From 83cd4dabc6cff645a447d08d161f8a0dd655aa68 Mon Sep 17 00:00:00 2001
From: Kaustav Majumder
Date: Tue, 9 Jul 2024 12:57:32 +0530
Subject: [PATCH] Added support to join external noobaa system from hosted clusters
Signed-off-by: Kaustav Majumder
---
 pkg/noobaaaccount/reconciler.go | 47 +++++++++++++++++++++++--------
 pkg/system/phase1_verifying.go | 27 ++++++++++--------
 pkg/system/phase4_configuring.go | 18 ++++++++----
 pkg/util/util.go | 12 ++++++++
 4 files changed, 73 insertions(+), 31 deletions(-)
diff --git a/pkg/noobaaaccount/reconciler.go b/pkg/noobaaaccount/reconciler.go
index 90eac5364..eda3abc76 100644
--- a/pkg/noobaaaccount/reconciler.go
+++ b/pkg/noobaaaccount/reconciler.go
@@ -4,6 +4,7 @@ import (
 "context"
 "fmt"
 "reflect"
+ "strings"
 "time"
 nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1"
@@ -24,6 +25,10 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
+const (
+ strTrue string = "true"
+)
+
 // Reconciler is the context for loading or reconciling a noobaa system
 type Reconciler struct {
 Request types.NamespacedName
@@ -351,22 +356,38 @@ func (r *Reconciler) CreateNooBaaAccount() error {
 return err
 }
- var accessKeys nb.S3AccessKeys
- // if we didn't get the access keys in the create_account reply we might be talking to an older noobaa version (prior to 5.1)
- // in that case try to get it using read account
- if len(accountInfo.AccessKeys) == 0 {
- log.Info("CreateAccountAPI did not return access keys. calling ReadAccountAPI to get keys..")
- readAccountReply, err := r.NBClient.ReadAccountAPI(nb.ReadAccountParams{Email: r.NooBaaAccount.Name})
- if err != nil {
- return err
+ annotationValue, exists := util.GetAnnotationValue(r.NooBaaAccount.Annotations, "remote-operator")
+ if exists {
+ if strings.ToLower(annotationValue) == strTrue {
+ // create join secret conatining auth token for remote noobaa account
+ res, err := r.NBClient.CreateAuthAPI(nb.CreateAuthParams{
+ System: r.NooBaa.Name,
+ Role: "operator",
+ Email: options.OperatorAccountEmail,
+ })
+ if err != nil {
+ return fmt.Errorf("cannot create an auth token for remote operator, error: %v", err)
+ }
+ r.Secret.StringData["auth_token"] = res.Token
 }
- accessKeys = readAccountReply.AccessKeys[0]
 } else {
- accessKeys = accountInfo.AccessKeys[0]
+ var accessKeys nb.S3AccessKeys
+ // if we didn't get the access keys in the create_account reply we might be talking to an older noobaa version (prior to 5.1)
+ // in that case try to get it using read account
+ if len(accountInfo.AccessKeys) == 0 {
+ log.Info("CreateAccountAPI did not return access keys. calling ReadAccountAPI to get keys..")
+ readAccountReply, err := r.NBClient.ReadAccountAPI(nb.ReadAccountParams{Email: r.NooBaaAccount.Name})
+ if err != nil {
+ return err
+ }
+ accessKeys = readAccountReply.AccessKeys[0]
+ } else {
+ accessKeys = accountInfo.AccessKeys[0]
+ }
+ r.Secret.StringData = map[string]string{}
+ r.Secret.StringData["AWS_ACCESS_KEY_ID"] = string(accessKeys.AccessKey)
+ r.Secret.StringData["AWS_SECRET_ACCESS_KEY"] = string(accessKeys.SecretKey)
 }
- r.Secret.StringData = map[string]string{}
- r.Secret.StringData["AWS_ACCESS_KEY_ID"] = string(accessKeys.AccessKey)
- r.Secret.StringData["AWS_SECRET_ACCESS_KEY"] = string(accessKeys.SecretKey)
 r.Own(r.Secret)
 err = r.Client.Create(r.Ctx, r.Secret)
 if err != nil {
diff --git a/pkg/system/phase1_verifying.go b/pkg/system/phase1_verifying.go
index 463b55206..b4011cf97 100644
--- a/pkg/system/phase1_verifying.go
+++ b/pkg/system/phase1_verifying.go
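Review bot: In CreateNooBaaAccount (pkg/noobaaaccount/reconciler.go) the `remote-operator` branch puts a token minted with `Role: "operator"` for `options.OperatorAccountEmail` into the account's secret, so whoever can set that annotation on a NooBaaAccount, or read the resulting secret, appears to receive operator-level access rather than credentials scoped to the account; the hunk shows no check on who may request this, and that decision should at least be documented next to the call. The same branch assigns `r.Secret.StringData["auth_token"]` while the `r.Secret.StringData = map[string]string{}` initialisation now lives only in the `else`, which panics on a nil map unless StringData is populated earlier in the function (not visible here). An annotation that is present with any value other than "true" skips both branches and creates a secret holding no credentials; deciding once with `if exists && strings.EqualFold(annotationValue, strTrue) {` and an `else` for the access-key path, with the map initialised before the branch, covers both problems. The function starts and ends outside the hunk.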
@@ -190,22 +190,25 @@ func (r *Reconciler) CheckJoinSecret() error {
 return util.NewPersistentError("InvalidJoinSecert",
 "JoinSecret is missing mgmt_addr")
 }
- if r.JoinSecret.StringData["bg_addr"] == "" {
- return util.NewPersistentError("InvalidJoinSecert",
- "JoinSecret is missing bg_addr")
- }
- if r.JoinSecret.StringData["md_addr"] == "" {
- return util.NewPersistentError("InvalidJoinSecert",
- "JoinSecret is missing md_addr")
- }
- if r.JoinSecret.StringData["hosted_agents_addr"] == "" {
- return util.NewPersistentError("InvalidJoinSecert",
- "JoinSecret is missing hosted_agents_addr")
- }
 if r.JoinSecret.StringData["auth_token"] == "" {
 return util.NewPersistentError("InvalidJoinSecert",
 "JoinSecret is missing auth_token")
 }
+
+ if !util.IsRemoteClientNoobaa(r.NooBaa.GetAnnotations()) {
+ if r.JoinSecret.StringData["bg_addr"] == "" {
+ return util.NewPersistentError("InvalidJoinSecert",
+ "JoinSecret is missing bg_addr")
+ }
+ if r.JoinSecret.StringData["md_addr"] == "" {
+ return util.NewPersistentError("InvalidJoinSecert",
+ "JoinSecret is missing md_addr")
+ }
+ if r.JoinSecret.StringData["hosted_agents_addr"] == "" {
+ return util.NewPersistentError("InvalidJoinSecert",
+ "JoinSecret is missing hosted_agents_addr")
+ }
+ }
 return nil
 }
diff --git a/pkg/system/phase4_configuring.go b/pkg/system/phase4_configuring.go
index 5a0b81e74..fa9e88520 100644
--- a/pkg/system/phase4_configuring.go
+++ b/pkg/system/phase4_configuring.go
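Review bot: In CheckJoinSecret (pkg/system/phase1_verifying.go) the relaxed path is undocumented: when `remote-client-noobaa` is true only `mgmt_addr` and `auth_token` are required, and nothing says why `bg_addr`, `md_addr` and `hosted_agents_addr` may be absent. A comment above the new `if`, for example `// Remote clients only need mgmt_addr and auth_token; the remaining addresses are required for a full join.`, would make the intent reviewable. Because an annotation on the NooBaa resource now relaxes join-secret validation, it is also worth stating who is expected to set it. The start of the function is outside the hunk.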
@@ -64,12 +64,15 @@ func (r *Reconciler) ReconcilePhaseConfiguring() error {
 if err := r.ReconcileSystemSecrets(); err != nil {
 return err
 }
- util.KubeCreateOptional(util.KubeObject(bundle.File_deploy_scc_endpoint_yaml).(*secv1.SecurityContextConstraints))
- if err := r.ReconcileObject(r.DeploymentEndpoint, r.SetDesiredDeploymentEndpoint); err != nil {
- return err
- }
- if err := r.ReconcileHPAEndpoint(); err != nil {
- return err
+ // No endpoint creation is required for remote noobaa client
+ if !util.IsRemoteClientNoobaa(r.NooBaa.GetAnnotations()) {
+ util.KubeCreateOptional(util.KubeObject(bundle.File_deploy_scc_endpoint_yaml).(*secv1.SecurityContextConstraints))
+ if err := r.ReconcileObject(r.DeploymentEndpoint, r.SetDesiredDeploymentEndpoint); err != nil {
+ return err
+ }
+ if err := r.ReconcileHPAEndpoint(); err != nil {
+ return err
+ }
 }
 if err := r.RegisterToCluster(); err != nil {
 return err
@@ -1644,6 +1647,9 @@ func (r *Reconciler) UpdateBucketClassesPhase(Buckets []nb.BucketInfo) {
 // ReconcileDeploymentEndpointStatus creates/updates the endpoints deployment
 func (r *Reconciler) ReconcileDeploymentEndpointStatus() error {
+ if util.IsRemoteClientNoobaa(r.NooBaa.GetAnnotations()) {
+ return nil
+ }
 if !util.KubeCheck(r.DeploymentEndpoint) {
 return fmt.Errorf("Could not load endpoint deployment")
 }
diff --git a/pkg/util/util.go b/pkg/util/util.go
index fc638c3fd..d023dee07 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -79,6 +79,7 @@ const (
 obcMaxSizeUpperLimit = petabyte * 1023
 topologyConstraintsEnabledKubeVersion = "1.26.0"
+ trueStr = "true"
 )
 // OAuth2Endpoints holds OAuth2 endpoints information.
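Review bot: In ReconcilePhaseConfiguring (pkg/system/phase4_configuring.go) the new guard only skips creation, so an SCC, endpoint Deployment or HPA that already exists when `remote-client-noobaa` is set to true appears to stay in the cluster without being reconciled or removed; the early `return nil` added to ReconcileDeploymentEndpointStatus in the following hunk then skips that deployment's status handling as well. If the annotation is only supported at creation time, the comment should say so, e.g. `// Remote client: endpoints are never created; the annotation must be set when the NooBaa resource is created.`; otherwise a cleanup step is needed. Both functions continue outside their hunks.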
@@ -1435,6 +1436,17 @@ func GetAnnotationValue(annotations map[string]string, name string) (string, boo
 return "", false
 }
+// IsRemoteClientNoobaa checks for the existance and value of the remote-client-noobaa annotation
+// within an annotation map, if the annotation doesnt exist it's the same as if its value is false.
+func IsRemoteClientNoobaa(annotations map[string]string) bool {
+ annotationValue, exists := GetAnnotationValue(annotations, "remote-client-noobaa")
+ annotationBoolVal := false
+ if exists {
+ annotationBoolVal = strings.ToLower(annotationValue) == trueStr
+ }
+ return annotationBoolVal
+}
+
 // ReflectEnvVariable will add, update or remove an env variable base on the existence and value of an
 // env variable with the same name on the container running this function.
 func ReflectEnvVariable(env *[]corev1.EnvVar, name string) {
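Review bot: IsRemoteClientNoobaa (pkg/util/util.go) can lose the temporary and the branch: keep the `GetAnnotationValue` call and finish with `return exists && strings.EqualFold(annotationValue, trueStr)`. The doc comment has typos ("existance", "doesnt"), and the annotation name is a bare string literal here while reconciler.go repeats the same test for "remote-operator" with its own `strTrue` constant. Named constants for the two keys and one shared helper would keep these security-relevant switches from drifting apart.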