Adopt app credentials in the infrastructure controller

gardener · May 18, 2022 · 83f7430 · 83f7430
1 parent ead65c5
commit 83f7430
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 16 deletions.
diff --git a/cmd/gardener-extension-provider-openstack/app/app.go b/cmd/gardener-extension-provider-openstack/app/app.go
@@ -191,6 +191,7 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 
 			configFileOpts.Completed().ApplyETCDStorage(&openstackcontrolplaneexposure.DefaultAddOptions.ETCDStorage)
 			configFileOpts.Completed().ApplyHealthCheckConfig(&healthcheck.DefaultAddOptions.HealthCheckConfig)
+			configFileOpts.Completed().ApplyAppCredentialConfig(&openstackinfrastructure.DefaultAddOptions.AppCredentialConfig)
 			healthCheckCtrlOpts.Completed().Apply(&healthcheck.DefaultAddOptions.Controller)
 			backupBucketCtrlOpts.Completed().Apply(&openstackbackupbucket.DefaultAddOptions.Controller)
 			backupEntryCtrlOpts.Completed().Apply(&openstackbackupentry.DefaultAddOptions.Controller)

diff --git a/pkg/cmd/config.go b/pkg/cmd/config.go
@@ -88,9 +88,16 @@ func (c *Config) Options() config.ControllerConfiguration {
 	return cfg
 }
 
-// ApplyHealthCheckConfig applies the HealthCheckConfig to the config
+// ApplyHealthCheckConfig applies the HealthCheckConfig to the config.
 func (c *Config) ApplyHealthCheckConfig(config *healthcheckconfig.HealthCheckConfig) {
 	if c.Config.HealthCheckConfig != nil {
 		*config = *c.Config.HealthCheckConfig
 	}
 }
+
+// ApplyAppCredentialConfig applies the ApplicationCrendentialConfig to the config.
+func (c *Config) ApplyAppCredentialConfig(config *config.ApplicationCredentialConfig) {
+	if c.Config.ApplicationCredentialConfig != nil {
+		*config = *c.Config.ApplicationCredentialConfig
+	}
+}
diff --git a/pkg/controller/infrastructure/actuator.go b/pkg/controller/infrastructure/actuator.go
@@ -17,6 +17,7 @@ package infrastructure
 import (
 	"context"
 
+	controllerconfig "github.com/gardener/gardener-extension-provider-openstack/pkg/apis/config"
 	api "github.com/gardener/gardener-extension-provider-openstack/pkg/apis/openstack"
 	infrainternal "github.com/gardener/gardener-extension-provider-openstack/pkg/internal/infrastructure"
 
@@ -34,13 +35,15 @@ type actuator struct {
 	logger logr.Logger
 	common.RESTConfigContext
 	disableProjectedTokenMount bool
+	appCredentialConfig        *controllerconfig.ApplicationCredentialConfig
 }
 
 // NewActuator creates a new Actuator that updates the status of the handled Infrastructure resources.
-func NewActuator(disableProjectedTokenMount bool) infrastructure.Actuator {
+func NewActuator(disableProjectedTokenMount bool, appCredentialConfig *controllerconfig.ApplicationCredentialConfig) infrastructure.Actuator {
 	return &actuator{
 		logger:                     log.Log.WithName("infrastructure-actuator"),
 		disableProjectedTokenMount: disableProjectedTokenMount,
+		appCredentialConfig:        appCredentialConfig,
 	}
 }
 

diff --git a/pkg/controller/infrastructure/actuator_delete.go b/pkg/controller/infrastructure/actuator_delete.go
@@ -21,9 +21,11 @@ import (
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/apis/openstack/helper"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/internal"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/internal/infrastructure"
+	"github.com/gardener/gardener-extension-provider-openstack/pkg/internal/managedappcredential"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/openstack"
-
+	openstackclient "github.com/gardener/gardener-extension-provider-openstack/pkg/openstack/client"
 	extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
+	extensionsinfracontroller "github.com/gardener/gardener/extensions/pkg/controller/infrastructure"
 	"github.com/gardener/gardener/extensions/pkg/terraformer"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -32,6 +34,38 @@ import (
 func (a *actuator) Delete(ctx context.Context, infra *extensionsv1alpha1.Infrastructure, cluster *extensionscontroller.Cluster) error {
 	logger := a.logger.WithValues("infrastructure", client.ObjectKeyFromObject(infra), "operation", "delete")
 
