Merge pull request #12560 from sbueringer/pr-passwd-ssa

k8s-ci-robot · web-flow · commit 37e50335fd16 · 2025-08-01T02:39:38.000-07:00
⚠️ Change User.PasswdFrom from *PasswdSource to PasswdSource + add omitzero, extend SSA patch helper to handle arrays
diff --git a/api/bootstrap/kubeadm/v1beta1/conversion.go b/api/bootstrap/kubeadm/v1beta1/conversion.go
@@ -859,6 +859,31 @@ func Convert_v1beta2_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in *bo
 	return autoConvert_v1beta2_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in, out, s)
 }
 
+func Convert_v1beta1_User_To_v1beta2_User(in *User, out *bootstrapv1.User, s apimachineryconversion.Scope) error {
+	if err := autoConvert_v1beta1_User_To_v1beta2_User(in, out, s); err != nil {
+		return err
+	}
+	if in.PasswdFrom != nil {
+		if err := Convert_v1beta1_PasswdSource_To_v1beta2_PasswdSource(in.PasswdFrom, &out.PasswdFrom, s); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func Convert_v1beta2_User_To_v1beta1_User(in *bootstrapv1.User, out *User, s apimachineryconversion.Scope) error {
+	if err := autoConvert_v1beta2_User_To_v1beta1_User(in, out, s); err != nil {
+		return err
+	}
+	if in.PasswdFrom.IsDefined() {
+		out.PasswdFrom = &PasswdSource{}
+		if err := Convert_v1beta2_PasswdSource_To_v1beta1_PasswdSource(&in.PasswdFrom, out.PasswdFrom, s); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func Convert_v1beta1_File_To_v1beta2_File(in *File, out *bootstrapv1.File, s apimachineryconversion.Scope) error {
 	if err := autoConvert_v1beta1_File_To_v1beta2_File(in, out, s); err != nil {
 		return err
diff --git a/api/bootstrap/kubeadm/v1beta1/conversion_test.go b/api/bootstrap/kubeadm/v1beta1/conversion_test.go
@@ -168,6 +168,12 @@ func spokeKubeadmConfigSpec(in *KubeadmConfigSpec, c randfill.Continue) {
 		}
 		in.Files[i] = file
 	}
+	for i, user := range in.Users {
+		if user.PasswdFrom != nil && reflect.DeepEqual(user.PasswdFrom, &PasswdSource{}) {
+			user.PasswdFrom = nil
+		}
+		in.Users[i] = user
+	}
 }
 
 func spokeClusterConfiguration(in *ClusterConfiguration, c randfill.Continue) {
diff --git a/api/bootstrap/kubeadm/v1beta1/zz_generated.conversion.go b/api/bootstrap/kubeadm/v1beta1/zz_generated.conversion.go
diff --git a/api/bootstrap/kubeadm/v1beta2/kubeadmconfig_types.go b/api/bootstrap/kubeadm/v1beta2/kubeadmconfig_types.go
@@ -256,7 +256,7 @@ func (c *KubeadmConfigSpec) validateUsers(pathPrefix *field.Path) field.ErrorLis
 
 	for i := range c.Users {
 		user := c.Users[i]
-		if user.Passwd != "" && user.PasswdFrom != nil {
+		if user.Passwd != "" && user.PasswdFrom.IsDefined() {
 			allErrs = append(
 				allErrs,
 				field.Invalid(
@@ -269,7 +269,7 @@ func (c *KubeadmConfigSpec) validateUsers(pathPrefix *field.Path) field.ErrorLis
 		// n.b.: if we ever add types besides Secret as a PasswdFrom
 		// Source, we must add webhook validation here for one of the
 		// sources being non-nil.
-		if user.PasswdFrom != nil {
+		if user.PasswdFrom.IsDefined() {
 			if user.PasswdFrom.Secret.Name == "" {
 				allErrs = append(
 					allErrs,
@@ -681,6 +681,11 @@ type PasswdSource struct {
 	Secret SecretPasswdSource `json:"secret,omitempty,omitzero"`
 }
 
