Add ability to specify a namespace for provider secret

Author: alexander-demicev

Makefile

@@ -294,6 +294,7 @@ generate-manifests: $(CONTROLLER_GEN) ## Generate manifests for the operator e.g
 	$(CONTROLLER_GEN) \
 		paths=./api/... \
 		paths=./internal/controller/... \
+		paths=./internal/webhook/... \
 		crd:crdVersions=v1 \
 		rbac:roleName=manager-role \
 		output:crd:dir=./config/crd/bases \

api/v1alpha1/provider_types.go

@@ -51,6 +51,10 @@ type ProviderSpec struct {
 	// +optional
 	SecretName string `json:"secretName,omitempty"`
 
+	// SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified,
+	// the namespace of the provider will be used.
+	SecretNamespace string `json:"secretNamespace,omitempty"`
+
 	// FetchConfig determines how the operator will fetch the components and metadata for the provider.
 	// If nil, the operator will try to fetch components according to default
 	// embedded fetch configuration for the given kind and `ObjectMeta.Name`.

internal/controller/phases.go

@@ -195,7 +195,7 @@ func (p *phaseReconciler) secretReader(ctx context.Context) (configclient.Reader
 	// Fetch configuration variables from the secret. See API field docs for more info.
 	if p.provider.GetSpec().SecretName != "" {
 		secret := &corev1.Secret{}
-		key := types.NamespacedName{Namespace: p.provider.GetNamespace(), Name: p.provider.GetSpec().SecretName}
+		key := types.NamespacedName{Namespace: p.provider.GetSpec().SecretNamespace, Name: p.provider.GetSpec().SecretName}
 
 		if err := p.ctrlClient.Get(ctx, key, secret); err != nil {
 			return nil, err

internal/controller/phases_test.go

@@ -38,6 +38,7 @@ func TestSecretReader(t *testing.T) {
 	fakeclient := fake.NewClientBuilder().WithObjects().Build()
 
 	secretName := "test-secret"
+	secretNamespace := "test-secret-namespace"
 	namespace := "test-namespace"
 
 	p := &phaseReconciler{
@@ -54,7 +55,8 @@ func TestSecretReader(t *testing.T) {
 				},
 				Spec: operatorv1.CoreProviderSpec{
 					ProviderSpec: operatorv1.ProviderSpec{
-						SecretName: secretName,
+						SecretName:      secretName,
+						SecretNamespace: secretNamespace,
 						FetchConfig: &operatorv1.FetchConfiguration{
 							URL: "https://example.com",
 						},
@@ -72,7 +74,7 @@ func TestSecretReader(t *testing.T) {
 	g.Expect(fakeclient.Create(ctx, &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      secretName,
-			Namespace: namespace,
+			Namespace: secretNamespace,
 		},
 		Data: map[string][]byte{
 			testKey1: []byte(testValue1),

internal/controller/preflight_checks.go

@@ -117,7 +117,7 @@ func preflightChecks(ctx context.Context, c client.Client, provider genericprovi
 	// Validate that provided github token works and has repository access.
 	if spec.SecretName != "" {
 		secret := &corev1.Secret{}
-		key := types.NamespacedName{Namespace: provider.GetNamespace(), Name: provider.GetSpec().SecretName}
+		key := types.NamespacedName{Namespace: provider.GetSpec().SecretNamespace, Name: provider.GetSpec().SecretName}
 
 		if err := c.Get(ctx, key, secret); err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to get providers secret: %w", err)

internal/webhook/bootstrapprovider_webhook.go

@@ -18,7 +18,9 @@ package webhook
 
 import (
 	"context"
+	"fmt"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -32,12 +34,17 @@ func (r *BootstrapProviderWebhook) SetupWebhookWithManager(mgr ctrl.Manager) err
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&operatorv1.BootstrapProvider{}).
 		WithValidator(r).
+		WithDefaulter(r).
 		Complete()
 }
 