+	// need to known if application credentials are used
+	credentials, err := openstack.GetCredentials(ctx, a.Client(), infra.Spec.SecretRef, false)
+	if err != nil {
+		return err
+	}
+	userCredentials := credentials
+
+	appCredentialManager := managedappcredential.NewManager(
+		openstackclient.FactoryFactoryFunc(openstackclient.NewOpenstackClientFromCredentials),
+		a.appCredentialConfig,
+		a.Client(),
+		infra.Namespace,
+		infra.Name,
+		extensionsinfracontroller.FinalizerName,
+		a.logger,
+	)
+
+	if err = appCredentialManager.Ensure(ctx, userCredentials); err != nil {
+		return err
+	}
+
+	appCredentialCredentials, appCredentialSecretRef, err := managedappcredential.GetCredentials(ctx, a.Client(), infra.Namespace)
+	if err != nil {
+		return err
+	}
+
+	secretRef := &infra.Spec.SecretRef
+	if appCredentialCredentials != nil && appCredentialSecretRef != nil {
+		credentials = appCredentialCredentials
+		secretRef = appCredentialSecretRef
+	}
+
 	tf, err := internal.NewTerraformer(logger, a.RESTConfig(), infrastructure.TerraformerPurpose, infra, a.disableProjectedTokenMount)
 	if err != nil {
 		return fmt.Errorf("could not create the Terraformer: %+v", err)
@@ -44,8 +78,11 @@ func (a *actuator) Delete(ctx context.Context, infra *extensionsv1alpha1.Infrast
 
 	// If the Terraform state is empty then we can exit early as we didn't create anything. Though, we clean up potentially
 	// created configmaps/secrets related to the Terraformer.
-	stateIsEmpty := tf.IsStateEmpty(ctx)
-	if stateIsEmpty {
+	if tf.IsStateEmpty(ctx) {
+		if err := appCredentialManager.Delete(ctx, userCredentials); err != nil {
+			return err
+		}
+
 		a.logger.Info("exiting early as infrastructure state is empty - nothing to do")
 		return tf.CleanupConfiguration(ctx)
 	}
@@ -60,15 +97,13 @@ func (a *actuator) Delete(ctx context.Context, infra *extensionsv1alpha1.Infrast
 		return err
 	}
 
-	// need to known if application credentials are used
-	credentials, err := openstack.GetCredentials(ctx, a.Client(), infra.Spec.SecretRef, false)
-	if err != nil {
+	stateInitializer := terraformer.StateConfigMapInitializerFunc(terraformer.CreateState)
+	if err := tf.
+		InitializeWith(ctx, terraformer.DefaultInitializer(a.Client(), terraformFiles.Main, terraformFiles.Variables, terraformFiles.TFVars, stateInitializer)).
+		SetEnvVars(internal.TerraformerEnvVars(*secretRef, credentials)...).
+		Destroy(ctx); err != nil {
 		return err
 	}
 
-	stateInitializer := terraformer.StateConfigMapInitializerFunc(terraformer.CreateState)
-	return tf.
-		InitializeWith(ctx, terraformer.DefaultInitializer(a.Client(), terraformFiles.Main, terraformFiles.Variables, terraformFiles.TFVars, stateInitializer)).
-		SetEnvVars(internal.TerraformerEnvVars(infra.Spec.SecretRef, credentials)...).
-		Destroy(ctx)
+	return appCredentialManager.Delete(ctx, userCredentials)
 }
diff --git a/pkg/controller/infrastructure/actuator_reconcile.go b/pkg/controller/infrastructure/actuator_reconcile.go
@@ -21,9 +21,12 @@ import (
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/apis/openstack/helper"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/internal"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/internal/infrastructure"
+	"github.com/gardener/gardener-extension-provider-openstack/pkg/internal/managedappcredential"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/openstack"
+	openstackclient "github.com/gardener/gardener-extension-provider-openstack/pkg/openstack/client"
 
 	extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
+	extensionsinfracontroller "github.com/gardener/gardener/extensions/pkg/controller/infrastructure"
 	"github.com/gardener/gardener/extensions/pkg/terraformer"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	"github.com/go-logr/logr"
@@ -52,7 +55,31 @@ func (a *actuator) reconcile(ctx context.Context, logger logr.Logger, infra *ext
 		return err
 	}
 
