elastic-worker: Deal with amqp credentials as secrets

This currently read the secrets and installs them properly in our config.yml the loader uses to ingest origins. It's currently convoluted but that's the simpler way for now. Short of changing the swh tids and bits (loader, lister, ...) to actually allow using environment variables instead of configuration here (sure but not right now). Related to T4144

elastic-worker: Deal with amqp credentials as secrets
8dd6f1e2 · Antoine R. Dumont · 1e2c9088 · 8dd6f1e2 · 8dd6f1e2 · 8dd6f1e2
Verified Commit 8dd6f1e2 authored 2 years ago by Antoine R. Dumont
--- a/sysadmin/T3592-elastic-workers/worker/.gitignore
+++ b/sysadmin/T3592-elastic-workers/worker/.gitignore
@@ -4,5 +4,7 @@ loader-git.staging.values.yaml
 loader-maven.staging.values.yaml
 loader-pypi.staging.values.yaml
 loader-svn.staging.values.yaml
-loader-git-metadata-fetcher-credentials.yaml
 loader-npm.staging.values.yaml
+
+loader-git-metadata-fetcher-credentials.yaml
+amqp-access-credentials.yaml
--- a/sysadmin/T3592-elastic-workers/worker/README.md
+++ b/sysadmin/T3592-elastic-workers/worker/README.md
@@ -43,8 +43,6 @@ $ cat ../loader-git.staging.values.yaml
 # Declare variables to be passed into your templates.

 amqp:
-  username: <redacted>
-  password: <redacted>
  host: scheduler0.internal.staging.swh.network
  queue_threshold: 10  # spawn worker per increment of `value` messages
  queues:
@@ -85,18 +83,19 @@ $ TYPE=git; REL=workers-$TYPE; \

 # Secrets

-The current work requires metadata fetcher credentials `metadata-fetcher-credentials`
-installed as secret within the cluster.
+The current work requires credentials (installed as secret within the cluster):
+- metadata fetcher credentials `metadata-fetcher-credentials`
+- amqp credentials ``

-More details:
+More details describing the secrets:
 ```
-$ kubectl describe secrets/metadata-fetcher-credentials
+$ kubectl describe secret metadata-fetcher-credentials
 ```

 Installed through:
 ```
-$ kubectl -f ./loader-git-metadata-fetcher-credentials.yaml apply
-# secret file
+$ kubectl -f $SECRET_FILE apply
+# for secret file in {loader-git-metadata-fetcher-credentials,amqp-access-credentials}.yaml
 $ cat loader-git-metadata-fetcher-credentials.yaml
 apiVersion: v1
 kind: Secret
@@ -111,4 +110,14 @@ stringData:
        - username: <redacted>
          password: <redacted>
        - ...
+$ cat amqp-access-credentials.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: amqp-access-credentials
+type: Opaque
+data:
+  username: <base64-encoded-pass>  # output of: echo -n 'redacted-pass' | base64
+  password: <base64-encoded-pass>
+
 ```
--- a/sysadmin/T3592-elastic-workers/worker/templates/config-map.yaml
+++ b/sysadmin/T3592-elastic-workers/worker/templates/config-map.yaml
@@ -26,7 +26,7 @@ data:
        url: http://{{ .Values.storage.host }}:5002/

    celery:
-      task_broker: amqp://{{ .Values.amqp.username }}:{{ .Values.amqp.password }}@{{ .Values.amqp.host }}//
+      task_broker: amqp://##username##:##password##@{{ .Values.amqp.host }}//
      task_queues:
    {{- range .Values.amqp.queues }}
      - {{ . }}
@@ -40,7 +40,14 @@ data:
    cat /etc/softwareheritage/config.yml > $SWH_CONFIG_FILENAME
    # contains required credentials for git loader (with metadata loader inside)
    # ignored by the other loaders
-    cat /tmp/secret-data/data >> $SWH_CONFIG_FILENAME
+    cat /etc/credentials/metadata-fetcher/data >> $SWH_CONFIG_FILENAME
+
+    # Work around configuration setup
+    amqp_username=$(cat /etc/credentials/amqp/username)
+    amqp_password=$(cat /etc/credentials/amqp/password)
+
+    sed -i 's/##username##/'$amqp_username'/g' $SWH_CONFIG_FILENAME
+    sed -i 's/##password##/'$amqp_password'/g' $SWH_CONFIG_FILENAME

    echo Starting the swh Celery worker
    exec python -m celery \

--- a/sysadmin/T3592-elastic-workers/worker/templates/deployment.yaml
+++ b/sysadmin/T3592-elastic-workers/worker/templates/deployment.yaml
@@ -56,7 +56,10 @@ spec:
            subPath: entrypoint.sh
            readOnly: true
          - name: metadata-fetcher-credentials
-            mountPath: /tmp/secret-data
+            mountPath: /etc/credentials/metadata-fetcher
+            readOnly: true
+          - name: amqp-access-credentials
+            mountPath: /etc/credentials/amqp
            readOnly: true
          - mountPath: /tmp
            name: tmp-volume
@@ -70,3 +73,6 @@ spec:
        - name: metadata-fetcher-credentials
          secret:
            secretName: metadata-fetcher-credentials
+        - name: amqp-access-credentials
+          secret:
+            secretName: amqp-access-credentials
--- a/sysadmin/T3592-elastic-workers/worker/values.yaml
+++ b/sysadmin/T3592-elastic-workers/worker/values.yaml
@@ -3,8 +3,6 @@
 # Declare variables to be passed into your templates.

 amqp:
-  user: guest
-  password: guest
  host: amqp

 storage: