Provide user data secrets to ignition template (#41)

* Provide user data secrets to ignition template

* Use user data secret in template if available

Only uses the ignition url and CA from upstream,
this helps keeping the ignition compatible with older RHCOS
images by controlling the ignition version used.

* Add secret JSON decode sample to test

Author: bastjan

Makefile

@@ -11,6 +11,8 @@ MAKEFLAGS += --no-builtin-variables
 PROJECT_ROOT_DIR = .
 include Makefile.vars.mk
 
+JSONNET_FILES   ?= $(shell find . -type f -not -path './vendor/*' \( -name '*.*jsonnet' -or -name '*.libsonnet' \))
+
 .PHONY: help
 help: ## Show this help
 	@grep -E -h '\s##\s' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
@@ -37,6 +39,7 @@ generate: ## Generate e.g. CRD, RBAC etc.
 .PHONY: fmt
 fmt: ## Run go fmt against code
 	go fmt ./...
+	go tool github.com/google/go-jsonnet/cmd/jsonnetfmt -i -- $(JSONNET_FILES)
 
 .PHONY: vet
 vet: ## Run go vet against code

api/cloudscale/provider/v1beta1/cloudscaleprovider_types.go

@@ -29,8 +29,17 @@ type CloudscaleMachineProviderSpec struct {
 	// The Jsonnet template has access to the following variables:
 	// - std.extVar('context').machine: the Machine object. The name can be accessed via std.extVar('context').machine.metadata.name for example.
 	// - std.extVar('context').data: all keys from the UserDataSecret. For example, std.extVar('context').data.foo will access the value of the key foo.
+	// - std.extVar('context').secrets: all secrets matching UserDataSecretSelector. For example, std.extVar('context').secrets[0].metadata.name will access the name of the first secret.
+	// Also see UserDataSecretSelector.
 	// +optional
 	UserDataSecret *corev1.LocalObjectReference `json:"userDataSecret,omitempty"`
+	// UserDataSecretSelector allows passing secrets with the matching selector into the user data Jsonnet context.
+	// Only secrets in the same namespace as the controller are considered.
+	// +optional
+	// `null` means no secrets are passed.
+	// And empty selector means all secrets in the namespace are passed.
+	UserDataSecretSelector *metav1.LabelSelector `json:"userDataSecretSelector,omitempty"`
+
 	// TokenSecret is a reference to the secret with the cloudscale API token.
 	// The secret must contain a key named token.
 	// If no token is provided, the operator will try to use the default token from CLOUDSCALE_API_TOKEN.

api/cloudscale/provider/v1beta1/zz_generated.deepcopy.go

@@ -124,3 +124,5 @@ require (
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
+
+tool github.com/google/go-jsonnet/cmd/jsonnetfmt

go.mod

@@ -13,6 +13,7 @@ import (
 	machinecontroller "github.com/openshift/machine-api-operator/pkg/controller/machine"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -477,7 +478,23 @@ func (a *Actuator) loadAndRenderUserDataSecret(ctx context.Context, mctx *machin
 		data[k] = string(v)
 	}
 
-	jvm, err := jsonnetVMWithContext(mctx.machine, data)
+	var userDataSecrets corev1.SecretList
+	if mctx.spec.UserDataSecretSelector != nil {
+		sel, err := metav1.LabelSelectorAsSelector(mctx.spec.UserDataSecretSelector)
+		if err != nil {
+			return "", fmt.Errorf("failed to parse UserDataSecretSelector: %w", err)
+		}
+		if err := a.k8sClient.List(
+			ctx,
+			&userDataSecrets,
+			client.InNamespace(mctx.machine.Namespace),
+			client.MatchingLabelsSelector{Selector: sel},
+		); err != nil {
+			return "", fmt.Errorf("failed to list secrets in namespace %q: %w", mctx.machine.Namespace, err)
+		}
+	}
+
+	jvm, err := jsonnetVMWithContext(mctx.machine, data, userDataSecrets)
 	if err != nil {
 		return "", fmt.Errorf("userData: failed to create jsonnet VM: %w", err)
 	}
@@ -494,10 +511,11 @@ func (a *Actuator) loadAndRenderUserDataSecret(ctx context.Context, mctx *machin
 	return compacted.String(), nil
 }
 
-func jsonnetVMWithContext(machine *machinev1beta1.Machine, data map[string]string) (*jsonnet.VM, error) {
+func jsonnetVMWithContext(machine *machinev1beta1.Machine, data map[string]string, userDataSecrets corev1.SecretList) (*jsonnet.VM, error) {
 	jcr, err := json.Marshal(map[string]any{
 		"machine": machine,
 		"data":    data,
+		"secrets": userDataSecrets.Items,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("unable to marshal jsonnet context: %w", err)

pkg/machine/actuator.go

@@ -42,8 +42,30 @@ func Test_Actuator_Create_ComplexMachineE2E(t *testing.T) {
 			},
 		},
 	}
+	appUserDataSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "user-data-managed",
+			Labels: map[string]string{
+				"test.com/user-data-secret": "",
+			},
+		},
+		Data: map[string][]byte{
+			"userData": []byte("{\"ignition\": {}}"),
+		},
+	}
+	unrelatedSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "unrelated-secret",
+		},
+		Data: map[string][]byte{
+			"foo": []byte("bar"),
+		},
+	}
 	providerSpec := csv1beta1.CloudscaleMachineProviderSpec{
-		UserDataSecret:   &corev1.LocalObjectReference{Name: "app-user-data"},
+		UserDataSecret: &corev1.LocalObjectReference{Name: "app-user-data"},
+		UserDataSecretSelector: &metav1.LabelSelector{
+			MatchLabels: appUserDataSecret.Labels,
+		},
 		TokenSecret:      &corev1.LocalObjectReference{Name: "cloudscale-token"},
 		BaseDomain:       "cluster.example.com",
 		Zone:             "rma1",
@@ -81,11 +103,20 @@ func Test_Actuator_Create_ComplexMachineE2E(t *testing.T) {
 		},
 		Data: map[string][]byte{
 			"ignitionCA": []byte("CADATA"),
-			"userData":   []byte("{ca: std.extVar('context').data.ignitionCA}"),
+			"userData": []byte(`
+{
+	ca: std.extVar('context').data.ignitionCA,
+	udsecrets: std.map(function(s) [
+		s.metadata.name,
+		std.parseJson(std.decodeUTF8(std.base64DecodeBytes(s.data.userData))),
+	],
+	std.extVar('context').secrets)
+}
+`),
 		},
 	}
 
