add passwdFrom to kubeadm v1beta1

kubernetes-sigs · Apr 11, 2022 · ffa4348 · ffa4348
1 parent bf89e4b
commit ffa4348
Show file tree

Hide file tree

Showing 16 changed files with 607 additions and 27 deletions.
diff --git a/bootstrap/kubeadm/api/v1alpha3/conversion.go b/bootstrap/kubeadm/api/v1alpha3/conversion.go
@@ -38,6 +38,15 @@ func (src *KubeadmConfig) ConvertTo(dstRaw conversion.Hub) error {
 		return err
 	}
 
+	dst.Spec.Users = restored.Spec.Users
+	if restored.Spec.Users != nil {
+		for i := range restored.Spec.Users {
+			if restored.Spec.Users[i].PasswdFrom != nil {
+				dst.Spec.Users[i].PasswdFrom = restored.Spec.Users[i].PasswdFrom
+			}
+		}
+	}
+
 	if restored.Spec.JoinConfiguration != nil && restored.Spec.JoinConfiguration.NodeRegistration.IgnorePreflightErrors != nil {
 		if dst.Spec.JoinConfiguration == nil {
 			dst.Spec.JoinConfiguration = &bootstrapv1.JoinConfiguration{}
@@ -111,6 +120,15 @@ func (src *KubeadmConfigTemplate) ConvertTo(dstRaw conversion.Hub) error {
 		return err
 	}
 
+	dst.Spec.Template.Spec.Users = restored.Spec.Template.Spec.Users
+	if restored.Spec.Template.Spec.Users != nil {
+		for i := range restored.Spec.Template.Spec.Users {
+			if restored.Spec.Template.Spec.Users[i].PasswdFrom != nil {
+				dst.Spec.Template.Spec.Users[i].PasswdFrom = restored.Spec.Template.Spec.Users[i].PasswdFrom
+			}
+		}
+	}
+
 	if restored.Spec.Template.Spec.JoinConfiguration != nil && restored.Spec.Template.Spec.JoinConfiguration.NodeRegistration.IgnorePreflightErrors != nil {
 		if dst.Spec.Template.Spec.JoinConfiguration == nil {
 			dst.Spec.Template.Spec.JoinConfiguration = &bootstrapv1.JoinConfiguration{}
@@ -215,3 +233,8 @@ func Convert_v1beta1_KubeadmConfigSpec_To_v1alpha3_KubeadmConfigSpec(in *bootstr
 	// KubeadmConfigSpec.Ignition does not exist in kubeadm v1alpha3 API.
 	return autoConvert_v1beta1_KubeadmConfigSpec_To_v1alpha3_KubeadmConfigSpec(in, out, s)
 }
+
+func Convert_v1beta1_User_To_v1alpha3_User(in *bootstrapv1.User, out *User, s apiconversion.Scope) error {
+	// User.PasswdFrom does not exist in kubeadm v1alpha3 API.
+	return autoConvert_v1beta1_User_To_v1alpha3_User(in, out, s)
+}
diff --git a/bootstrap/kubeadm/api/v1alpha3/zz_generated.conversion.go b/bootstrap/kubeadm/api/v1alpha3/zz_generated.conversion.go
diff --git a/bootstrap/kubeadm/api/v1alpha4/conversion.go b/bootstrap/kubeadm/api/v1alpha4/conversion.go
@@ -37,6 +37,15 @@ func (src *KubeadmConfig) ConvertTo(dstRaw conversion.Hub) error {
 		return err
 	}
 
+	dst.Spec.Users = restored.Spec.Users
+	if restored.Spec.Users != nil {
+		for i := range restored.Spec.Users {
+			if restored.Spec.Users[i].PasswdFrom != nil {
+				dst.Spec.Users[i].PasswdFrom = restored.Spec.Users[i].PasswdFrom
+			}
+		}
+	}
+
 	dst.Spec.Ignition = restored.Spec.Ignition
 	if restored.Spec.InitConfiguration != nil {
 		if dst.Spec.InitConfiguration == nil {
@@ -91,6 +100,15 @@ func (src *KubeadmConfigTemplate) ConvertTo(dstRaw conversion.Hub) error {
 		return err
 	}
 
