broker CRD no longer directly embeds secrets, fix liqoctl path in installation.sh, fix for Lint 1.64.2, fix liqoctl version in requirements.sh

Author: AleC-IX

.golangci.yml

@@ -68,7 +68,7 @@ linters-settings:
   dupl:
     threshold: 300
   gocyclo:
-    min-complexity: 34
+    min-complexity: 39
 
 linters:
   disable-all: true

apis/network/v1alpha1/broker_status.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2024 FLUIDOS Project
+// Copyright 2022-2025 FLUIDOS Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

apis/network/v1alpha1/broker_types.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2024 FLUIDOS Project
+// Copyright 2022-2025 FLUIDOS Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,19 +15,18 @@
 package v1alpha1
 
 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // BrokerSpec defines the desired state of Broker.
 type BrokerSpec struct {
 
 	// Address of the Broker.
-	Address string         `json:"address"`
-	Name    string         `json:"name"`
-	ClCert  *corev1.Secret `json:"clcert"`
-	CaCert  *corev1.Secret `json:"cacert"`
-	Role    string         `json:"role"`
+	Address string `json:"address"`
+	Name    string `json:"name"`
+	ClCert  string `json:"clcert"`
+	CaCert  string `json:"cacert"`
+	Role    string `json:"role"`
 }
 
 // BrokerStatus defines the observed state of Broker.

apis/network/v1alpha1/zz_generated.deepcopy.go

@@ -46,153 +46,9 @@ spec:
                 description: Address of the Broker.
                 type: string
               cacert:
-                description: |-
-                  Secret holds secret data of a certain type. The total bytes of the values in
-                  the Data field must be less than MaxSecretSize bytes.
-                properties:
-                  apiVersion:
-                    description: |-
-                      APIVersion defines the versioned schema of this representation of an object.
-                      Servers should convert recognized schemas to the latest internal value, and
-                      may reject unrecognized values.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-                    type: string
-                  data:
-                    additionalProperties:
-                      format: byte
-                      type: string
-                    description: |-
-                      Data contains the secret data. Each key must consist of alphanumeric
-                      characters, '-', '_' or '.'. The serialized form of the secret data is a
-                      base64 encoded string, representing the arbitrary (possibly non-string)
-                      data value here. Described in https://tools.ietf.org/html/rfc4648#section-4
-                    type: object
-                  immutable:
-                    description: |-
-                      Immutable, if set to true, ensures that data stored in the Secret cannot
-                      be updated (only object metadata can be modified).
-                      If not set to true, the field can be modified at any time.
-                      Defaulted to nil.
-                    type: boolean
-                  kind:
-                    description: |-
-                      Kind is a string value representing the REST resource this object represents.
-                      Servers may infer this from the endpoint the client submits requests to.
-                      Cannot be updated.
-                      In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-                    type: string
-                  metadata:
-                    description: |-
-                      Standard object's metadata.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-                    properties:
-                      annotations:
-                        additionalProperties:
-                          type: string
-                        type: object
-                      finalizers:
-                        items:
-                          type: string
-                        type: array
-                      labels:
-                        additionalProperties:
-                          type: string
-                        type: object
-                      name:
-                        type: string
-                      namespace:
-                        type: string
-                    type: object
-                  stringData:
-                    additionalProperties:
-                      type: string
-                    description: |-
-                      stringData allows specifying non-binary secret data in string form.
-                      It is provided as a write-only input field for convenience.
-                      All keys and values are merged into the data field on write, overwriting any existing values.
-                      The stringData field is never output when reading from the API.
-                    type: object
-                  type:
-                    description: |-
-                      Used to facilitate programmatic handling of secret data.
-                      More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
-                    type: string
-                type: object
+                type: string
               clcert:
-                description: |-
-                  Secret holds secret data of a certain type. The total bytes of the values in
-                  the Data field must be less than MaxSecretSize bytes.
-                properties:
-                  apiVersion:
-                    description: |-
-                      APIVersion defines the versioned schema of this representation of an object.
-                      Servers should convert recognized schemas to the latest internal value, and
-                      may reject unrecognized values.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-                    type: string
-                  data:
-                    additionalProperties:
-                      format: byte
-                      type: string
-                    description: |-
-                      Data contains the secret data. Each key must consist of alphanumeric
-                      characters, '-', '_' or '.'. The serialized form of the secret data is a
-                      base64 encoded string, representing the arbitrary (possibly non-string)
-                      data value here. Described in https://tools.ietf.org/html/rfc4648#section-4
-                    type: object
-                  immutable:
-                    description: |-
-                      Immutable, if set to true, ensures that data stored in the Secret cannot
-                      be updated (only object metadata can be modified).
-                      If not set to true, the field can be modified at any time.
-                      Defaulted to nil.
-                    type: boolean
-                  kind:
-                    description: |-
-                      Kind is a string value representing the REST resource this object represents.
-                      Servers may infer this from the endpoint the client submits requests to.
-                      Cannot be updated.
-                      In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-                    type: string
-                  metadata:
-                    description: |-
-                      Standard object's metadata.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-                    properties:
-                      annotations:
-                        additionalProperties:
-                          type: string
-                        type: object
-                      finalizers:
-                        items:
-                          type: string
-                        type: array
-                      labels:
-                        additionalProperties:
-                          type: string
-                        type: object
-                      name:
-                        type: string
-                      namespace:
-                        type: string
-                    type: object
-                  stringData:
-                    additionalProperties:
-                      type: string
-                    description: |-
-                      stringData allows specifying non-binary secret data in string form.
-                      It is provided as a write-only input field for convenience.
-                      All keys and values are merged into the data field on write, overwriting any existing values.
-                      The stringData field is never output when reading from the API.
-                    type: object
-                  type:
-                    description: |-
-                      Used to facilitate programmatic handling of secret data.
-                      More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
-                    type: string
-                type: object
+                type: string
               name:
                 type: string
               role:

