Feature/CSPL-4360 Secret reference for Index & Ingestion separation

.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml

@@ -146,6 +146,8 @@ jobs:
       DEPLOYMENT_TYPE: ""
       ARM64: "true"
       GRAVITON_TESTING: "true"
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Chekcout code
         uses: actions/checkout@v2

.github/workflows/arm-AL2023-int-test-workflow.yml

@@ -94,6 +94,8 @@ jobs:
       DEPLOYMENT_TYPE: ""
       ARM64: "true"
       GRAVITON_TESTING: "true"
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Set Test Cluster Nodes and Parallel Runs
         run: >-

.github/workflows/arm-RHEL-build-test-push-workflow.yml

@@ -94,6 +94,8 @@ jobs:
       DEPLOYMENT_TYPE: ""
       ARM64: "true"
       GRAVITON_TESTING: "true"
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Set Test Cluster Nodes and Parallel Runs
         run: >-

.github/workflows/arm-RHEL-int-test-workflow.yml

@@ -94,6 +94,8 @@ jobs:
       DEPLOYMENT_TYPE: ""
       ARM64: "true"
       GRAVITON_TESTING: "true"
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Set Test Cluster Nodes and Parallel Runs
         run: >-

.github/workflows/arm-Ubuntu-build-test-push-workflow.yml

@@ -146,6 +146,8 @@ jobs:
       DEPLOYMENT_TYPE: ""
       ARM64: "true"
       GRAVITON_TESTING: "true"
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Chekcout code
         uses: actions/checkout@v2

.github/workflows/arm-Ubuntu-int-test-workflow.yml

@@ -94,6 +94,8 @@ jobs:
       DEPLOYMENT_TYPE: ""
       ARM64: "true"
       GRAVITON_TESTING: "true"
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Set Test Cluster Nodes and Parallel Runs
         run: >-

.github/workflows/build-test-push-workflow.yml

@@ -190,6 +190,8 @@ jobs:
       EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }}
       CLUSTER_WIDE: "true"
       DEPLOYMENT_TYPE: ""
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Chekcout code
         uses: actions/checkout@v2

.github/workflows/distroless-build-test-push-workflow.yml

@@ -191,6 +191,8 @@ jobs:
       EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }}
       CLUSTER_WIDE: "true"
       DEPLOYMENT_TYPE: ""
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Chekcout code
         uses: actions/checkout@v2

.github/workflows/distroless-int-test-workflow.yml

@@ -88,6 +88,8 @@ jobs:
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
       CLUSTER_WIDE: "true"
       DEPLOYMENT_TYPE: ""
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Set Test Cluster Nodes and Parallel Runs
         run: >-

.github/workflows/helm-test-workflow.yml

@@ -65,6 +65,8 @@ jobs:
       HELM_REPO_PATH: "../../../../helm-chart"
       INSTALL_OPERATOR: "true"
       TEST_VPC_ENDPOINT_URL: ${{ secrets.TEST_VPC_ENDPOINT_URL }}
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - uses: chrisdickinson/setup-yq@3d931309f27270ebbafd53f2daee773a82ea1822
       - name: Checking YQ installation

.github/workflows/int-test-workflow.yml

@@ -84,6 +84,8 @@ jobs:
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
       CLUSTER_WIDE: "true"
       DEPLOYMENT_TYPE: ""
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Set Test Cluster Nodes and Parallel Runs
         run: >-

.github/workflows/manual-int-test-workflow.yml

@@ -45,6 +45,8 @@ jobs:
       PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
       CLUSTER_WIDE: ${{ github.event.inputs.CLUSTER_WIDE }}
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Set Test Cluster Nodes and Parallel Runs
         run: >-

.github/workflows/namespace-scope-int-workflow.yml

@@ -40,6 +40,8 @@ jobs:
       PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
       CLUSTER_WIDE: "false"
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Set Test Cluster Nodes and Parallel Runs
         run: >-

