include a shard-base context in kubeconfigs

xrstf · embik · commit 5ef9254faa20 · 2025-06-17T14:30:53.000+02:00
On-behalf-of: @SAP christoph.mewes@sap.com Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
diff --git a/internal/controller/kubeconfig_controller.go b/internal/controller/kubeconfig_controller.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net/url"
 	"time"
 
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
@@ -73,42 +72,39 @@ func (r *KubeconfigReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, err
 	}
 
+	rootShard := &operatorv1alpha1.RootShard{}
+	shard := &operatorv1alpha1.Shard{}
+
 	var (
-		clientCertIssuer, serverCA, serverURL, serverName string
+		clientCertIssuer string
+		serverCA         string
 	)
 
 	switch {
 	case kc.Spec.Target.RootShardRef != nil:
-		var rootShard operatorv1alpha1.RootShard
-		if err := r.Get(ctx, types.NamespacedName{Name: kc.Spec.Target.RootShardRef.Name, Namespace: req.Namespace}, &rootShard); err != nil {
+		if err := r.Get(ctx, types.NamespacedName{Name: kc.Spec.Target.RootShardRef.Name, Namespace: req.Namespace}, rootShard); err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to get RootShard: %w", err)
 		}
 
-		clientCertIssuer = resources.GetRootShardCAName(&rootShard, operatorv1alpha1.ClientCA)
-		serverCA = resources.GetRootShardCAName(&rootShard, operatorv1alpha1.ServerCA)
-		serverURL = resources.GetRootShardBaseURL(&rootShard)
-		serverName = rootShard.Name
+		clientCertIssuer = resources.GetRootShardCAName(rootShard, operatorv1alpha1.ClientCA)
+		serverCA = resources.GetRootShardCAName(rootShard, operatorv1alpha1.ServerCA)
 
 	case kc.Spec.Target.ShardRef != nil:
-		var shard operatorv1alpha1.Shard
-		if err := r.Get(ctx, types.NamespacedName{Name: kc.Spec.Target.ShardRef.Name, Namespace: req.Namespace}, &shard); err != nil {
+		if err := r.Get(ctx, types.NamespacedName{Name: kc.Spec.Target.ShardRef.Name, Namespace: req.Namespace}, shard); err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to get Shard: %w", err)
 		}
 
 		ref := shard.Spec.RootShard.Reference
 		if ref == nil || ref.Name == "" {
 			return ctrl.Result{}, errors.New("the Shard does not reference a (valid) RootShard")
 		}
-		var rootShard operatorv1alpha1.RootShard
-		if err := r.Get(ctx, types.NamespacedName{Name: ref.Name, Namespace: req.Namespace}, &rootShard); err != nil {
+		if err := r.Get(ctx, types.NamespacedName{Name: ref.Name, Namespace: req.Namespace}, rootShard); err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to get RootShard: %w", err)
 		}
 
 		// The client CA is shared among all shards and owned by the root shard.
-		clientCertIssuer = resources.GetRootShardCAName(&rootShard, operatorv1alpha1.ClientCA)
-		serverCA = resources.GetRootShardCAName(&rootShard, operatorv1alpha1.ServerCA)
-		serverURL = resources.GetShardBaseURL(&shard)
-		serverName = shard.Name
+		clientCertIssuer = resources.GetRootShardCAName(rootShard, operatorv1alpha1.ClientCA)
+		serverCA = resources.GetRootShardCAName(rootShard, operatorv1alpha1.ServerCA)
 
 	case kc.Spec.Target.FrontProxyRef != nil:
 		var frontProxy operatorv1alpha1.FrontProxy
@@ -120,15 +116,12 @@ func (r *KubeconfigReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		if ref == nil || ref.Name == "" {
 			return ctrl.Result{}, errors.New("the FrontProxy does not reference a (valid) RootShard")
 		}
-		var rootShard operatorv1alpha1.RootShard
-		if err := r.Get(ctx, types.NamespacedName{Name: frontProxy.Spec.RootShard.Reference.Name, Namespace: req.Namespace}, &rootShard); err != nil {
+		if err := r.Get(ctx, types.NamespacedName{Name: frontProxy.Spec.RootShard.Reference.Name, Namespace: req.Namespace}, rootShard); err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to get RootShard: %w", err)
 		}
 
-		clientCertIssuer = resources.GetRootShardCAName(&rootShard, operatorv1alpha1.FrontProxyClientCA)
-		serverCA = resources.GetRootShardCAName(&rootShard, operatorv1alpha1.ServerCA)
-		serverURL = fmt.Sprintf("https://%s:6443", rootShard.Spec.External.Hostname)
-		serverName = rootShard.Spec.External.Hostname
+		clientCertIssuer = resources.GetRootShardCAName(rootShard, operatorv1alpha1.FrontProxyClientCA)
+		serverCA = resources.GetRootShardCAName(rootShard, operatorv1alpha1.ServerCA)
 
 	default:
 		return ctrl.Result{}, fmt.Errorf("no valid target for kubeconfig found")
@@ -156,14 +149,12 @@ func (r *KubeconfigReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{RequeueAfter: time.Second * 5}, nil
 	}
 
-	rootWSURL, err := url.JoinPath(serverURL, "clusters", "root")
+	reconciler, err := kubeconfig.KubeconfigSecretReconciler(&kc, rootShard, shard, serverCASecret, clientCertSecret)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
 
