read credentials(token) from a referenced secret

Author: muraee

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -72,6 +72,18 @@ spec:
                 type: object
               creatorARN:
                 type: string
+              credentialsSecretRef:
+                description: 'CredentialsSecretRef references a secret with necessary
+                  credentials to connect to the OCM API. The secret should contain
+                  the following data keys: - ocmToken: eyJhbGciOiJIUzI1NiIsI.... -
+                  ocmApiUrl: Optional, defaults to ''https://api.openshift.com'''
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               installerRoleARN:
                 type: string
               machineCIDR:

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta2
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
@@ -66,6 +67,13 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	InstallerRoleARN *string `json:"installerRoleARN"`
 	SupportRoleARN   *string `json:"supportRoleARN"`
 	WorkerRoleARN    *string `json:"workerRoleARN"`
+
+	// CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API.
+	// The secret should contain the following data keys:
+	// - ocmToken: eyJhbGciOiJIUzI1NiIsI....
+	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
+	// +optional
+	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`
 }
 
 // AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.

controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go

@@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 	"time"
 
@@ -170,18 +169,13 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		}
 	}
 
-	// TODO: token should be read from a secret: https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/4460
-	token := os.Getenv("OCM_TOKEN")
-	rosaClient, err := rosa.NewRosaClient(token)
+	rosaClient, err := rosa.NewRosaClient(ctx, rosaScope)
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to create a rosa client: %w", err)
 	}
+	defer rosaClient.Close()
 
-	defer func() {
-		rosaClient.Close()
-	}()
-
-	cluster, err := rosaClient.GetCluster(rosaScope.RosaClusterName(), rosaScope.ControlPlane.Spec.CreatorARN)
+	cluster, err := rosaClient.GetCluster()
 	if err != nil {
 		return ctrl.Result{}, err
 	}
@@ -333,22 +327,16 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 	return ctrl.Result{}, nil
 }
 
-func (r *ROSAControlPlaneReconciler) reconcileDelete(_ context.Context, rosaScope *scope.ROSAControlPlaneScope) (res ctrl.Result, reterr error) {
+func (r *ROSAControlPlaneReconciler) reconcileDelete(ctx context.Context, rosaScope *scope.ROSAControlPlaneScope) (res ctrl.Result, reterr error) {
 	rosaScope.Info("Reconciling ROSAControlPlane delete")
 
-	// Create the connection, and remember to close it:
-	// TODO: token should be read from a secret: https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/4460
-	token := os.Getenv("OCM_TOKEN")
-	rosaClient, err := rosa.NewRosaClient(token)
+	rosaClient, err := rosa.NewRosaClient(ctx, rosaScope)
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to create a rosa client: %w", err)
 	}
+	defer rosaClient.Close()
 
-	defer func() {
-		rosaClient.Close()
-	}()
-
-	cluster, err := rosaClient.GetCluster(rosaScope.RosaClusterName(), rosaScope.ControlPlane.Spec.CreatorARN)
+	cluster, err := rosaClient.GetCluster()
 	if err != nil {
 		return ctrl.Result{}, err
 	}

controlplane/rosa/controllers/rosacontrolplane_controller.go

@@ -5,18 +5,25 @@ CAPA controller requires an API token in order to be able to provision ROSA clus
 
 1. Visit [https://console.redhat.com/openshift/token](https://console.redhat.com/openshift/token) to retrieve your API authentication token
 
-2. Edit CAPA controller deployment:
+1. Create a credentials secret with the token to be referenced later by `ROSAControlePlane`
+    ```shell
+    kubectl create secret generic rosa-creds-secret \
+      --from-literal=ocmToken='eyJhbGciOiJIUzI1NiIsI....' \
+      --from-literal=ocmApiUrl='https://api.openshift.com' 
+    ```
+  
+    Alternatively, you can edit CAPA controller deployment to provide the credentials:
     ```shell
     kubectl edit deployment -n capa-system capa-controller-manager
     ```
-    
+
     and add the following environment variables to the manager container:
     ```yaml
-        env:
-        - name: OCM_TOKEN
-          value: "<token>"
-        - name: OCM_API_URL
-          value: "https://api.openshift.com" # or https://api.stage.openshift.com
+      env:
+      - name: OCM_TOKEN
+        value: "<token>"
+      - name: OCM_API_URL
+        value: "https://api.openshift.com" # or https://api.stage.openshift.com
     ```
 