+	dst.Spec.Template.Spec.Users = restored.Spec.Template.Spec.Users
+	if restored.Spec.Template.Spec.Users != nil {
+		for i := range restored.Spec.Template.Spec.Users {
+			if restored.Spec.Template.Spec.Users[i].PasswdFrom != nil {
+				dst.Spec.Template.Spec.Users[i].PasswdFrom = restored.Spec.Template.Spec.Users[i].PasswdFrom
+			}
+		}
+	}
+
 	dst.Spec.Template.Spec.Ignition = restored.Spec.Template.Spec.Ignition
 	if restored.Spec.Template.Spec.InitConfiguration != nil {
 		if dst.Spec.Template.Spec.InitConfiguration == nil {
@@ -147,3 +165,8 @@ func Convert_v1beta1_JoinConfiguration_To_v1alpha4_JoinConfiguration(in *bootstr
 	// InitConfiguration.Patches does not exist in kubeadm v1alpha4 API.
 	return autoConvert_v1beta1_JoinConfiguration_To_v1alpha4_JoinConfiguration(in, out, s)
 }
+
+func Convert_v1beta1_User_To_v1alpha4_User(in *bootstrapv1.User, out *User, s apiconversion.Scope) error {
+	// User.PasswdFrom does not exist in kubeadm v1alpha4 API.
+	return autoConvert_v1beta1_User_To_v1alpha4_User(in, out, s)
+}
diff --git a/bootstrap/kubeadm/api/v1alpha4/zz_generated.conversion.go b/bootstrap/kubeadm/api/v1alpha4/zz_generated.conversion.go
diff --git a/bootstrap/kubeadm/api/v1beta1/kubeadmconfig_types.go b/bootstrap/kubeadm/api/v1beta1/kubeadmconfig_types.go
@@ -252,6 +252,26 @@ type SecretFileSource struct {
 	Key string `json:"key"`
 }
 
+// PasswdSource is a union of all possible external source types for passwd data.
+// Only one field may be populated in any given instance. Developers adding new
+// sources of data for target systems should add them here.
+type PasswdSource struct {
+	// Secret represents a secret that should populate this password.
+	Secret SecretPasswdSource `json:"secret"`
+}
+
+// SecretPasswdSource adapts a Secret into a PasswdSource.
+//
+// The contents of the target Secret's Data field will be presented
+// as passwd using the keys in the Data field as the file names.
+type SecretPasswdSource struct {
+	// Name of the secret in the KubeadmBootstrapConfig's namespace to use.
+	Name string `json:"name"`
+
+	// Key is the key in the secret's data map for this value.
+	Key string `json:"key"`
+}
+
 // User defines the input for a generated user in cloud-init.
 type User struct {
 	// Name specifies the user name
@@ -281,6 +301,10 @@ type User struct {
 	// +optional
 	Passwd *string `json:"passwd,omitempty"`
 
+	// PasswdFrom is a referenced source of passwd to populate the passwd.
+	// +optional
+	PasswdFrom *PasswdSource `json:"passwdFrom,omitempty"`
+
 	// PrimaryGroup specifies the primary group for the user
 	// +optional
 	PrimaryGroup *string `json:"primaryGroup,omitempty"`

diff --git a/bootstrap/kubeadm/api/v1beta1/kubeadmconfig_webhook.go b/bootstrap/kubeadm/api/v1beta1/kubeadmconfig_webhook.go
@@ -31,6 +31,7 @@ import (
 var (
 	cannotUseWithIgnition                            = fmt.Sprintf("not supported when spec.format is set to %q", Ignition)
 	conflictingFileSourceMsg                         = "only one of content or contentFrom may be specified for a single file"
+	conflictingUserSourceMsg                         = "only one of passwd or passwdFrom may be specified for a single user"
 	kubeadmBootstrapFormatIgnitionFeatureDisabledMsg = "can be set only if the KubeadmBootstrapFormatIgnition feature gate is enabled"
 	missingSecretNameMsg                             = "secret file source must specify non-empty secret name"
 	missingSecretKeyMsg                              = "secret file source must specify non-empty secret key"
@@ -93,6 +94,7 @@ func (c *KubeadmConfigSpec) Validate(pathPrefix *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 
 	allErrs = append(allErrs, c.validateFiles(pathPrefix)...)
+	allErrs = append(allErrs, c.validateUsers(pathPrefix)...)
 	allErrs = append(allErrs, c.validateIgnition(pathPrefix)...)
 
 	return allErrs
@@ -155,6 +157,49 @@ func (c *KubeadmConfigSpec) validateFiles(pathPrefix *field.Path) field.ErrorLis
 	return allErrs
 }
 
+func (c *KubeadmConfigSpec) validateUsers(pathPrefix *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	for i := range c.Users {
+		user := c.Users[i]
+		if user.Passwd != nil && user.PasswdFrom != nil {
+			allErrs = append(
+				allErrs,
+				field.Invalid(
+					pathPrefix.Child("users").Index(i),
+					user,
+					conflictingUserSourceMsg,
+				),
+			)
+		}
+		// n.b.: if we ever add types besides Secret as a PasswdFrom
+		// Source, we must add webhook validation here for one of the
+		// sources being non-nil.
+		if user.PasswdFrom != nil {
+			if user.PasswdFrom.Secret.Name == "" {
+				allErrs = append(
+					allErrs,
+					field.Required(
+						pathPrefix.Child("users").Index(i).Child("passwdFrom", "secret", "name"),
+						missingSecretNameMsg,
+					),
+				)
+			}
+			if user.PasswdFrom.Secret.Key == "" {
+				allErrs = append(
+					allErrs,
+					field.Required(
+						pathPrefix.Child("users").Index(i).Child("passwdFrom", "secret", "key"),
+						missingSecretKeyMsg,
+					),
+				)
+			}
+		}
+	}
+
+	return allErrs
+}
+
 func (c *KubeadmConfigSpec) validateIgnition(pathPrefix *field.Path) field.ErrorList {
 	var allErrs field.ErrorList