✨ Add transport secret for global hub manager and agent

operator/pkg/controllers/addon/addon_controller_manifests.go

@@ -41,14 +41,18 @@ type ManifestsConfig struct {
 	ImagePullSecretData    string
 	ImagePullPolicy        string
 	LeafHubID              string
+	KafkaAgentSecretName   string
 	KafkaBootstrapServer   string
+	KafkaBootstrapServers  string
 	TransportType          string
 	KafkaCACert            string
 	KafkaClientCert        string
 	KafkaClientKey         string
 	KafkaClientCertSecret  string
 	KafkaConsumerTopic     string
 	KafkaProducerTopic     string
+	KafkaSpecTopic         string
+	KafkaStatusTopic       string
 	MessageCompressionType string
 	InstallACMHub          bool
 	Channel                string
@@ -223,13 +227,17 @@ func (a *HohAgentAddon) GetValues(cluster *clusterv1.ManagedCluster,
 		HoHAgentImage:          image,
 		ImagePullPolicy:        string(imagePullPolicy),
 		LeafHubID:              cluster.Name,
+		KafkaAgentSecretName:   constants.GHAgentTransportSecret,
 		KafkaBootstrapServer:   kafkaConnection.BootstrapServer,
+		KafkaBootstrapServers:  base64.StdEncoding.EncodeToString([]byte(kafkaConnection.BootstrapServer)),
 		KafkaCACert:            kafkaConnection.CACert,
 		KafkaClientCert:        kafkaConnection.ClientCert,
 		KafkaClientKey:         kafkaConnection.ClientKey,
 		KafkaClientCertSecret:  certificates.AgentCertificateSecretName(),
 		KafkaConsumerTopic:     clusterTopic.SpecTopic,
+		KafkaSpecTopic:         base64.StdEncoding.EncodeToString([]byte(clusterTopic.SpecTopic)),
 		KafkaProducerTopic:     clusterTopic.StatusTopic,
+		KafkaStatusTopic:       base64.StdEncoding.EncodeToString([]byte(clusterTopic.StatusTopic)),
 		MessageCompressionType: string(operatorconstants.GzipCompressType),
 		TransportType:          string(transport.Kafka),
 		LeaseDuration:          strconv.Itoa(electionConfig.LeaseDuration),

operator/pkg/controllers/addon/manifests/templates/agent/multicluster-global-hub-agent-kafka-certs-secret.yaml

@@ -4,10 +4,18 @@ kind: Secret
 metadata:
   name: kafka-certs-secret
   namespace: {{ .AddonInstallNamespace }}
+  annotations:
+    transport-type: {{.TransportType}}
+    client-cert-secret: {{.KafkaClientCertSecret}}
+    cluster-ca-secret: kafka-cluster-ca-cert
   labels:
     addon.open-cluster-management.io/hosted-manifest-location: none
+    name: {{.KafkaAgentSecretName}}
 type: Opaque
 data:
+  "bootstrap_server": {{.KafkaBootstrapServers}}
+  "status_topic":  {{.KafkaStatusTopic}}
+  "spec_topic": {{.KafkaSpecTopic}}
   "ca.crt": "{{.KafkaCACert}}"
   "client.crt": "{{.KafkaClientCert}}"
   "client.key": "{{.KafkaClientKey}}"

operator/pkg/controllers/addon/manifests/templates/agent/multicluster-global-hub-agent-kafka-cluster-ca-cert.yaml

@@ -6,6 +6,7 @@ metadata:
   namespace: {{ .AddonInstallNamespace }}
   labels:
     addon.open-cluster-management.io/hosted-manifest-location: none
+    name: {{.KafkaAgentSecretName}}
 type: Opaque
 data:
   "ca.crt": "{{.KafkaCACert}}"

operator/pkg/controllers/hubofhubs/manager/manager_reconciler.go

@@ -121,13 +121,18 @@ func (r *ManagerReconciler) Reconcile(ctx context.Context,
 			DatabaseURL: base64.StdEncoding.EncodeToString(
 				[]byte(storageConn.SuperuserDatabaseURI)),
 			PostgresCACert:         base64.StdEncoding.EncodeToString(storageConn.CACert),
+			ManagerTransportSecret: constants.GHManagerTransportSecret,
 			KafkaClusterIdentity:   transportConn.Identity,
-			KafkaCACert:            transportConn.CACert,
-			KafkaClientCert:        transportConn.ClientCert,
-			KafkaClientKey:         transportConn.ClientKey,
+			KafkaClusterID:         base64.StdEncoding.EncodeToString([]byte(transportConn.Identity)),
 			KafkaBootstrapServer:   transportConn.BootstrapServer,
+			KafkaBootstrapServers:  base64.StdEncoding.EncodeToString([]byte(transportConn.BootstrapServer)),
 			KafkaConsumerTopic:     config.ManagerStatusTopic(),
+			KafkaStatusTopic:       base64.StdEncoding.EncodeToString([]byte(config.ManagerStatusTopic())),
 			KafkaProducerTopic:     config.GetSpecTopic(),
+			KafkaSpecTopic:         base64.StdEncoding.EncodeToString([]byte(config.GetSpecTopic())),
+			KafkaCACert:            transportConn.CACert,
+			KafkaClientCert:        transportConn.ClientCert,
+			KafkaClientKey:         transportConn.ClientKey,
 			Namespace:              mgh.Namespace,
 			MessageCompressionType: string(operatorconstants.GzipCompressType),
 			TransportType:          string(transport.Kafka),
@@ -193,13 +198,18 @@ type ManagerVariables struct {
 	ProxySessionSecret     string
 	DatabaseURL            string
 	PostgresCACert         string
+	ManagerTransportSecret string
 	KafkaClusterIdentity   string
+	KafkaClusterID         string
 	KafkaCACert            string
 	KafkaConsumerTopic     string
 	KafkaProducerTopic     string
+	KafkaStatusTopic       string
+	KafkaSpecTopic         string
 	KafkaClientCert        string
 	KafkaClientKey         string
 	KafkaBootstrapServer   string
+	KafkaBootstrapServers  string
 	MessageCompressionType string
 	TransportType          string
 	Namespace              string

