⚠️ Change User.PasswdFrom from *PasswdSource to PasswdSource + add omitzero, extend SSA patch helper to handle arrays

api/bootstrap/kubeadm/v1beta1/conversion.go

@@ -859,6 +859,31 @@ func Convert_v1beta2_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in *bo
 	return autoConvert_v1beta2_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in, out, s)
 }
 
+func Convert_v1beta1_User_To_v1beta2_User(in *User, out *bootstrapv1.User, s apimachineryconversion.Scope) error {
+	if err := autoConvert_v1beta1_User_To_v1beta2_User(in, out, s); err != nil {
+		return err
+	}
+	if in.PasswdFrom != nil {
+		if err := Convert_v1beta1_PasswdSource_To_v1beta2_PasswdSource(in.PasswdFrom, &out.PasswdFrom, s); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func Convert_v1beta2_User_To_v1beta1_User(in *bootstrapv1.User, out *User, s apimachineryconversion.Scope) error {
+	if err := autoConvert_v1beta2_User_To_v1beta1_User(in, out, s); err != nil {
+		return err
+	}
+	if in.PasswdFrom.IsDefined() {
+		out.PasswdFrom = &PasswdSource{}
+		if err := Convert_v1beta2_PasswdSource_To_v1beta1_PasswdSource(&in.PasswdFrom, out.PasswdFrom, s); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func Convert_v1beta1_File_To_v1beta2_File(in *File, out *bootstrapv1.File, s apimachineryconversion.Scope) error {
 	if err := autoConvert_v1beta1_File_To_v1beta2_File(in, out, s); err != nil {
 		return err

api/bootstrap/kubeadm/v1beta1/conversion_test.go

@@ -168,6 +168,12 @@ func spokeKubeadmConfigSpec(in *KubeadmConfigSpec, c randfill.Continue) {
 		}
 		in.Files[i] = file
 	}
+	for i, user := range in.Users {
+		if user.PasswdFrom != nil && reflect.DeepEqual(user.PasswdFrom, &PasswdSource{}) {
+			user.PasswdFrom = nil
+		}
+		in.Users[i] = user
+	}
 }
 
 func spokeClusterConfiguration(in *ClusterConfiguration, c randfill.Continue) {

api/bootstrap/kubeadm/v1beta2/kubeadmconfig_types.go

@@ -256,7 +256,7 @@ func (c *KubeadmConfigSpec) validateUsers(pathPrefix *field.Path) field.ErrorLis
 
 	for i := range c.Users {
 		user := c.Users[i]
-		if user.Passwd != "" && user.PasswdFrom != nil {
+		if user.Passwd != "" && user.PasswdFrom.IsDefined() {
 			allErrs = append(
 				allErrs,
 				field.Invalid(
@@ -269,7 +269,7 @@ func (c *KubeadmConfigSpec) validateUsers(pathPrefix *field.Path) field.ErrorLis
 		// n.b.: if we ever add types besides Secret as a PasswdFrom
 		// Source, we must add webhook validation here for one of the
 		// sources being non-nil.
-		if user.PasswdFrom != nil {
+		if user.PasswdFrom.IsDefined() {
 			if user.PasswdFrom.Secret.Name == "" {
 				allErrs = append(
 					allErrs,
@@ -681,6 +681,11 @@ type PasswdSource struct {
 	Secret SecretPasswdSource `json:"secret,omitempty,omitzero"`
 }
 
+// IsDefined returns true if the PasswdSource is defined.
+func (r *PasswdSource) IsDefined() bool {
+	return !reflect.DeepEqual(r, &PasswdSource{})
+}
+
 // SecretPasswdSource adapts a Secret into a PasswdSource.
 //
 // The contents of the target Secret's Data field will be presented
@@ -743,7 +748,7 @@ type User struct {
 
 	// passwdFrom is a referenced source of passwd to populate the passwd.
 	// +optional
-	PasswdFrom *PasswdSource `json:"passwdFrom,omitempty"`
+	PasswdFrom PasswdSource `json:"passwdFrom,omitempty,omitzero"`
 
