feat: add secrets validation

linoyaslan · tsorya · commit a6e46e7abd8f · 2026-01-15T07:55:22.000-05:00
- Validate SSH key and pull secrets exist with required keys

Generated with Claude Code
diff --git a/api/v1alpha1/dpfhcpbridge_types.go b/api/v1alpha1/dpfhcpbridge_types.go
@@ -66,7 +66,7 @@ type DPFHCPBridgeSpec struct {
 	OCPReleaseImage string `json:"ocpReleaseImage"`
 
 	// SSHKeySecretRef is a reference to a Secret containing the SSH public key for cluster node access
-	// Secret must be in the same namespace as the DPFHCPBridge CR and contain key 'ssh-publickey'
+	// Secret must be in the same namespace as the DPFHCPBridge CR and contain key 'id_rsa.pub'
 	// This field is immutable.
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="sshKeySecretRef is immutable"
@@ -75,7 +75,7 @@ type DPFHCPBridgeSpec struct {
 	SSHKeySecretRef corev1.LocalObjectReference `json:"sshKeySecretRef"`
 
 	// PullSecretRef is a reference to a Secret containing the container registry pull secret
-	// Secret must be in the same namespace as the DPFHCPBridge CR and contain key 'pullsecret'
+	// Secret must be in the same namespace as the DPFHCPBridge CR and contain key '.dockerconfigjson'
 	// This field is immutable.
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="pullSecretRef is immutable"
diff --git a/cmd/main.go b/cmd/main.go
@@ -42,6 +42,7 @@ import (
 	"github.com/rh-ecosystem-edge/dpf-hcp-bridge-operator/internal/controller"
 	"github.com/rh-ecosystem-edge/dpf-hcp-bridge-operator/internal/controller/bluefield"
 	"github.com/rh-ecosystem-edge/dpf-hcp-bridge-operator/internal/controller/dpucluster"
+	"github.com/rh-ecosystem-edge/dpf-hcp-bridge-operator/internal/controller/secrets"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -212,12 +213,16 @@ func main() {
 	// Initialize DPUCluster Validator
 	dpuClusterValidator := dpucluster.NewValidator(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpbridge-controller"))
 
+	// Initialize Secrets Validator
+	secretsValidator := secrets.NewValidator(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpbridge-controller"))
+
 	if err := (&controller.DPFHCPBridgeReconciler{
 		Client:              mgr.GetClient(),
 		Scheme:              mgr.GetScheme(),
 		Recorder:            mgr.GetEventRecorderFor("dpfhcpbridge-controller"),
 		ImageResolver:       imageResolver,
 		DPUClusterValidator: dpuClusterValidator,
+		SecretsValidator:    secretsValidator,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "DPFHCPBridge")
 		os.Exit(1)
diff --git a/config/crd/bases/provisioning.dpu.hcp.io_dpfhcpbridges.yaml b/config/crd/bases/provisioning.dpu.hcp.io_dpfhcpbridges.yaml
@@ -131,7 +131,7 @@ spec:
               pullSecretRef:
                 description: |-
                   PullSecretRef is a reference to a Secret containing the container registry pull secret
-                  Secret must be in the same namespace as the DPFHCPBridge CR and contain key 'pullsecret'
+                  Secret must be in the same namespace as the DPFHCPBridge CR and contain key '.dockerconfigjson'
                   This field is immutable.
                 properties:
                   name:
@@ -151,7 +151,7 @@ spec:
               sshKeySecretRef:
                 description: |-
                   SSHKeySecretRef is a reference to a Secret containing the SSH public key for cluster node access
-                  Secret must be in the same namespace as the DPFHCPBridge CR and contain key 'ssh-publickey'
+                  Secret must be in the same namespace as the DPFHCPBridge CR and contain key 'id_rsa.pub'
                   This field is immutable.
                 properties:
                   name:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -8,6 +8,7 @@ rules:
   - ""
   resources:
   - configmaps
+  - secrets
   verbs:
   - get
   - list
diff --git a/helm/dpf-hcp-bridge-operator/INSTALL.md b/helm/dpf-hcp-bridge-operator/INSTALL.md
@@ -114,12 +114,12 @@ oc create namespace my-dpu-clusters
 
