cyborg: Generate agent config secret for dataplane deployment

The Cyborg controller now generates a `{name}-agent-config` secret
containing the rendered configuration for the cyborg-agent service
running on EDPM compute nodes. This secret is consumed by the
edpm-ansible cyborg role to configure the agent on the dataplane.

The shared 00-default.conf template is updated to guard the
[database] section with a conditional, allowing reuse for the
agent config without a separate template.

Assisted-By: claude
Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Author: amoralej

api/cyborg/v1beta1/conditions.go

@@ -32,6 +32,9 @@ const (
 
 	// CyborgConductorReadyCondition indicates whether the CyborgConductor is ready
 	CyborgConductorReadyCondition condition.Type = "CyborgConductorReady"
+
+	// CyborgAgentConfigReadyCondition indicates whether the Cyborg agent config secret is ready
+	CyborgAgentConfigReadyCondition condition.Type = "CyborgAgentConfigReady"
 )
 
 const (
@@ -58,4 +61,10 @@ const (
 
 	// CyborgApplicationCredentialSecretErrorMessage -
 	CyborgApplicationCredentialSecretErrorMessage = "Error with application credential secret"
+
+	// CyborgAgentConfigReadyInitMessage -
+	CyborgAgentConfigReadyInitMessage = "CyborgAgent config not started"
+
+	// CyborgAgentConfigReadyErrorMessage -
+	CyborgAgentConfigReadyErrorMessage = "CyborgAgent config error occurred %s"
 )

internal/controller/cyborg/cyborg_controller.go

@@ -337,6 +337,16 @@ func (r *CyborgReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 
 	instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
 
+	//
+	// Generate agent config secret for dataplane
+	//
+	ctrlResult, err := r.ensureAgentConfig(ctx, h, instance, transporturlSecret, inputSecret, acData, keystoneAuthURL, keystoneRegion)
+	if err != nil {
+		return ctrl.Result{}, err
+	} else if (ctrlResult != ctrl.Result{}) {
+		return ctrlResult, nil
+	}
+
 	//
 	// Create Keystone Service
 	//
@@ -366,7 +376,7 @@ func (r *CyborgReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 	//
 	// Create dbsync job
 	//
-	ctrlResult, err := r.ensureDBSync(ctx, h, instance, serviceLabels)
+	ctrlResult, err = r.ensureDBSync(ctx, h, instance, serviceLabels)
 	if err != nil {
 		return ctrl.Result{}, err
 	} else if (ctrlResult != ctrl.Result{}) {
@@ -494,6 +504,10 @@ func (r *CyborgReconciler) initConditions(instance *cyborgv1beta1.Cyborg) error
 			cyborgv1beta1.CyborgConductorReadyCondition,
 			condition.InitReason,
 			cyborgv1beta1.CyborgConductorReadyInitMessage),
+		condition.UnknownCondition(
+			cyborgv1beta1.CyborgAgentConfigReadyCondition,
+			condition.InitReason,
+			cyborgv1beta1.CyborgAgentConfigReadyInitMessage),
 	)
 