-	tf, err := internal.NewTerraformerWithAuth(logger, a.RESTConfig(), infrastructure.TerraformerPurpose, infra, credentials, a.disableProjectedTokenMount)
+	appCredentialManager := managedappcredential.NewManager(
+		openstackclient.FactoryFactoryFunc(openstackclient.NewOpenstackClientFromCredentials),
+		a.appCredentialConfig,
+		a.Client(),
+		infra.Namespace,
+		infra.Name,
+		extensionsinfracontroller.FinalizerName,
+		a.logger,
+	)
+
+	if err = appCredentialManager.Ensure(ctx, credentials); err != nil {
+		return err
+	}
+
+	appCredentialCredentials, appCredentialSecretRef, err := managedappcredential.GetCredentials(ctx, a.Client(), infra.Namespace)
+	if err != nil {
+		return err
+	}
+	secretReference := &infra.Spec.SecretRef
+	if appCredentialCredentials != nil && appCredentialSecretRef != nil {
+		credentials = appCredentialCredentials
+		secretReference = appCredentialSecretRef
+	}
+
+	tf, err := internal.NewTerraformerWithAuth(logger, a.RESTConfig(), infrastructure.TerraformerPurpose, infra, credentials, secretReference, a.disableProjectedTokenMount)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/controller/infrastructure/add.go b/pkg/controller/infrastructure/add.go
@@ -15,6 +15,7 @@
 package infrastructure
 
 import (
+	controllerconfig "github.com/gardener/gardener-extension-provider-openstack/pkg/apis/config"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/openstack"
 	openstackclient "github.com/gardener/gardener-extension-provider-openstack/pkg/openstack/client"
 
@@ -38,13 +39,15 @@ type AddOptions struct {
 	// DisableProjectedTokenMount specifies whether the projected token mount shall be disabled for the terraformer.
 	// Used for testing only.
 	DisableProjectedTokenMount bool
+	// AppCredentialConfig specifies the configuration for application credential usage.
+	AppCredentialConfig controllerconfig.ApplicationCredentialConfig
 }
 
 // AddToManagerWithOptions adds a controller with the given AddOptions to the given manager.
 // The opts.Reconciler is being set with a newly instantiated actuator.
 func AddToManagerWithOptions(mgr manager.Manager, options AddOptions) error {
 	return infrastructure.Add(mgr, infrastructure.AddArgs{
-		Actuator:          NewActuator(options.DisableProjectedTokenMount),
+		Actuator:          NewActuator(options.DisableProjectedTokenMount, &options.AppCredentialConfig),
 		ConfigValidator:   NewConfigValidator(openstackclient.FactoryFactoryFunc(openstackclient.NewOpenstackClientFromCredentials), log.Log),
 		ControllerOptions: options.Controller,
 		Predicates:        infrastructure.DefaultPredicates(options.IgnoreOperationAnnotation),

diff --git a/pkg/internal/terraform.go b/pkg/internal/terraform.go
@@ -106,6 +106,7 @@ func NewTerraformerWithAuth(
 	purpose string,
 	infra *extensionsv1alpha1.Infrastructure,
 	credentials *openstack.Credentials,
+	secretRef *corev1.SecretReference,
 	disableProjectedTokenMount bool,
 ) (
 	terraformer.Terraformer,
@@ -116,7 +117,7 @@ func NewTerraformerWithAuth(
 		return nil, err
 	}
 
-	return tf.SetEnvVars(TerraformerEnvVars(infra.Spec.SecretRef, credentials)...), nil
+	return tf.SetEnvVars(TerraformerEnvVars(*secretRef, credentials)...), nil
 }
 
 func createEnvVar(secretRef corev1.SecretReference, name, key string) corev1.EnvVar {