Use user data secret in template if available

Author: bastjan

Makefile

@@ -11,6 +11,8 @@ MAKEFLAGS += --no-builtin-variables
 PROJECT_ROOT_DIR = .
 include Makefile.vars.mk
 
+JSONNET_FILES   ?= $(shell find . -type f -not -path './vendor/*' \( -name '*.*jsonnet' -or -name '*.libsonnet' \))
+
 .PHONY: help
 help: ## Show this help
 	@grep -E -h '\s##\s' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
@@ -37,6 +39,7 @@ generate: ## Generate e.g. CRD, RBAC etc.
 .PHONY: fmt
 fmt: ## Run go fmt against code
 	go fmt ./...
+	go tool github.com/google/go-jsonnet/cmd/jsonnetfmt -i -- $(JSONNET_FILES)
 
 .PHONY: vet
 vet: ## Run go vet against code

go.mod

@@ -124,3 +124,5 @@ require (
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
+
+tool github.com/google/go-jsonnet/cmd/jsonnetfmt

pkg/machine/actuator_test.go

@@ -103,7 +103,7 @@ func Test_Actuator_Create_ComplexMachineE2E(t *testing.T) {
 		},
 		Data: map[string][]byte{
 			"ignitionCA": []byte("CADATA"),
-			"userData":   []byte("{ca: std.extVar('context').data.ignitionCA, udsecrets: std.map(function(s) s.metadata.name,std.extVar('context').secrets)}"),
+			"userData":   []byte("{ca: std.extVar('context').data.ignitionCA, udsecrets: std.map(function(s) [s.metadata.name,s.data],std.extVar('context').secrets)}"),
 		},
 	}
 
@@ -167,7 +167,7 @@ func Test_Actuator_Create_ComplexMachineE2E(t *testing.T) {
 			SSHKeys:      []string{},
 			UseIPV6:      providerSpec.UseIPV6,
 			ServerGroups: []string{"created-server-group-uuid"},
-			UserData:     "{\"ca\":\"CADATA\",\"udsecrets\":[\"user-data-managed\"]}",
+			UserData:     "{\"ca\":\"CADATA\",\"udsecrets\":[[\"user-data-managed\",{\"userData\":\"e30=\"}]]}",
 		}),
 	).DoAndReturn(cloudscaleServerFromServerRequest(func(s *cloudscale.Server) {
 		s.UUID = "created-server-uuid"

pkg/machine/userdata/userdata.jsonnet

@@ -1,36 +1,63 @@
 local context = std.extVar('context');
 
-{
-  ignition: {
-    version: '3.1.0',
-    config: {
-      merge: [ {
-        source: 'https://%s:22623/config/%s' % [ context.data.ignitionHost, std.get(context.data, 'ignitionConfigName', 'worker') ],
-      } ],
-    },
-    security: {
-      tls: {
-        certificateAuthorities: [ {
-          source: 'data:text/plain;charset=utf-8;base64,%s' % [ std.base64(context.data.ignitionCA) ],
-        } ],
+// Tries to load user data from a secret specific to the machineset.
+// The variable contains `null` if the secret is not found.
+// The secret is expected to be named `<machineset>-user-data-managed`.
+// The machine set name is read from the machine labels.
+local userData =
+  local machineSet =
+    std.get(
+      std.get(context.machine.metadata, 'labels', {}),
+      'machine.openshift.io/cluster-api-machineset'
+    );
+  if machineSet != null then
+    local secretName = std.trace("Looking for '%s-user-data-managed'", '%s-user-data-managed' % machineSet);
+    local uds = std.filter(function(s) s.metadata.name == secretName, context.secrets);
+    if std.length(uds) == 1 && std.objectHas(uds[0].data, 'userData') then
+      std.trace("Found user data secret for machineset '%s'",
+                machineSet,
+                std.parseJson(std.decodeUTF8(std.base64DecodeBytes(uds[0].data.userData))))
+    else
+      std.trace("No user data secret found for machineset '%s'", machineSet, null)
+;
+
+(
+  if userData != null then
+    userData
+  else
+    {
+      ignition: {
+        version: '3.1.0',
+        config: {
+          merge: [{
+            source: 'https://%s:22623/config/%s' % [context.data.ignitionHost, std.get(context.data, 'ignitionConfigName', 'worker')],
+          }],
+        },
+        security: {
+          tls: {
+            certificateAuthorities: [{
+              source: 'data:text/plain;charset=utf-8;base64,%s' % [std.base64(context.data.ignitionCA)],
+            }],
+          },
+        },
       },
-    },
-  },
-  systemd: {
-    units: [ {
+    }
+) {
+  systemd+: {
+    units+: [{
       name: 'cloudscale-hostkeys.service',
       enabled: true,
       contents: "[Unit]\nDescription=Print SSH Public Keys to tty\nAfter=sshd-keygen.target\n\n[Install]\nWantedBy=multi-user.target\n\n[Service]\nType=oneshot\nStandardOutput=tty\nTTYPath=/dev/ttyS0\nExecStart=/bin/sh -c \"echo '-----BEGIN SSH HOST KEY KEYS-----'; cat /etc/ssh/ssh_host_*key.pub; echo '-----END SSH HOST KEY KEYS-----'\"",
-    } ],
+    }],
   },
-  storage: {
-    files: [ {
+  storage+: {
+    files+: [{
       filesystem: 'root',
       path: '/etc/hostname',
       mode: 420,
       contents: {
         source: 'data:,%s' % context.machine.metadata.name,
       },
-    } ],
+    }],
   },
 }