Replace carriage return when getting provider secrets for registry + E2E changes (openshift#652)

* Replace carriage return when getting provider secrets for registry

Co-authored-by: GitHub Co-pilot <[email protected]>

* add tests

* replaceCarriageReturn unit test

* Registry credentials can use other secret names

Co-authored-by: GitHub Co-pilot <[email protected]>

Author: kaovilai

controllers/registry.go

@@ -285,14 +285,14 @@ func (r *DPAReconciler) buildRegistryDeployment(registryDeployment *appsv1.Deplo
 
 	// attach secret volume for cloud providers
 	if _, ok := bsl.Spec.Config["credentialsFile"]; ok {
-		if cloudProviderMap, bslCredOk := credentials.PluginSpecificFields[oadpv1alpha1.DefaultPlugin(bsl.Spec.Provider)]; bslCredOk {
+		if secretName, err := credentials.GetSecretNameFromCredentialsFileConfigString(bsl.Spec.Config["credentialsFile"]); err == nil {
 			registryDeployment.Spec.Template.Spec.Volumes = append(
 				registryDeployment.Spec.Template.Spec.Volumes,
 				corev1.Volume{
-					Name: cloudProviderMap.BslSecretName,
+					Name: secretName,
 					VolumeSource: corev1.VolumeSource{
 						Secret: &corev1.SecretVolumeSource{
-							SecretName: cloudProviderMap.BslSecretName,
+							SecretName: secretName,
 						},
 					},
 				},
@@ -387,12 +387,14 @@ func (r *DPAReconciler) buildRegistryContainer(bsl *velerov1.BackupStorageLocati
 
 	// check for secret name
 	if _, ok := bsl.Spec.Config["credentialsFile"]; ok { // If credentialsFile config is used, then mount the bsl secret
-		if _, bslCredOk := credentials.PluginSpecificFields[oadpv1alpha1.DefaultPlugin(bsl.Spec.Provider)]; bslCredOk {
-			containers[0].VolumeMounts = []corev1.VolumeMount{
-				{
-					Name:      credentials.PluginSpecificFields[oadpv1alpha1.DefaultPlugin(bsl.Spec.Provider)].BslSecretName,
-					MountPath: credentials.PluginSpecificFields[oadpv1alpha1.DefaultPlugin(bsl.Spec.Provider)].BslMountPath,
-				},
+		if secretName, err := credentials.GetSecretNameFromCredentialsFileConfigString(bsl.Spec.Config["credentialsFile"]); err == nil {
+			if _, bslCredOk := credentials.PluginSpecificFields[oadpv1alpha1.DefaultPlugin(bsl.Spec.Provider)]; bslCredOk {
+				containers[0].VolumeMounts = []corev1.VolumeMount{
+					{
+						Name:      secretName,
+						MountPath: credentials.PluginSpecificFields[oadpv1alpha1.DefaultPlugin(bsl.Spec.Provider)].BslMountPath,
+					},
+				}
 			}
 		}
 	} else if bsl.Spec.Provider == GCPProvider { // append secret volumes if the BSL provider is GCP
@@ -557,8 +559,22 @@ func (r *DPAReconciler) getProviderSecret(secretName string) (corev1.Secret, err
 		return secret, err
 	}
 	r.Log.Info(fmt.Sprintf("got provider secret name: %s", secret.Name))
+	// replace carriage return with new line
+	secret.Data = replaceCarriageReturn(secret.Data, r.Log)
 	return secret, nil
 }
+
+func replaceCarriageReturn(data map[string][]byte, logger logr.Logger) map[string][]byte {
+	for k, v := range data {
+		// report if carriage return is found
+		if strings.Contains(string(v), "\r\n") {
+			logger.Info("carriage return replaced")
+			data[k] = []byte(strings.ReplaceAll(string(v), "\r\n", "\n"))
+		}
+	}
+	return data
+}
+
 func (r *DPAReconciler) getSecretNameAndKeyforBackupLocation(bslspec oadpv1alpha1.BackupLocation) (string, string) {
 
