Add conversion for SecretReference to string

Signed-off-by: Tobias Giese <[email protected]>

api/v1alpha3/conversion.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha3
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	ctrlconversion "sigs.k8s.io/controller-runtime/pkg/conversion"
 
@@ -113,20 +114,37 @@ func Convert_v1alpha3_OpenStackClusterSpec_To_v1alpha4_OpenStackClusterSpec(in *
 	return autoConvert_v1alpha3_OpenStackClusterSpec_To_v1alpha4_OpenStackClusterSpec(in, out, s)
 }
 
+// Convert_v1alpha4_OpenStackClusterSpec_To_v1alpha3_OpenStackClusterSpec has to be added by us because we have to
+// convert the Type of CloudsSecret from SecretReference to string.
+func Convert_v1alpha4_OpenStackClusterSpec_To_v1alpha3_OpenStackClusterSpec(in *v1alpha4.OpenStackClusterSpec, out *OpenStackClusterSpec, s conversion.Scope) error {
+	if in.IdentityRef != nil {
+		out.CloudsSecret = &corev1.SecretReference{
+			Name: in.IdentityRef.Name,
+		}
+	}
+	return autoConvert_v1alpha4_OpenStackClusterSpec_To_v1alpha3_OpenStackClusterSpec(in, out, s)
+}
+
 // Convert_v1alpha3_OpenStackMachineSpec_To_v1alpha4_OpenStackMachineSpec is an autogenerated conversion function.
 // v1alpha4 drops the field .UserDataSecret which is why we reuqire to define the function here.
 func Convert_v1alpha3_OpenStackMachineSpec_To_v1alpha4_OpenStackMachineSpec(in *OpenStackMachineSpec, out *v1alpha4.OpenStackMachineSpec, s conversion.Scope) error {
+	if in.CloudsSecret != nil {
+		out.IdentityRef = &v1alpha4.OpenStackIdentityReference{
+			Name: in.CloudsSecret.Name,
+		}
+	}
 	return autoConvert_v1alpha3_OpenStackMachineSpec_To_v1alpha4_OpenStackMachineSpec(in, out, s)
 }
 
-// Convert_v1alpha3_OpenStackClusterSpec_To_v1alpha4_OpenStackClusterSpec has to be added by us for the new portOpts
+// Convert_v1alpha4_Network_To_v1alpha3_Network has to be added by us for the new portOpts
 // parameter in v1alpha4. There is no intention to support this parameter in v1alpha3, so the field is just dropped.
 func Convert_v1alpha4_Network_To_v1alpha3_Network(in *v1alpha4.Network, out *Network, s conversion.Scope) error {
 	return autoConvert_v1alpha4_Network_To_v1alpha3_Network(in, out, s)
 }
 
-// Convert_v1alpha3_OpenStackClusterSpec_To_v1alpha4_OpenStackClusterSpec has to be added by us for the new ports
+// Convert_v1alpha4_OpenStackMachineSpec_To_v1alpha3_OpenStackMachineSpec has to be added by us for the new ports
 // parameter in v1alpha4. There is no intention to support this parameter in v1alpha3, so the field is just dropped.
+// Further, we want to convert the Type of CloudsSecret from SecretReference to string.
 func Convert_v1alpha4_OpenStackMachineSpec_To_v1alpha3_OpenStackMachineSpec(in *v1alpha4.OpenStackMachineSpec, out *OpenStackMachineSpec, s conversion.Scope) error {
 	return autoConvert_v1alpha4_OpenStackMachineSpec_To_v1alpha3_OpenStackMachineSpec(in, out, s)
 }

api/v1alpha3/openstackcluster_types.go

@@ -33,6 +33,7 @@ type OpenStackClusterSpec struct {
 
 	// The name of the secret containing the openstack credentials
 	// +optional
+	// +k8s:conversion-gen=false
 	CloudsSecret *corev1.SecretReference `json:"cloudsSecret"`
 
 	// The name of the cloud to use from the clouds secret

api/v1alpha3/openstackmachine_types.go

@@ -38,6 +38,7 @@ type OpenStackMachineSpec struct {
 
 	// The name of the secret containing the openstack credentials
 	// +optional
+	// +k8s:conversion-gen=false
 	CloudsSecret *corev1.SecretReference `json:"cloudsSecret"`
 
 	// The name of the cloud to use from the clouds secret

api/v1alpha4/identity_types.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha4
+
+const defaultIdentityRefKind = "Secret"
+
+// OpenStackIdentityReference is a reference to an infrastructure
+// provider identity to be used to provision cluster resources.
+type OpenStackIdentityReference struct {
+	// Kind of the identity. Must be supported by the infrastructure
+	// provider and may be either cluster or namespace-scoped.
+	// +kubebuilder:validation:MinLength=1
+	Kind string `json:"kind"`
+
+	// Name of the infrastructure identity to be used.
+	// Must be either a cluster-scoped resource, or namespaced-scoped
+	// resource the same namespace as the resource(s) being provisioned.
+	Name string `json:"name"`
+}

api/v1alpha4/openstackcluster_types.go

@@ -17,7 +17,6 @@ limitations under the License.
 package v1alpha4
 
 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha4"
 	capierrors "sigs.k8s.io/cluster-api/errors"
@@ -31,11 +30,6 @@ const (
 
 // OpenStackClusterSpec defines the desired state of OpenStackCluster.
 type OpenStackClusterSpec struct {
-
-	// The name of the secret containing the openstack credentials
-	// +optional
-	CloudsSecret *corev1.SecretReference `json:"cloudsSecret"`
-
 	// The name of the cloud to use from the clouds secret
 	// +optional
 	CloudName string `json:"cloudName"`
@@ -106,6 +100,11 @@ type OpenStackClusterSpec struct {
 	// Bastion is the OpenStack instance to login the nodes
 	//+optional
 	Bastion *Bastion `json:"bastion,omitempty"`
+
+	// IdentityRef is a reference to a identity to be used when reconciling this cluster
+	// +optional
+	// +k8s:conversion-gen=false
+	IdentityRef *OpenStackIdentityReference `json:"identityRef,omitempty"`
 }
 
 // OpenStackClusterStatus defines the observed state of OpenStackCluster.

api/v1alpha4/openstackcluster_webhook.go

@@ -17,9 +17,12 @@ limitations under the License.
 package v1alpha4
 
 import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
 // log is for logging in this package.
@@ -30,3 +33,45 @@ func (r *OpenStackCluster) SetupWebhookWithManager(mgr manager.Manager) error {
 		For(r).
 		Complete()
 }
+
+// +kubebuilder:webhook:verbs=create;update,path=/validate-infrastructure-cluster-x-k8s-io-v1alpha4-openstackcluster,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=infrastructure.cluster.x-k8s.io,resources=openstackcluster,versions=v1alpha4,name=validation.openstackcluster.infrastructure.x-k8s.io,sideEffects=None,admissionReviewVersions=v1beta1
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-infrastructure-cluster-x-k8s-io-v1alpha4-openstackcluster,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=infrastructure.cluster.x-k8s.io,resources=openstackcluster,versions=v1alpha4,name=default.openstackcluster.infrastructure.x-k8s.io,sideEffects=None,admissionReviewVersions=v1beta1
+
+var (
+	_ webhook.Defaulter = &OpenStackCluster{}
+	_ webhook.Validator = &OpenStackCluster{}
+)
+
+// Default satisfies the defaulting webhook interface.
+func (r *OpenStackCluster) Default() {
+	if r.Spec.IdentityRef != nil && r.Spec.IdentityRef.Kind == "" {
+		r.Spec.IdentityRef.Kind = defaultIdentityRefKind
+	}
+}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
+func (r *OpenStackCluster) ValidateCreate() error {
+	var allErrs field.ErrorList
+
+	if r.Spec.IdentityRef != nil && r.Spec.IdentityRef.Kind != defaultIdentityRefKind {
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "identityRef", "kind"), "must be a Secret"))
+	}
+
+	return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
+func (r *OpenStackCluster) ValidateUpdate(old runtime.Object) error {
+	var allErrs field.ErrorList
+
+	if r.Spec.IdentityRef != nil && r.Spec.IdentityRef.Kind != defaultIdentityRefKind {
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "identityRef", "kind"), "must be a Secret"))
+	}
+
+	return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
+func (r *OpenStackCluster) ValidateDelete() error {
+	return nil
+}