 # Create pull secret
 oc create secret generic my-pull-secret \
-  --from-file=pullsecret=$HOME/.docker/config.json \
+  --from-file=.dockerconfigjson=$HOME/.docker/config.json \
   -n my-dpu-clusters
 
 # Create SSH public key secret
 oc create secret generic my-ssh-key \
-  --from-file=ssh-publickey=$HOME/.ssh/id_rsa.pub \
+  --from-file=id_rsa.pub=$HOME/.ssh/id_rsa.pub \
   -n my-dpu-clusters
 ```
 
diff --git a/helm/dpf-hcp-bridge-operator/README.md b/helm/dpf-hcp-bridge-operator/README.md
@@ -251,12 +251,12 @@ Before creating a DPFHCPBridge CR, create the required secrets:
 ```bash
 # Create pull secret
 kubectl create secret generic my-pull-secret \
-  --from-file=pullsecret=/path/to/pull-secret.json \
+  --from-file=.dockerconfigjson=/path/to/pull-secret.json \
   -n default
 
 # Create SSH key secret
 kubectl create secret generic my-ssh-key \
-  --from-file=ssh-publickey=/path/to/id_rsa.pub \
+  --from-file=id_rsa.pub=/path/to/id_rsa.pub \
   -n default
 ```
 
diff --git a/helm/dpf-hcp-bridge-operator/crds/provisioning.dpu.hcp.io_dpfhcpbridges.yaml b/helm/dpf-hcp-bridge-operator/crds/provisioning.dpu.hcp.io_dpfhcpbridges.yaml
@@ -117,7 +117,7 @@ spec:
               pullSecretRef:
                 description: |-
                   PullSecretRef is a reference to a Secret containing the container registry pull secret
-                  Secret must be in the same namespace as the DPFHCPBridge CR and contain key 'pullsecret'
+                  Secret must be in the same namespace as the DPFHCPBridge CR and contain key '.dockerconfigjson'
                   This field is immutable.
                 properties:
                   name:
@@ -137,7 +137,7 @@ spec:
               sshKeySecretRef:
                 description: |-
                   SSHKeySecretRef is a reference to a Secret containing the SSH public key for cluster node access
-                  Secret must be in the same namespace as the DPFHCPBridge CR and contain key 'ssh-publickey'
+                  Secret must be in the same namespace as the DPFHCPBridge CR and contain key 'id_rsa.pub'
                   This field is immutable.
                 properties:
                   name:
diff --git a/helm/dpf-hcp-bridge-operator/examples/dpfhcpbridge-basic.yaml b/helm/dpf-hcp-bridge-operator/examples/dpfhcpbridge-basic.yaml
@@ -26,12 +26,12 @@ spec:
   ocpReleaseImage: quay.io/openshift-release-dev/ocp-release:4.19.0-ec.5-x86_64
 
   # Pull secret reference (must exist in same namespace as this CR)
-  # Secret must contain key 'pullsecret' with container registry credentials
+  # Secret must contain key '.dockerconfigjson' with container registry credentials
   pullSecretRef:
     name: my-pull-secret
 
   # SSH public key reference (must exist in same namespace as this CR)
-  # Secret must contain key 'ssh-publickey' with SSH public key
+  # Secret must contain key 'id_rsa.pub' with SSH public key
   sshKeySecretRef:
     name: my-ssh-key
 
diff --git a/helm/dpf-hcp-bridge-operator/examples/secrets-example.yaml b/helm/dpf-hcp-bridge-operator/examples/secrets-example.yaml
@@ -12,7 +12,7 @@ metadata:
   namespace: default
 type: Opaque
 stringData:
-  pullsecret: |
+  .dockerconfigjson: |
     {
       "auths": {
         "quay.io": {
@@ -37,29 +37,29 @@ metadata:
   namespace: default
 type: Opaque
 stringData:
-  ssh-publickey: |
+  id_rsa.pub: |
     ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC... user@example.com
 
 ---
 # Example: Creating secrets from files using kubectl
 #
 # Pull secret from Docker config:
 # kubectl create secret generic my-pull-secret \
-#   --from-file=pullsecret=$HOME/.docker/config.json \
+#   --from-file=.dockerconfigjson=$HOME/.docker/config.json \