 	instance.Status.Conditions.Init(&cl)
@@ -1221,3 +1235,78 @@ func ensureSecret(
 
 	return hash, ctrl.Result{}, *s, nil
 }
+
+func (r *CyborgReconciler) ensureAgentConfig(
+	ctx context.Context,
+	h *helper.Helper,
+	instance *cyborgv1beta1.Cyborg,
+	transporturlSecret corev1.Secret,
+	inputSecret corev1.Secret,
+	acData *keystonev1.ApplicationCredentialData,
+	keystoneAuthURL string,
+	keystoneRegion string,
+) (ctrl.Result, error) {
+	err := r.generateAgentConfig(ctx, h, instance, transporturlSecret, inputSecret, acData, keystoneAuthURL, keystoneRegion)
+	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			cyborgv1beta1.CyborgAgentConfigReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			cyborgv1beta1.CyborgAgentConfigReadyErrorMessage,
+			err.Error()))
+		return ctrl.Result{}, err
+	}
+	instance.Status.Conditions.MarkTrue(
+		cyborgv1beta1.CyborgAgentConfigReadyCondition, condition.ServiceConfigReadyMessage,
+	)
+	return ctrl.Result{}, nil
+}
+
+func (r *CyborgReconciler) generateAgentConfig(
+	ctx context.Context,
+	h *helper.Helper,
+	instance *cyborgv1beta1.Cyborg,
+	transporturlSecret corev1.Secret,
+	inputSecret corev1.Secret,
+	acData *keystonev1.ApplicationCredentialData,
+	keystoneAuthURL string,
+	keystoneRegion string,
+) error {
+	servicePassword := string(inputSecret.Data[instance.Spec.PasswordSelectors.Service])
+
+	templateParameters := map[string]any{
+		"TransportURL":    string(transporturlSecret.Data[TransportURLSelector]),
+		"QuorumQueues":    string(transporturlSecret.Data[QuorumQueuesSelector]) == "true",
+		"KeystoneAuthURL": keystoneAuthURL,
+		"ServiceUser":     *instance.Spec.ServiceUser,
+		"ServicePassword": servicePassword,
+		"Region":          keystoneRegion,
+	}
+
+	if acData != nil {
+		templateParameters["ACID"] = acData.ID
+		templateParameters["ACSecret"] = acData.Secret
+	}
+
+	if instance.Spec.APIServiceTemplate.TLS.CaBundleSecretName != "" {
+		templateParameters["CaFilePath"] = tls.DownstreamTLSCABundlePath
+	}
+
+	serviceLabels := labels.GetLabels(instance, labels.GetGroupLabel(cyborgservice.ServiceName), map[string]string{})
+
+	cms := []util.Template{
+		{
+			Name:          instance.GetName() + "-agent-config",
+			Namespace:     instance.GetNamespace(),
+			Type:          util.TemplateTypeConfig,
+			InstanceType:  instance.GetObjectKind().GroupVersionKind().Kind,
+			ConfigOptions: templateParameters,
+			Labels:        serviceLabels,
+			AdditionalTemplate: map[string]string{
+				"00-default.conf": "/cyborg/00-default.conf",
+			},
+		},
+	}
+
+	return secret.EnsureSecrets(ctx, h, instance, cms, nil)
+}

templates/cyborg/00-default.conf

@@ -8,8 +8,10 @@ transport_url = {{ .TransportURL }}
 log_file = {{ .LogFile }}
 {{ end }}
 
+{{ if (index . "DatabaseConnection") }}
 [database]
 connection = {{ .DatabaseConnection }}
+{{ end }}
 
 {{ if (index . "TransportURL") }}
 [oslo_messaging_rabbit]

test/functional/cyborg/cyborg_controller_test.go

@@ -67,6 +67,7 @@ type CyborgNames struct {
 	ConductorName            types.NamespacedName
 	ConductorStatefulSetName types.NamespacedName
 	ConductorConfigDataName  types.NamespacedName
+	AgentConfigSecretName    types.NamespacedName
 }
 
 func GetCyborgNames(cyborgName types.NamespacedName) CyborgNames {
@@ -140,6 +141,10 @@ func GetCyborgNames(cyborgName types.NamespacedName) CyborgNames {
 			Namespace: cyborgName.Namespace,
 			Name:      cyborgName.Name + "-conductor-config-data",
 		},
+		AgentConfigSecretName: types.NamespacedName{
+			Namespace: cyborgName.Namespace,
+			Name:      cyborgName.Name + "-agent-config",
+		},
 	}
 }
 
@@ -164,6 +169,7 @@ var _ = Describe("Cyborg controller", func() {
 				g.Expect(cyborg.Status.Conditions.Has(condition.DBSyncReadyCondition)).To(BeTrue())
 				g.Expect(cyborg.Status.Conditions.Has(condition.KeystoneServiceReadyCondition)).To(BeTrue())
 				g.Expect(cyborg.Status.Conditions.Has(cyborgv1beta1.CyborgAPIReadyCondition)).To(BeTrue())
+				g.Expect(cyborg.Status.Conditions.Has(cyborgv1beta1.CyborgAgentConfigReadyCondition)).To(BeTrue())
 			}, timeout, interval).Should(Succeed())
 		})
 
@@ -274,6 +280,32 @@ var _ = Describe("Cyborg controller", func() {
 			}, timeout, interval).Should(Succeed())
 		})
 