 	if bslspec.CloudStorage != nil {
@@ -578,11 +594,12 @@ func (r *DPAReconciler) getSecretNameAndKey(bslSpec *velerov1.BackupStorageLocat
 	secretName := credentials.PluginSpecificFields[plugin].SecretName
 	secretKey := credentials.PluginSpecificFields[plugin].PluginSecretKey
 	if _, ok := bslSpec.Config["credentialsFile"]; ok {
-		secretName = credentials.PluginSpecificFields[plugin].BslSecretName
-		secretKey = credentials.PluginSpecificFields[plugin].PluginSecretKey
+		if secretName, secretKey, err :=
+			credentials.GetSecretNameKeyFromCredentialsFileConfigString(bslSpec.Config["credentialsFile"]); err == nil {
+			r.Log.Info(fmt.Sprintf("credentialsFile secret: %s, key: %s", secretName, secretKey))
+			return secretName, secretKey
+		}
 	}
-	r.Log.Info(fmt.Sprintf("secret: %s", secretName))
-	r.Log.Info(fmt.Sprintf("key: %s", secretKey))
 	// check if user specified the Credential Name and Key
 	credential := bslSpec.Credential
 	if credential != nil {

controllers/registry_test.go

@@ -1,28 +1,26 @@
 package controllers
 
 import (
-	"github.com/go-logr/logr"
-	routev1 "github.com/openshift/api/route/v1"
-	oadpv1alpha1 "github.com/openshift/oadp-operator/api/v1alpha1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-
-	//"k8s.io/apimachinery/pkg/types"
+	"context"
 	"reflect"
 	"testing"
 
-	"k8s.io/client-go/tools/record"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-
+	"github.com/go-logr/logr"
+	routev1 "github.com/openshift/api/route/v1"
+	oadpv1alpha1 "github.com/openshift/oadp-operator/api/v1alpha1"
 	"github.com/openshift/oadp-operator/pkg/common"
 	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/record"
 	"k8s.io/utils/pointer"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
 
