Introduce .spec.credentialsSecretRef for out-of-tree machine class

kubernetes/crds/machine.sapcloud.io_machineclasses.yaml

@@ -25,6 +25,21 @@ spec:
             of an object. Servers should convert recognized schemas to the latest
             internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
           type: string
+        credentialsSecretRef:
+          description: CredentialsSecretRef can optionally store the credentials (in
+            this case the SecretRef does not need to store them). This might be useful
+            if multiple machine classes with the same credentials but different user-datas
+            are used.
+          properties:
+            name:
+              description: Name is unique within a namespace to reference a secret
+                resource.
+              type: string
+            namespace:
+              description: Namespace defines the space within which the secret name
+                must be unique.
+              type: string
+          type: object
         kind:
           description: 'Kind is a string value representing the REST resource this
             object represents. Servers may infer this from the endpoint the client
@@ -40,8 +55,8 @@ spec:
           description: Provider-specific configuration to use during node creation.
           type: object
         secretRef:
-          description: SecretRef stores the necessary secrets such as credetials or
-            userdata.
+          description: SecretRef stores the necessary secrets such as credentials
+            or userdata.
           properties:
             name:
               description: Name is unique within a namespace to reference a secret

pkg/apis/machine/types.go

@@ -1206,8 +1206,11 @@ type MachineClass struct {
 	metav1.ObjectMeta
 	// Provider-specific configuration to use during node creation.
 	ProviderSpec runtime.RawExtension
-	// SecretRef stores the necessary secrets such as credetials or userdata.
+	// SecretRef stores the necessary secrets such as credentials or userdata.
 	SecretRef *corev1.SecretReference
+	// CredentialsSecretRef can optionally store the credentials (in this case the SecretRef does not need to store them).
+	// This might be useful if multiple machine classes with the same credentials but different user-datas are used.
+	CredentialsSecretRef *corev1.SecretReference
 	// Provider is the combination of name and location of cloud-specific drivers.
 	// eg. awsdriver//127.0.0.1:8080
 	Provider string

pkg/apis/machine/v1alpha1/machineclass_types.go

@@ -39,8 +39,11 @@ type MachineClass struct {
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	// Provider-specific configuration to use during node creation.
 	ProviderSpec runtime.RawExtension `json:"providerSpec"`
-	// SecretRef stores the necessary secrets such as credetials or userdata.
+	// SecretRef stores the necessary secrets such as credentials or userdata.
 	SecretRef *corev1.SecretReference `json:"secretRef,omitempty"`
+	// CredentialsSecretRef can optionally store the credentials (in this case the SecretRef does not need to store them).
+	// This might be useful if multiple machine classes with the same credentials but different user-datas are used.
+	CredentialsSecretRef *corev1.SecretReference `json:"credentialsSecretRef,omitempty"`
 	// Provider is the combination of name and location of cloud-specific drivers.
 	Provider string `json:"provider,omitempty"`
 }

pkg/util/provider/machinecontroller/machine.go

@@ -134,7 +134,7 @@ func (c *controller) reconcileClusterMachine(machine *v1alpha1.Machine) (machine
 		return machineutils.LongRetry, err
 	}
 
-	machineClass, secret, retry, err := c.ValidateMachineClass(&machine.Spec.Class)
+	machineClass, secretData, retry, err := c.ValidateMachineClass(&machine.Spec.Class)
 	if err != nil {
 		klog.Error(err)
 		return retry, err
@@ -145,7 +145,7 @@ func (c *controller) reconcileClusterMachine(machine *v1alpha1.Machine) (machine
 		return c.triggerDeletionFlow(&driver.DeleteMachineRequest{
 			Machine:      machine,
 			MachineClass: machineClass,
-			Secret:       secret,
+			Secret:       &corev1.Secret{Data: secretData},
 		})
 	}
 
@@ -161,12 +161,11 @@ func (c *controller) reconcileClusterMachine(machine *v1alpha1.Machine) (machine
 			return retry, err
 		}
 	}
-
 	if machine.Spec.ProviderID == "" || machine.Status.CurrentStatus.Phase == "" || machine.Status.Node == "" {
 		return c.triggerCreationFlow(&driver.CreateMachineRequest{
 			Machine:      machine,
 			MachineClass: machineClass,
-			Secret:       secret,
+			Secret:       &corev1.Secret{Data: secretData},
 		})
 	}
 

pkg/util/provider/machinecontroller/machine_safety.go

@@ -170,10 +170,7 @@ func (c *controller) checkMachineClasses() (machineutils.RetryPeriod, error) {
 	}
 
 	for _, machineClass := range MachineClasses {
-		retry, err := c.checkMachineClass(
-			machineClass,
-			machineClass.SecretRef,
-		)
+		retry, err := c.checkMachineClass(machineClass)
 		if err != nil {
 			return retry, err
 		}
@@ -183,20 +180,18 @@ func (c *controller) checkMachineClasses() (machineutils.RetryPeriod, error) {
 }
 