.github/workflows/nightly-int-test-workflow.yml

@@ -81,6 +81,8 @@ jobs:
       PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }}
       S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
       CLUSTER_WIDE: "true"
+      AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID: ${{ secrets.AWS_INDEX_INGEST_SEP_ACCESS_KEY_ID }}
+      AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY: ${{ secrets.AWS_INDEX_INGEST_SEP_SECRET_ACCESS_KEY }}
     steps:
       - name: Set Test Cluster Nodes and Parallel Runs
         run: >-

api/v4/indexercluster_types.go

@@ -35,6 +35,8 @@ const (
 )
 
 // +kubebuilder:validation:XValidation:rule="has(self.queueRef) == has(self.objectStorageRef)",message="queueRef and objectStorageRef must both be set or both be empty"
+// +kubebuilder:validation:XValidation:rule="self.queueRef == oldSelf.queueRef",message="queueRef is immutable once created"
+// +kubebuilder:validation:XValidation:rule="self.objectStorageRef == oldSelf.objectStorageRef",message="objectStorageRef is immutable once created"
 // IndexerClusterSpec defines the desired state of a Splunk Enterprise indexer cluster
 type IndexerClusterSpec struct {
 	CommonSplunkSpec `json:",inline"`
@@ -121,11 +123,8 @@ type IndexerClusterStatus struct {
 	// Auxillary message describing CR status
 	Message string `json:"message"`
 
-	// Queue
-	Queue *QueueSpec `json:"queue,omitempty"`
-
-	// Object Storage
-	ObjectStorage *ObjectStorageSpec `json:"objectStorage,omitempty"`
+	// Queue and bucket access secret version
+	QueueBucketAccessSecretVersion string `json:"queueBucketAccessSecretVersion,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

api/v4/ingestorcluster_types.go

@@ -28,6 +28,8 @@ const (
 	IngestorClusterPausedAnnotation = "ingestorcluster.enterprise.splunk.com/paused"
 )
 
+// +kubebuilder:validation:XValidation:rule="self.queueRef == oldSelf.queueRef",message="queueRef is immutable once created"
+// +kubebuilder:validation:XValidation:rule="self.objectStorageRef == oldSelf.objectStorageRef",message="objectStorageRef is immutable once created"
 // IngestorClusterSpec defines the spec of Ingestor Cluster
 type IngestorClusterSpec struct {
 	// Common Splunk spec
@@ -74,11 +76,8 @@ type IngestorClusterStatus struct {
 	// Auxillary message describing CR status
 	Message string `json:"message"`
 
-	// Queue
-	Queue *QueueSpec `json:"queue,omitempty"`
-
-	// Object Storage
-	ObjectStorage *ObjectStorageSpec `json:"objectStorage,omitempty"`
+	// Queue and bucket access secret version
+	QueueBucketAccessSecretVersion string `json:"queueBucketAccessSecretVersion,omitempty"`
 }
 
 // +kubebuilder:object:root=true

api/v4/objectstorage_types.go

@@ -17,7 +17,6 @@ limitations under the License.
 package v4
 
 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -28,6 +27,8 @@ const (
 	ObjectStoragePausedAnnotation = "objectstorage.enterprise.splunk.com/paused"
 )
 
+// +kubebuilder:validation:XValidation:rule="self.provider == oldSelf.provider",message="provider is immutable once created"
+// +kubebuilder:validation:XValidation:rule="self.s3 == oldSelf.s3",message="s3 is immutable once created"
 // +kubebuilder:validation:XValidation:rule="self.provider != 's3' || has(self.s3)",message="s3 must be provided when provider is s3"
 // ObjectStorageSpec defines the desired state of ObjectStorage
 type ObjectStorageSpec struct {
@@ -55,7 +56,7 @@ type S3Spec struct {
 
 // ObjectStorageStatus defines the observed state of ObjectStorage.
 type ObjectStorageStatus struct {
-	// Phase of the large message store
+	// Phase of the object storage
 	Phase Phase `json:"phase"`
 