 func getSchemeForFakeClientForRegistry() (*runtime.Scheme, error) {
@@ -91,6 +89,19 @@ var (
 				"aws_secret_access_key=" + testSecretAccessKey + "=" + testSecretAccessKey,
 		),
 	}
+	secretDataWithCarriageReturnInSecret = map[string][]byte{
+		"cloud": []byte(
+			"\n[" + testBslProfile + "]\r\n" +
+				"aws_access_key_id=" + testBslAccessKey + "\n" +
+				"aws_secret_access_key=" + testBslSecretAccessKey + "=" + testBslSecretAccessKey +
+				"\n[default]" + "\n" +
+				"aws_access_key_id=" + testAccessKey + "\n" +
+				"aws_secret_access_key=" + testSecretAccessKey + "=" + testSecretAccessKey +
+				"\r\n[test-profile]\n" +
+				"aws_access_key_id=" + testAccessKey + "\r\n" +
+				"aws_secret_access_key=" + testSecretAccessKey + "=" + testSecretAccessKey,
+		),
+	}
 	secretDataWithMixedQuotesAndSpacesInSecret = map[string][]byte{
 		"cloud": []byte(
 			"\n[" + testBslProfile + "]\n" +
@@ -261,6 +272,56 @@ func TestDPAReconciler_buildRegistryDeployment(t *testing.T) {
 			},
 			dpa: &oadpv1alpha1.DataProtectionApplication{},
 		},
+		{
+			name: "given a valid bsl with carriageReturn in secret val get appropriate registry deployment",
+			registryDeployment: &appsv1.Deployment{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-registry",
+					Namespace: "test-ns",
+				},
+				Spec: appsv1.DeploymentSpec{
+					Selector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"component": "oadp-" + "test-bsl" + "-" + "aws" + "-registry",
+						},
+					},
+				},
+			},
+			bsl: &velerov1.BackupStorageLocation{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-bsl",
+					Namespace: "test-ns",
+				},
+				Spec: velerov1.BackupStorageLocationSpec{
+					Provider: AWSProvider,
+					StorageType: velerov1.StorageType{
+						ObjectStorage: &velerov1.ObjectStorageLocation{
+							Bucket: "aws-bucket",
+						},
+					},
+					Config: map[string]string{
+						Region:                "aws-region",
+						S3URL:                 "https://sr-url-aws-domain.com",
+						InsecureSkipTLSVerify: "false",
+					},
+				},
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "cloud-credentials",
+					Namespace: "test-ns",
+				},
+				Data: secretDataWithCarriageReturnInSecret,
+			},
+			registrySecret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "oadp-test-bsl-aws-registry-secret",
+					Namespace: "test-ns",
+				},
+				Data: secretDataWithCarriageReturnInSecret,
+			},
+			dpa: &oadpv1alpha1.DataProtectionApplication{},
+		},
 		{
 			name: "given a valid bsl with use of quotes in secret val get appropriate registry deployment",
 			registryDeployment: &appsv1.Deployment{
@@ -1851,3 +1912,43 @@ func TestDPAReconciler_populateAzureRegistrySecret(t *testing.T) {
 		})
 	}
 }
+
+func Test_replaceCarriageReturn(t *testing.T) {
+	type args struct {
+		data   map[string][]byte
+		logger logr.Logger
+	}
+	tests := []struct {
+		name string
+		args args
+		want map[string][]byte
+	}{
+		{
+			name: "Given a map with carriage return, carriage return is replaced with new line",
+			args: args{
+				data: map[string][]byte{
+					"test": []byte("test\r\n"),
+				},
+				logger: logr.FromContextOrDiscard(context.TODO()),
+			},
+			want: map[string][]byte{
+				"test": []byte("test\n"),
+			},
+		},
+		{
+			name: "Given secret data with carriage return, carriage return is replaced with new line",
+			args: args{
+				data: secretDataWithCarriageReturnInSecret,
+				logger: logr.FromContextOrDiscard(context.TODO()),
+			},
+			want: secretDataWithEqualInSecret,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := replaceCarriageReturn(tt.args.data, tt.args.logger); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("replaceCarriageReturn() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

pkg/credentials/credentials.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strings"
 
 	oadpv1alpha1 "github.com/openshift/oadp-operator/api/v1alpha1"
 	"github.com/openshift/oadp-operator/pkg/common"
@@ -15,7 +16,6 @@ type DefaultPluginFields struct {
 	IsCloudProvider    bool
 	SecretName         string
 	MountPath          string
-	BslSecretName      string
 	BslMountPath       string
 	EnvCredentialsFile string
 	PluginImage        string
@@ -33,7 +33,6 @@ var (
 			IsCloudProvider:    true,
 			SecretName:         "cloud-credentials",
 			MountPath:          "/credentials",
-			BslSecretName:      "bsl-cloud-credentials-aws",
 			BslMountPath:       "/bsl-cloud-credentials-aws",
 			EnvCredentialsFile: common.AWSSharedCredentialsFileEnvKey,
 			PluginName:         common.VeleroPluginForAWS,
@@ -43,7 +42,6 @@ var (
 			IsCloudProvider:    true,
 			SecretName:         "cloud-credentials-gcp",
 			MountPath:          "/credentials-gcp",
-			BslSecretName:      "bsl-cloud-credentials-gcp",
 			BslMountPath:       "/bsl-cloud-credentials-gcp",
 			EnvCredentialsFile: common.GCPCredentialsEnvKey,
 			PluginName:         common.VeleroPluginForGCP,
@@ -53,7 +51,6 @@ var (
 			IsCloudProvider:    true,
 			SecretName:         "cloud-credentials-azure",
 			MountPath:          "/credentials-azure",
-			BslSecretName:      "bsl-cloud-credentials-azure",
 			BslMountPath:       "/bsl-cloud-credentials-azure",
 			EnvCredentialsFile: common.AzureCredentialsFileEnvKey,
 			PluginName:         common.VeleroPluginForAzure,
@@ -75,6 +72,24 @@ var (
 	}
 )
 