 ## Prerequisites
@@ -45,9 +52,25 @@ Once Step 3 is done, you will be ready to proceed with creating a ROSA cluster u
     export PRIVATE_SUBNET_ID="subnet-05e72222222222222"
     ```
 
-1. Create a cluster using the ROSA cluster template:
-    ```bash
+1. Render the cluster manifest using the ROSA cluster template:
+    ```shell
     cat templates/cluster-template-rosa.yaml | envsubst > rosa-capi-cluster.yaml
+    ```
 
+1. If a credentials secret was created earlier, edit `ROSAControlPlane` to refernce it:
+
+    ```yaml
+    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+    kind: ROSAControlPlane
+    metadata:
+      name: "capi-rosa-quickstart-control-plane"
+    spec:
+      credentialsSecretRef:
+        name: rosa-creds-secret
+    ...
+    ```
+
+1. Finally apply the manifest to create your Rosa cluster:
+    ```shell
     kubectl apply -f rosa-capi-cluster.yaml
     ```

docs/book/src/topics/rosa/creating-a-cluster.md

@@ -3,7 +3,6 @@ package controllers
 import (
 	"context"
 	"fmt"
-	"os"
 	"time"
 
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
@@ -129,6 +128,16 @@ func (r *ROSAMachinePoolReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{}, errors.Wrap(err, "failed to create scope")
 	}
 
+	rosaControlPlaneScope, err := scope.NewROSAControlPlaneScope(scope.ROSAControlPlaneScopeParams{
+		Client:         r.Client,
+		Cluster:        cluster,
+		ControlPlane:   controlPlane,
+		ControllerName: "rosaControlPlane",
+	})
+	if err != nil {
+		return ctrl.Result{}, errors.Wrap(err, "failed to create control plane scope")
+	}
+
 	if !controlPlane.Status.Ready {
 		log.Info("Control plane is not ready yet")
 		err := machinePoolScope.RosaMchinePoolReadyFalse(expinfrav1.WaitingForRosaControlPlaneReason, "")
@@ -144,14 +153,16 @@ func (r *ROSAMachinePoolReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	}()
 
 	if !rosaMachinePool.ObjectMeta.DeletionTimestamp.IsZero() {
-		return ctrl.Result{}, r.reconcileDelete(ctx, machinePoolScope)
+		return ctrl.Result{}, r.reconcileDelete(ctx, machinePoolScope, rosaControlPlaneScope)
 	}
 
-	return r.reconcileNormal(ctx, machinePoolScope)
+	return r.reconcileNormal(ctx, machinePoolScope, rosaControlPlaneScope)
 }
 
-func (r *ROSAMachinePoolReconciler) reconcileNormal(
-	ctx context.Context, machinePoolScope *scope.RosaMachinePoolScope) (ctrl.Result, error) {
+func (r *ROSAMachinePoolReconciler) reconcileNormal(ctx context.Context,
+	machinePoolScope *scope.RosaMachinePoolScope,
+	rosaControlPlaneScope *scope.ROSAControlPlaneScope,
+) (ctrl.Result, error) {
 	machinePoolScope.Info("Reconciling RosaMachinePool")
 
 	if controllerutil.AddFinalizer(machinePoolScope.RosaMachinePool, expinfrav1.RosaMachinePoolFinalizer) {
@@ -160,16 +171,11 @@ func (r *ROSAMachinePoolReconciler) reconcileNormal(
 		}
 	}
 