api/v1alpha4/openstackmachine_types.go

@@ -36,10 +36,6 @@ type OpenStackMachineSpec struct {
 	// InstanceID is the OpenStack instance ID for this machine.
 	InstanceID *string `json:"instanceID,omitempty"`
 
-	// The name of the secret containing the openstack credentials
-	// +optional
-	CloudsSecret *corev1.SecretReference `json:"cloudsSecret"`
-
 	// The name of the cloud to use from the clouds secret
 	// +optional
 	CloudName string `json:"cloudName"`
@@ -90,6 +86,11 @@ type OpenStackMachineSpec struct {
 
 	// The server group to assign the machine to
 	ServerGroupID string `json:"serverGroupID,omitempty"`
+
+	// IdentityRef is a reference to a identity to be used when reconciling this cluster
+	// +optional
+	// +k8s:conversion-gen=false
+	IdentityRef *OpenStackIdentityReference `json:"identityRef,omitempty"`
 }
 
 // OpenStackMachineStatus defines the observed state of OpenStackMachine.

api/v1alpha4/openstackmachine_webhook.go

@@ -39,13 +39,28 @@ func (r *OpenStackMachine) SetupWebhookWithManager(mgr manager.Manager) error {
 }
 
 // +kubebuilder:webhook:verbs=create;update,path=/validate-infrastructure-cluster-x-k8s-io-v1alpha4-openstackmachine,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=infrastructure.cluster.x-k8s.io,resources=openstackmachines,versions=v1alpha4,name=validation.openstackmachine.infrastructure.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1beta1
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-infrastructure-cluster-x-k8s-io-v1alpha4-openstackmachine,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=infrastructure.cluster.x-k8s.io,resources=openstackmachines,versions=v1alpha4,name=default.openstackmachine.infrastructure.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1beta1
 
-var _ webhook.Validator = &OpenStackMachine{}
+var (
+	_ webhook.Defaulter = &OpenStackMachine{}
+	_ webhook.Validator = &OpenStackMachine{}
+)
+
+// Default satisfies the defaulting webhook interface.
+func (r *OpenStackMachine) Default() {
+	if r.Spec.IdentityRef != nil && r.Spec.IdentityRef.Kind == "" {
+		r.Spec.IdentityRef.Kind = defaultIdentityRefKind
+	}
+}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *OpenStackMachine) ValidateCreate() error {
 	var allErrs field.ErrorList
 
+	if r.Spec.IdentityRef != nil && r.Spec.IdentityRef.Kind != defaultIdentityRefKind {
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "identityRef", "kind"), "must be a Secret"))
+	}
+
 	return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
 
@@ -66,6 +81,10 @@ func (r *OpenStackMachine) ValidateUpdate(old runtime.Object) error {
 
 	var allErrs field.ErrorList
 
+	if r.Spec.IdentityRef != nil && r.Spec.IdentityRef.Kind != defaultIdentityRefKind {
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "identityRef", "kind"), "must be a Secret"))
+	}
+
 	newOpenStackMachineSpec := newOpenStackMachine["spec"].(map[string]interface{})
 	oldOpenStackMachineSpec := oldOpenStackMachine["spec"].(map[string]interface{})
 

api/v1alpha4/openstackmachinetemplate_webhook.go

@@ -61,11 +61,7 @@ func (r *OpenStackMachineTemplate) ValidateUpdate(old runtime.Object) error {
 		)
 	}
 
-	if len(allErrs) != 0 {
-		return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
-	}
-
-	return nil
+	return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.