+// IsDefined returns true if the PasswdSource is defined.
+func (r *PasswdSource) IsDefined() bool {
+	return !reflect.DeepEqual(r, &PasswdSource{})
+}
+
 // SecretPasswdSource adapts a Secret into a PasswdSource.
 //
 // The contents of the target Secret's Data field will be presented
@@ -743,7 +748,7 @@ type User struct {
 
 	// passwdFrom is a referenced source of passwd to populate the passwd.
 	// +optional
-	PasswdFrom *PasswdSource `json:"passwdFrom,omitempty"`
+	PasswdFrom PasswdSource `json:"passwdFrom,omitempty,omitzero"`
 
 	// primaryGroup specifies the primary group for the user
 	// +optional
diff --git a/api/bootstrap/kubeadm/v1beta2/zz_generated.deepcopy.go b/api/bootstrap/kubeadm/v1beta2/zz_generated.deepcopy.go
diff --git a/api/controlplane/kubeadm/v1beta1/conversion_test.go b/api/controlplane/kubeadm/v1beta1/conversion_test.go
@@ -291,6 +291,12 @@ func spokeKubeadmConfigSpec(in *bootstrapv1beta1.KubeadmConfigSpec, c randfill.C
 		}
 		in.Files[i] = file
 	}
+	for i, user := range in.Users {
+		if user.PasswdFrom != nil && reflect.DeepEqual(user.PasswdFrom, &bootstrapv1beta1.PasswdSource{}) {
+			user.PasswdFrom = nil
+		}
+		in.Users[i] = user
+	}
 }
 
 func spokeClusterConfiguration(in *bootstrapv1beta1.ClusterConfiguration, c randfill.Continue) {
diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
@@ -1026,12 +1026,12 @@ func (r *KubeadmConfigReconciler) resolveUsers(ctx context.Context, cfg *bootstr
 