+// Get secretName and secretKey from "secretName/secretKey"
+func GetSecretNameKeyFromCredentialsFileConfigString(credentialsFile string) (string, string, error) {
+	credentialsFile = strings.TrimSpace(credentialsFile)
+	if credentialsFile == "" {
+		return "", "", nil
+	}
+	nameKeyArray := strings.Split(credentialsFile, "/")
+	if len(nameKeyArray) != 2 {
+		return "", "", errors.New("credentials file is not supported")
+	}
+	return nameKeyArray[0], nameKeyArray[1], nil
+}
+
+func GetSecretNameFromCredentialsFileConfigString(credentialsFile string) (string, error) {
+	name, _, err := GetSecretNameKeyFromCredentialsFileConfigString(credentialsFile)
+	return name, err
+}
+
 func getAWSPluginImage(dpa *oadpv1alpha1.DataProtectionApplication) string {
 	if dpa.Spec.UnsupportedOverrides[oadpv1alpha1.AWSPluginImageKey] != "" {
 		return dpa.Spec.UnsupportedOverrides[oadpv1alpha1.AWSPluginImageKey]
@@ -225,14 +240,14 @@ func AppendCloudProviderVolumes(dpa *oadpv1alpha1.DataProtectionApplication, ds
 	}
 	for _, bslSpec := range dpa.Spec.BackupLocations {
 		if _, ok := bslSpec.Velero.Config["credentialsFile"]; ok {
-			if cloudProviderMap, bslCredOk := PluginSpecificFields[oadpv1alpha1.DefaultPlugin(bslSpec.Velero.Provider)]; bslCredOk {
+			if secretName, err := GetSecretNameFromCredentialsFileConfigString(bslSpec.Velero.Config["credentialsFile"]); err == nil {
 				ds.Spec.Template.Spec.Volumes = append(
 					ds.Spec.Template.Spec.Volumes,
 					corev1.Volume{
-						Name: cloudProviderMap.BslSecretName,
+						Name: secretName,
 						VolumeSource: corev1.VolumeSource{
 							Secret: &corev1.SecretVolumeSource{
-								SecretName: cloudProviderMap.BslSecretName,
+								SecretName: secretName,
 							},
 						},
 					},
@@ -308,20 +323,20 @@ func AppendPluginSpecificSpecs(dpa *oadpv1alpha1.DataProtectionApplication, vele
 			// append bsl volume secret
 			for _, bslSpec := range dpa.Spec.BackupLocations {
 				if _, ok := bslSpec.Velero.Config["credentialsFile"]; ok {
-					if cloudProviderMap, bslCredOk := PluginSpecificFields[oadpv1alpha1.DefaultPlugin(bslSpec.Velero.Provider)]; bslCredOk {
+					if secretName, err := GetSecretNameFromCredentialsFileConfigString(bslSpec.Velero.Config["credentialsFile"]); err == nil {
 						veleroContainer.VolumeMounts = append(
 							veleroContainer.VolumeMounts,
 							corev1.VolumeMount{
-								Name:      cloudProviderMap.BslSecretName,
+								Name:      secretName,
 								MountPath: pluginSpecificMap.BslMountPath,
 							})
 						veleroDeployment.Spec.Template.Spec.Volumes = append(
 							veleroDeployment.Spec.Template.Spec.Volumes,
 							corev1.Volume{
-								Name: cloudProviderMap.BslSecretName,
+								Name: secretName,
 								VolumeSource: corev1.VolumeSource{
 									Secret: &corev1.SecretVolumeSource{
-										SecretName: cloudProviderMap.BslSecretName,
+										SecretName: secretName,
 									},
 								},
 							},