Adapt worker and controlplane controller to use managed app credentials

gardener · May 18, 2022 · 6c127d7 · 6c127d7
1 parent 83f7430
commit 6c127d7
Show file tree

Hide file tree

Showing 6 changed files with 93 additions and 32 deletions.
diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
@@ -22,6 +22,7 @@ import (
 
 	api "github.com/gardener/gardener-extension-provider-openstack/pkg/apis/openstack"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/apis/openstack/helper"
+	"github.com/gardener/gardener-extension-provider-openstack/pkg/internal/managedappcredential"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/openstack"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/utils"
 
@@ -277,10 +278,19 @@ func (vp *valuesProvider) GetConfigChartValues(
 		return nil, err
 	}
 
-	// Get credentials
-	credentials, err := openstack.GetCredentials(ctx, vp.Client(), cp.Spec.SecretRef, false)
+	// Try to read the credentials of the managed application credential if exists.
+	credentials, _, err := managedappcredential.GetCredentials(ctx, vp.Client(), cp.Namespace)
 	if err != nil {
-		return nil, fmt.Errorf("could not get service account from secret '%s/%s': %w", cp.Spec.SecretRef.Namespace, cp.Spec.SecretRef.Name, err)
+		return nil, err
+	}
+
+	if credentials == nil {
+		// If no managed application credential exists take the regular user.
+		userCredentials, err := openstack.GetCredentials(ctx, vp.Client(), cp.Spec.SecretRef, false)
+		if err != nil {
+			return nil, fmt.Errorf("could not get service account from secret '%s/%s': %w", cp.Spec.SecretRef.Namespace, cp.Spec.SecretRef.Name, err)
+		}
+		credentials = userCredentials
 	}
 
 	return getConfigChartValues(cpConfig, infraStatus, cloudProfileConfig, cp, credentials, cluster)

diff --git a/pkg/controller/controlplane/valuesprovider_test.go b/pkg/controller/controlplane/valuesprovider_test.go
@@ -35,6 +35,7 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/utils/pointer"
@@ -299,6 +300,7 @@ var _ = Describe("ValuesProvider", func() {
 		}
 
 		It("should return correct config chart values", func() {
+			expectGetManagedApplicationCredentialSecretToFail(ctx, c)
 			c.EXPECT().Get(ctx, cpSecretKey, &corev1.Secret{}).DoAndReturn(clientGet(cpSecret))
 
 			values, err := vp.GetConfigChartValues(ctx, cp, clusterK8sLessThan119)
@@ -307,6 +309,7 @@ var _ = Describe("ValuesProvider", func() {
 		})
 
 		It("should return correct config chart values with load balancer classes", func() {
+			expectGetManagedApplicationCredentialSecretToFail(ctx, c)
 			c.EXPECT().Get(ctx, cpSecretKey, &corev1.Secret{}).DoAndReturn(clientGet(cpSecret))
 
 			var (
@@ -398,6 +401,7 @@ var _ = Describe("ValuesProvider", func() {
 		})
 
 		It("should return correct config chart values with load balancer classes with purpose", func() {
+			expectGetManagedApplicationCredentialSecretToFail(ctx, c)
 			c.EXPECT().Get(ctx, cpSecretKey, &corev1.Secret{}).DoAndReturn(clientGet(cpSecret))
 
 			var (
@@ -455,6 +459,7 @@ var _ = Describe("ValuesProvider", func() {
 				"applicationCredentialSecret": []byte(`app-secret`),
 			}
 
+			expectGetManagedApplicationCredentialSecretToFail(ctx, c)
 			c.EXPECT().Get(ctx, cpSecretKey, &corev1.Secret{}).DoAndReturn(clientGet(&secret2))
 
 			expectedValues := utils.MergeMaps(configChartValues, map[string]interface{}{
@@ -647,3 +652,15 @@ func clientGet(result runtime.Object) interface{} {
 		return nil
 	}
 }
+
+func expectGetManagedApplicationCredentialSecretToFail(ctx context.Context, c *mockclient.MockClient) {
+	c.EXPECT().Get(
+		ctx,
+		client.ObjectKey{Namespace: namespace, Name: "cloudprovider-application-credential"},
+		gomock.AssignableToTypeOf(&corev1.Secret{}),
+	).Return(&apierrors.StatusError{
+		ErrStatus: metav1.Status{
+			Reason: metav1.StatusReasonNotFound,
+		},
+	})
+}
diff --git a/pkg/controller/worker/actuator.go b/pkg/controller/worker/actuator.go
@@ -21,6 +21,7 @@ import (
 	api "github.com/gardener/gardener-extension-provider-openstack/pkg/apis/openstack"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/apis/openstack/helper"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/imagevector"
+	"github.com/gardener/gardener-extension-provider-openstack/pkg/internal/managedappcredential"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/openstack"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/openstack/client"
 
@@ -32,6 +33,7 @@ import (
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	gardener "github.com/gardener/gardener/pkg/client/kubernetes"
 	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -85,7 +87,17 @@ func (d *delegateFactory) WorkerDelegate(ctx context.Context, worker *extensions
 		return nil, err
 	}
 
