Opensearch supporting new style aivenator secrets (#606)

Kyrremann · x10an14-nav · Reasonable-Solutions · web-flow · commit c6f80e8552de · 2025-04-10T09:54:24.000Z
* Reapply "opensearch gets its own secret (#600)" This reverts commit 0960c5d. * bump deps Co-authored-by: x10an14-nav <christian.chavez@nav.no> Co-authored-by: Kyrre Havik <kyrre.havik@nav.no> --------- Co-authored-by: x10an14-nav <christian.chavez@nav.no> Co-authored-by: carl hedgren <carl.hedgren@nav.no> Co-authored-by: Carl Hedgren <Reasonable-Solutions@users.noreply.github.com>
diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/imdario/mergo v0.3.16
 	github.com/magiconair/properties v1.8.9
 	github.com/mitchellh/hashstructure v1.1.0
-	github.com/nais/liberator v0.0.0-20250319104751-ae803ff00b4f
+	github.com/nais/liberator v0.0.0-20250408101050-2ffa1b42f7f2
 	github.com/novln/docker-parser v1.0.0
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0
 	github.com/prometheus/client_golang v1.22.0
@@ -24,9 +24,9 @@ require (
 	github.com/stretchr/testify v1.10.0
 	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.32.1
-	k8s.io/apimachinery v0.32.1
-	k8s.io/client-go v0.32.1
+	k8s.io/api v0.32.2
+	k8s.io/apimachinery v0.32.2
+	k8s.io/client-go v0.32.2
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
 	sigs.k8s.io/controller-runtime v0.20.1
 )
@@ -94,7 +94,7 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.32.1 // indirect
+	k8s.io/apiextensions-apiserver v0.32.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
diff --git a/go.sum b/go.sum
@@ -117,8 +117,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/nais/liberator v0.0.0-20250319104751-ae803ff00b4f h1:sQkwvc4OPh/vT2Bf6iarIZCxAhh1NZNxcQpeM7WhdMI=
-github.com/nais/liberator v0.0.0-20250319104751-ae803ff00b4f/go.mod h1:F3YcGoCG6HAyX5R2tgGH79/R0LBAU2xtRgRaveSXKiA=
+github.com/nais/liberator v0.0.0-20250408101050-2ffa1b42f7f2 h1:D0sz4dQXye5DdmW1PAMVn9f27eb+ZIoe/+vz9o+uKRo=
+github.com/nais/liberator v0.0.0-20250408101050-2ffa1b42f7f2/go.mod h1:UJvCuiANXCb54BuAIKoHY4EczdVhqxi0JIoj4393lC4=
 github.com/novln/docker-parser v1.0.0 h1:PjEBd9QnKixcWczNGyEdfUrP6GR0YUilAqG7Wksg3uc=
 github.com/novln/docker-parser v1.0.0/go.mod h1:oCeM32fsoUwkwByB5wVjsrsVQySzPWkl3JdlTn1txpE=
 github.com/onsi/ginkgo/v2 v2.22.1 h1:QW7tbJAUDyVDVOM5dFa7qaybo+CRfR7bemlQUN6Z8aM=
@@ -268,14 +268,14 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
-k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
-k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
-k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
-k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
-k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
-k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
+k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw=
+k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y=
+k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
+k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
+k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ=
+k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA=
+k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 h1:hcha5B1kVACrLujCKLbr8XWMxCxzQx42DY8QKYJrDLg=
diff --git a/pkg/resourcecreator/aiven/aiven.go b/pkg/resourcecreator/aiven/aiven.go
@@ -39,6 +39,7 @@ type Config interface {
 	GetAivenGeneration() int
 }
 
+// TODO: Remove once all aiven secrets are per service
 func generateSharedAivenSecretName(name string, generation int) (string, error) {
 	prefixedName := fmt.Sprintf("aiven-%s", name)
 	year, week := time.Now().ISOWeek()
@@ -48,6 +49,15 @@ func generateSharedAivenSecretName(name string, generation int) (string, error)
 	return namegen.SuffixedShortName(prefixedName, suffix, maxLen)
 }
 
+func generateAivenSecretName(name, service, generation string) (string, error) {
+	prefixedName := fmt.Sprintf("aiven-%s-%s", service, name)
+	year, week := time.Now().ISOWeek()
+	suffix := fmt.Sprintf("%d-%d-%s", year, week, generation)
+	maxLen := validation.DNS1035LabelMaxLength
+
+	return namegen.SuffixedShortName(prefixedName, suffix, maxLen)
+}
+
 func Create(source Source, ast *resource.Ast, config Config) error {
 	secretName, err := generateSharedAivenSecretName(source.GetName(), config.GetAivenGeneration())
 	if err != nil {
diff --git a/pkg/resourcecreator/aiven/opensearch.go b/pkg/resourcecreator/aiven/opensearch.go
@@ -18,10 +18,16 @@ func OpenSearch(ast *resource.Ast, openSearch *nais_io_v1.OpenSearch, aivenApp *
 		return false, fmt.Errorf("OpenSearch enabled, but no instance specified")
 	}
 
