Support loading credentials from extra file

To allow the user of our driver to inject credentials from different sources we now support to load the credentials from an extra file. If the driver_config_credentials_path is defined, the driver will load it and patch credentials used inside the driver config where appropriate. This was implemented to load credentials from a Kubernetes secret, while keeping the rest of the config inside a config map.
sapcc · Apr 8, 2024 · b47f34a · b47f34a
1 parent 1d6cf1a
commit b47f34a
Show file tree

Hide file tree

Showing 4 changed files with 87 additions and 2 deletions.
diff --git a/networking_ccloud/common/config/__init__.py b/networking_ccloud/common/config/__init__.py
@@ -16,7 +16,7 @@
 from oslo_config import cfg
 import yaml
 
-from networking_ccloud.common.config.config_driver import DriverConfig
+from networking_ccloud.common.config.config_driver import DriverConfig, DriverCredentials
 from networking_ccloud.common.config import config_oslo  # noqa: F401
 from networking_ccloud.common import exceptions as cc_exc
 _FABRIC_CONF = None
@@ -51,6 +51,17 @@ def get_driver_config(path=None, cached=True):
         with open(path) as f:
             conf_data = yaml.safe_load(f)
 
+        if cfg.CONF.ml2_cc_fabric.driver_config_credentials_path:
+            with open(cfg.CONF.ml2_cc_fabric.driver_config_credentials_path) as f:
+                creds_data = yaml.safe_load(f)
+                creds = DriverCredentials.parse_obj(creds_data)
+            if creds.switch_credentials:
+                for sg in conf_data.get('switchgroups', []):
+                    for sw in sg.get('members'):
+                        if cred := creds.switch_credentials.get(sw.get('name')):
+                            sw['user'] = cred.user
+                            sw['password'] = cred.password
+
         # FIXME: error handling
         _FABRIC_CONF = DriverConfig.parse_obj(conf_data)
 

diff --git a/networking_ccloud/common/config/config_driver.py b/networking_ccloud/common/config/config_driver.py
@@ -756,3 +756,12 @@ def get_azs_for_hosts(self, binding_hosts, ignore_special=False):
 
     def list_availability_zones(self):
         return sorted(az.name for az in self.global_config.availability_zones)
+
+
+class Credentials(pydantic.BaseModel):
+    user: str
+    password: str
+
+
+class DriverCredentials(pydantic.BaseModel):
+    switch_credentials: Dict[str, Credentials] = None
diff --git a/networking_ccloud/common/config/config_oslo.py b/networking_ccloud/common/config/config_oslo.py
@@ -21,6 +21,8 @@
 cc_fabric_opts = [
     cfg.StrOpt("driver_config_path",
                help="Path to yaml config file"),
+    cfg.StrOpt("driver_config_credentials_path",
+               help="Extra config file to store crendentials in. The driver config will be updated with "),
     cfg.BoolOpt("handle_all_l3_gateways", default=True,
                 help="Spawn l3 gateways for all external networks. If this is disabled only networks with "
                      "the tag 'gateway-host::cc-fabric' will be considered"),

diff --git a/networking_ccloud/tests/unit/common/test_driver_config.py b/networking_ccloud/tests/unit/common/test_driver_config.py
@@ -12,7 +12,13 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from networking_ccloud.common.config import _override_driver_config
+import copy
+import json
+import tempfile
+
+from oslo_config import cfg
+
+from networking_ccloud.common.config import _override_driver_config, get_driver_config
 from networking_ccloud.common.config import config_driver as config
 from networking_ccloud.common import constants as cc_const
 from networking_ccloud.tests import base
@@ -292,3 +298,60 @@ def test_get_switchgroup_managed_vlans(self):
         self.assertEqual({2000, 2001, 2002}, sgs[0].get_managed_vlans(drv_conf, with_infra_nets=False))
         self.assertEqual({42, 2000, 2001, 2002}, sgs[0].get_managed_vlans(drv_conf, with_infra_nets=True))
         self.assertEqual({1337, 1338, 1339, 3333}, sgs[1].get_managed_vlans(drv_conf, with_infra_nets=False))
+
+
+class TestDriverConfigLoading(base.TestCase):
+    def setUp(self):
+        super().setUp()
+        switchgroups = [
+            cfix.make_switchgroup("seagull", availability_zone="qa-de-1a"),
+            cfix.make_switchgroup("crow", availability_zone="qa-de-1b"),
+            cfix.make_switchgroup("bgw2", availability_zone="qa-de-1b"),
+        ]
+        hg_seagull = cfix.make_metagroup("seagull")
+        hg_crow = cfix.make_hostgroups("crow")
+        hostgroups = hg_seagull + hg_crow
+
+        self.drv_conf = cfix.make_config(switchgroups=switchgroups, hostgroups=hostgroups)
+        self.drv_conf_data = self.drv_conf.dict(exclude_unset=True, exclude_defaults=True)
+
+    def test_config_loading(self):
+        with tempfile.NamedTemporaryFile(mode="w", delete=False) as f:
+            f.write(json.dumps(self.drv_conf_data))
+            f.close()
+            c = get_driver_config(f.name, cached=False)
+        self.assertEqual(3, len(c.switchgroups))
+
+    def test_credentials_loading(self):
+        drv_conf_data = copy.deepcopy(self.drv_conf_data)
+        for sg in drv_conf_data['switchgroups']:
+            for sw in sg['members']:
+                del sw['user']
+                del sw['password']
+
+        creds = {
+            "seagull-sw1": {"user": "herring-gull", "password": "fries"},
+            "seagull-sw2": {"user": "mew-gull", "password": "fish"},
+            "crow-sw1": {"user": "hooded-crow", "password": "walnut"},
+            "crow-sw2": {"user": "rook", "password": "seeds"},
+            "bgw2-sw1": {"user": "weesiknich", "password": "weesikochnich"},
+            "bgw2-sw2": {"user": "watsolls", "password": "bestimmtwatjutes"},
+        }
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False) as f, \
+                tempfile.NamedTemporaryFile(mode="w", delete=False) as creds_file:
+            f.write(json.dumps(drv_conf_data))
+            f.close()
+            creds_file.write(json.dumps({"switch_credentials": creds}))
+            creds_file.close()
+            cfg.CONF.set_override('driver_config_credentials_path', creds_file.name, group='ml2_cc_fabric')
+            c = get_driver_config(f.name, cached=False)
+        self.assertEqual(3, len(c.switchgroups))
+
+        checked_switches = set()
+        for sg in c.switchgroups:
+            for sw in sg.members:
+                self.assertEqual(creds[sw.name], dict(user=sw.user, password=sw.password))
+                checked_switches.add(sw.name)
+
+        self.assertEqual(set(creds), checked_switches)