 // checkMachineClass checks a particular machineClass for orphan instances
-func (c *controller) checkMachineClass(
-	machineClass *v1alpha1.MachineClass,
-	secretRef *corev1.SecretReference) (machineutils.RetryPeriod, error) {
-
-	// Get secret
-	secret, err := c.getSecret(secretRef, machineClass.Name)
-	if err != nil || secret == nil {
-		klog.Errorf("SafetyController: Secret reference not found for MachineClass: %q", machineClass.Name)
+func (c *controller) checkMachineClass(machineClass *v1alpha1.MachineClass) (machineutils.RetryPeriod, error) {
+
+	// Get secret data
+	secretData, err := c.getSecretData(machineClass.Name, machineClass.SecretRef, machineClass.CredentialsSecretRef)
+	if err != nil {
+		klog.Errorf("SafetyController: Secret Data could not be computed for MachineClass: %q", machineClass.Name)
 		return machineutils.LongRetry, err
 	}
 
 	listMachineResponse, err := c.driver.ListMachines(context.TODO(), &driver.ListMachinesRequest{
 		MachineClass: machineClass,
-		Secret:       secret,
+		Secret:       &corev1.Secret{Data: secretData},
 	})
 	if err != nil {
 		klog.Errorf("SafetyController: Failed to LIST VMs at provider. Error: %s", err)
@@ -242,7 +237,7 @@ func (c *controller) checkMachineClass(
 			_, err := c.driver.DeleteMachine(context.TODO(), &driver.DeleteMachineRequest{
 				Machine:      machine,
 				MachineClass: machineClass,
-				Secret:       secret,
+				Secret:       &corev1.Secret{Data: secretData},
 			})
 			if err != nil {
 				klog.Errorf("SafetyController: Error while trying to DELETE VM on CP - %s. Shall retry in next safety controller sync.", err)

pkg/util/provider/machinecontroller/machine_test.go

@@ -229,7 +229,7 @@ var _ = Describe("machine", func() {
 		}
 		type expect struct {
 			machineClass interface{}
-			secret       *corev1.Secret
+			secretData   map[string][]byte
 			err          bool
 		}
 		type data struct {
@@ -262,17 +262,17 @@ var _ = Describe("machine", func() {
 				defer trackers.Stop()
 
 				waitForCacheSync(stop, controller)
-				machineClass, secret, _, err := controller.ValidateMachineClass(data.action)
+				machineClass, secretData, _, err := controller.ValidateMachineClass(data.action)
 
 				if data.expect.machineClass == nil {
 					Expect(machineClass).To(BeNil())
 				} else {
 					Expect(machineClass).To(Equal(data.expect.machineClass))
 				}
-				if data.expect.secret == nil {
-					Expect(secret).To(BeNil())
+				if data.expect.secretData == nil {
+					Expect(secretData).To(BeNil())
 				} else {
-					Expect(secret).To(Equal(data.expect.secret))
+					Expect(secretData).To(Equal(data.expect.secretData))
 				}
 				if !data.expect.err {
 					Expect(err).To(BeNil())
@@ -323,6 +323,7 @@ var _ = Describe("machine", func() {
 					secrets: []*corev1.Secret{
 						{
 							ObjectMeta: *newObjectMeta(objMeta, 0),
+							Data:       map[string][]byte{"foo": []byte("bar")},
 						},
 					},
 					aws: []*v1alpha1.MachineClass{
@@ -341,10 +342,8 @@ var _ = Describe("machine", func() {
 						ObjectMeta: *newObjectMeta(objMeta, 0),
 						SecretRef:  newSecretReference(objMeta, 0),
 					},
-					secret: &corev1.Secret{
-						ObjectMeta: *newObjectMeta(objMeta, 0),
-					},
-					err: false,
+					secretData: map[string][]byte{"foo": []byte("bar")},
+					err:        false,
 				},
 			}),
 		)

pkg/util/provider/machinecontroller/machine_util.go

@@ -93,10 +93,9 @@ func UpdateMachineWithRetries(machineClient v1alpha1client.MachineInterface, mac
 */
 