-	if err := k8creconciling.ReconcileSecrets(ctx, []k8creconciling.NamedSecretReconcilerFactory{
-		kubeconfig.KubeconfigSecretReconciler(&kc, serverCASecret, clientCertSecret, serverName, rootWSURL),
-	}, req.Namespace, r.Client); err != nil {
+	if err := k8creconciling.ReconcileSecrets(ctx, []k8creconciling.NamedSecretReconcilerFactory{reconciler}, req.Namespace, r.Client); err != nil {
 		return ctrl.Result{}, err
 	}
 
diff --git a/internal/resources/kubeconfig/secret.go b/internal/resources/kubeconfig/secret.go
@@ -18,49 +18,100 @@ package kubeconfig
 
 import (
 	"fmt"
+	"net/url"
 
 	"k8c.io/reconciler/pkg/reconciling"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
+	"github.com/kcp-dev/kcp-operator/internal/resources"
 	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
 )
 
-func KubeconfigSecretReconciler(kubeconfig *operatorv1alpha1.Kubeconfig, caSecret, certSecret *corev1.Secret, serverName, serverURL string) reconciling.NamedSecretReconcilerFactory {
-	return func() (string, reconciling.SecretReconciler) {
-		return kubeconfig.Spec.SecretRef.Name, func(secret *corev1.Secret) (*corev1.Secret, error) {
-			var config *clientcmdapi.Config
+func KubeconfigSecretReconciler(
+	kubeconfig *operatorv1alpha1.Kubeconfig,
+	rootShard *operatorv1alpha1.RootShard,
+	shard *operatorv1alpha1.Shard,
+	caSecret, certSecret *corev1.Secret,
+) (reconciling.NamedSecretReconcilerFactory, error) {
+	config := &clientcmdapi.Config{
+		Clusters: map[string]*clientcmdapi.Cluster{},
+		Contexts: map[string]*clientcmdapi.Context{},
+		AuthInfos: map[string]*clientcmdapi.AuthInfo{
+			kubeconfig.Spec.Username: {
+				ClientCertificateData: certSecret.Data["tls.crt"],
+				ClientKeyData:         certSecret.Data["tls.key"],
+			},
+		},
+	}
 
-			if secret.Data == nil {
-				secret.Data = make(map[string][]byte)
-			}
+	addCluster := func(name, url string) {
+		config.Clusters[name] = &clientcmdapi.Cluster{
+			Server:                   url,
+			CertificateAuthorityData: caSecret.Data["tls.crt"],
+		}
+		config.Contexts[name] = &clientcmdapi.Context{
+			Cluster:  name,
+			AuthInfo: kubeconfig.Spec.Username,
+		}
+	}
 
-			config = &clientcmdapi.Config{}
+	switch {
+	case kubeconfig.Spec.Target.RootShardRef != nil:
+		if rootShard == nil {
+			panic("RootShard must be provided when kubeconfig targets one.")
+		}
 
-			config.Clusters = map[string]*clientcmdapi.Cluster{
-				serverName: {
-					Server:                   serverURL,
-					CertificateAuthorityData: caSecret.Data["tls.crt"],
-				},
-			}
+		serverURL := resources.GetRootShardBaseURL(rootShard)
+		defaultURL, err := url.JoinPath(serverURL, "clusters", "root")
+		if err != nil {
+			return nil, err
+		}
 
-			contextName := fmt.Sprintf("%s:%s", serverName, kubeconfig.Spec.Username)
+		addCluster("default", defaultURL)
+		addCluster("base", serverURL)
+		config.CurrentContext = "default"
 
-			config.Contexts = map[string]*clientcmdapi.Context{
-				contextName: {
-					Cluster:  serverName,
-					AuthInfo: kubeconfig.Spec.Username,
-				},
-			}
-			config.AuthInfos = map[string]*clientcmdapi.AuthInfo{
-				kubeconfig.Spec.Username: {
-					ClientCertificateData: certSecret.Data["tls.crt"],
-					ClientKeyData:         certSecret.Data["tls.key"],
-				},
+	case kubeconfig.Spec.Target.ShardRef != nil:
+		if shard == nil {
+			panic("Shard must be provided when kubeconfig targets one.")
+		}
+
+		serverURL := resources.GetShardBaseURL(shard)
+		defaultURL, err := url.JoinPath(serverURL, "clusters", "root")
+		if err != nil {
+			return nil, err
+		}
+
+		addCluster("default", defaultURL)
+		addCluster("base", serverURL)
+		config.CurrentContext = "default"
+
+	case kubeconfig.Spec.Target.FrontProxyRef != nil:
+		if rootShard == nil {
+			panic("RootShard must be provided when kubeconfig targets a FrontProxy.")
+		}
+
+		serverURL := fmt.Sprintf("https://%s:6443", rootShard.Spec.External.Hostname)
+		defaultURL, err := url.JoinPath(serverURL, "clusters", "root")
+		if err != nil {
+			return nil, err
+		}
+
+		addCluster("default", defaultURL)
+		config.CurrentContext = "default"
+
+	default:
+		panic("Called reconciler for an invalid kubeconfig, this should not have happened.")
+	}
+
+	return func() (string, reconciling.SecretReconciler) {
+		return kubeconfig.Spec.SecretRef.Name, func(secret *corev1.Secret) (*corev1.Secret, error) {
+			if secret.Data == nil {
+				secret.Data = make(map[string][]byte)
 			}
-			config.CurrentContext = contextName
 
 			data, err := clientcmd.Write(*config)
 			if err != nil {
@@ -71,5 +122,5 @@ func KubeconfigSecretReconciler(kubeconfig *operatorv1alpha1.Kubeconfig, caSecre
 
 			return secret, nil
 		}
-	}
+	}, nil
 }