 	for i := range cfg.Spec.Users {
 		in := cfg.Spec.Users[i]
-		if in.PasswdFrom != nil {
+		if in.PasswdFrom.IsDefined() {
 			data, err := r.resolveSecretPasswordContent(ctx, cfg.Namespace, in)
 			if err != nil {
 				return nil, errors.Wrapf(err, "failed to resolve passwd source")
 			}
-			in.PasswdFrom = nil
+			in.PasswdFrom = bootstrapv1.PasswdSource{}
 			passwdContent := string(data)
 			in.Passwd = passwdContent
 		}
diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller_test.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller_test.go
@@ -2445,7 +2445,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {
 					Users: []bootstrapv1.User{
 						{
 							Name: "foo",
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Name: "source",
 									Key:  "key",
@@ -2473,7 +2473,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {
 						},
 						{
 							Name: "bar",
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Name: "source",
 									Key:  "key",
@@ -2514,7 +2514,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {
 			// from secret still are.
 			passwdFrom := map[string]bool{}
 			for _, user := range tc.cfg.Spec.Users {
-				if user.PasswdFrom != nil {
+				if user.PasswdFrom.IsDefined() {
 					passwdFrom[user.Name] = true
 				}
 			}
@@ -2524,7 +2524,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {
 			g.Expect(users).To(BeComparableTo(tc.expect))
 			for _, user := range tc.cfg.Spec.Users {
 				if passwdFrom[user.Name] {
-					g.Expect(user.PasswdFrom).NotTo(BeNil())
+					g.Expect(user.PasswdFrom.IsDefined()).To(BeTrue())
 					g.Expect(user.Passwd).To(BeEmpty())
 				}
 			}
diff --git a/bootstrap/kubeadm/internal/webhooks/kubeadmconfig_test.go b/bootstrap/kubeadm/internal/webhooks/kubeadmconfig_test.go
@@ -178,7 +178,7 @@ func TestKubeadmConfigValidate(t *testing.T) {
 				Spec: bootstrapv1.KubeadmConfigSpec{
 					Users: []bootstrapv1.User{
 						{
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Name: "foo",
 									Key:  "bar",
@@ -198,8 +198,12 @@ func TestKubeadmConfigValidate(t *testing.T) {
 				Spec: bootstrapv1.KubeadmConfigSpec{
 					Users: []bootstrapv1.User{
 						{
-							PasswdFrom: &bootstrapv1.PasswdSource{},
-							Passwd:     "foo",
+							PasswdFrom: bootstrapv1.PasswdSource{
+								Secret: bootstrapv1.SecretPasswdSource{
+									Name: "secret",
+								},
+							},
+							Passwd: "foo",
 						},
 					},
 				},
@@ -215,7 +219,7 @@ func TestKubeadmConfigValidate(t *testing.T) {
 				Spec: bootstrapv1.KubeadmConfigSpec{
 					Users: []bootstrapv1.User{
 						{
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Key: "bar",
 								},
@@ -236,7 +240,7 @@ func TestKubeadmConfigValidate(t *testing.T) {
 				Spec: bootstrapv1.KubeadmConfigSpec{
 					Users: []bootstrapv1.User{
 						{
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Name: "foo",
 								},
diff --git a/internal/api/bootstrap/kubeadm/v1alpha3/conversion.go b/internal/api/bootstrap/kubeadm/v1alpha3/conversion.go
@@ -86,7 +86,7 @@ func RestoreKubeadmConfigSpec(dst *bootstrapv1.KubeadmConfigSpec, restored *boot
 	dst.Users = restored.Users
 	if restored.Users != nil {
 		for i := range restored.Users {
-			if restored.Users[i].PasswdFrom != nil {
+			if restored.Users[i].PasswdFrom.IsDefined() {
 				dst.Users[i].PasswdFrom = restored.Users[i].PasswdFrom
 			}
 		}
diff --git a/internal/api/bootstrap/kubeadm/v1alpha4/conversion.go b/internal/api/bootstrap/kubeadm/v1alpha4/conversion.go
@@ -86,7 +86,7 @@ func RestoreKubeadmConfigSpec(dst *bootstrapv1.KubeadmConfigSpec, restored *boot
 	dst.Users = restored.Users
 	if restored.Users != nil {
 		for i := range restored.Users {
-			if restored.Users[i].PasswdFrom != nil {
+			if restored.Users[i].PasswdFrom.IsDefined() {
 				dst.Users[i].PasswdFrom = restored.Users[i].PasswdFrom
 			}
 		}
diff --git a/internal/util/ssa/filterintent.go b/internal/util/ssa/filterintent.go
diff --git a/internal/util/ssa/filterintent_test.go b/internal/util/ssa/filterintent_test.go