 	// primaryGroup specifies the primary group for the user
 	// +optional

api/controlplane/kubeadm/v1beta1/conversion_test.go

@@ -291,6 +291,12 @@ func spokeKubeadmConfigSpec(in *bootstrapv1beta1.KubeadmConfigSpec, c randfill.C
 		}
 		in.Files[i] = file
 	}
+	for i, user := range in.Users {
+		if user.PasswdFrom != nil && reflect.DeepEqual(user.PasswdFrom, &bootstrapv1beta1.PasswdSource{}) {
+			user.PasswdFrom = nil
+		}
+		in.Users[i] = user
+	}
 }
 
 func spokeClusterConfiguration(in *bootstrapv1beta1.ClusterConfiguration, c randfill.Continue) {

bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go

@@ -1026,12 +1026,12 @@ func (r *KubeadmConfigReconciler) resolveUsers(ctx context.Context, cfg *bootstr
 
 	for i := range cfg.Spec.Users {
 		in := cfg.Spec.Users[i]
-		if in.PasswdFrom != nil {
+		if in.PasswdFrom.IsDefined() {
 			data, err := r.resolveSecretPasswordContent(ctx, cfg.Namespace, in)
 			if err != nil {
 				return nil, errors.Wrapf(err, "failed to resolve passwd source")
 			}
-			in.PasswdFrom = nil
+			in.PasswdFrom = bootstrapv1.PasswdSource{}
 			passwdContent := string(data)
 			in.Passwd = passwdContent
 		}

bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller_test.go

@@ -2445,7 +2445,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {
 					Users: []bootstrapv1.User{
 						{
 							Name: "foo",
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Name: "source",
 									Key:  "key",
@@ -2473,7 +2473,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {
 						},
 						{
 							Name: "bar",
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Name: "source",
 									Key:  "key",
@@ -2514,7 +2514,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {
 			// from secret still are.
 			passwdFrom := map[string]bool{}
 			for _, user := range tc.cfg.Spec.Users {
-				if user.PasswdFrom != nil {
+				if user.PasswdFrom.IsDefined() {
 					passwdFrom[user.Name] = true
 				}
 			}
@@ -2524,7 +2524,7 @@ func TestKubeadmConfigReconciler_ResolveUsers(t *testing.T) {
 			g.Expect(users).To(BeComparableTo(tc.expect))
 			for _, user := range tc.cfg.Spec.Users {
 				if passwdFrom[user.Name] {
-					g.Expect(user.PasswdFrom).NotTo(BeNil())
+					g.Expect(user.PasswdFrom.IsDefined()).To(BeTrue())
 					g.Expect(user.Passwd).To(BeEmpty())
 				}
 			}

bootstrap/kubeadm/internal/webhooks/kubeadmconfig_test.go

@@ -178,7 +178,7 @@ func TestKubeadmConfigValidate(t *testing.T) {
 				Spec: bootstrapv1.KubeadmConfigSpec{
 					Users: []bootstrapv1.User{
 						{
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Name: "foo",
 									Key:  "bar",
@@ -198,8 +198,12 @@ func TestKubeadmConfigValidate(t *testing.T) {
 				Spec: bootstrapv1.KubeadmConfigSpec{
 					Users: []bootstrapv1.User{
 						{
-							PasswdFrom: &bootstrapv1.PasswdSource{},
-							Passwd:     "foo",
+							PasswdFrom: bootstrapv1.PasswdSource{
+								Secret: bootstrapv1.SecretPasswdSource{
+									Name: "secret",
+								},
+							},
+							Passwd: "foo",
 						},
 					},
 				},
@@ -215,7 +219,7 @@ func TestKubeadmConfigValidate(t *testing.T) {
 				Spec: bootstrapv1.KubeadmConfigSpec{
 					Users: []bootstrapv1.User{
 						{
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Key: "bar",
 								},
@@ -236,7 +240,7 @@ func TestKubeadmConfigValidate(t *testing.T) {
 				Spec: bootstrapv1.KubeadmConfigSpec{
 					Users: []bootstrapv1.User{
 						{
-							PasswdFrom: &bootstrapv1.PasswdSource{
+							PasswdFrom: bootstrapv1.PasswdSource{
 								Secret: bootstrapv1.SecretPasswdSource{
 									Name: "foo",
 								},

internal/api/bootstrap/kubeadm/v1alpha3/conversion.go

@@ -86,7 +86,7 @@ func RestoreKubeadmConfigSpec(dst *bootstrapv1.KubeadmConfigSpec, restored *boot
 	dst.Users = restored.Users
 	if restored.Users != nil {
 		for i := range restored.Users {
-			if restored.Users[i].PasswdFrom != nil {
+			if restored.Users[i].PasswdFrom.IsDefined() {
 				dst.Users[i].PasswdFrom = restored.Users[i].PasswdFrom
 			}
 		}

internal/api/bootstrap/kubeadm/v1alpha4/conversion.go

@@ -86,7 +86,7 @@ func RestoreKubeadmConfigSpec(dst *bootstrapv1.KubeadmConfigSpec, restored *boot
 	dst.Users = restored.Users
 	if restored.Users != nil {
 		for i := range restored.Users {
-			if restored.Users[i].PasswdFrom != nil {
+			if restored.Users[i].PasswdFrom.IsDefined() {
 				dst.Users[i].PasswdFrom = restored.Users[i].PasswdFrom
 			}
 		}