 // ValidateMachineClass validates the machine class.
-func (c *controller) ValidateMachineClass(classSpec *v1alpha1.ClassSpec) (*v1alpha1.MachineClass, *v1.Secret, machineutils.RetryPeriod, error) {
+func (c *controller) ValidateMachineClass(classSpec *v1alpha1.ClassSpec) (*v1alpha1.MachineClass, map[string][]byte, machineutils.RetryPeriod, error) {
 	var (
 		machineClass *v1alpha1.MachineClass
-		secretRef    *v1.Secret
 		err          error
 		retry        = machineutils.LongRetry
 	)
@@ -118,16 +117,38 @@ func (c *controller) ValidateMachineClass(classSpec *v1alpha1.ClassSpec) (*v1alp
 		return nil, nil, retry, err
 	}
 
-	secretRef, err = c.getSecret(machineClass.SecretRef, machineClass.Name)
+	secretData, err := c.getSecretData(machineClass.Name, machineClass.SecretRef, machineClass.CredentialsSecretRef)
 	if err != nil {
-		klog.Errorf("Secret not found for %q", machineClass.SecretRef.Name)
+		klog.V(2).Infof("Could not compute secret data: %+v", err)
 		return nil, nil, retry, err
 	}
 
-	return machineClass, secretRef, retry, nil
+	return machineClass, secretData, retry, nil
 }
 
-// getSecret retrives the kubernetes secret if found
+func (c *controller) getSecretData(machineClassName string, secretRefs ...*v1.SecretReference) (map[string][]byte, error) {
+	var secretData map[string][]byte
+
+	for _, secretRef := range secretRefs {
+		if secretRef == nil {
+			continue
+		}
+
+		secretRef, err := c.getSecret(secretRef, machineClassName)
+		if err != nil {
+			klog.V(2).Infof("Secret reference %s/%s not found", secretRef.Namespace, secretRef.Name)
+			return nil, err
+		}
+
+		if secretRef != nil {
+			secretData = mergeDataMaps(secretData, secretRef.Data)
+		}
+	}
+
+	return secretData, nil
+}
+
+// getSecret retrieves the kubernetes secret if found
 func (c *controller) getSecret(ref *v1.SecretReference, MachineClassName string) (*v1.Secret, error) {
 	if ref == nil {
 		// If no secretRef, return nil
@@ -161,6 +182,18 @@ func nodeConditionsHaveChanged(machineConditions []v1.NodeCondition, nodeConditi
 	return false
 }
 
+func mergeDataMaps(in map[string][]byte, maps ...map[string][]byte) map[string][]byte {
+	out := make(map[string][]byte)
+
+	for _, m := range append([]map[string][]byte{in}, maps...) {
+		for k, v := range m {
+			out[k] = v
+		}
+	}
+
+	return out
+}
+
 // syncMachineNodeTemplate syncs nodeTemplates between machine and corresponding node-object.
 // It ensures, that any nodeTemplate element available on Machine should be available on node-object.
 // Although there could be more elements already available on node-object which will not be touched.

pkg/util/provider/machinecontroller/migrate_machineclass.go

@@ -5,17 +5,17 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/gardener/machine-controller-manager/pkg/apis/machine/v1alpha1"
-	"github.com/gardener/machine-controller-manager/pkg/util/provider/driver"
-	"github.com/gardener/machine-controller-manager/pkg/util/provider/machinecodes/codes"
-	"github.com/gardener/machine-controller-manager/pkg/util/provider/machinecodes/status"
-	"github.com/gardener/machine-controller-manager/pkg/util/provider/machineutils"
-	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog"
+
+	"github.com/gardener/machine-controller-manager/pkg/apis/machine/v1alpha1"
+	"github.com/gardener/machine-controller-manager/pkg/util/provider/driver"
+	"github.com/gardener/machine-controller-manager/pkg/util/provider/machinecodes/codes"
+	"github.com/gardener/machine-controller-manager/pkg/util/provider/machinecodes/status"
+	"github.com/gardener/machine-controller-manager/pkg/util/provider/machineutils"
 )
 
 const (
@@ -110,7 +110,7 @@ func (c *controller) createMachineClass(providerSpecificMachineClass interface{}
 		}
 
 	} else if err != nil {
-		// Anyother kind of error while fetching the machineClass object
+		// Another kind of error while fetching the machineClass object
 		return machineutils.ShortRetry, err
 	}
 
@@ -387,7 +387,7 @@ func (c *controller) addMigratedAnnotationForProviderMachineClass(classSpec *v1a
 }
 
 // TryMachineClassMigration tries to migrate the provider-specific machine class to the generic machine-class.
-func (c *controller) TryMachineClassMigration(classSpec *v1alpha1.ClassSpec) (*v1alpha1.MachineClass, *v1.Secret, machineutils.RetryPeriod, error) {
+func (c *controller) TryMachineClassMigration(classSpec *v1alpha1.ClassSpec) (*v1alpha1.MachineClass, map[string][]byte, machineutils.RetryPeriod, error) {
 	var (
 		err                          error
 		providerSpecificMachineClass interface{}