 #   -n default
 #
 # Pull secret from OpenShift pull secret file:
 # kubectl create secret generic my-pull-secret \
-#   --from-file=pullsecret=/path/to/pull-secret.json \
+#   --from-file=.dockerconfigjson=/path/to/pull-secret.json \
 #   -n default
 #
 # SSH public key:
 # kubectl create secret generic my-ssh-key \
-#   --from-file=ssh-publickey=$HOME/.ssh/id_rsa.pub \
+#   --from-file=id_rsa.pub=$HOME/.ssh/id_rsa.pub \
 #   -n default
 #
 # Generate new SSH key pair:
 # ssh-keygen -t rsa -b 4096 -f /tmp/cluster-key -N ""
 # kubectl create secret generic my-ssh-key \
-#   --from-file=ssh-publickey=/tmp/cluster-key.pub \
+#   --from-file=id_rsa.pub=/tmp/cluster-key.pub \
 #   -n default
diff --git a/helm/dpf-hcp-bridge-operator/templates/NOTES.txt b/helm/dpf-hcp-bridge-operator/templates/NOTES.txt
@@ -93,8 +93,8 @@ TROUBLESHOOTING:
 - Common issues:
   * Missing BlueField image mapping: Add to ocp-bluefield-images ConfigMap
   * DPUCluster not found: Ensure DPUCluster CR exists and is referenced correctly
-  * Pull secret missing: Create secret with 'pullsecret' key in CR namespace
-  * SSH key missing: Create secret with 'ssh-publickey' key in CR namespace
+  * Pull secret missing: Create secret with '.dockerconfigjson' key in CR namespace
+  * SSH key missing: Create secret with 'id_rsa.pub' key in CR namespace
 
 For more information:
 - Documentation: https://github.com/rh-ecosystem-edge/dpf-hcp-bridge-operator
diff --git a/helm/dpf-hcp-bridge-operator/templates/clusterrole.yaml b/helm/dpf-hcp-bridge-operator/templates/clusterrole.yaml
@@ -56,11 +56,12 @@ rules:
   - create
   - patch
 
-# ConfigMap read permissions (for BlueField image mapping)
+# ConfigMap and Secret read permissions (for BlueField image mapping and secret validation)
 - apiGroups:
   - ""
   resources:
   - configmaps
+  - secrets
   verbs:
   - get
   - list
diff --git a/internal/controller/dpfhcpbridge_controller.go b/internal/controller/dpfhcpbridge_controller.go
@@ -38,6 +38,7 @@ import (
 	provisioningv1alpha1 "github.com/rh-ecosystem-edge/dpf-hcp-bridge-operator/api/v1alpha1"
 	"github.com/rh-ecosystem-edge/dpf-hcp-bridge-operator/internal/controller/bluefield"
 	"github.com/rh-ecosystem-edge/dpf-hcp-bridge-operator/internal/controller/dpucluster"
+	"github.com/rh-ecosystem-edge/dpf-hcp-bridge-operator/internal/controller/secrets"
 )
 
 // DPFHCPBridgeReconciler reconciles a DPFHCPBridge object
@@ -47,6 +48,7 @@ type DPFHCPBridgeReconciler struct {
 	Recorder            record.EventRecorder
 	ImageResolver       *bluefield.ImageResolver
 	DPUClusterValidator *dpucluster.Validator
+	SecretsValidator    *secrets.Validator
 }
 
 // +kubebuilder:rbac:groups=provisioning.dpu.hcp.io,resources=dpfhcpbridges,verbs=get;list;watch;create;update;patch;delete
@@ -56,6 +58,7 @@ type DPFHCPBridgeReconciler struct {
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch
 // +kubebuilder:rbac:groups=provisioning.dpu.nvidia.com,resources=dpuclusters,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -93,6 +96,15 @@ func (r *DPFHCPBridgeReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return result, err
 	}
 
+	// Feature: Secrets Validation
+	log.V(1).Info("Running secrets validation feature")
+	if result, err := r.SecretsValidator.ValidateSecrets(ctx, &cr); err != nil || result.Requeue || result.RequeueAfter > 0 {
+		if err != nil {
+			log.Error(err, "Secrets validation failed")
+		}
+		return result, err
+	}
+
 	// Feature: Resolve BlueField Image
 	// Only validate image during initial creation/retry (Pending/Failed phases)
 	// Once cluster is provisioned (Provisioning/Ready), skip validation to avoid
@@ -135,6 +147,11 @@ func (r *DPFHCPBridgeReconciler) SetupWithManager(mgr ctrl.Manager) error {
 			handler.EnqueueRequestsFromMapFunc(r.dpuClusterToRequests),
