fix: use ObjectReference for secretRef in API

dkoshkin · dkoshkin · commit 2488f2f6a738 · 2023-09-25T11:22:39.000-07:00
diff --git a/api/v1alpha1/clusterconfig_types.go b/api/v1alpha1/clusterconfig_types.go
@@ -4,6 +4,7 @@
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 
 	"github.com/d2iq-labs/capi-runtime-extensions/common/pkg/capi/clustertopology/variables"
@@ -185,11 +186,11 @@ type ImageRegistryCredentials struct {
 	// Registry URL.
 	URL string `json:"url"`
 
-	// Name of the Secret containing the registry credentials.
+	// The Secret containing the registry credentials.
 	// The Secret should have keys 'username' and 'password'.
 	// This credentials Secret is not required for some registries, e.g. ECR.
 	// +optional
-	Secret string `json:"secret,omitempty"`
+	Secret *corev1.ObjectReference `json:"secretRef,omitempty"`
 }
 
 func (ImageRegistryCredentials) VariableSchema() clusterv1.VariableSchema {
@@ -202,11 +203,23 @@ func (ImageRegistryCredentials) VariableSchema() clusterv1.VariableSchema {
 					Description: "Registry URL.",
 					Type:        "string",
 				},
-				"secret": {
-					Description: "Name of the Secret containing the registry credentials. " +
+				"secretRef": {
+					Description: "The Secret containing the registry credentials. " +
 						"The Secret should have keys 'username' and 'password'. " +
 						"This credentials Secret is not required for some registries, e.g. ECR.",
-					Type: "string",
+					Type: "object",
+					Properties: map[string]clusterv1.JSONSchemaProps{
+						"name": {
+							Description: "The name of the Secret containing the registry credentials.",
+							Type:        "string",
+						},
+						"namespace": {
+							Description: "The namespace of the Secret containing the registry credentials. " +
+								"Defaults to the namespace of the KubeadmControlPlaneTemplate and KubeadmConfigTemplate" +
+								" that reference this variable.",
+							Type: "string",
+						},
+					},
 				},
 			},
 			Required: []string{"url"},
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/docs/content/customization/_index.md b/docs/content/customization/_index.md
@@ -41,7 +41,8 @@ spec:
               - no-proxy-2.example.com
           imageRegistryCredentials:
             url: https://my-registry.io
-            secret: my-registry-credentials
+            secretRef:
+              name: my-registry-credentials
           cni:
             provider: calico
 ```
diff --git a/docs/content/customization/generic/image-registry-credentials.md b/docs/content/customization/generic/image-registry-credentials.md
@@ -37,7 +37,8 @@ spec:
         value:
           imageRegistryCredentials:
             url: https://my-registry.io
-            secret: my-registry-credentials
+            secretRef:
+              name: my-registry-credentials
 ```
 
 Applying this configuration will result in new files and preKubeadmCommands
diff --git a/pkg/handlers/generic/mutation/imageregistrycredentials/inject.go b/pkg/handlers/generic/mutation/imageregistrycredentials/inject.go
@@ -296,14 +296,19 @@ func secretForImageRegistryCredentials(
 	ctx context.Context,
 	c ctrlclient.Reader,
 	credentials v1alpha1.ImageRegistryCredentials,
-	namespace string,
+	objectNamespace string,
 ) (*corev1.Secret, error) {
-	if credentials.Secret == "" {
+	if credentials.Secret == nil {
 		return nil, nil
 	}
 
+	namespace := objectNamespace
+	if credentials.Secret.Namespace != "" {
+		namespace = credentials.Secret.Namespace
+	}
+
 	key := ctrlclient.ObjectKey{
-		Name:      credentials.Secret,
+		Name:      credentials.Secret.Name,
 		Namespace: namespace,
 	}
 	secret := &corev1.Secret{}
diff --git a/pkg/handlers/generic/mutation/imageregistrycredentials/inject_test.go b/pkg/handlers/generic/mutation/imageregistrycredentials/inject_test.go
@@ -72,8 +72,10 @@ func TestGeneratePatches(t *testing.T) {
 				capitest.VariableWithValue(
 					variableName,
 					v1alpha1.ImageRegistryCredentials{
-						URL:    "https://my-registry.io",
-						Secret: validSecretName,
+						URL: "https://my-registry.io",
+						Secret: &corev1.ObjectReference{
+							Name: validSecretName,
+						},
 					},
 				),
 			},
@@ -129,8 +131,10 @@ func TestGeneratePatches(t *testing.T) {
 				capitest.VariableWithValue(
 					variableName,
 					v1alpha1.ImageRegistryCredentials{
-						URL:    "https://my-registry.io",
-						Secret: validSecretName,
+						URL: "https://my-registry.io",
+						Secret: &corev1.ObjectReference{
+							Name: validSecretName,
+						},
 					},
 				),
 				capitest.VariableWithValue(
diff --git a/pkg/handlers/generic/mutation/imageregistrycredentials/variables_test.go b/pkg/handlers/generic/mutation/imageregistrycredentials/variables_test.go
@@ -6,6 +6,7 @@ package imageregistrycredentials
 import (
 	"testing"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/utils/ptr"
 
 	"github.com/d2iq-labs/capi-runtime-extensions/api/v1alpha1"
@@ -28,8 +29,10 @@ func TestVariableValidation(t *testing.T) {
 		capitest.VariableTestDef{
 			Name: "with a Secret",
 			Vals: v1alpha1.ImageRegistryCredentials{
-				URL:    "http://a.b.c.example.com",
-				Secret: "a.b.c.example.com-creds",
+				URL: "http://a.b.c.example.com",
+				Secret: &corev1.ObjectReference{
+					Name: "a.b.c.example.com-creds",
+				},
 			},
 		},
 	)