+		It("creates an agent config secret for the dataplane", func() {
+			mariadb.SimulateMariaDBAccountCompleted(cyborgNames.MariaDBAccountName)
+			mariadb.SimulateMariaDBDatabaseCompleted(cyborgNames.MariaDBDatabaseName)
+			infra.SimulateTransportURLReady(cyborgNames.TransportURLName)
+
+			Eventually(func(g Gomega) {
+				agentSecret := th.GetSecret(cyborgNames.AgentConfigSecretName)
+				g.Expect(agentSecret.Data).To(HaveKey("00-default.conf"))
+
+				defaultConf := string(agentSecret.Data["00-default.conf"])
+				g.Expect(defaultConf).To(ContainSubstring("transport_url"))
+				g.Expect(defaultConf).To(ContainSubstring("[keystone_authtoken]"))
+				g.Expect(defaultConf).To(ContainSubstring("[placement]"))
+				g.Expect(defaultConf).To(ContainSubstring("[nova]"))
+				g.Expect(defaultConf).To(ContainSubstring("username = cyborg"))
+				g.Expect(defaultConf).NotTo(ContainSubstring("[database]"))
+			}, timeout, interval).Should(Succeed())
+
+			th.ExpectCondition(
+				cyborgNames.CyborgName,
+				ConditionGetterFunc(CyborgConditionGetter),
+				cyborgv1beta1.CyborgAgentConfigReadyCondition,
+				corev1.ConditionTrue,
+			)
+		})
+
 		It("creates a config data secret for dbsync", func() {
 			mariadb.SimulateMariaDBAccountCompleted(cyborgNames.MariaDBAccountName)
 			mariadb.SimulateMariaDBDatabaseCompleted(cyborgNames.MariaDBDatabaseName)
@@ -314,6 +346,13 @@ var _ = Describe("Cyborg controller", func() {
 				corev1.ConditionTrue,
 			)
 
+			th.ExpectCondition(
+				cyborgNames.CyborgName,
+				ConditionGetterFunc(CyborgConditionGetter),
+				cyborgv1beta1.CyborgAgentConfigReadyCondition,
+				corev1.ConditionTrue,
+			)
+
 			keystone.SimulateKeystoneServiceReady(cyborgNames.KeystoneServiceName)
 
 			th.ExpectCondition(
@@ -440,6 +479,23 @@ var _ = Describe("Cyborg controller", func() {
 			)
 		})
 
+		It("creates an agent config secret with application credentials and TLS CA", func() {
+			mariadb.SimulateMariaDBAccountCompleted(cyborgNames.MariaDBAccountName)
+			mariadb.SimulateMariaDBTLSDatabaseCompleted(cyborgNames.MariaDBDatabaseName)
+			infra.SimulateTransportURLReady(cyborgNames.TransportURLName)
+
+			Eventually(func(g Gomega) {
+				agentSecret := th.GetSecret(cyborgNames.AgentConfigSecretName)
+				defaultConf := string(agentSecret.Data["00-default.conf"])
+				g.Expect(defaultConf).To(ContainSubstring("auth_type = v3applicationcredential"))
+				g.Expect(defaultConf).To(ContainSubstring("application_credential_id = " + appCredID))
+				g.Expect(defaultConf).To(ContainSubstring("application_credential_secret = " + appCredSecretValue))
+				g.Expect(defaultConf).To(ContainSubstring("cafile ="))
+				g.Expect(defaultConf).To(ContainSubstring("ssl_ca_file ="))
+				g.Expect(defaultConf).NotTo(ContainSubstring("[database]"))
+			}, timeout, interval).Should(Succeed())
+		})
+
 		It("creates dbsync job, TLS-aware config secret, and application credential data in the sub-level secret", func() {
 			mariadb.SimulateMariaDBAccountCompleted(cyborgNames.MariaDBAccountName)
 			mariadb.SimulateMariaDBTLSDatabaseCompleted(cyborgNames.MariaDBDatabaseName)

test/kuttl/test-suites/default/cyborg-tests/01-assert.yaml

@@ -40,6 +40,11 @@ commands:
 - script: |
     oc get secret cyborg-kuttl-conductor-config-data -n $NAMESPACE \
       -o jsonpath='{.data.cyborg-conductor-config\.json}' | base64 -d | grep -q 'cyborg-conductor'
+# --- Cyborg agent config secret (cyborg-kuttl-agent-config) content ---
+# 00-default.conf must contain the [DEFAULT] OpenStack config section
+- script: |
+    oc get secret cyborg-kuttl-agent-config -n $NAMESPACE \
+      -o jsonpath='{.data.00-default\.conf}' | base64 -d | grep -q '\[DEFAULT\]'
 # --- DB sync Job volumes ---
 # config-data volume in the Job pod must reference the Cyborg config-data secret
 - script: |
@@ -112,6 +117,10 @@ status:
     reason: Ready
     status: "True"
     type: CyborgAPIReady
+  - message: Service config create completed
+    reason: Ready
+    status: "True"
+    type: CyborgAgentConfigReady
   - message: Deployment completed
     reason: Ready
     status: "True"
@@ -486,3 +495,11 @@ status:
   - name: cyborg-conductor
     ready: true
     started: true
+---
+# Assert the Cyborg agent config-data secret exists.
+# Expected files: 00-default.conf
+# Content checks are performed via the commands block above.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cyborg-kuttl-agent-config