Skip to content

Commit

Permalink
Add CCM secrets propagation
Browse files Browse the repository at this point in the history
  • Loading branch information
a13x5 committed Oct 2, 2024
1 parent 7dca223 commit d299e98
Show file tree
Hide file tree
Showing 20 changed files with 243 additions and 39 deletions.
4 changes: 4 additions & 0 deletions api/v1alpha1/managedcluster_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ const (

// CredentialReadyCondition indicates if referenced Credential exists and has Ready state
CredentialReadyCondition = "CredentialReady"
// CredentialPropagatedCondition indicates that CCM credentials were delivered to managed cluster
CredentialsPropagatedCondition = "CredentialsApplied"
// TemplateReadyCondition indicates the referenced Template exists and valid.
TemplateReadyCondition = "TemplateReady"
// HelmChartReadyCondition indicates the corresponding HelmChart is valid and ready.
Expand Down Expand Up @@ -110,6 +112,8 @@ type ManagedClusterStatus struct {
Conditions []metav1.Condition `json:"conditions,omitempty"`
// ObservedGeneration is the last observed generation.
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
// CCMSecretReconciled signify if CCM secret was reconciled on managed cluster
CCMSecretReconciled bool `json:"ccmSecretCreated,omitempty"`
}

// +kubebuilder:object:root=true
Expand Down
2 changes: 2 additions & 0 deletions cmd/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import (
"k8s.io/client-go/dynamic"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
_ "k8s.io/client-go/plugin/pkg/client/auth"
capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/healthz"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
Expand Down Expand Up @@ -56,6 +57,7 @@ func init() {
utilruntime.Must(sourcev1.AddToScheme(scheme))
utilruntime.Must(hcv2.AddToScheme(scheme))
utilruntime.Must(sveltosv1beta1.AddToScheme(scheme))
utilruntime.Must(capz.AddToScheme(scheme))
// +kubebuilder:scaffold:scheme
}

Expand Down
7 changes: 7 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ module github.com/Mirantis/hmc

go 1.22.7

toolchain go1.22.8

require (
github.com/a8m/envsubst v1.4.2
github.com/cert-manager/cert-manager v1.15.3
Expand All @@ -26,13 +28,17 @@ require (
k8s.io/client-go v0.31.1
k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3
sigs.k8s.io/cluster-api v1.8.3
sigs.k8s.io/cluster-api-provider-azure v1.17.0
sigs.k8s.io/controller-runtime v0.19.0
sigs.k8s.io/yaml v1.4.0
)

