added docs, rename vars for better mgt-cluster vs wl-cluster understanding.

Author: guettli

api/v1beta1/types.go

@@ -101,9 +101,16 @@ type HCloudPlacementGroupStatus struct {
 
 // HetznerSecretRef defines all the names of the secret and the relevant keys needed to access Hetzner API.
 type HetznerSecretRef struct {
-	// Name defines the name of the secret.
+	// Name defines the name of the secret. The name gets used for reading the credential in the
+	// mgt-cluster, and it gets used for creating a secret in the wl-cluster. About the secret in
+	// the wl-cluster: Attention, the upstream hcloud-ccm helm chart expects the name to be
+	// "hcloud". The Syself ccm defaults to "hetzner". The secret will be created in the namespace
+	// "mgt-system" of the workload-cluster. Set `spec.skipCreatingHetznerSecretInWorkloadCluster`,
+	// if you don't want that secret in the wl-cluster to be created.
+	//
 	// +kubebuilder:default=hetzner
 	Name string `json:"name"`
+
 	// Key defines the keys that are used in the secret.
 	// Need to specify either HCloudToken or both HetznerRobotUser and HetznerRobotPassword.
 	Key HetznerSecretKeyRef `json:"key"`

controllers/hetznercluster_controller.go

@@ -226,7 +226,7 @@ func (r *HetznerClusterReconciler) reconcileNormal(ctx context.Context, clusterS
 	// target cluster is ready
 	conditions.MarkTrue(hetznerCluster, infrav1.TargetClusterReadyCondition)
 
-	result, err = reconcileTargetSecret(ctx, clusterScope)
+	result, err = reconcileWorkloadClusterSecret(ctx, clusterScope)
 	if err != nil {
 		reterr := fmt.Errorf("failed to reconcile target secret: %w", err)
 		conditions.MarkFalse(
@@ -472,21 +472,24 @@ func hcloudTokenErrorResult(
 	return res, nil
 }
 
-func reconcileTargetSecret(ctx context.Context, clusterScope *scope.ClusterScope) (res reconcile.Result, reterr error) {
+// reconcileWorkloadClusterSecret ensures that the workload-cluster has the secret needed by the ccm. The
+// name of the secret is read from HetznerCluster.Spec.HetznerSecret.Name. Creating the secret gets
+// skipped, if HetznerCluster.Spec.SkipCreatingHetznerSecretInWorkloadCluster is set.
+func reconcileWorkloadClusterSecret(ctx context.Context, clusterScope *scope.ClusterScope) (res reconcile.Result, reterr error) {
 	if clusterScope.HetznerCluster.Spec.SkipCreatingHetznerSecretInWorkloadCluster {
 		// If the secret should not be created in the workload cluster, we just return.
 		// This means the ccm is running outside of the workload cluster (or getting the secret differently).
 		return reconcile.Result{}, nil
 	}
 
 	// Checking if control plane is ready
-	clientConfig, err := clusterScope.ClientConfig(ctx)
+	wlClientConfig, err := clusterScope.ClientConfig(ctx)
 	if err != nil {
 		clusterScope.V(1).Info("failed to get clientconfig with api endpoint")
 		return reconcile.Result{}, err
 	}
 
-	if err := scope.IsControlPlaneReady(ctx, clientConfig); err != nil {
+	if err := scope.IsControlPlaneReady(ctx, wlClientConfig); err != nil {
 		conditions.MarkFalse(
 			clusterScope.HetznerCluster,
 			infrav1.TargetClusterSecretReadyCondition,
@@ -500,65 +503,66 @@ func reconcileTargetSecret(ctx context.Context, clusterScope *scope.ClusterScope
 	// Control plane ready, so we can check if the secret exists already
 
 	// getting client
-	restConfig, err := clientConfig.ClientConfig()
+	restConfig, err := wlClientConfig.ClientConfig()
 	if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to get rest config: %w", err)
 	}
 
-	client, err := client.New(restConfig, client.Options{})
+	// workload cluster client
+	wlClient, err := client.New(restConfig, client.Options{})
 	if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to get client: %w", err)
 	}
 
-	secret := &corev1.Secret{
+	wlSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      clusterScope.HetznerCluster.Spec.HetznerSecret.Name,
 			Namespace: metav1.NamespaceSystem,
 		},
 	}
 
