Merge pull request #1841 from vincepri/add-data-secret-name-cabpk

⚠️ Move Bootstrap data to a secret

Author: k8s-ci-robot

api/v1alpha2/conversion.go

@@ -265,3 +265,12 @@ func Convert_v1alpha3_MachineSetSpec_To_v1alpha2_MachineSetSpec(in *v1alpha3.Mac
 func Convert_v1alpha3_MachineSpec_To_v1alpha2_MachineSpec(in *v1alpha3.MachineSpec, out *MachineSpec, s apiconversion.Scope) error {
 	return errors.New("cannot recover removed MachineSpec Cluster Name")
 }
+
+func Convert_v1alpha3_Bootstrap_To_v1alpha2_Bootstrap(in *v1alpha3.Bootstrap, out *Bootstrap, s apiconversion.Scope) error {
+	// We need to fail early here given that we don't want to leak information from secrets back to the inline / plaintext field in v1alpha2.
+	if in.Data == nil && in.DataSecretName != nil {
+		return errors.New("cannot convert Machine's bootstrap data from Secret reference to inline field")
+	}
+
+	return autoConvert_v1alpha3_Bootstrap_To_v1alpha2_Bootstrap(in, out, s)
+}

api/v1alpha2/zz_generated.conversion.go

@@ -190,8 +190,17 @@ type Bootstrap struct {
 
 	// Data contains the bootstrap data, such as cloud-init details scripts.
 	// If nil, the Machine should remain in the Pending state.
+	//
+	// Deprecated: This field has been deprecated in v1alpha3 and
+	// will be removed in a future version. Switch to DataSecretName.
+	//
 	// +optional
 	Data *string `json:"data,omitempty"`
+
+	// DataSecretName is the name of the secret that stores the bootstrap data script.
+	// If nil, the Machine should remain in the Pending state.
+	// +optional
+	DataSecretName *string `json:"dataSecretName,omitempty"`
 }
 
 // ANCHOR_END: Bootstrap

api/v1alpha3/machine_types.go

@@ -17,6 +17,8 @@ limitations under the License.
 package v1alpha2
 
 import (
+	"errors"
+
 	apiconversion "k8s.io/apimachinery/pkg/conversion"
 	kubeadmbootstrapv1alpha3 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1alpha3"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
@@ -85,6 +87,11 @@ func Convert_v1alpha2_KubeadmConfigStatus_To_v1alpha3_KubeadmConfigStatus(in *Ku
 
 // Convert_v1alpha3_KubeadmConfigStatus_To_v1alpha2_KubeadmConfigStatus converts from the Hub version (v1alpha3) of the KubeadmConfigStatus to this version.
 func Convert_v1alpha3_KubeadmConfigStatus_To_v1alpha2_KubeadmConfigStatus(in *kubeadmbootstrapv1alpha3.KubeadmConfigStatus, out *KubeadmConfigStatus, s apiconversion.Scope) error { // nolint
+	// We need to fail early here given that we don't want to leak information from secrets back to the inline / plaintext field in v1alpha2.
+	if in.BootstrapData == nil && in.DataSecretName != nil {
+		return errors.New("cannot convert KubeadmConfigStatus's bootstrap data from Secret reference to inline field")
+	}
+
 	if err := autoConvert_v1alpha3_KubeadmConfigStatus_To_v1alpha2_KubeadmConfigStatus(in, out, s); err != nil {
 		return err
 	}

