Provide user data secrets to ignition template

bastjan · bastjan · commit de57c7b2d7db · 2025-11-20T16:41:07.000+01:00
diff --git a/api/cloudscale/provider/v1beta1/cloudscaleprovider_types.go b/api/cloudscale/provider/v1beta1/cloudscaleprovider_types.go
@@ -29,8 +29,17 @@ type CloudscaleMachineProviderSpec struct {
 	// The Jsonnet template has access to the following variables:
 	// - std.extVar('context').machine: the Machine object. The name can be accessed via std.extVar('context').machine.metadata.name for example.
 	// - std.extVar('context').data: all keys from the UserDataSecret. For example, std.extVar('context').data.foo will access the value of the key foo.
+	// - std.extVar('context').secrets: all secrets matching UserDataSecretSelector. For example, std.extVar('context').secrets[0].metadata.name will access the name of the first secret.
+	// Also see UserDataSecretSelector.
 	// +optional
 	UserDataSecret *corev1.LocalObjectReference `json:"userDataSecret,omitempty"`
+	// UserDataSecretSelector allows passing secrets with the matching selector into the user data Jsonnet context.
+	// Only secrets in the same namespace as the controller are considered.
+	// +optional
+	// `null` means no secrets are passed.
+	// And empty selector means all secrets in the namespace are passed.
+	UserDataSecretSelector *metav1.LabelSelector `json:"userDataSecretSelector,omitempty"`
+
 	// TokenSecret is a reference to the secret with the cloudscale API token.
 	// The secret must contain a key named token.
 	// If no token is provided, the operator will try to use the default token from CLOUDSCALE_API_TOKEN.
diff --git a/api/cloudscale/provider/v1beta1/zz_generated.deepcopy.go b/api/cloudscale/provider/v1beta1/zz_generated.deepcopy.go
diff --git a/pkg/machine/actuator.go b/pkg/machine/actuator.go
@@ -13,6 +13,7 @@ import (
 	machinecontroller "github.com/openshift/machine-api-operator/pkg/controller/machine"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -477,7 +478,23 @@ func (a *Actuator) loadAndRenderUserDataSecret(ctx context.Context, mctx *machin
 		data[k] = string(v)
 	}
 
-	jvm, err := jsonnetVMWithContext(mctx.machine, data)
+	var userDataSecrets corev1.SecretList
+	if mctx.spec.UserDataSecretSelector != nil {
+		sel, err := metav1.LabelSelectorAsSelector(mctx.spec.UserDataSecretSelector)
+		if err != nil {
+			return "", fmt.Errorf("failed to parse UserDataSecretSelector: %w", err)
+		}
+		if err := a.k8sClient.List(
+			ctx,
+			&userDataSecrets,
+			client.InNamespace(mctx.machine.Namespace),
+			client.MatchingLabelsSelector{Selector: sel},
+		); err != nil {
+			return "", fmt.Errorf("failed to list secrets in namespace %q: %w", mctx.machine.Namespace, err)
+		}
+	}
+
+	jvm, err := jsonnetVMWithContext(mctx.machine, data, userDataSecrets)
 	if err != nil {
 		return "", fmt.Errorf("userData: failed to create jsonnet VM: %w", err)
 	}
@@ -494,10 +511,11 @@ func (a *Actuator) loadAndRenderUserDataSecret(ctx context.Context, mctx *machin
 	return compacted.String(), nil
 }
 
-func jsonnetVMWithContext(machine *machinev1beta1.Machine, data map[string]string) (*jsonnet.VM, error) {
+func jsonnetVMWithContext(machine *machinev1beta1.Machine, data map[string]string, userDataSecrets corev1.SecretList) (*jsonnet.VM, error) {
 	jcr, err := json.Marshal(map[string]any{
 		"machine": machine,
 		"data":    data,
+		"secrets": userDataSecrets.Items,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("unable to marshal jsonnet context: %w", err)
diff --git a/pkg/machine/actuator_test.go b/pkg/machine/actuator_test.go
@@ -42,8 +42,30 @@ func Test_Actuator_Create_ComplexMachineE2E(t *testing.T) {
 			},
 		},
 	}
+	appUserDataSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "user-data-managed",
+			Labels: map[string]string{
+				"test.com/user-data-secret": "",
+			},
+		},
+		Data: map[string][]byte{
+			"userData": []byte("{}"),
+		},
+	}
+	unrelatedSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "unrelated-secret",
+		},
+		Data: map[string][]byte{
+			"foo": []byte("bar"),
+		},
+	}
 	providerSpec := csv1beta1.CloudscaleMachineProviderSpec{
-		UserDataSecret:   &corev1.LocalObjectReference{Name: "app-user-data"},
+		UserDataSecret: &corev1.LocalObjectReference{Name: "app-user-data"},
+		UserDataSecretSelector: &metav1.LabelSelector{
+			MatchLabels: appUserDataSecret.Labels,
+		},
 		TokenSecret:      &corev1.LocalObjectReference{Name: "cloudscale-token"},
 		BaseDomain:       "cluster.example.com",
 		Zone:             "rma1",
@@ -81,11 +103,11 @@ func Test_Actuator_Create_ComplexMachineE2E(t *testing.T) {
 		},
 		Data: map[string][]byte{
 			"ignitionCA": []byte("CADATA"),
-			"userData":   []byte("{ca: std.extVar('context').data.ignitionCA}"),
+			"userData":   []byte("{ca: std.extVar('context').data.ignitionCA, udsecrets: std.map(function(s) s.metadata.name,std.extVar('context').secrets)}"),
 		},
 	}
 
-	c := newFakeClient(t, machine, tokenSecret, userDataSecret)
+	c := newFakeClient(t, machine, tokenSecret, userDataSecret, appUserDataSecret, unrelatedSecret)
 	ss := csmock.NewMockServerService(ctrl)
 	sgs := csmock.NewMockServerGroupService(ctrl)
 	actuator := newActuator(c, ss, sgs)
@@ -145,7 +167,7 @@ func Test_Actuator_Create_ComplexMachineE2E(t *testing.T) {
 			SSHKeys:      []string{},
 			UseIPV6:      providerSpec.UseIPV6,
 			ServerGroups: []string{"created-server-group-uuid"},
-			UserData:     "{\"ca\":\"CADATA\"}",
+			UserData:     "{\"ca\":\"CADATA\",\"udsecrets\":[\"user-data-managed\"]}",
 		}),
 	).DoAndReturn(cloudscaleServerFromServerRequest(func(s *cloudscale.Server) {
 		s.UUID = "created-server-uuid"