-	addOpenSearchEnvVariables(ast, aivenApp.Spec.SecretName)
+	secretName, err := generateAivenSecretName(aivenApp.Name, "opensearch", aivenApp.ObjectMeta.Labels["aiven.nais.io/secret-generation"])
+	if err != nil {
+		return false, err
+	}
+
+	addOpenSearchEnvVariables(ast, secretName)
 	aivenApp.Spec.OpenSearch = &aiven_nais_io_v1.OpenSearchSpec{
-		Instance: fmt.Sprintf("opensearch-%s-%s", aivenApp.GetNamespace(), openSearch.Instance),
-		Access:   openSearch.Access,
+		Instance:   fmt.Sprintf("opensearch-%s-%s", aivenApp.GetNamespace(), openSearch.Instance),
+		Access:     openSearch.Access,
+		SecretName: secretName,
 	}
 	ast.Labels["aiven"] = "enabled"
 
diff --git a/pkg/resourcecreator/testdata/naisjob/cronjob_open_search.yaml b/pkg/resourcecreator/testdata/naisjob/cronjob_open_search.yaml
@@ -25,7 +25,8 @@ tests:
         name: "secret name is generated"
         resource:
           spec:
-            secretName: ^aiven-mynaisjob-.{8}-\d{4}-\d\d?-0$
+            openSearch:
+              secretName: ^aiven-opensearch-mynaisjob-.{8}-\d{4}-\d\d?-0$
       - name: "instance and access is propagated"
         type: subset
         resource:
@@ -56,26 +57,26 @@ tests:
                             valueFrom:
                               secretKeyRef:
                                 key: OPEN_SEARCH_USERNAME
-                                name: ^aiven-mynaisjob-.{8}-\d{4}-\d\d?-0$
+                                name: ^aiven-opensearch-mynaisjob-.{8}-\d{4}-\d\d?-0$
                           - name: OPEN_SEARCH_PASSWORD
                             valueFrom:
                               secretKeyRef:
                                 key: OPEN_SEARCH_PASSWORD
-                                name: ^aiven-mynaisjob-.{8}-\d{4}-\d\d?-0$
+                                name: ^aiven-opensearch-mynaisjob-.{8}-\d{4}-\d\d?-0$
                           - name: OPEN_SEARCH_URI
                             valueFrom:
                               secretKeyRef:
                                 key: OPEN_SEARCH_URI
-                                name: ^aiven-mynaisjob-.{8}-\d{4}-\d\d?-0$
+                                name: ^aiven-opensearch-mynaisjob-.{8}-\d{4}-\d\d?-0$
                           - name: OPEN_SEARCH_HOST
                             valueFrom:
                               secretKeyRef:
                                 key: OPEN_SEARCH_HOST
-                                name: ^aiven-mynaisjob-.{8}-\d{4}-\d\d?-0$
+                                name: ^aiven-opensearch-mynaisjob-.{8}-\d{4}-\d\d?-0$
                                 optional: true
                           - name: OPEN_SEARCH_PORT
                             valueFrom:
                               secretKeyRef:
                                 key: OPEN_SEARCH_PORT
-                                name: ^aiven-mynaisjob-.{8}-\d{4}-\d\d?-0$
+                                name: ^aiven-opensearch-mynaisjob-.{8}-\d{4}-\d\d?-0$
                                 optional: true
diff --git a/pkg/resourcecreator/testdata/open_search.yaml b/pkg/resourcecreator/testdata/open_search.yaml
@@ -24,7 +24,8 @@ tests:
         name: "secret name is generated"
         resource:
           spec:
-            secretName: ^aiven-myapplication-.{8}-\d{4}-\d\d?-0$
+            openSearch:
+              secretName: ^aiven-opensearch-myapplication-.{8}-\d{4}-\d\d?-0$
       - name: "instance and access is propagated"
         type: subset
         resource:
@@ -53,26 +54,26 @@ tests:
                         valueFrom:
                           secretKeyRef:
                             key: OPEN_SEARCH_USERNAME
-                            name: ^aiven-myapplication-.{8}-\d{4}-\d\d?-0$
+                            name: ^aiven-opensearch-myapplication-.{8}-\d{4}-\d\d?-0$
                       - name: OPEN_SEARCH_PASSWORD
                         valueFrom:
                           secretKeyRef:
                             key: OPEN_SEARCH_PASSWORD
-                            name: ^aiven-myapplication-.{8}-\d{4}-\d\d?-0$
+                            name: ^aiven-opensearch-myapplication-.{8}-\d{4}-\d\d?-0$
                       - name: OPEN_SEARCH_URI
                         valueFrom:
                           secretKeyRef:
                             key: OPEN_SEARCH_URI
-                            name: ^aiven-myapplication-.{8}-\d{4}-\d\d?-0$
+                            name: ^aiven-opensearch-myapplication-.{8}-\d{4}-\d\d?-0$
                       - name: OPEN_SEARCH_HOST
                         valueFrom:
                           secretKeyRef:
                             key: OPEN_SEARCH_HOST
-                            name: ^aiven-myapplication-.{8}-\d{4}-\d\d?-0$
+                            name: ^aiven-opensearch-myapplication-.{8}-\d{4}-\d\d?-0$
                             optional: true
                       - name: OPEN_SEARCH_PORT
                         valueFrom:
                           secretKeyRef:
                             key: OPEN_SEARCH_PORT
-                            name: ^aiven-myapplication-.{8}-\d{4}-\d\d?-0$
+                            name: ^aiven-opensearch-myapplication-.{8}-\d{4}-\d\d?-0$
                             optional: true
