Fall back to cluster identityRef in absence of machine

The 'identityRef' attribute is marked as optional but without it we have
no ability to talk to the cloud. In a future API version, we may wish to
make this a required attribute but for now, provide the ability to
retrieve credentials from the cluster in the absence of the machine.

Signed-off-by: Stephen Finucane <[email protected]>

Author: stephenfin

api/v1alpha7/openstackmachine_types.go

@@ -89,7 +89,8 @@ type OpenStackMachineSpec struct {
 	// The server group to assign the machine to
 	ServerGroupID string `json:"serverGroupID,omitempty"`
 
-	// IdentityRef is a reference to a identity to be used when reconciling this cluster
+	// IdentityRef is a reference to a identity to be used when reconciling this cluster.
+	// If not specified, the identity ref of the cluster will be used instead.
 	// +optional
 	IdentityRef *OpenStackIdentityReference `json:"identityRef,omitempty"`
 }

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml

@@ -3849,7 +3849,8 @@ spec:
                         type: string
                       identityRef:
                         description: IdentityRef is a reference to a identity to be
-                          used when reconciling this cluster
+                          used when reconciling this cluster. If not specified, the
+                          identity ref of the cluster will be used instead.
                         properties:
                           kind:
                             description: Kind of the identity. Must be supported by

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml

@@ -1695,7 +1695,9 @@ spec:
                                 type: string
                               identityRef:
                                 description: IdentityRef is a reference to a identity
-                                  to be used when reconciling this cluster
+                                  to be used when reconciling this cluster. If not
+                                  specified, the identity ref of the cluster will
+                                  be used instead.
                                 properties:
                                   kind:
                                     description: Kind of the identity. Must be supported

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml

@@ -1228,7 +1228,8 @@ spec:
                 type: string
               identityRef:
                 description: IdentityRef is a reference to a identity to be used when
-                  reconciling this cluster
+                  reconciling this cluster. If not specified, the identity ref of
+                  the cluster will be used instead.
                 properties:
                   kind:
                     description: Kind of the identity. Must be supported by the infrastructure

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml

@@ -1032,7 +1032,8 @@ spec:
                         type: string
                       identityRef:
                         description: IdentityRef is a reference to a identity to be
-                          used when reconciling this cluster
+                          used when reconciling this cluster. If not specified, the
+                          identity ref of the cluster will be used instead.
                         properties:
                           kind:
                             description: Kind of the identity. Must be supported by

controllers/openstackmachine_controller.go

@@ -140,7 +140,7 @@ func (r *OpenStackMachineReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		}
 	}()
 
-	scope, err := r.ScopeFactory.NewClientScopeFromMachine(ctx, r.Client, openStackMachine, r.CaCertificates, log)
+	scope, err := r.ScopeFactory.NewClientScopeFromMachine(ctx, r.Client, openStackMachine, infraCluster, r.CaCertificates, log)
 	if err != nil {
 		return reconcile.Result{}, err
 	}

pkg/scope/mock.go

@@ -66,7 +66,7 @@ func (f *MockScopeFactory) SetClientScopeCreateError(err error) {
 	f.clientScopeCreateError = err
 }
 
-func (f *MockScopeFactory) NewClientScopeFromMachine(_ context.Context, _ client.Client, _ *infrav1.OpenStackMachine, _ []byte, _ logr.Logger) (Scope, error) {
+func (f *MockScopeFactory) NewClientScopeFromMachine(_ context.Context, _ client.Client, _ *infrav1.OpenStackMachine, _ *infrav1.OpenStackCluster, _ []byte, _ logr.Logger) (Scope, error) {
 	if f.clientScopeCreateError != nil {
 		return nil, f.clientScopeCreateError
 	}

pkg/scope/provider.go

@@ -52,7 +52,7 @@ type providerScopeFactory struct {
 	clientCache *cache.LRUExpireCache
 }
 
-func (f *providerScopeFactory) NewClientScopeFromMachine(ctx context.Context, ctrlClient client.Client, openStackMachine *infrav1.OpenStackMachine, defaultCACert []byte, logger logr.Logger) (Scope, error) {
+func (f *providerScopeFactory) NewClientScopeFromMachine(ctx context.Context, ctrlClient client.Client, openStackMachine *infrav1.OpenStackMachine, openStackCluster *infrav1.OpenStackCluster, defaultCACert []byte, logger logr.Logger) (Scope, error) {
 	var cloud clientconfig.Cloud
 	var caCert []byte
 
@@ -62,6 +62,12 @@ func (f *providerScopeFactory) NewClientScopeFromMachine(ctx context.Context, ct
 		if err != nil {
 			return nil, err
 		}
+	} else if openStackCluster.Spec.IdentityRef != nil {
+		var err error
+		cloud, caCert, err = getCloudFromSecret(ctx, ctrlClient, openStackCluster.Namespace, openStackCluster.Spec.IdentityRef.Name, openStackCluster.Spec.CloudName)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	if caCert == nil {

pkg/scope/scope.go

@@ -41,7 +41,7 @@ func NewFactory(maxCacheSize int) Factory {
 
 // Factory instantiates a new Scope using credentials from either a cluster or a machine.
 type Factory interface {
-	NewClientScopeFromMachine(ctx context.Context, ctrlClient client.Client, openStackMachine *infrav1.OpenStackMachine, defaultCACert []byte, logger logr.Logger) (Scope, error)
+	NewClientScopeFromMachine(ctx context.Context, ctrlClient client.Client, openStackMachine *infrav1.OpenStackMachine, openStackCluster *infrav1.OpenStackCluster, defaultCACert []byte, logger logr.Logger) (Scope, error)
 	NewClientScopeFromCluster(ctx context.Context, ctrlClient client.Client, openStackCluster *infrav1.OpenStackCluster, defaultCACert []byte, logger logr.Logger) (Scope, error)
 }