Merge pull request #177 from alexander-demicev/secretnamespace

✨  Add ability to specify a namespace for provider secret

Author: k8s-ci-robot

Makefile

@@ -294,6 +294,7 @@ generate-manifests: $(CONTROLLER_GEN) ## Generate manifests for the operator e.g
 	$(CONTROLLER_GEN) \
 		paths=./api/... \
 		paths=./internal/controller/... \
+		paths=./internal/webhook/... \
 		crd:crdVersions=v1 \
 		rbac:roleName=manager-role \
 		output:crd:dir=./config/crd/bases \

api/v1alpha1/provider_types.go

@@ -51,6 +51,10 @@ type ProviderSpec struct {
 	// +optional
 	SecretName string `json:"secretName,omitempty"`
 
+	// SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified,
+	// the namespace of the provider will be used.
+	SecretNamespace string `json:"secretNamespace,omitempty"`
+
 	// FetchConfig determines how the operator will fetch the components and metadata for the provider.
 	// If nil, the operator will try to fetch components according to default
 	// embedded fetch configuration for the given kind and `ObjectMeta.Name`.

config/chart/webhookcainjection_patch.yaml

@@ -1,6 +1,13 @@
 # This patch add annotation to admission webhook config and
 # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
 apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+---
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration

config/crd/bases/operator.cluster.x-k8s.io_bootstrapproviders.yaml

@@ -1450,6 +1450,11 @@ spec:
                   name should be updated. The contents should be in the form of key:value.
                   This secret must be in the same namespace as the provider.
                 type: string
+              secretNamespace:
+                description: SecretNamespace is the namespace of the Secret providing
+                  the configuration variables. If not specified, the namespace of
+                  the provider will be used.
+                type: string
               version:
                 description: Version indicates the provider version.
                 type: string

config/crd/bases/operator.cluster.x-k8s.io_controlplaneproviders.yaml

@@ -1451,6 +1451,11 @@ spec:
                   name should be updated. The contents should be in the form of key:value.
                   This secret must be in the same namespace as the provider.
                 type: string
+              secretNamespace:
+                description: SecretNamespace is the namespace of the Secret providing
+                  the configuration variables. If not specified, the namespace of
+                  the provider will be used.
+                type: string
               version:
                 description: Version indicates the provider version.
                 type: string

config/crd/bases/operator.cluster.x-k8s.io_coreproviders.yaml

@@ -1450,6 +1450,11 @@ spec:
                   name should be updated. The contents should be in the form of key:value.
                   This secret must be in the same namespace as the provider.
                 type: string
+              secretNamespace:
+                description: SecretNamespace is the namespace of the Secret providing
+                  the configuration variables. If not specified, the namespace of
+                  the provider will be used.
+                type: string
               version:
                 description: Version indicates the provider version.
                 type: string

config/crd/bases/operator.cluster.x-k8s.io_infrastructureproviders.yaml

@@ -1451,6 +1451,11 @@ spec:
                   name should be updated. The contents should be in the form of key:value.
                   This secret must be in the same namespace as the provider.
                 type: string
+              secretNamespace:
+                description: SecretNamespace is the namespace of the Secret providing
+                  the configuration variables. If not specified, the namespace of
+                  the provider will be used.
+                type: string
               version:
                 description: Version indicates the provider version.
                 type: string

config/default/webhookcainjection_patch.yaml

@@ -1,6 +1,13 @@
 # This patch add annotation to admission webhook config and
 # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
 apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+---
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration

config/webhook/manifests.yaml

@@ -1,18 +1,113 @@
 ---
 apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-operator-cluster-x-k8s-io-v1alpha1-bootstrapprovider
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: vbootstrapprovider.kb.io
+  rules:
+  - apiGroups:
+    - operator.cluster.x-k8s.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - bootstrapproviders
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-operator-cluster-x-k8s-io-v1alpha1-controlplaneprovider
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: vcontrolplaneprovider.kb.io
+  rules:
+  - apiGroups:
+    - operator.cluster.x-k8s.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - controlplaneproviders
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-operator-cluster-x-k8s-io-v1alpha1-coreprovider
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: vcoreprovider.kb.io
+  rules:
+  - apiGroups:
+    - operator.cluster.x-k8s.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - coreproviders
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-operator-cluster-x-k8s-io-v1alpha1-infrastructureprovider
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: vinfrastructureprovider.kb.io
+  rules:
+  - apiGroups:
+    - operator.cluster.x-k8s.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - infrastructureproviders
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
 webhooks:
 - admissionReviewVersions:
   - v1
-  - v1alpha1
+  - v1beta1
   clientConfig:
     service:
       name: webhook-service
       namespace: system
       path: /validate-operator-cluster-x-k8s-io-v1alpha1-bootstrapprovider
   failurePolicy: Fail
+  matchPolicy: Equivalent
   name: vbootstrapprovider.kb.io
   rules:
   - apiGroups:
@@ -27,13 +122,14 @@ webhooks:
   sideEffects: None
 - admissionReviewVersions:
   - v1
-  - v1alpha1
+  - v1beta1
   clientConfig:
     service:
       name: webhook-service
       namespace: system
       path: /validate-operator-cluster-x-k8s-io-v1alpha1-controlplaneprovider
   failurePolicy: Fail
+  matchPolicy: Equivalent
   name: vcontrolplaneprovider.kb.io
   rules:
   - apiGroups:
@@ -48,13 +144,14 @@ webhooks:
   sideEffects: None
 - admissionReviewVersions:
   - v1
-  - v1alpha1
+  - v1beta1
   clientConfig:
     service:
       name: webhook-service
       namespace: system
       path: /validate-operator-cluster-x-k8s-io-v1alpha1-coreprovider
   failurePolicy: Fail
+  matchPolicy: Equivalent
   name: vcoreprovider.kb.io
   rules:
   - apiGroups:
@@ -69,13 +166,14 @@ webhooks:
   sideEffects: None
 - admissionReviewVersions:
   - v1
-  - v1alpha1
+  - v1beta1
   clientConfig:
     service:
       name: webhook-service
       namespace: system
       path: /validate-operator-cluster-x-k8s-io-v1alpha1-infrastructureprovider
   failurePolicy: Fail
+  matchPolicy: Equivalent
   name: vinfrastructureprovider.kb.io
   rules:
   - apiGroups:

internal/controller/phases.go

@@ -195,7 +195,7 @@ func (p *phaseReconciler) secretReader(ctx context.Context) (configclient.Reader
 	// Fetch configuration variables from the secret. See API field docs for more info.
 	if p.provider.GetSpec().SecretName != "" {
 		secret := &corev1.Secret{}
-		key := types.NamespacedName{Namespace: p.provider.GetNamespace(), Name: p.provider.GetSpec().SecretName}
+		key := types.NamespacedName{Namespace: p.provider.GetSpec().SecretNamespace, Name: p.provider.GetSpec().SecretName}
 
 		if err := p.ctrlClient.Get(ctx, key, secret); err != nil {
 			return nil, err