-	openstackClient, err := client.NewOpenStackClientFromSecretRef(ctx, d.Client(), worker.Spec.SecretRef, &keyStoneURL)
+	secretRef := &worker.Spec.SecretRef
+	_, appCredentialSecretRef, err := managedappcredential.GetCredentials(ctx, d.Client(), worker.Namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	if appCredentialSecretRef != nil {
+		secretRef = appCredentialSecretRef
+	}
+
+	openstackClient, err := client.NewOpenStackClientFromSecretRef(ctx, d.Client(), *secretRef, &keyStoneURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create openstack client: %w", err)
 	}
@@ -99,6 +111,7 @@ func (d *delegateFactory) WorkerDelegate(ctx context.Context, worker *extensions
 		worker,
 		cluster,
 		openstackClient,
+		secretRef,
 	)
 }
 
@@ -116,7 +129,8 @@ type workerDelegate struct {
 	machineDeployments worker.MachineDeployments
 	machineImages      []api.MachineImage
 
-	openstackClient client.Factory
+	openstackClient    client.Factory
+	openstackSecretRef *corev1.SecretReference
 }
 
 // NewWorkerDelegate creates a new context for a worker reconciliation.
@@ -129,6 +143,7 @@ func NewWorkerDelegate(
 	worker *extensionsv1alpha1.Worker,
 	cluster *extensionscontroller.Cluster,
 	openstackClient client.Factory,
+	openstackSecretRef *corev1.SecretReference,
 ) (genericactuator.WorkerDelegate, error) {
 	config, err := helper.CloudProfileConfigFromCluster(cluster)
 	if err != nil {
@@ -145,5 +160,6 @@ func NewWorkerDelegate(
 		cluster:            cluster,
 		worker:             worker,
 		openstackClient:    openstackClient,
+		openstackSecretRef: openstackSecretRef,
 	}, nil
 }
diff --git a/pkg/controller/worker/machine_dependencies_test.go b/pkg/controller/worker/machine_dependencies_test.go
@@ -39,6 +39,7 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	. "github.com/onsi/gomega/gstruct"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
@@ -83,7 +84,9 @@ var _ = Describe("#MachineDependencies", func() {
 		var (
 			clusterName = "shoot--foobar--openstack"
 			namespace   = clusterName
-			w           *extensionsv1alpha1.Worker
+
+			w                  *extensionsv1alpha1.Worker
+			openstackSecretRef *corev1.SecretReference
 		)
 
 		BeforeEach(func() {
@@ -92,6 +95,12 @@ var _ = Describe("#MachineDependencies", func() {
 					Namespace: namespace,
 				},
 			}
+
+			openstackSecretRef = &corev1.SecretReference{
+				Name:      "secret",
+				Namespace: namespace,
+			}
+
 			osFactory.EXPECT().Compute().AnyTimes().Return(computeClient, nil)
 		})
 
@@ -103,6 +112,7 @@ var _ = Describe("#MachineDependencies", func() {
 				w,
 				newClusterWithDefaultCloudProfileConfig(clusterName),
 				osFactory,
+				openstackSecretRef,
 			)
 
 			ctx := context.Background()
@@ -137,6 +147,7 @@ var _ = Describe("#MachineDependencies", func() {
 				w,
 				newClusterWithDefaultCloudProfileConfig(clusterName),
 				osFactory,
+				openstackSecretRef,
 			)
 
 			computeClient.EXPECT().CreateServerGroup(prefixMatch(serverGroupPrefix(clusterName, pool1)), policy).Return(&servergroups.ServerGroup{
@@ -182,6 +193,7 @@ var _ = Describe("#MachineDependencies", func() {
 				w,
 				newClusterWithDefaultCloudProfileConfig(clusterName),
 				osFactory,
+				openstackSecretRef,
 			)
 
 			computeClient.EXPECT().CreateServerGroup(prefixMatch(serverGroupPrefix(clusterName, poolName)), policy).Return(&servergroups.ServerGroup{
@@ -251,6 +263,7 @@ var _ = Describe("#MachineDependencies", func() {
 				w,
 				newClusterWithDefaultCloudProfileConfig(clusterName),
 				osFactory,
+				openstackSecretRef,
 			)
 
 			computeClient.EXPECT().ListServerGroups().Return([]servergroups.ServerGroup{
@@ -305,6 +318,7 @@ var _ = Describe("#MachineDependencies", func() {
 				w,
 				newClusterWithDefaultCloudProfileConfig(clusterName),
 				osFactory,
+				openstackSecretRef,
 			)
 
 			computeClient.EXPECT().ListServerGroups().Return([]servergroups.ServerGroup{
@@ -367,6 +381,7 @@ var _ = Describe("#MachineDependencies", func() {
 				w,
 				newClusterWithDefaultCloudProfileConfig(clusterName),
 				osFactory,
+				openstackSecretRef,
 			)
 
 			computeClient.EXPECT().ListServerGroups().Return([]servergroups.ServerGroup{

diff --git a/pkg/controller/worker/machines.go b/pkg/controller/worker/machines.go
@@ -148,8 +148,8 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 					"kubernetes.io-role-node":                                   "1",
 				},
 				"credentialsSecretRef": map[string]interface{}{
-					"name":      w.worker.Spec.SecretRef.Name,
-					"namespace": w.worker.Spec.SecretRef.Namespace,
+					"name":      w.openstackSecretRef.Name,
+					"namespace": w.openstackSecretRef.Namespace,
 				},
 				"secret": map[string]interface{}{
 					"cloudConfig": string(pool.UserData),