-	// TODO: token should be read from a secret: https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/4460
-	token := os.Getenv("OCM_TOKEN")
-	rosaClient, err := rosa.NewRosaClient(token)
+	rosaClient, err := rosa.NewRosaClient(ctx, rosaControlPlaneScope)
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to create a rosa client: %w", err)
 	}
-
-	defer func() {
-		rosaClient.Close()
-	}()
+	defer rosaClient.Close()
 
 	rosaMachinePool := machinePoolScope.RosaMachinePool
 	machinePool := machinePoolScope.MachinePool
@@ -211,7 +217,7 @@ func (r *ROSAMachinePoolReconciler) reconcileNormal(
 				MinReplica(rosaMachinePool.Spec.Autoscaling.MinReplicas).
 				MaxReplica(rosaMachinePool.Spec.Autoscaling.MaxReplicas))
 	} else {
-		var replicas int = 1
+		replicas := 1
 		if machinePool.Spec.Replicas != nil {
 			replicas = int(*machinePool.Spec.Replicas)
 		}
@@ -240,19 +246,16 @@ func (r *ROSAMachinePoolReconciler) reconcileNormal(
 }
 
 func (r *ROSAMachinePoolReconciler) reconcileDelete(
-	_ context.Context, machinePoolScope *scope.RosaMachinePoolScope) error {
+	ctx context.Context, machinePoolScope *scope.RosaMachinePoolScope,
+	rosaControlPlaneScope *scope.ROSAControlPlaneScope,
+) error {
 	machinePoolScope.Info("Reconciling deletion of RosaMachinePool")
 
-	// TODO: token should be read from a secret: https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/4460
-	token := os.Getenv("OCM_TOKEN")
-	rosaClient, err := rosa.NewRosaClient(token)
+	rosaClient, err := rosa.NewRosaClient(ctx, rosaControlPlaneScope)
 	if err != nil {
 		return fmt.Errorf("failed to create a rosa client: %w", err)
 	}
-
-	defer func() {
-		rosaClient.Close()
-	}()
+	defer rosaClient.Close()
 
 	nodePool, found, err := rosaClient.GetNodePool(*machinePoolScope.ControlPlane.Status.ID, machinePoolScope.NodePoolName())
 	if err != nil {

exp/controllers/rosamachinepool_controller.go

@@ -20,6 +20,8 @@ import (
 	"context"
 
 	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -95,12 +97,29 @@ func (s *ROSAControlPlaneScope) Namespace() string {
 	return s.Cluster.Namespace
 }
 
+// CredentialsSecret returns the CredentialsSecret object.
+func (s *ROSAControlPlaneScope) CredentialsSecret() *corev1.Secret {
+	secretRef := s.ControlPlane.Spec.CredentialsSecretRef
+	if secretRef == nil {
+		return nil
+	}
+
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      s.ControlPlane.Spec.CredentialsSecretRef.Name,
+			Namespace: s.ControlPlane.Namespace,
+		},
+	}
+}
+
 // PatchObject persists the control plane configuration and status.
 func (s *ROSAControlPlaneScope) PatchObject() error {
 	return s.patchHelper.Patch(
 		context.TODO(),
 		s.ControlPlane,
-		patch.WithOwnedConditions{Conditions: []clusterv1.ConditionType{}})
+		patch.WithOwnedConditions{Conditions: []clusterv1.ConditionType{
+			rosacontrolplanev1.ROSAControlPlaneReadyCondition,
+		}})
 }
 
 // Close closes the current scope persisting the control plane configuration and status.

pkg/cloud/scope/rosacontrolplane.go

@@ -109,7 +109,7 @@ func (s *RosaMachinePoolScope) NodePoolName() string {
 	return s.RosaMachinePool.Spec.NodePoolName
 }
 
-// ClusterName returns the cluster name.
+// RosaClusterName returns the cluster name.
 func (s *RosaMachinePoolScope) RosaClusterName() string {
 	return s.ControlPlane.Spec.RosaClusterName
 }