✨ CABPK can now read file contents from a Secret

[alexeldeib]

What this PR does / why we need it:
related to #1739

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

revised from #3038 after offline discussion

still needs some manual testing

[alexeldeib]

/hold

for some additional manual testing

[alexeldeib]

/test pull-cluster-api-e2e

[vincepri]

We should still restore it when we go v1alpha3 -> v1alpha2 -> v1alpha3, there is an example in other files, or I can help tomorrow

[alexeldeib]

will add

[vincepri]

This shouldn't be optional I think? If one specifies a FileSource in file.contentFrom: {} it should fail validation saying that secret is required

[alexeldeib]

Since we only have one I was thinking if in the future we change this from required to optional it'd be breaking? But I think you mentioned today it's fine, and I concur that makes sense. Will make required.

The webhook does validate the stricter scenario already, I think you're correct regardless.

[vincepri]

/test pull-cluster-api-test

[vincepri]

Only reviewed ~40% for now, will continue later

[alexeldeib]

I tried to reorder commits so all the functional stuff is in one because it's fairly small compared to total changes. Moved the rest into separate Go/yaml commits, hope that's easier to review.

[alexeldeib]

How this looks for Azure now, if anyone is interested:

apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
spec:
  template:
    spec:
      files:
      - contentFrom:
          secret:
            name: azure-secret
            key: azure.json
        owner: root:root
        path: /etc/kubernetes/azure.json
        permissions: "0644"
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            cloud-config: /etc/kubernetes/azure.json
            cloud-provider: azure
          name: '{{ ds.meta_data["local_hostname"] }}'
---
apiVersion: v1
kind: Secret
metadata:
  name: azure-secret
data:
  "azure.json": |
    ${AZURE_JSON_B64}

definitely nicer than the previous example IMO

[alexeldeib]

I think this is what we want? Otherwise we have to match files based on some property field to match array items?

[vincepri]

We should only restore the files that have ContentFrom populated (non-nil)

[alexeldeib]

Is this because the restored version might be stale where conversion was possible?

[vincepri]

Correct, in case a v1alpha2 controller modified some of the files (even though unlikely because bootstrap should only happen once), we need to make sure to restore those that have the new schema.

[CecileRobertMichon]

I'm not sure I follow what this is doing... we're setting dst.Spec.Files to restored.Spec.Files and then appending some of the restored files to dst.Spec.Files? Isn't that going to result in duplicates?

[alexeldeib]

Nice catch.

I think the first line dst.Spec.Files = restores.Spec.Files is leftover from my first revision, it should only be the loop. The intent is to look at restored files with contentFrom and append them. We shouldn’t append restored files with content set.

Will PR shortly

[alexeldeib]

/hold cancel

[vincepri]

Suggested change

	func (c *KubeadmConfig) validate() error {
	func (c *KubeadmConfigSpec) validate() error {

If we add this method to KubeadmConfigSpec instead of KubeadmConfig we should be able to call it from the webhooks defined under controlplane/kubeadm as well.

[alexeldeib]

better?

[alexeldeib]

/retest

[alexeldeib]

/retest

[vincepri]

One other thing that came to mind when I was reading the conversion is that today files has no checks on whether the path for each added file is actually unique.

Would that cause a configuration error?

[vincepri]

Just to double check, this logic is only changing the content of the struct at runtime, but it won't be stored in the KubeadmConfig at the end when we patch.

[alexeldeib]

That's the intent. I could probably make this a little bit more explicit by newing up a slice, copying, and returning? Plus comments

[vincepri]

/milestone v0.3.7

[alexeldeib]

Files not validating path uniqueness is a problem, yes. This PR matches the existing behavior in files which is effectively "last file wins". I can validate uniqueness on path and adjust the conversion logic to account?

The main effect of this right now is loss of conversion fidelity: conversion from v1a3 to v1a2, then adding a raw content file with the same path as a contentFrom file and then converting back to v1a3 would prefer the contentFrom file, even though the raw content file is newer.

[alexeldeib]

We should probably also validate that via webhooks at create time

[fabriziopandini]

@alexeldeib I like very much this new approach
Only one minor not from my side, otherwise lgtm

[vincepri]

@alexeldeib I'm fine doing the validation in a different PR / later

[vincepri]

/retitle ✨ CABPK can now read file contents from a Secret

[fabriziopandini]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeldeib, fabriziopandini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [fabriziopandini]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alexeldeib]

@vincepri I'm happy either way. Might make more sense to snapshot as-is and iterate, but the additional code change isn't too big. I'll have a chance to wrap up the additional changes today/tomorrow.

@fabriziopandini thanks for review! 👍

[vincepri]

/lgtm