Merge pull request #1780 from splunk/feature/m1-secrets-redo2

CSPL-4186: Support splunk secret and make it available to Ansible via mount

Author: minjieqiu

pkg/splunk/common/names.go

@@ -131,7 +131,7 @@ func GetNamespaceScopedSecretName(namespace string) string {
 
 // GetSplunkSecretTokenTypes returns all types of Splunk secret tokens
 func GetSplunkSecretTokenTypes() []string {
-	return []string{"hec_token", "password", "pass4SymmKey", "idxc_secret", "shc_secret"}
+	return []string{"hec_token", "password", "pass4SymmKey", "splunk_secret", "idxc_secret", "shc_secret"}
 }
 
 // GetLabelTypes returns a map of label types to strings

pkg/splunk/common/names_test.go

@@ -40,7 +40,7 @@ func TestGetNamespaceScopedSecretName(t *testing.T) {
 }
 
 func TestGetSplunkSecretTokenTypes(t *testing.T) {
-	wantSecretTokens := []string{"hec_token", "password", "pass4SymmKey", "idxc_secret", "shc_secret"}
+	wantSecretTokens := []string{"hec_token", "password", "pass4SymmKey", "splunk_secret", "idxc_secret", "shc_secret"}
 	secretTokens := GetSplunkSecretTokenTypes()
 	if !reflect.DeepEqual(secretTokens, wantSecretTokens) {
 		t.Errorf("Incorrect secret tokens returned got %+v want %+v", secretTokens, wantSecretTokens)

pkg/splunk/util/secrets.go

@@ -355,28 +355,40 @@ func GetSplunkReadableNamespaceScopedSecretData(ctx context.Context, c splcommon
 
 	// Create individual token type data
 	for _, tokenType := range splcommon.GetSplunkSecretTokenTypes() {
-		splunkReadableData[tokenType] = namespaceScopedSecret.Data[tokenType]
+		if _, exists := namespaceScopedSecret.Data[tokenType]; exists {
+			splunkReadableData[tokenType] = namespaceScopedSecret.Data[tokenType]
+		}
 	}
 
-	// Create default.yml
-	splunkReadableData["default.yml"] = []byte(fmt.Sprintf(`
+	// Create default.yml with optional splunk_secret
+	defaultYmlBuilder := fmt.Sprintf(`
 splunk:
     hec_disabled: 0
     hec_enableSSL: 0
     hec_token: "%s"
     password: "%s"
-    pass4SymmKey: "%s"
+    pass4SymmKey: "%s"`,
+		namespaceScopedSecret.Data["hec_token"],
+		namespaceScopedSecret.Data["password"],
+		namespaceScopedSecret.Data["pass4SymmKey"])
+
+	// Add splunk_secret only if it exists
+	if splunkSecret, exists := namespaceScopedSecret.Data["splunk_secret"]; exists {
+		defaultYmlBuilder += fmt.Sprintf(`
+    splunk_secret: "%s"`, splunkSecret)
+	}
+
+	// Add idxc and shc sections
+	defaultYmlBuilder += fmt.Sprintf(`
     idxc:
         secret: "%s"
     shc:
         secret: "%s"
 `,
-		namespaceScopedSecret.Data["hec_token"],
-		namespaceScopedSecret.Data["password"],
-		namespaceScopedSecret.Data["pass4SymmKey"],
 		namespaceScopedSecret.Data["idxc_secret"],
-		namespaceScopedSecret.Data["shc_secret"]))
+		namespaceScopedSecret.Data["shc_secret"])
 
+	splunkReadableData["default.yml"] = []byte(strings.TrimSpace(defaultYmlBuilder))
 	return splunkReadableData, nil
 }
 
@@ -451,9 +463,19 @@ func ApplyNamespaceScopedSecretObject(ctx context.Context, client splcommon.Cont
 	namespacedName := types.NamespacedName{Namespace: namespace, Name: splcommon.GetNamespaceScopedSecretName(namespace)}
 	err := client.Get(ctx, namespacedName, &current)
 	if err == nil {
+		// Validate existing secrets according to PasswordManagement documentation
+		err = validateNamespaceScopedSecrets(scopedLog, &current)
+		if err != nil {
+			return nil, err
+		}
+
 		// Generate values for only missing types of tokens them
 		var updateNeeded bool = false
 		for _, tokenType := range splcommon.GetSplunkSecretTokenTypes() {
+			if tokenType == "splunk_secret" {
+				// splunk_secret is optional, skip if not found
+				continue
+			}
 			if _, ok := current.Data[tokenType]; !ok {
 				scopedLog.Info("Namespace scoped secret exists, missing value for token", "missingTokenType", tokenType)
 				if current.Data == nil || reflect.ValueOf(current.Data).Kind() != reflect.Map {
@@ -491,7 +513,7 @@ func ApplyNamespaceScopedSecretObject(ctx context.Context, client splcommon.Cont
 	for _, tokenType := range splcommon.GetSplunkSecretTokenTypes() {
 		if tokenType == "hec_token" {
 			current.Data[tokenType] = generateHECToken()
-		} else {
+		} else if tokenType != "splunk_secret" {
 			current.Data[tokenType] = splcommon.GenerateSecret(splcommon.SecretBytes, 24)
 		}
 	}
@@ -523,6 +545,40 @@ func ApplyNamespaceScopedSecretObject(ctx context.Context, client splcommon.Cont
 	return &current, nil
 }
 
+// validateNamespaceScopedSecrets validates that all Splunk secret tokens that exist are not empty
+// and meet their specific requirements
+// Validates secrets documented in PasswordManagement: hec_token, password, pass4SymmKey, idxc_secret, shc_secret
+func validateNamespaceScopedSecrets(scopedLog interface {
+	Info(msg string, keysAndValues ...interface{})
+	Error(err error, msg string, keysAndValues ...interface{})
+}, secret *corev1.Secret) error {
+	if secret.Data == nil {
+		scopedLog.Info("Secret data is nil for namespace scoped secret")
+		return nil
+	}
+
+	// Validate each documented secret token type
+	for _, tokenType := range splcommon.GetSplunkSecretTokenTypes() {
+		if secretValue, exists := secret.Data[tokenType]; exists {
+			var err error
+			if tokenType == "hec_token" {
+				err = ValidateHECToken(secretValue)
+			} else {
+				err = ValidateSecret(secretValue)
+			}
+
+			if err != nil {
+				scopedLog.Error(err, "Validation failed for secret", "secret", tokenType)
+				return fmt.Errorf("validation failed for secret %s: %w", tokenType, err)
+			}
+
+			scopedLog.Info("Namespace scoped secret validation passed", "secret", tokenType)
+		}
+	}
+
+	return nil
+}
+
 // GetSecretByName retrieves namespace scoped secret object for a given name
 func GetSecretByName(ctx context.Context, c splcommon.ControllerClient, namespace string, logHandle string, name string) (*corev1.Secret, error) {
 	var namespaceScopedSecret corev1.Secret