api/v1alpha3/zz_generated.deepcopy.go

@@ -36,27 +36,35 @@ type KubeadmConfigSpec struct {
 	// ClusterConfiguration along with InitConfiguration are the configurations necessary for the init command
 	// +optional
 	ClusterConfiguration *kubeadmv1beta1.ClusterConfiguration `json:"clusterConfiguration,omitempty"`
+
 	// InitConfiguration along with ClusterConfiguration are the configurations necessary for the init command
 	// +optional
 	InitConfiguration *kubeadmv1beta1.InitConfiguration `json:"initConfiguration,omitempty"`
+
 	// JoinConfiguration is the kubeadm configuration for the join command
 	// +optional
 	JoinConfiguration *kubeadmv1beta1.JoinConfiguration `json:"joinConfiguration,omitempty"`
+
 	// Files specifies extra files to be passed to user_data upon creation.
 	// +optional
 	Files []File `json:"files,omitempty"`
+
 	// PreKubeadmCommands specifies extra commands to run before kubeadm runs
 	// +optional
 	PreKubeadmCommands []string `json:"preKubeadmCommands,omitempty"`
+
 	// PostKubeadmCommands specifies extra commands to run after kubeadm runs
 	// +optional
 	PostKubeadmCommands []string `json:"postKubeadmCommands,omitempty"`
+
 	// Users specifies extra users to add
 	// +optional
 	Users []User `json:"users,omitempty"`
+
 	// NTP specifies NTP configuration
 	// +optional
 	NTP *NTP `json:"ntp,omitempty"`
+
 	// Format specifies the output format of the bootstrap data
 	// +optional
 	Format Format `json:"format,omitempty"`
@@ -67,7 +75,15 @@ type KubeadmConfigStatus struct {
 	// Ready indicates the BootstrapData field is ready to be consumed
 	Ready bool `json:"ready,omitempty"`
 
-	// BootstrapData will be a cloud-init script for now
+	// DataSecretName is the name of the secret that stores the bootstrap data script.
+	// +optional
+	DataSecretName *string `json:"dataSecretName,omitempty"`
+
+	// BootstrapData will be a cloud-init script for now.
+	//
+	// Deprecated: This field has been deprecated in v1alpha3 and
+	// will be removed in a future version. Switch to DataSecretName.
+	//
 	// +optional
 	BootstrapData []byte `json:"bootstrapData,omitempty"`
 

bootstrap/kubeadm/api/v1alpha2/conversion.go

@@ -24,9 +24,11 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/pointer"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha3"
 	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1alpha3"
 	"sigs.k8s.io/cluster-api/bootstrap/kubeadm/cloudinit"
@@ -151,25 +153,30 @@ func (r *KubeadmConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, re
 		return ctrl.Result{}, err
 	}
 
+	// Initialize the patch helper.
+	patchHelper, err := patch.NewHelper(config, r.Client)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
 	switch {
-	// Wait patiently for the infrastructure to be ready
+	// Wait for the infrastructure to be ready.
 	case !cluster.Status.InfrastructureReady:
-		log.Info("Infrastructure is not ready, waiting until ready.")
+		log.Info("Cluster infrastructure is not ready, waiting")
 		return ctrl.Result{}, nil
-	// bail super early if it's already ready
+	// Migrate plaintext data to secret.
+	case config.Status.BootstrapData != nil && config.Status.DataSecretName == nil:
+		if err := r.storeBootstrapData(ctx, config, config.Status.BootstrapData); err != nil {
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{}, patchHelper.Patch(ctx, config)
+	// Return early if the configuration and Machine's infrastructure are ready.
 	case config.Status.Ready && machine.Status.InfrastructureReady:
-		log.Info("ignoring config for an already ready machine")
 		return ctrl.Result{}, nil
 	// Reconcile status for machines that have already copied bootstrap data
-	case machine.Spec.Bootstrap.Data != nil && !config.Status.Ready:
+	case machine.Spec.Bootstrap.DataSecretName != nil && !config.Status.Ready:
 		config.Status.Ready = true
-		// Initialize the patch helper
-		patchHelper, err := patch.NewHelper(config, r.Client)
-		if err != nil {
-			return ctrl.Result{}, err
-		}
-		err = patchHelper.Patch(ctx, config)
-		return ctrl.Result{}, err
+		return ctrl.Result{}, patchHelper.Patch(ctx, config)
 	// If we've already embedded a time-limited join token into a config, but are still waiting for the token to be used, refresh it
 	case config.Status.Ready && (config.Spec.JoinConfiguration != nil && config.Spec.JoinConfiguration.Discovery.BootstrapToken != nil):
 		token := config.Spec.JoinConfiguration.Discovery.BootstrapToken.Token
@@ -192,11 +199,6 @@ func (r *KubeadmConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, re
 		}, nil
 	}
 