-	c := newFakeClient(t, machine, tokenSecret, userDataSecret)
+	c := newFakeClient(t, machine, tokenSecret, userDataSecret, appUserDataSecret, unrelatedSecret)
 	ss := csmock.NewMockServerService(ctrl)
 	sgs := csmock.NewMockServerGroupService(ctrl)
 	actuator := newActuator(c, ss, sgs)
@@ -145,7 +176,7 @@ func Test_Actuator_Create_ComplexMachineE2E(t *testing.T) {
 			SSHKeys:      []string{},
 			UseIPV6:      providerSpec.UseIPV6,
 			ServerGroups: []string{"created-server-group-uuid"},
-			UserData:     "{\"ca\":\"CADATA\"}",
+			UserData:     "{\"ca\":\"CADATA\",\"udsecrets\":[[\"user-data-managed\",{\"ignition\":{}}]]}",
 		}),
 	).DoAndReturn(cloudscaleServerFromServerRequest(func(s *cloudscale.Server) {
 		s.UUID = "created-server-uuid"

pkg/machine/actuator_test.go

@@ -1,36 +1,72 @@
 local context = std.extVar('context');
 
-{
+local isMaster = std.objectHas(std.get(context.machine.metadata, 'labels', {}), 'node-role.kubernetes.io/master');
+
+// Tries to load user data from a secret specific to the machineset.
+// The variable contains `null` if the secret is not found.
+// The secret is expected to be named `<machineset>-user-data-managed`.
+// The machine set name is read from the machine labels.
+local userData =
+  local machineSet =
+    std.get(
+      std.get(context.machine.metadata, 'labels', {}),
+      'machine.openshift.io/cluster-api-machineset'
+    );
+  if machineSet != null && std.get(context, 'secrets') != null then
+    local secretName = std.trace("Looking for '%s-user-data-managed'" % machineSet, '%s-user-data-managed' % machineSet);
+    local uds = std.filter(function(s) s.metadata.name == secretName, context.secrets);
+    if std.length(uds) == 1 && std.objectHas(uds[0].data, 'userData') then
+      std.trace("Found user data secret for machineset '%s'" % machineSet,
+                std.parseJson(std.decodeUTF8(std.base64DecodeBytes(uds[0].data.userData))))
+    else
+      std.trace("No user data secret found for machineset '%s'" % machineSet, null)
+;
+
+local ignition = {
   ignition: {
     version: '3.1.0',
     config: {
-      merge: [ {
-        source: 'https://%s:22623/config/%s' % [ context.data.ignitionHost, std.get(context.data, 'ignitionConfigName', 'worker') ],
-      } ],
+      local sources = if userData != null then
+        // Use the user data source URL from the secret if available
+        std.map(function(s) { source: s.source }, userData.ignition.config.merge)
+      else
+        // Fallback to the default upstream source
+        std.trace('no upstream sources, falling back to default', [{
+          source: 'https://%s:22623/config/%s' % [context.data.ignitionHost, if isMaster then 'master' else 'worker'],
+        }]),
+      merge: sources,
     },
     security: {
       tls: {
-        certificateAuthorities: [ {
-          source: 'data:text/plain;charset=utf-8;base64,%s' % [ std.base64(context.data.ignitionCA) ],
-        } ],
+        local certificateAuthorities = if userData != null then
+          // Use the CA from the user data secret if available
+          std.map(function(ca) { source: ca.source }, userData.ignition.security.tls.certificateAuthorities)
+        else
+          // Fallback to the default CA
+          std.trace('no upstream certificateAuthorities, falling back to default', [{
+            source: 'data:text/plain;charset=utf-8;base64,%s' % [std.base64(context.data.ignitionCA)],
+          }]),
+        certificateAuthorities: certificateAuthorities,
       },
     },
   },
-  systemd: {
-    units: [ {
+  systemd+: {
+    units+: [{
       name: 'cloudscale-hostkeys.service',
       enabled: true,
       contents: "[Unit]\nDescription=Print SSH Public Keys to tty\nAfter=sshd-keygen.target\n\n[Install]\nWantedBy=multi-user.target\n\n[Service]\nType=oneshot\nStandardOutput=tty\nTTYPath=/dev/ttyS0\nExecStart=/bin/sh -c \"echo '-----BEGIN SSH HOST KEY KEYS-----'; cat /etc/ssh/ssh_host_*key.pub; echo '-----END SSH HOST KEY KEYS-----'\"",
-    } ],
+    }],
   },
-  storage: {
-    files: [ {
+  storage+: {
+    files+: [{
       filesystem: 'root',
       path: '/etc/hostname',
       mode: 420,
       contents: {
         source: 'data:,%s' % context.machine.metadata.name,
       },
-    } ],
+    }],
   },
-}
+};
+
+std.trace('Rendered ignition: %s' % std.manifestJson(ignition), ignition)