 			builder.WithPredicates(dpuClusterPredicate()),
 		).
+		Watches(
+			&corev1.Secret{},
+			handler.EnqueueRequestsFromMapFunc(r.secretToRequests),
+			builder.WithPredicates(secretPredicate()),
+		).
 		Named("dpfhcpbridge").
 		Complete(r)
 }
@@ -266,6 +283,80 @@ func (r *DPFHCPBridgeReconciler) dpuClusterToRequests(ctx context.Context, obj c
 	return requests
 }
 
+// secretPredicate filters Secret events to watch for changes to referenced secrets
+func secretPredicate() predicate.Predicate {
+	return predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			// Watch creation - reconcile affected DPFHCPBridge CRs
+			return true
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			// Watch updates - reconcile affected DPFHCPBridge CRs
+			return true
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			// Watch deletion - reconcile affected DPFHCPBridge CRs
+			return true
+		},
+	}
+}
+
+// secretToRequests maps Secret events to reconcile requests for DPFHCPBridge CRs
+// that reference the secret via sshKeySecretRef or pullSecretRef
+func (r *DPFHCPBridgeReconciler) secretToRequests(ctx context.Context, obj client.Object) []reconcile.Request {
+	log := logf.FromContext(ctx)
+
+	secret, ok := obj.(*corev1.Secret)
+	if !ok {
+		log.Error(nil, "Failed to convert object to Secret", "object", obj)
+		return []reconcile.Request{}
+	}
+
+	// List all DPFHCPBridge CRs cluster-wide
+	var bridgeList provisioningv1alpha1.DPFHCPBridgeList
+	if err := r.List(ctx, &bridgeList); err != nil {
+		log.Error(err, "Failed to list DPFHCPBridge CRs for Secret watch")
+		return []reconcile.Request{}
+	}
+
+	// Find all DPFHCPBridge CRs that reference this secret
+	requests := make([]reconcile.Request, 0)
+	for _, bridge := range bridgeList.Items {
+		// Check if this secret is referenced by sshKeySecretRef or pullSecretRef
+		// Note: Secrets are namespace-scoped, so we need to check both name and namespace
+		isSSHKeySecret := bridge.Spec.SSHKeySecretRef.Name == secret.Name &&
+			bridge.Namespace == secret.Namespace
+		isPullSecret := bridge.Spec.PullSecretRef.Name == secret.Name &&
+			bridge.Namespace == secret.Namespace
+
+		if isSSHKeySecret || isPullSecret {
+			requests = append(requests, reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Name:      bridge.Name,
+					Namespace: bridge.Namespace,
+				},
+			})
+
+			log.V(1).Info("Secret referenced by DPFHCPBridge CR",
+				"secret", secret.Name,
+				"secretNamespace", secret.Namespace,
+				"bridge", bridge.Name,
+				"bridgeNamespace", bridge.Namespace,
+				"isSSHKey", isSSHKeySecret,
+				"isPullSecret", isPullSecret)
+		}
+	}
+
+	if len(requests) > 0 {
+		log.Info("Secret changed, reconciling DPFHCPBridge CRs",
+			"secret", secret.Name,
+			"secretNamespace", secret.Namespace,
+			"affectedCRs", len(requests))
+	}
+
+	return requests
+}
+
 // updatePhaseFromConditions computes the phase based on all conditions
 // This follows the Kubernetes pattern where phase is derived from conditions,
 // not set by individual features (similar to NVIDIA DPUCluster controller)
@@ -279,6 +370,7 @@ func (r *DPFHCPBridgeReconciler) updatePhaseFromConditions(cr *provisioningv1alp
 		{"DPUClusterMissing", true},       // True = cluster missing = bad
 		{"ClusterTypeValid", false},       // False = type invalid = bad
 		{"DPUClusterInUse", true},         // True = cluster already in use = bad
+		{"SecretsValid", false},           // False = secrets invalid = bad
 		{"BlueFieldImageResolved", false}, // False = image not resolved = bad
 	}
 
diff --git a/internal/controller/secrets/validator.go b/internal/controller/secrets/validator.go
diff --git a/internal/controller/secrets/validator_test.go b/internal/controller/secrets/validator_test.go