-//+kubebuilder:webhook:verbs=create;update,path=/validate-operator-cluster-x-k8s-io-v1alpha1-bootstrapprovider,mutating=false,failurePolicy=fail,groups=operator.cluster.x-k8s.io,resources=bootstrapproviders,versions=v1alpha1,name=vbootstrapprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1alpha1
+//+kubebuilder:webhook:verbs=create;update,path=/validate-operator-cluster-x-k8s-io-v1alpha1-bootstrapprovider,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=operator.cluster.x-k8s.io,resources=bootstrapproviders,versions=v1alpha1,name=vbootstrapprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
+//+kubebuilder:webhook:verbs=create;update,path=/mutate-operator-cluster-x-k8s-io-v1alpha1-bootstrapprovider,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,matchPolicy=Equivalent,groups=operator.cluster.x-k8s.io,resources=bootstrapproviders,versions=v1alpha1,name=vbootstrapprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 
-var _ webhook.CustomValidator = &BootstrapProviderWebhook{}
+var (
+	_ webhook.CustomValidator = &BootstrapProviderWebhook{}
+	_ webhook.CustomDefaulter = &BootstrapProviderWebhook{}
+)
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *BootstrapProviderWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) error {
@@ -53,3 +60,15 @@ func (r *BootstrapProviderWebhook) ValidateUpdate(ctx context.Context, oldObj, n
 func (r *BootstrapProviderWebhook) ValidateDelete(_ context.Context, obj runtime.Object) error {
 	return nil
 }
+
+// Default implements webhook.Default so a webhook will be registered for the type.
+func (r *BootstrapProviderWebhook) Default(ctx context.Context, obj runtime.Object) error {
+	bootstrapProvider, ok := obj.(*operatorv1.BootstrapProvider)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a BootstrapProvider but got a %T", obj))
+	}
+
+	setDefaultProviderSpec(&bootstrapProvider.Spec.ProviderSpec, bootstrapProvider.Namespace)
+
+	return nil
+}

internal/webhook/controlplaneprovider_webhook.go

@@ -18,7 +18,9 @@ package webhook
 
 import (
 	"context"
+	"fmt"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -32,12 +34,17 @@ func (r *ControlPlaneProviderWebhook) SetupWebhookWithManager(mgr ctrl.Manager)
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&operatorv1.ControlPlaneProvider{}).
 		WithValidator(r).
+		WithDefaulter(r).
 		Complete()
 }
 
-//+kubebuilder:webhook:verbs=create;update,path=/validate-operator-cluster-x-k8s-io-v1alpha1-controlplaneprovider,mutating=false,failurePolicy=fail,groups=operator.cluster.x-k8s.io,resources=controlplaneproviders,versions=v1alpha1,name=vcontrolplaneprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1alpha1
+//+kubebuilder:webhook:verbs=create;update,path=/validate-operator-cluster-x-k8s-io-v1alpha1-controlplaneprovider,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=operator.cluster.x-k8s.io,resources=controlplaneproviders,versions=v1alpha1,name=vcontrolplaneprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
+//+kubebuilder:webhook:verbs=create;update,path=/mutate-operator-cluster-x-k8s-io-v1alpha1-controlplaneprovider,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=operator.cluster.x-k8s.io,resources=controlplaneproviders,versions=v1alpha1,name=vcontrolplaneprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 
-var _ webhook.CustomValidator = &ControlPlaneProviderWebhook{}
+var (
+	_ webhook.CustomValidator = &ControlPlaneProviderWebhook{}
+	_ webhook.CustomDefaulter = &ControlPlaneProviderWebhook{}
+)
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *ControlPlaneProviderWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) error {
@@ -53,3 +60,15 @@ func (r *ControlPlaneProviderWebhook) ValidateUpdate(ctx context.Context, oldObj
 func (r *ControlPlaneProviderWebhook) ValidateDelete(_ context.Context, obj runtime.Object) error {
 	return nil
 }
+
+// Default implements webhook.Default so a webhook will be registered for the type.
+func (r *ControlPlaneProviderWebhook) Default(ctx context.Context, obj runtime.Object) error {
+	controlPlaneProvider, ok := obj.(*operatorv1.ControlPlaneProvider)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a ControlPlaneProvider but got a %T", obj))
+	}
+
+	setDefaultProviderSpec(&controlPlaneProvider.Spec.ProviderSpec, controlPlaneProvider.Namespace)
+
+	return nil
+}

internal/webhook/coreprovider_webhook.go

@@ -18,26 +18,32 @@ package webhook
 
 import (
 	"context"
+	"fmt"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	operatorv1 "sigs.k8s.io/cluster-api-operator/api/v1alpha1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
-
-	operatorv1 "sigs.k8s.io/cluster-api-operator/api/v1alpha1"
 )
 
 type CoreProviderWebhook struct{}
 
 func (r *CoreProviderWebhook) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		WithValidator(r).
+		WithDefaulter(r).
 		For(&operatorv1.CoreProvider{}).
 		Complete()
 }
 