 	// Resource revision tracker
@@ -107,32 +108,3 @@ type ObjectStorageList struct {
 func init() {
 	SchemeBuilder.Register(&ObjectStorage{}, &ObjectStorageList{})
 }
-
-// NewEvent creates a new event associated with the object and ready
-// to be published to Kubernetes API
-func (os *ObjectStorage) NewEvent(eventType, reason, message string) corev1.Event {
-	t := metav1.Now()
-	return corev1.Event{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: reason + "-",
-			Namespace:    os.ObjectMeta.Namespace,
-		},
-		InvolvedObject: corev1.ObjectReference{
-			Kind:       "ObjectStorage",
-			Namespace:  os.Namespace,
-			Name:       os.Name,
-			UID:        os.UID,
-			APIVersion: GroupVersion.String(),
-		},
-		Reason:  reason,
-		Message: message,
-		Source: corev1.EventSource{
-			Component: "splunk-object-storage-controller",
-		},
-		FirstTimestamp:      t,
-		LastTimestamp:       t,
-		Count:               1,
-		Type:                eventType,
-		ReportingController: "enterprise.splunk.com/object-storage-controller",
-	}
-}

api/v4/queue_types.go

@@ -17,7 +17,6 @@ limitations under the License.
 package v4
 
 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -28,6 +27,11 @@ const (
 	QueuePausedAnnotation = "queue.enterprise.splunk.com/paused"
 )
 
+// +kubebuilder:validation:XValidation:rule="self.provider == oldSelf.provider",message="provider is immutable once created"
+// +kubebuilder:validation:XValidation:rule="self.sqs.name == oldSelf.sqs.name",message="sqs.name is immutable once created"
+// +kubebuilder:validation:XValidation:rule="self.sqs.authRegion == oldSelf.sqs.authRegion",message="sqs.authRegion is immutable once created"
+// +kubebuilder:validation:XValidation:rule="self.sqs.dlq == oldSelf.sqs.dlq",message="sqs.dlq is immutable once created"
+// +kubebuilder:validation:XValidation:rule="self.sqs.endpoint == oldSelf.sqs.endpoint",message="sqs.endpoint is immutable once created"
 // +kubebuilder:validation:XValidation:rule="self.provider != 'sqs' || has(self.sqs)",message="sqs must be provided when provider is sqs"
 // QueueSpec defines the desired state of Queue
 type QueueSpec struct {
@@ -61,6 +65,10 @@ type SQSSpec struct {
 	// +kubebuilder:validation:Pattern=`^https?://[^\s/$.?#].[^\s]*$`
 	// Amazon SQS Service endpoint
 	Endpoint string `json:"endpoint"`
+
+	// +optional
+	// List of remote storage volumes
+	VolList []VolumeSpec `json:"volumes,omitempty"`
 }
 
 // QueueStatus defines the observed state of Queue
@@ -117,32 +125,3 @@ type QueueList struct {
 func init() {
 	SchemeBuilder.Register(&Queue{}, &QueueList{})
 }
-
-// NewEvent creates a new event associated with the object and ready
-// to be published to Kubernetes API
-func (os *Queue) NewEvent(eventType, reason, message string) corev1.Event {
-	t := metav1.Now()
-	return corev1.Event{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: reason + "-",
-			Namespace:    os.ObjectMeta.Namespace,
-		},
-		InvolvedObject: corev1.ObjectReference{
-			Kind:       "Queue",
-			Namespace:  os.Namespace,
-			Name:       os.Name,
-			UID:        os.UID,
-			APIVersion: GroupVersion.String(),
-		},
-		Reason:  reason,
-		Message: message,
-		Source: corev1.EventSource{
-			Component: "splunk-queue-controller",
-		},
-		FirstTimestamp:      t,
-		LastTimestamp:       t,
-		Count:               1,
-		Type:                eventType,
-		ReportingController: "enterprise.splunk.com/queue-controller",
-	}
-}

cmd/main.go

@@ -230,20 +230,6 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "IngestorCluster")
 		os.Exit(1)
 	}
-	if err := (&controller.QueueReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "Queue")
-		os.Exit(1)
-	}
-	if err := (&controller.ObjectStorageReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "ObjectStorage")
-		os.Exit(1)
-	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {