*: Replace PullSecretPath with PullSecret

Instead of passing the pull secret around as a path, pass it around as
a JSON string.  This makes it easier to embed in Kubernetes, since
we're punting the file-reading to callers at config-YAML-creation
time.

Store it as a string (like the SSH pubkey) instead of parsing it out
into a more detailed structure, because we expect to consume it as an
opaque string (just pass it to the registry without peaking inside).

I've left some deprecated handling for folks who are still using
pullSecretPath in their YAML.  I'll file a follow-up pull request to
drop it once we get the CI template in openshift/release updated to
use pullSecret.

Author: wking

Documentation/dev/libvirt-howto.md

@@ -64,7 +64,7 @@ EOF
     1. Set the `imagePath` to the **absolute** path of the operating system image you downloaded
     1. Set the `name` (e.g. test1)
     1. Look at the `podCIDR` and `serviceCIDR` fields in the `networking` section. Make sure they don't conflict with anything important.
-    1. Set the `pullSecretPath` to the **absolute** path of your downloaded pull secret file.
+    1. Set the `pullSecret` to your JSON pull secret.
 
 #### 1.7 Set up NetworkManager DNS overlay
 This step is optional, but useful for being able to resolve cluster-internal hostnames from your host.

config.tf

@@ -174,12 +174,12 @@ Note: This field MUST be set manually prior to creating the cluster.
 EOF
 }
 
-variable "tectonic_pull_secret_path" {
+variable "tectonic_pull_secret" {
   type    = "string"
   default = ""
 
   description = <<EOF
-The path the pull secret file in JSON format.
+The pull secret in JSON format.
 This is known to be a "Docker pull secret" as produced by the docker login [1] command.
 A sample JSON content is shown in [2].
 You can download the pull secret from your Account overview page at [3].

examples/tectonic.aws.yaml

@@ -230,7 +230,7 @@ nodePools:
 # The platform used for deploying.
 platform: aws
 
-# The path the pull secret file in JSON format.
+# The pull secret in JSON format.
 # This is known to be a "Docker pull secret" as produced by the docker login [1] command.
 # A sample JSON content is shown in [2].
 # You can download the pull secret from your Account overview page at [3].
@@ -240,7 +240,7 @@ platform: aws
 # [2] https://coreos.com/os/docs/latest/registry-authentication.html#manual-registry-auth-setup
 #
 # [3] https://account.coreos.com/overview
-pullSecretPath:
+pullSecret: '{"auths": {}}'
 
 worker:
   # The name of the node pool(s) to use for workers

examples/tectonic.libvirt.yaml

@@ -98,7 +98,7 @@ nodePools:
 # The platform used for deploying.
 platform: libvirt
 
-# The path the pull secret file in JSON format.
+# The pull secret in JSON format.
 # This is known to be a "Docker pull secret" as produced by the docker login [1] command.
 # A sample JSON content is shown in [2].
 # You can download the pull secret from your Account overview page at [3].
@@ -108,7 +108,7 @@ platform: libvirt
 # [2] https://coreos.com/os/docs/latest/registry-authentication.html#manual-registry-auth-setup
 #
 # [3] https://account.coreos.com/overview
-pullSecretPath:
+pullSecret: '{"auths": {}}'
 
 worker:
   nodePools:

installer/pkg/config-generator/fixtures/test-aws.yaml

@@ -12,7 +12,7 @@ master:
 worker:
   nodePools:
     - worker
-pullSecretPath: /path/config.json
+pullSecret: '{"auths": {}}'
 containerLinux:
   channel: stable
   version: latest

installer/pkg/config/cluster.go

@@ -88,7 +88,8 @@ type Cluster struct {
 	Networking      `json:",inline" yaml:"networking,omitempty"`
 	NodePools       `json:"-" yaml:"nodePools"`
 	Platform        Platform `json:"tectonic_platform" yaml:"platform,omitempty"`
-	PullSecretPath  string   `json:"tectonic_pull_secret_path,omitempty" yaml:"pullSecretPath,omitempty"`
+	PullSecret      string   `json:"tectonic_pull_secret,omitempty" yaml:"pullSecret,omitempty"`
+	PullSecretPath  string   `json:"-" yaml:"pullSecretPath,omitempty"` // Deprecated: remove after openshift/release is ported to pullSecret
 	Worker          `json:",inline" yaml:"worker,omitempty"`
 }
 

installer/pkg/config/parser.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"errors"
 	"io/ioutil"
 
 	"gopkg.in/yaml.v2"
@@ -14,6 +15,19 @@ func ParseConfig(data []byte) (*Cluster, error) {
 		return nil, err
 	}
 
+	// Deprecated: remove after openshift/release is ported to pullSecret
+	if cluster.PullSecretPath != "" {
+		if cluster.PullSecret != "" {
+			return nil, errors.New("pullSecretPath is deprecated; just set pullSecret")
+		}
+
+		data, err := ioutil.ReadFile(cluster.PullSecretPath)
+		if err != nil {
+			return nil, err
+		}
+		cluster.PullSecret = string(data)
+	}
+
 	return &cluster, nil
 }
 

installer/pkg/config/validate.go

@@ -83,7 +83,7 @@ func (c *Cluster) Validate() []error {
 	errs = append(errs, c.validateNetworking()...)
 	errs = append(errs, c.validateAWS()...)
 	errs = append(errs, c.validateCL()...)
-	errs = append(errs, c.validateTectonicFiles()...)
+	errs = append(errs, c.validatePullSecret()...)
 	errs = append(errs, c.validateLibvirt()...)
 	errs = append(errs, c.validateCA()...)
 	if err := validate.PrefixError("cluster name", validate.ClusterName(c.Name)); err != nil {
@@ -280,9 +280,9 @@ func (c *Cluster) validateTNCS3Bucket() error {
 	return nil
 }
 
-func (c *Cluster) validateTectonicFiles() []error {
+func (c *Cluster) validatePullSecret() []error {
 	var errs []error
-	if err := validate.JSONFile(c.PullSecretPath); err != nil {
+	if err := validate.JSON([]byte(c.PullSecret)); err != nil {
 		errs = append(errs, err)
 	}
 	return errs

installer/pkg/workflow/fixtures/aws.basic.yaml

@@ -32,7 +32,7 @@ nodePools:
   - name: worker
     count: 3
 platform: aws
-pullSecretPath:
+pullSecret: '{"auths": {}}'
 worker:
   nodePools:
     - worker

installer/pkg/workflow/fixtures/terraform.tfvars

@@ -29,5 +29,6 @@
   "tectonic_service_cidr": "10.3.0.0/16",
   "tectonic_cluster_cidr": "10.2.0.0/16",
   "tectonic_platform": "aws",
+  "tectonic_pull_secret": "{\"auths\": {}}",
   "tectonic_worker_count": 3
 }