-//+kubebuilder:webhook:verbs=create;update,path=/validate-operator-cluster-x-k8s-io-v1alpha1-coreprovider,mutating=false,failurePolicy=fail,groups=operator.cluster.x-k8s.io,resources=coreproviders,versions=v1alpha1,name=vcoreprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1alpha1
+//+kubebuilder:webhook:verbs=create;update,path=/validate-operator-cluster-x-k8s-io-v1alpha1-coreprovider,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=operator.cluster.x-k8s.io,resources=coreproviders,versions=v1alpha1,name=vcoreprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
+//+kubebuilder:webhook:verbs=create;update,path=/mutate-operator-cluster-x-k8s-io-v1alpha1-coreprovider,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,failurePolicy=fail,groups=operator.cluster.x-k8s.io,resources=coreproviders,versions=v1alpha1,name=vcoreprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 
-var _ webhook.CustomValidator = &CoreProviderWebhook{}
+var (
+	_ webhook.CustomValidator = &CoreProviderWebhook{}
+	_ webhook.CustomDefaulter = &CoreProviderWebhook{}
+)
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *CoreProviderWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) error {
@@ -53,3 +59,15 @@ func (r *CoreProviderWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj
 func (r *CoreProviderWebhook) ValidateDelete(_ context.Context, obj runtime.Object) error {
 	return nil
 }
+
+// Default implements webhook.Default so a webhook will be registered for the type.
+func (r *CoreProviderWebhook) Default(ctx context.Context, obj runtime.Object) error {
+	coreProvider, ok := obj.(*operatorv1.CoreProvider)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a CoreProvider but got a %T", obj))
+	}
+
+	setDefaultProviderSpec(&coreProvider.Spec.ProviderSpec, coreProvider.Namespace)
+
+	return nil
+}

internal/webhook/infrastructureprovider_webhook.go

@@ -18,7 +18,9 @@ package webhook
 
 import (
 	"context"
+	"fmt"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -31,13 +33,18 @@ type InfrastructureProviderWebhook struct{}
 func (r *InfrastructureProviderWebhook) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		WithValidator(r).
+		WithDefaulter(r).
 		For(&operatorv1.InfrastructureProvider{}).
 		Complete()
 }
 
-//+kubebuilder:webhook:verbs=create;update,path=/validate-operator-cluster-x-k8s-io-v1alpha1-infrastructureprovider,mutating=false,failurePolicy=fail,groups=operator.cluster.x-k8s.io,resources=infrastructureproviders,versions=v1alpha1,name=vinfrastructureprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1alpha1
+//+kubebuilder:webhook:verbs=create;update,path=/validate-operator-cluster-x-k8s-io-v1alpha1-infrastructureprovider,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=operator.cluster.x-k8s.io,resources=infrastructureproviders,versions=v1alpha1,name=vinfrastructureprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
+//+kubebuilder:webhook:verbs=create;update,path=/mutate-operator-cluster-x-k8s-io-v1alpha1-infrastructureprovider,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,failurePolicy=fail,groups=operator.cluster.x-k8s.io,resources=infrastructureproviders,versions=v1alpha1,name=vinfrastructureprovider.kb.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 
-var _ webhook.CustomValidator = &InfrastructureProviderWebhook{}
+var (
+	_ webhook.CustomValidator = &InfrastructureProviderWebhook{}
+	_ webhook.CustomDefaulter = &InfrastructureProviderWebhook{}
+)
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
 func (r *InfrastructureProviderWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) error {
@@ -53,3 +60,15 @@ func (r *InfrastructureProviderWebhook) ValidateUpdate(ctx context.Context, oldO
 func (r *InfrastructureProviderWebhook) ValidateDelete(_ context.Context, obj runtime.Object) error {
 	return nil
 }
+
+// Default implements webhook.Default so a webhook will be registered for the type.
+func (r *InfrastructureProviderWebhook) Default(ctx context.Context, obj runtime.Object) error {
+	infrastructureProvider, ok := obj.(*operatorv1.InfrastructureProvider)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a InfrastructureProvider but got a %T", obj))
+	}
+
+	setDefaultProviderSpec(&infrastructureProvider.Spec.ProviderSpec, infrastructureProvider.Namespace)
+
+	return nil
+}

internal/webhook/provider_webhook.go

@@ -0,0 +1,28 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhook
+
+import (
+	operatorv1 "sigs.k8s.io/cluster-api-operator/api/v1alpha1"
+)
+
+// setDefaultProviderSpec sets the default values for the provider spec.
+func setDefaultProviderSpec(providerSpec *operatorv1.ProviderSpec, providerNamespace string) {
+	if providerSpec.SecretName != "" && providerSpec.SecretNamespace == "" {
+		providerSpec.SecretNamespace = providerNamespace
+	}
+}