require (
dario.cat/mergo v1.0.1 // indirect
github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
github.com/BurntSushi/toml v1.4.0 // indirect
github.com/MakeNowJust/heredoc v1.0.0 // indirect
Expand Down Expand Up @@ -153,6 +159,7 @@ require (
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.27.0 // indirect
golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
golang.org/x/mod v0.21.0 // indirect
golang.org/x/net v0.29.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect
golang.org/x/sync v0.8.0 // indirect
Expand Down
31 changes: 28 additions & 3 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,25 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0 h1:LkHbJbgF3YyvC53aqYGR+wWQDn2Rdp9AQdGndf9QvY4=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.7.0/go.mod h1:QyiQdW4f4/BIfB8ZutZ2s+28RAgfa/pT+zS++ZHyM1I=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0/go.mod h1:LRr2FzBTQlONPPa5HREE5+RjSCTXl7BwOvYOaWTqCaI=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM=
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
github.com/Azure/azure-service-operator/v2 v2.8.0 h1:BcyB8LvRmtgVIIUaXwWIJz5eHvknyno0qq5LkDuvM/s=
github.com/Azure/azure-service-operator/v2 v2.8.0/go.mod h1:ezbJS56PcORFFqLV8XZmM9xZ12m6aGAkg353fQhWD/8=
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
Expand All @@ -32,6 +49,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
Expand Down Expand Up @@ -158,6 +177,8 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
Expand Down Expand Up @@ -206,7 +227,7 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=
github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
github.com/hashicorp/golang-lru/v2 v2.0.5 h1:wW7h1TG88eUIJ2i69gaE3uNVtEPIagzhGvHgwfx2Vm4=
Expand Down Expand Up @@ -305,6 +326,8 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
Expand Down Expand Up @@ -427,8 +450,8 @@ go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4Q
go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ=
go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE=
go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg=
go.opentelemetry.io/otel/sdk/metric v1.21.0 h1:smhI5oD714d6jHE6Tie36fPx4WDFIg+Y6RfAY4ICcR0=
go.opentelemetry.io/otel/sdk/metric v1.21.0/go.mod h1:FJ8RAsoPGv/wYMgBdUJXOm+6pzFY3YdljnXtv1SBE8Q=
go.opentelemetry.io/otel/sdk/metric v1.27.0 h1:5uGNOlpXi+Hbo/DRoI31BSb1v+OGcpv2NemcCrOL8gI=
go.opentelemetry.io/otel/sdk/metric v1.27.0/go.mod h1:we7jJVrYN2kh3mVBlswtPU22K0SA+769l93J6bsyvqw=
go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc=
go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o=
go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
Expand Down Expand Up @@ -558,6 +581,8 @@ oras.land/oras-go v1.2.6 h1:z8cmxQXBU8yZ4mkytWqXfo6tZcamPwjsuxYU81xJ8Lk=
oras.land/oras-go v1.2.6/go.mod h1:OVPc1PegSEe/K8YiLfosrlqlqTN9PUyFvOw5Y9gwrT8=
sigs.k8s.io/cluster-api v1.8.3 h1:N6i25rF5QMadwVg2UPfuO6CzmNXjqnF2r1MAO+kcsro=
sigs.k8s.io/cluster-api v1.8.3/go.mod h1:pXv5LqLxuIbhGIXykyNKiJh+KrLweSBajVHHitPLyoY=
sigs.k8s.io/cluster-api-provider-azure v1.17.0 h1:joiKhPM2E0WDtiESRCODgwEliDCWgNIldBVKVMZb6Hw=
sigs.k8s.io/cluster-api-provider-azure v1.17.0/go.mod h1:+mHDLC7mm7YXst0j0/R9PvEuRHibuhz+mVqJne544go=
sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
Expand Down
1 change: 0 additions & 1 deletion internal/controller/credential_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@ func (r *CredentialReconciler) Reconcile(ctx context.Context, req ctrl.Request)

cred := &hmc.Credential{}
if err := r.Client.Get(ctx, req.NamespacedName, cred); err != nil {
l.Error(err, "unable to fetch Credential")
return ctrl.Result{}, client.IgnoreNotFound(err)
}

Expand Down
173 changes: 171 additions & 2 deletions internal/controller/managedcluster_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,10 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/dynamic"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
Expand Down Expand Up @@ -365,6 +368,10 @@ func (r *ManagedClusterReconciler) Update(ctx context.Context, l logr.Logger, ma
return ctrl.Result{RequeueAfter: DefaultRequeueInterval}, nil
}

if !managedCluster.Status.CCMSecretReconciled {
return r.reconcileCredentialPropagation(ctx, l, managedCluster)
}

return r.updateServices(ctx, managedCluster)
}

Expand Down Expand Up @@ -592,7 +599,7 @@ func (r *ManagedClusterReconciler) Delete(ctx context.Context, l logr.Logger, ma
}

func (r *ManagedClusterReconciler) releaseCluster(ctx context.Context, namespace, name, templateName string) error {
providers, err := r.getProviders(ctx, namespace, templateName)
providers, err := r.getInfraProviders(ctx, namespace, templateName)
if err != nil {
return err
}
Expand Down Expand Up @@ -627,7 +634,7 @@ func (r *ManagedClusterReconciler) releaseCluster(ctx context.Context, namespace
return nil
}