operator/pkg/controllers/hubofhubs/manager/manifests/manager-transport-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{.ManagerTransportSecret}}
+  namespace: {{.Namespace}}
+  labels:
+    name: multicluster-global-hub-manager
+type: Opaque
+data:
+  "cluster_id": {{.KafkaClusterID}}
+  "bootstrap_server": {{.KafkaBootstrapServers}}
+  "status_topic":  {{.KafkaStatusTopic}}
+  "spec_topic": {{.KafkaSpecTopic}}
+  "ca.crt": {{.KafkaCACert}}
+  "client.crt": {{.KafkaClientCert}}
+  "client.key": {{.KafkaClientKey}}

operator/pkg/controllers/hubofhubs/transporter/protocol/strimzi_transporter.go

@@ -419,19 +419,19 @@ func (k *strimziTransporter) GetConnCredential(clusterName string) (*transport.C
 		return nil, err
 	}
 
-	userName := config.GetKafkaUserName(clusterName)
-	if !k.enableTLS {
-		k.log.Info("the kafka cluster hasn't enable tls for user", "username", userName)
-		return credential, nil
-	}
-
 	// don't need to load the client cert/key from the kafka user, since it use the external kafkaUser
+	// userName := config.GetKafkaUserName(clusterName)
+	// if !k.enableTLS {
+	// 	k.log.Info("the kafka cluster hasn't enable tls for user", "username", userName)
+	// 	return credential, nil
+	// }
 	// if err := k.loadUserCredentail(userName, credential); err != nil {
 	// 	return nil, err
 	// }
 	return credential, nil
 }
 
+// loadUserCredentail add credential with client cert, and key
 func (k *strimziTransporter) loadUserCredentail(kafkaUserName string, credential *transport.ConnCredential) error {
 	kafkaUserSecret := &corev1.Secret{}
 	err := k.runtimeClient.Get(k.ctx, types.NamespacedName{
@@ -446,6 +446,7 @@ func (k *strimziTransporter) loadUserCredentail(kafkaUserName string, credential
 	return nil
 }
 
+// getConnCredentailByCluster gets credential with clusterId, bootstrapServer, and serverCA
 func (k *strimziTransporter) getConnCredentailByCluster() (*transport.ConnCredential, error) {
 	kafkaCluster := &kafkav1beta2.Kafka{}
 	err := k.runtimeClient.Get(k.ctx, types.NamespacedName{

pkg/constants/constants.go

@@ -63,6 +63,12 @@ const (
 	PostgresCAConfigMap        = "multicluster-global-hub-postgres-ca"
 )
 
+// the global hub transport secret for manager and agent
+const (
+	GHManagerTransportSecret = "multicluster-global-hub-manager-transport" // #nosec G101
+	GHAgentTransportSecret   = "multicluster-global-hub-agent-transport"   // #nosec G101
+)
+
 // global hub console secret/configmap names
 const (
 	CustomAlertName      = "multicluster-global-hub-custom-alerting"

pkg/transport/type.go

@@ -76,7 +76,8 @@ type ClusterTopic struct {
 	StatusTopic string
 }
 
-// ConnCredential is used to connect the transporter instance
+// ConnCredential is used to connect the transporter instance. The field is persisted to secret
+// need to be encode with base64.StdEncoding.EncodeToString
 type ConnCredential struct {
 	Identity        string
 	BootstrapServer string

test/integration/operator/hubofhubs/transporter_test.go

@@ -407,7 +407,9 @@ var _ = Describe("transporter", Ordered, func() {
 
 		// topic: update
 		_, err = trans.EnsureTopic(clusterName)
-		Expect(err).To(Succeed())
+		if !errors.IsAlreadyExists(err) {
+			Expect(err).To(Succeed())
+		}
 
 		err = trans.Prune(clusterName)
 		Expect(err).To(Succeed())