-	// Initialize the patch helper
-	patchHelper, err := patch.NewHelper(config, r.Client)
-	if err != nil {
-		return ctrl.Result{}, err
-	}
 	// Attempt to Patch the KubeadmConfig object and status after each reconciliation if no error occurs.
 	defer func() {
 		if rerr == nil {
@@ -328,8 +330,10 @@ func (r *KubeadmConfigReconciler) handleClusterNotInitialized(ctx context.Contex
 		return ctrl.Result{}, err
 	}
 
-	scope.Config.Status.BootstrapData = cloudInitData
-	scope.Config.Status.Ready = true
+	if err := r.storeBootstrapData(ctx, scope.Config, cloudInitData); err != nil {
+		scope.Error(err, "failed to store bootstrap data")
+		return ctrl.Result{}, err
+	}
 
 	return ctrl.Result{}, nil
 }
@@ -380,8 +384,11 @@ func (r *KubeadmConfigReconciler) joinWorker(ctx context.Context, scope *Scope)
 		scope.Error(err, "failed to create a worker join configuration")
 		return ctrl.Result{}, err
 	}
-	scope.Config.Status.BootstrapData = cloudJoinData
-	scope.Config.Status.Ready = true
+
+	if err := r.storeBootstrapData(ctx, scope.Config, cloudJoinData); err != nil {
+		scope.Error(err, "failed to store bootstrap data")
+		return ctrl.Result{}, err
+	}
 	return ctrl.Result{}, nil
 }
 
@@ -431,8 +438,11 @@ func (r *KubeadmConfigReconciler) joinControlplane(ctx context.Context, scope *S
 		return ctrl.Result{}, err
 	}
 
-	scope.Config.Status.BootstrapData = cloudJoinData
-	scope.Config.Status.Ready = true
+	if err := r.storeBootstrapData(ctx, scope.Config, cloudJoinData); err != nil {
+		scope.Error(err, "failed to store bootstrap data")
+		return ctrl.Result{}, err
+	}
+
 	return ctrl.Result{}, nil
 }
 
@@ -596,3 +606,37 @@ func (r *KubeadmConfigReconciler) reconcileTopLevelObjectSettings(cluster *clust
 		log.Info("Altering ClusterConfiguration", "KubernetesVersion", config.Spec.ClusterConfiguration.KubernetesVersion)
 	}
 }
+
+// storeBootstrapData creates a new secret with the data passed in as input,
+// sets the reference in the configuration status and ready to true.
+func (r *KubeadmConfigReconciler) storeBootstrapData(ctx context.Context, config *bootstrapv1.KubeadmConfig, data []byte) error {
+	secret := &corev1.Secret{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      config.Name,
+			Namespace: config.Namespace,
+			Labels: map[string]string{
+				clusterv1.ClusterLabelName: config.ClusterName,
+			},
+			OwnerReferences: []v1.OwnerReference{
+				{
+					APIVersion: bootstrapv1.GroupVersion.String(),
+					Kind:       "KubeadmConfig",
+					Name:       config.Name,
+					UID:        config.UID,
+					Controller: pointer.BoolPtr(true),
+				},
+			},
+		},
+		Data: map[string][]byte{
+			"value": data,
+		},
+	}
+
+	if err := r.Client.Create(ctx, secret); err != nil {
+		return errors.Wrapf(err, "failed to create kubeconfig secret for KubeadmConfig %s/%s", config.Namespace, config.Name)
+	}
+
+	config.Status.DataSecretName = pointer.StringPtr(secret.Name)
+	config.Status.Ready = true
+	return nil
+}