func (r *ManagedClusterReconciler) getProviders(ctx context.Context, templateNamespace, templateName string) ([]string, error) {
func (r *ManagedClusterReconciler) getInfraProviders(ctx context.Context, templateNamespace, templateName string) ([]string, error) {
template := &hmc.ClusterTemplate{}
templateRef := client.ObjectKey{Name: templateName, Namespace: templateNamespace}
if err := r.Get(ctx, templateRef, template); err != nil {
Expand Down Expand Up @@ -681,6 +688,168 @@ func (r *ManagedClusterReconciler) machinesAvailable(ctx context.Context, namesp
return len(itemsList.Items) != 0, nil
}

func (r *ManagedClusterReconciler) reconcileCredentialPropagation(ctx context.Context, l logr.Logger, managedCluster *hmc.ManagedCluster) (ctrl.Result, error) {
var err error
l.Info("Reconciling CCM credentials propagation")
defer func() {
err = errors.Join(err, r.updateStatus(ctx, managedCluster))
}()
providers, err := r.getInfraProviders(ctx, managedCluster.Namespace, managedCluster.Spec.Template)
if err != nil {
managedCluster.Status.CCMSecretReconciled = false
return ctrl.Result{},
fmt.Errorf("failed to get cluster providers for cluster %s/%s: %s", managedCluster.Namespace, managedCluster.Name, err)
}
kubeconfSecret := &corev1.Secret{}
if err := r.Client.Get(ctx, client.ObjectKey{
Name: fmt.Sprintf("%s-kubeconfig", managedCluster.Name),
Namespace: managedCluster.Namespace,
}, kubeconfSecret); err != nil {
managedCluster.Status.CCMSecretReconciled = false
return ctrl.Result{},
fmt.Errorf("failed to get kubeconfig secret for cluster %s/%s: %s", managedCluster.Namespace, managedCluster.Name, err)
}
for _, provider := range providers {
switch provider {
case "aws":
l.Info("Skipping creds propagation for AWS")
continue
case "azure":
l.Info("Azure creds propagation start")
err := r.propagateAzureSecrets(ctx, managedCluster, kubeconfSecret)
if err != nil {
managedCluster.Status.CCMSecretReconciled = false
errMsg := fmt.Sprintf("failed to create Azure CCM credentials: %s", err)
apimeta.SetStatusCondition(managedCluster.GetConditions(), metav1.Condition{
Type: hmc.CredentialsPropagatedCondition,
Status: metav1.ConditionFalse,
Reason: hmc.FailedReason,
Message: errMsg,
})
return ctrl.Result{}, errors.New(errMsg)
}
apimeta.SetStatusCondition(managedCluster.GetConditions(), metav1.Condition{
Type: hmc.CredentialsPropagatedCondition,
Status: metav1.ConditionTrue,
Reason: hmc.SucceededReason,
Message: "Azure CCM credentials created",
})
continue
default:
managedCluster.Status.CCMSecretReconciled = true
errMsg := fmt.Sprintf("unsupported infrastructure provider %s", provider)
apimeta.SetStatusCondition(managedCluster.GetConditions(), metav1.Condition{
Type: hmc.CredentialsPropagatedCondition,
Status: metav1.ConditionFalse,
Reason: hmc.FailedReason,
Message: errMsg,
})
return ctrl.Result{}, errors.New(errMsg)
}
}
managedCluster.Status.CCMSecretReconciled = true
l.Info("CCM credentials reconcile finished")
return ctrl.Result{}, nil
}

func (r *ManagedClusterReconciler) propagateAzureSecrets(ctx context.Context, managedCluster *hmc.ManagedCluster, kubeconfSecret *corev1.Secret) error {
azureJSON, err := r.generateAzureJSON(ctx, managedCluster)
if err != nil {
return fmt.Errorf("failed to generate azure.json: %s", err)
}
ccmSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "azure-cloud-provider",
Namespace: "kube-system",
},
Data: map[string][]byte{
"cloud-config": azureJSON,
},
}
ccmSecret.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret"))

mClient, err := makeClientFromSecret(kubeconfSecret)
if err != nil {
return fmt.Errorf("failed to create client for managed cluster %s/%s: %s", managedCluster.Namespace, managedCluster.Name, err)
}
if err := mClient.Patch(
ctx,
ccmSecret,
client.Apply,
client.FieldOwner("hmc-controller"),
); err != nil {
return fmt.Errorf("failed to apply Azure CCM secret for cluster %s/%s: %s", managedCluster.Namespace, managedCluster.Name, err)
}
return nil
}

func (r *ManagedClusterReconciler) generateAzureJSON(ctx context.Context, managedCluster *hmc.ManagedCluster) ([]byte, error) {
azureCluster := &capz.AzureCluster{}
if err := r.Client.Get(ctx, client.ObjectKey{
Name: managedCluster.Name,
Namespace: managedCluster.Namespace,
}, azureCluster); err != nil {
return nil, fmt.Errorf("failed to get AzureCluster %s: %s", managedCluster.Name, err)
}
azureClIdty := &capz.AzureClusterIdentity{}
if err := r.Client.Get(ctx, client.ObjectKey{
Name: azureCluster.Spec.IdentityRef.Name,
Namespace: azureCluster.Spec.IdentityRef.Namespace,
}, azureClIdty); err != nil {
return nil, fmt.Errorf("failed to get AzureClusterIdentity %s: %s", azureCluster.Spec.IdentityRef.Name, err)
}
azureSecret := &corev1.Secret{}
if err := r.Client.Get(ctx, client.ObjectKey{
Name: azureClIdty.Spec.ClientSecret.Name,
Namespace: azureClIdty.Spec.ClientSecret.Namespace,
}, azureSecret); err != nil {
return nil, fmt.Errorf("failed to get azure Secret %s: %s", azureClIdty.Spec.ClientSecret.Name, err)
}
azureJSONMap := map[string]any{
"cloud": azureCluster.Spec.AzureEnvironment,
"tenantId": azureClIdty.Spec.TenantID,
"subscriptionId": azureCluster.Spec.SubscriptionID,
"aadClientId": azureClIdty.Spec.ClientID,
"aadClientSecret": string(azureSecret.Data["clientSecret"]),
"resourceGroup": azureCluster.Spec.ResourceGroup,
"securityGroupName": azureCluster.Spec.NetworkSpec.Subnets[0].SecurityGroup.Name,
"securityGroupResourceGroup": azureCluster.Spec.NetworkSpec.Vnet.ResourceGroup,
"location": azureCluster.Spec.Location,
"vmType": "vmss",
"vnetName": azureCluster.Spec.NetworkSpec.Vnet.Name,
"vnetResourceGroup": azureCluster.Spec.NetworkSpec.Vnet.ResourceGroup,
"subnetName": azureCluster.Spec.NetworkSpec.Subnets[0].Name,
"loadBalancerSku": "Standard",
"loadBalancerName": "",
"maximumLoadBalancerRuleCount": 250,
"useManagedIdentityExtension": false,
"useInstanceMetadata": true,
}
azureJSON, err := json.Marshal(azureJSONMap)
if err != nil {
return nil, fmt.Errorf("error marshalling azure.json: %s", err)
}
return azureJSON, nil
}

func makeClientFromSecret(kubeconfSecret *corev1.Secret) (client.Client, error) {
scheme := runtime.NewScheme()
if err := clientgoscheme.AddToScheme(scheme); err != nil {
return nil, err
}
restConfig, err := clientcmd.RESTConfigFromKubeConfig(kubeconfSecret.Data["value"])
if err != nil {
return nil, err
}
cl, err := client.New(restConfig, client.Options{
Scheme: scheme,
})
if err != nil {
return nil, err
}
return cl, nil
}

func setIdentityHelmValues(values *apiextensionsv1.JSON, idRef *corev1.ObjectReference) (*apiextensionsv1.JSON, error) {
var valuesJSON map[string]any
err := json.Unmarshal(values.Raw, &valuesJSON)
Expand Down
Loading

0 comments on commit d299e98

Please sign in to comment.