 	// Make sure secret exists and has the expected values
-	_, err = controllerutil.CreateOrUpdate(ctx, client, secret, func() error {
-		tokenSecretName := types.NamespacedName{
+	_, err = controllerutil.CreateOrUpdate(ctx, wlClient, wlSecret, func() error {
+		mgtSecretName := types.NamespacedName{
 			Namespace: clusterScope.HetznerCluster.Namespace,
 			Name:      clusterScope.HetznerCluster.Spec.HetznerSecret.Name,
 		}
 		secretManager := secretutil.NewSecretManager(clusterScope.Logger, clusterScope.Client, clusterScope.APIReader)
-		tokenSecret, err := secretManager.AcquireSecret(ctx, tokenSecretName, clusterScope.HetznerCluster, false, clusterScope.HetznerCluster.DeletionTimestamp.IsZero())
+		mgtSecret, err := secretManager.AcquireSecret(ctx, mgtSecretName, clusterScope.HetznerCluster, false, clusterScope.HetznerCluster.DeletionTimestamp.IsZero())
 		if err != nil {
 			return fmt.Errorf("failed to acquire secret: %w", err)
 		}
 
-		hetznerToken, keyExists := tokenSecret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HCloudToken]
+		hetznerToken, keyExists := mgtSecret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HCloudToken]
 		if !keyExists {
 			return fmt.Errorf("error key %s does not exist in secret/%s: %w",
 				clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HCloudToken,
-				tokenSecretName,
+				mgtSecretName,
 				err,
 			)
 		}
 
-		if secret.Data == nil {
-			secret.Data = make(map[string][]byte)
+		if wlSecret.Data == nil {
+			wlSecret.Data = make(map[string][]byte)
 		}
 
-		secret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HCloudToken] = hetznerToken
+		wlSecret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HCloudToken] = hetznerToken
 
 		// Save robot credentials if available
 		if clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HetznerRobotUser != "" {
-			robotUserName := tokenSecret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HetznerRobotUser]
-			secret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HetznerRobotUser] = robotUserName
-			robotPassword := tokenSecret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HetznerRobotPassword]
-			secret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HetznerRobotPassword] = robotPassword
+			robotUserName := mgtSecret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HetznerRobotUser]
+			wlSecret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HetznerRobotUser] = robotUserName
+			robotPassword := mgtSecret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HetznerRobotPassword]
+			wlSecret.Data[clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HetznerRobotPassword] = robotPassword
 		}
 
 		// Save network ID in secret
 		if clusterScope.HetznerCluster.Spec.HCloudNetwork.Enabled {
-			secret.Data["network"] = []byte(strconv.FormatInt(clusterScope.HetznerCluster.Status.Network.ID, 10))
+			wlSecret.Data["network"] = []byte(strconv.FormatInt(clusterScope.HetznerCluster.Status.Network.ID, 10))
 		}
 		// Save api server information
-		secret.Data["apiserver-host"] = []byte(clusterScope.HetznerCluster.Spec.ControlPlaneEndpoint.Host)
-		secret.Data["apiserver-port"] = []byte(strconv.Itoa(int(clusterScope.HetznerCluster.Spec.ControlPlaneEndpoint.Port)))
+		wlSecret.Data["apiserver-host"] = []byte(clusterScope.HetznerCluster.Spec.ControlPlaneEndpoint.Host)
+		wlSecret.Data["apiserver-port"] = []byte(strconv.Itoa(int(clusterScope.HetznerCluster.Spec.ControlPlaneEndpoint.Port)))
 
 		return nil
 	})

pkg/scope/cluster.go

@@ -145,7 +145,7 @@ func (s *ClusterScope) ControlPlaneAPIEndpointPort() int32 {
 	return int32(s.HetznerCluster.Spec.ControlPlaneLoadBalancer.Port) //nolint:gosec // Validation for the port range (1 to 65535) is already done via kubebuilder.
 }
 
-// ClientConfig return a kubernetes client config for the cluster context.
+// ClientConfig return a kubernetes client config for the workload cluster.
 func (s *ClusterScope) ClientConfig(ctx context.Context) (clientcmd.ClientConfig, error) {
 	return workloadClientConfigFromKubeconfigSecret(ctx, s.Logger, s.Client, s.APIReader, s.Cluster, s.HetznerCluster)
 }