Create internal secret to consume in sub-crs

Create an internal secret in the watcher controller to pass to the
sub CRs (atm only for WatcherAPI). Initially, this secret contains the
service password and the transport url. Eventually, this secret will be
set as the Secret field in the sub CRs specs, once they are created from
the Watcher controller.

controllers/watcher_controller.go

@@ -40,6 +40,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/job"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -214,7 +215,7 @@ func (r *WatcherReconciler) Reconcile(ctx context.Context, req ctrl.Request) (re
 	// end of TransportURL creation
 
 	// Check we have the required inputs
-	hash, _, _, err := ensureSecret(
+	hash, _, inputSecret, err := ensureSecret(
 		ctx,
 		types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
 		[]string{
@@ -244,6 +245,14 @@ func (r *WatcherReconciler) Reconcile(ctx context.Context, req ctrl.Request) (re
 		return ctrl.Result{}, errors.New("error retrieving required data from transporturl secret")
 	}
 
+	subLevelSecretName, err := r.createSubLevelSecret(ctx, helper, instance, transporturlSecret, inputSecret)
+	if err != nil {
+		return ctrl.Result{}, nil
+	}
+	// the subLevelSecretName will be the value for the Secret field in the
+	// subCrs spec, once they are created by Watcher
+	_ = subLevelSecretName
+
 	instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
 	// End of Input Ready check
 
@@ -683,6 +692,35 @@ func (r *WatcherReconciler) ensureDBSync(
 	return ctrlResult, nil
 }
 
+func (r *WatcherReconciler) createSubLevelSecret(
+	ctx context.Context,
+	helper *helper.Helper,
+	instance *watcherv1beta1.Watcher,
+	transportURLSecret corev1.Secret,
+	inputSecret corev1.Secret,
+) (string, error) {
+	data := map[string]string{
+		instance.Spec.PasswordSelectors.Service: string(inputSecret.Data[instance.Spec.PasswordSelectors.Service]),
+		TransportURLSelector:                    string(transportURLSecret.Data[TransportURLSelector]),
+	}
+	secretName := instance.Name
+
+	labels := labels.GetLabels(instance, labels.GetGroupLabel(watcher.ServiceName), map[string]string{})
+
+	template := util.Template{
+		Name:         secretName,
+		Namespace:    instance.Namespace,
+		Type:         util.TemplateTypeNone,
+		InstanceType: instance.GetObjectKind().GroupVersionKind().Kind,
+		Labels:       labels,
+		CustomData:   data,
+	}
+
+	err := secret.EnsureSecrets(ctx, helper, instance, []util.Template{template}, nil)
+
+	return secretName, err
+}
+
 func (r *WatcherReconciler) reconcileDelete(ctx context.Context, instance *watcherv1beta1.Watcher, helper *helper.Helper) (ctrl.Result, error) {
 	Log := r.GetLogger(ctx)
 	Log.Info(fmt.Sprintf("Reconcile Service '%s' delete started", instance.Name))
@@ -735,5 +773,6 @@ func (r *WatcherReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Owns(&rbacv1.Role{}).
 		Owns(&rbacv1.RoleBinding{}).
 		Owns(&batchv1.Job{}).
+		Owns(&corev1.Secret{}).
 		Complete(r)
 }

tests/functional/watcher_controller_test.go

@@ -313,6 +313,12 @@ var _ = Describe("Watcher controller", func() {
 			Watcher := GetWatcher(watcherTest.Instance)
 			Expect(Watcher.Status.Hash[watcherv1beta1.DbSyncHash]).ShouldNot(BeNil())
 
+			// assert that the top level secret is created
+			createdSecret := th.GetSecret(watcherTest.Watcher)
+			Expect(createdSecret).ShouldNot(BeNil())
+			Expect(createdSecret.Data["WatcherPassword"]).To(Equal([]byte("password")))
+			Expect(createdSecret.Data["transport_url"]).To(Equal([]byte("rabbit://rabbitmq-secret/fake")))
+
 		})
 
 		It("Should fail to register watcher service to keystone when has not the expected secret", func() {

tests/kuttl/test-suites/default/watcher-api/03-assert.yaml

@@ -9,7 +9,7 @@ spec:
   databaseInstance: openstack
   passwordSelectors:
     service: WatcherPassword
-  secret: watcherapi-secret
+  secret: watcher-kuttl
 status:
   conditions:
   - message: Setup complete
@@ -32,5 +32,5 @@ status:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: watcherapi-kuttl-config-data
+  name: watcher-kuttl
 type: Opaque

tests/kuttl/test-suites/default/watcher-api/03-deploy-watcher-api.yaml

@@ -1,17 +1,8 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: watcherapi-secret
-type: Opaque
-stringData:
-  WatcherPassword: password
-  transport_url: rabbitmq-transport-url-watcher-kuttl-watcher-transport
----
 apiVersion: watcher.openstack.org/v1beta1
 kind: WatcherAPI
 metadata:
   name: watcherapi-kuttl
 spec:
   databaseInstance: openstack
-  secret: watcherapi-secret
+  secret: watcher-kuttl
   memcachedInstance: "memcached"

tests/kuttl/test-suites/default/watcher/01-assert.yaml

@@ -121,6 +121,11 @@ metadata:
   name: rabbitmq-transport-url-watcher-kuttl-watcher-transport
   namespace: watcher-kuttl-default
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: watcher-kuttl
+---
 apiVersion: keystone.openstack.org/v1beta1
 kind: KeystoneService
 metadata:

tests/kuttl/test-suites/default/watcher/04-assert.yaml

@@ -66,6 +66,11 @@ metadata:
   finalizers:
   - openstack.org/watcher
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: watcher-kuttl
+---
 apiVersion: mariadb.openstack.org/v1beta1
 kind: MariaDBAccount
 metadata:

tests/kuttl/test-suites/default/watcher/05-errors.yaml

@@ -13,6 +13,11 @@ kind: Secret
 metadata:
   name: rabbitmq-transport-url-watcher-kuttl-watcher-transport
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: watcher-kuttl
+---
 apiVersion: rabbitmq.openstack.org/v1beta1
 kind: TransportURL
 metadata: