod Environment Secret already exists")
+	if err := m.Get(ctx, ns, &corev1.ConfigMap{}); err == nil {
+		// configmap already exists, nothing to do here
+		// we will update the configmap with the correct S3 config in the postgres controller
+		m.log.Info("Pod Environment ConfigMap already exists")
 		return nil
 	}
 
-	s := &corev1.Secret{}
-	if err := m.SetName(s, PodEnvSecretName); err != nil {
-		return fmt.Errorf("error while setting the name of the new Pod Environment Secret to %v: %w", namespace, err)
+	cm := &corev1.ConfigMap{}
+	if err := m.SetName(cm, PodEnvCMName); err != nil {
+		return fmt.Errorf("error while setting the name of the new Pod Environment ConfigMap to %v: %w", namespace, err)
 	}
-	if err := m.SetNamespace(s, namespace); err != nil {
-		return fmt.Errorf("error while setting the namespace of the new Pod Environment Secret to %v: %w", namespace, err)
+	if err := m.SetNamespace(cm, namespace); err != nil {
+		return fmt.Errorf("error while setting the namespace of the new Pod Environment ConfigMap to %v: %w", namespace, err)
 	}
 
-	if err := m.Create(ctx, s); err != nil {
-		return fmt.Errorf("error while creating the new Pod Environment Secret: %w", err)
+	if err := m.Create(ctx, cm); err != nil {
+		return fmt.Errorf("error while creating the new Pod Environment ConfigMap: %w", err)
 	}
-	m.log.Info("new Pod Environment Secret created")
+	m.log.Info("new Pod Environment ConfigMap created")
 
 	return nil
 }
@@ -560,18 +560,18 @@ func (m *OperatorManager) createOrUpdateSidecarsConfigMap(ctx context.Context, n
 	return nil
 }
 
-func (m *OperatorManager) deletePodEnvironmentSecret(ctx context.Context, namespace string) error {
-	s := &corev1.Secret{}
-	if err := m.SetName(s, PodEnvSecretName); err != nil {
-		return fmt.Errorf("error while setting the name of the Pod Environment Secret to delete to %v: %w", PodEnvSecretName, err)
+func (m *OperatorManager) deletePodEnvironmentConfigMap(ctx context.Context, namespace string) error {
+	cm := &corev1.ConfigMap{}
+	if err := m.SetName(cm, PodEnvCMName); err != nil {
+		return fmt.Errorf("error while setting the name of the Pod Environment ConfigMap to delete to %v: %w", PodEnvCMName, err)
 	}
-	if err := m.SetNamespace(s, namespace); err != nil {
-		return fmt.Errorf("error while setting the namespace of the Pod Environment Secret to delete to %v: %w", namespace, err)
+	if err := m.SetNamespace(cm, namespace); err != nil {
+		return fmt.Errorf("error while setting the namespace of the Pod Environment ConfigMap to delete to %v: %w", namespace, err)
 	}
-	if err := m.Delete(ctx, s); err != nil {
-		return fmt.Errorf("error while deleting the Pod Environment Secret: %w", err)
+	if err := m.Delete(ctx, cm); err != nil {
+		return fmt.Errorf("error while deleting the Pod Environment ConfigMap: %w", err)
 	}
-	m.log.Info("Pod Environment Secret deleted")
+	m.log.Info("Pod Environment ConfigMap deleted")
 
 	return nil
 }