Original file line number	Diff line number	Diff line change
`@@ -168,6 +168,12 @@ func spokeKubeadmConfigSpec(in *KubeadmConfigSpec, c randfill.Continue) {`
`168`	`168`	`}`
`169`	`169`	`in.Files[i] = file`
`170`	`170`	`}`
	`171`	`+ for i, user := range in.Users {`
	`172`	`+ if user.PasswdFrom != nil && reflect.DeepEqual(user.PasswdFrom, &PasswdSource{}) {`
	`173`	`+ user.PasswdFrom = nil`
	`174`	`+ }`
	`175`	`+ in.Users[i] = user`
	`176`	`+ }`
`171`	`177`	`}`
`172`	`178`
`173`	`179`	`func spokeClusterConfiguration(in *ClusterConfiguration, c randfill.Continue) {`
Original file line number	Diff line number	Diff line change
`@@ -291,6 +291,12 @@ func spokeKubeadmConfigSpec(in *bootstrapv1beta1.KubeadmConfigSpec, c randfill.C`
`291`	`291`	`}`
`292`	`292`	`in.Files[i] = file`
`293`	`293`	`}`
	`294`	`+ for i, user := range in.Users {`
	`295`	`+ if user.PasswdFrom != nil && reflect.DeepEqual(user.PasswdFrom, &bootstrapv1beta1.PasswdSource{}) {`
	`296`	`+ user.PasswdFrom = nil`
	`297`	`+ }`
	`298`	`+ in.Users[i] = user`
	`299`	`+ }`
`294`	`300`	`}`
`295`	`301`
`296`	`302`	`func spokeClusterConfiguration(in *bootstrapv1beta1.ClusterConfiguration, c randfill.Continue) {`
Original file line number	Diff line number	Diff line change
`@@ -1026,12 +1026,12 @@ func (r KubeadmConfigReconciler) resolveUsers(ctx context.Context, cfg bootstr`
`1026`	`1026`
`1027`	`1027`	`for i := range cfg.Spec.Users {`
`1028`	`1028`	`in := cfg.Spec.Users[i]`
`1029`		`- if in.PasswdFrom != nil {`
	`1029`	`+ if in.PasswdFrom.IsDefined() {`
`1030`	`1030`	`data, err := r.resolveSecretPasswordContent(ctx, cfg.Namespace, in)`
`1031`	`1031`	`if err != nil {`
`1032`	`1032`	`return nil, errors.Wrapf(err, "failed to resolve passwd source")`
`1033`	`1033`	`}`
`1034`		`- in.PasswdFrom = nil`
	`1034`	`+ in.PasswdFrom = bootstrapv1.PasswdSource{}`
`1035`	`1035`	`passwdContent := string(data)`
`1036`	`1036`	`in.Passwd = passwdContent`
`1037`	`1037`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2445,7 +2445,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {`
`2445`	`2445`	`Users: []bootstrapv1.User{`
`2446`	`2446`	`{`
`2447`	`2447`	`Name: "foo",`
`2448`		`- PasswdFrom: &bootstrapv1.PasswdSource{`
	`2448`	`+ PasswdFrom: bootstrapv1.PasswdSource{`
`2449`	`2449`	`Secret: bootstrapv1.SecretPasswdSource{`
`2450`	`2450`	`Name: "source",`
`2451`	`2451`	`Key: "key",`
`@@ -2473,7 +2473,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {`
`2473`	`2473`	`},`
`2474`	`2474`	`{`
`2475`	`2475`	`Name: "bar",`
`2476`		`- PasswdFrom: &bootstrapv1.PasswdSource{`
	`2476`	`+ PasswdFrom: bootstrapv1.PasswdSource{`
`2477`	`2477`	`Secret: bootstrapv1.SecretPasswdSource{`
`2478`	`2478`	`Name: "source",`
`2479`	`2479`	`Key: "key",`
`@@ -2514,7 +2514,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {`
`2514`	`2514`	`// from secret still are.`
`2515`	`2515`	`passwdFrom := map[string]bool{}`
`2516`	`2516`	`for _, user := range tc.cfg.Spec.Users {`
`2517`		`- if user.PasswdFrom != nil {`
	`2517`	`+ if user.PasswdFrom.IsDefined() {`
`2518`	`2518`	`passwdFrom[user.Name] = true`
`2519`	`2519`	`}`
`2520`	`2520`	`}`
`@@ -2524,7 +2524,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {`
`2524`	`2524`	`g.Expect(users).To(BeComparableTo(tc.expect))`
`2525`	`2525`	`for _, user := range tc.cfg.Spec.Users {`
`2526`	`2526`	`if passwdFrom[user.Name] {`
`2527`		`- g.Expect(user.PasswdFrom).NotTo(BeNil())`
	`2527`	`+ g.Expect(user.PasswdFrom.IsDefined()).To(BeTrue())`
`2528`	`2528`	`g.Expect(user.Passwd).To(BeEmpty())`
`2529`	`2529`	`}`
`2530`	`2530`	`}`
Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ func RestoreKubeadmConfigSpec(dst bootstrapv1.KubeadmConfigSpec, restored boot`
`86`	`86`	`dst.Users = restored.Users`
`87`	`87`	`if restored.Users != nil {`
`88`	`88`	`for i := range restored.Users {`
`89`		`- if restored.Users[i].PasswdFrom != nil {`
	`89`	`+ if restored.Users[i].PasswdFrom.IsDefined() {`
`90`	`90`	`dst.Users[i].PasswdFrom = restored.Users[i].PasswdFrom`
`91`	`91`	`}`
`92`	`92`	`}`