deployments/node/crds/network.fluidos.eu_brokers.yaml

@@ -12,15 +12,5 @@ spec:
   # anything else both publisher AND subscriber
   role: both
   #secrets must be created from certificate and key provided by broker server
-  cacert:
-    apiVersion: v1
-    kind: Secret
-    metadata:
-      name: broker-ca-secret
-      namespace: fluidos
-  clcert:
-    apiVersion: v1
-    kind: Secret
-    metadata:
-      name: broker-client-secret
-      namespace: fluidos
+  cacert: brokera-ca-xxxxx
+  clcert: brokera-cl-yyyyy

deployments/node/samples/broker.yaml

@@ -1,4 +1,4 @@
-// Copyright 2022-2024 FLUIDOS Project
+// Copyright 2022-2025 FLUIDOS Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -116,15 +116,15 @@ func (bc *BrokerClient) SetupBrokerClient(cl client.Client, broker *networkv1alp
 	bc.clientCert = &corev1.Secret{}
 	bc.rootCert = &corev1.Secret{}
 
-	klog.Infof("Root Secret Name: %s\n", broker.Spec.CaCert.Name)
-	klog.Infof("Client Secret Name: %s\n", broker.Spec.ClCert.Name)
+	klog.Infof("Root Secret Name: %s\n", broker.Spec.CaCert)
+	klog.Infof("Client Secret Name: %s\n", broker.Spec.ClCert)
 	secretNamespace := "fluidos"
 
-	err = bc.extractSecret(cl, broker.Spec.ClCert.Name, secretNamespace, bc.clientCert)
+	err = bc.extractSecret(cl, broker.Spec.ClCert, secretNamespace, bc.clientCert)
 	if err != nil {
 		return err
 	}
-	err = bc.extractSecret(cl, broker.Spec.CaCert.Name, secretNamespace, bc.rootCert)
+	err = bc.extractSecret(cl, broker.Spec.CaCert, secretNamespace, bc.rootCert)
 	if err != nil {
 		return err
 	}
@@ -148,21 +148,21 @@ func (bc *BrokerClient) SetupBrokerClient(cl client.Client, broker *networkv1alp
 	// Load client cert and privKey.
 	cert, err := tls.X509KeyPair(clientCert, clientKey)
 	if err != nil {
-		klog.Error("error X509KeyPair: %v", err)
+		klog.Errorf("error X509KeyPair: %v", err)
 		return err
 	}
 
 	// Load root cert.
 	caCertPool := x509.NewCertPool()
 	ok = caCertPool.AppendCertsFromPEM(caCertData)
 	if !ok {
-		klog.Error("AppendCertsFromPEM error: %v", ok)
+		klog.Errorf("AppendCertsFromPEM error: %v", ok)
 	}
 
 	// Routing key for topic.
 	bc.brokerConn.routingKey, err = extractCNfromCert(&clientCert)
 	if err != nil {
-		klog.Error("Common Name extraction error: %v", err)
+		klog.Errorf("Common Name extraction error: %v", err)
 	}
 	bc.brokerConn.queueName = bc.brokerConn.routingKey
 
@@ -219,7 +219,7 @@ func (bc *BrokerClient) publishOnBroker() {
 					Expiration:  "30000", // TTL ms
 				})
 			if err != nil {
-				klog.Error("Error pub message: %v", err)
+				klog.Errorf("Error pub message: %v", err)
 			}
 
 			select {
@@ -295,7 +295,7 @@ func extractCNfromCert(certPEM *[]byte) (string, error) {
 		// Parsing X.509
 		cert, err = x509.ParseCertificate(block.Bytes)
 		if err != nil {
-			klog.Error("Error parsing certificate X.509 in CN extraction: %v", err)
+			klog.Errorf("Error parsing certificate X.509 in CN extraction: %v", err)
 		} else {
 			CN = cert.Subject.CommonName
 		}
@@ -317,14 +317,14 @@ func (bc *BrokerClient) brokerConnectionConfig(tlsConfig *tls.Config) error {
 
 	bc.brokerConn.amqpConn, err = amqp.DialConfig(serverURL, config)
 	if err != nil {
-		klog.Error("RabbitMQ connection error: %v", err)
+		klog.Errorf("RabbitMQ connection error: %v", err)
 		return err
 	}
 
 	// Channel creation
 	bc.brokerConn.amqpChan, err = bc.brokerConn.amqpConn.Channel()
 	if err != nil {
-		klog.Error("channel creation error: %v", err)
+		klog.Errorf("channel creation error: %v", err)
 		return err
 	}
 
@@ -339,13 +339,13 @@ func (bc *BrokerClient) brokerConnectionConfig(tlsConfig *tls.Config) error {
 		nil,                     // Arguments
 	)
 	if err != nil {
-		klog.Error("Error subscribing queue: %s", err)
+		klog.Errorf("Error subscribing queue: %s", err)
 		return err
 	}
 
 	// Write confirm broker
 	if err := bc.brokerConn.amqpChan.Confirm(false); err != nil {
-		klog.Error("Failed to enable publisher confirms: %v", err)
+		klog.Errorf("Failed to enable publisher confirms: %v", err)
 		return err
 	}
 
@@ -363,7 +363,7 @@ func (bc *BrokerClient) extractSecret(cl client.Client, secretName, secretNamesp
 		Namespace: secretNamespace,
 	}, secretDest)
 	if err != nil {
-		klog.Error("Error retrieving Secret: %v\n", err)
+		klog.Errorf("Error retrieving Secret: %v\n", err)
 		return err
 	}
 	return nil