be explicit: recommend the defaults of upstream hcloud-ccm.

Author: guettli

Makefile

@@ -202,8 +202,8 @@ else
 	helm repo add hcloud https://charts.hetzner.cloud
 	helm repo update hcloud
 	KUBECONFIG=$(WORKER_CLUSTER_KUBECONFIG) helm install hccm \
-		hcloud/ cloud-cloud-controller-manager -n kube-system \
-		--set privateNetwork.enabled=$(PRIVATE_NETWORK)
+		hcloud/hcloud-cloud-controller-manager -n kube-system \
+		--set privateNetwork.enabled=$(PRIVATE_NETWORK) \
 		--set robot.enabled=true
 	@echo 'run "kubectl --kubeconfig=$(WORKER_CLUSTER_KUBECONFIG) ..." to work with the new target cluster'
 endif

api/v1beta1/types.go

@@ -107,9 +107,9 @@ type HetznerSecretRef struct {
 	// "hcloud". The Syself ccm defaults to "hetzner". For compatibility with upstream hcloud-ccm
 	// the controller creates two secrets, if the name is different from "hcloud" (one with name
 	// "hcloud", one with name being the value of this setting). The secret will be created in the
-	// namespace "mgt-system" of the workload-cluster. Set
-	// `spec.skipCreatingHetznerSecretInWorkloadCluster`, if you don't want that secret in the
-	// wl-cluster to be created.
+	// namespace "kube-system" of the workload-cluster. We recommend to use "hcloud", because this is
+	// the default of upstream hcloud-ccm. Set `spec.skipCreatingHetznerSecretInWorkloadCluster`, if
+	// you don't want that secret in the wl-cluster to be created.
 	//
 	// +kubebuilder:default=hcloud
 	Name string `json:"name"`
@@ -123,18 +123,29 @@ type HetznerSecretRef struct {
 // Need to specify either HCloudToken or both HetznerRobotUser and HetznerRobotPassword.
 type HetznerSecretKeyRef struct {
 	// HCloudToken defines the name of the key where the token for the Hetzner Cloud API is stored.
+	// We recommend to use "token", because this is the default of upstream hcloud-ccm.
+	//
 	// +optional
 	// +kubebuilder:default=token
 	HCloudToken string `json:"hcloudToken"`
-	// HetznerRobotUser defines the name of the key where the username for the Hetzner Robot API is stored.
+
+	// HetznerRobotUser defines the name of the key where the username for the Hetzner Robot API is
+	// stored. We recommend to use "robot-user", because this is the default of upstream hcloud-ccm.
+	//
 	// +optional
 	// +kubebuilder:default=robot-user
 	HetznerRobotUser string `json:"hetznerRobotUser"`
-	// HetznerRobotPassword defines the name of the key where the password for the Hetzner Robot API is stored.
+
+	// HetznerRobotPassword defines the name of the key where the password for the Hetzner Robot API
+	// is stored. We recommend to use "robot-password", because this is the default of upstream
+	// hcloud-ccm.
+	//
 	// +optional
 	// +kubebuilder:default=robot-password
 	HetznerRobotPassword string `json:"hetznerRobotPassword"`
+
 	// SSHKey defines the name of the ssh key.
+	//
 	// +optional
 	// +kubebuilder:default=hcloud-ssh-key-name
 	SSHKey string `json:"sshKey"`

config/crd/bases/infrastructure.cluster.x-k8s.io_hetznerclusters.yaml

@@ -247,18 +247,22 @@ spec:
                     properties:
                       hcloudToken:
                         default: token
-                        description: HCloudToken defines the name of the key where
-                          the token for the Hetzner Cloud API is stored.
+                        description: |-
+                          HCloudToken defines the name of the key where the token for the Hetzner Cloud API is stored.
+                          We recommend to use "token", because this is the default of upstream hcloud-ccm.
                         type: string
                       hetznerRobotPassword:
                         default: robot-password
-                        description: HetznerRobotPassword defines the name of the
-                          key where the password for the Hetzner Robot API is stored.
+                        description: |-
+                          HetznerRobotPassword defines the name of the key where the password for the Hetzner Robot API
+                          is stored. We recommend to use "robot-password", because this is the default of upstream
+                          hcloud-ccm.
                         type: string
                       hetznerRobotUser:
                         default: robot-user
-                        description: HetznerRobotUser defines the name of the key
-                          where the username for the Hetzner Robot API is stored.
+                        description: |-
+                          HetznerRobotUser defines the name of the key where the username for the Hetzner Robot API is
+                          stored. We recommend to use "robot-user", because this is the default of upstream hcloud-ccm.
                         type: string
                       sshKey:
                         default: hcloud-ssh-key-name
@@ -274,9 +278,9 @@ spec:
                       "hcloud". The Syself ccm defaults to "hetzner". For compatibility with upstream hcloud-ccm
                       the controller creates two secrets, if the name is different from "hcloud" (one with name
                       "hcloud", one with name being the value of this setting). The secret will be created in the
-                      namespace "mgt-system" of the workload-cluster. Set
-                      `spec.skipCreatingHetznerSecretInWorkloadCluster`, if you don't want that secret in the
-                      wl-cluster to be created.
+                      namespace "kube-system" of the workload-cluster. We recommend to use "hcloud", because this is
+                      the default of upstream hcloud-ccm. Set `spec.skipCreatingHetznerSecretInWorkloadCluster`, if
+                      you don't want that secret in the wl-cluster to be created.
                     type: string
                 required:
                 - key

config/crd/bases/infrastructure.cluster.x-k8s.io_hetznerclustertemplates.yaml

@@ -276,20 +276,22 @@ spec:
                             properties:
                               hcloudToken:
                                 default: token
-                                description: HCloudToken defines the name of the key
-                                  where the token for the Hetzner Cloud API is stored.
+                                description: |-
+                                  HCloudToken defines the name of the key where the token for the Hetzner Cloud API is stored.
+                                  We recommend to use "token", because this is the default of upstream hcloud-ccm.
                                 type: string
                               hetznerRobotPassword:
                                 default: robot-password
-                                description: HetznerRobotPassword defines the name
-                                  of the key where the password for the Hetzner Robot
-                                  API is stored.
+                                description: |-
+                                  HetznerRobotPassword defines the name of the key where the password for the Hetzner Robot API
+                                  is stored. We recommend to use "robot-password", because this is the default of upstream
+                                  hcloud-ccm.
                                 type: string
                               hetznerRobotUser:
                                 default: robot-user
-                                description: HetznerRobotUser defines the name of
-                                  the key where the username for the Hetzner Robot
-                                  API is stored.
+                                description: |-
+                                  HetznerRobotUser defines the name of the key where the username for the Hetzner Robot API is
+                                  stored. We recommend to use "robot-user", because this is the default of upstream hcloud-ccm.
                                 type: string
                               sshKey:
                                 default: hcloud-ssh-key-name
@@ -305,9 +307,9 @@ spec:
                               "hcloud". The Syself ccm defaults to "hetzner". For compatibility with upstream hcloud-ccm
                               the controller creates two secrets, if the name is different from "hcloud" (one with name
                               "hcloud", one with name being the value of this setting). The secret will be created in the
-                              namespace "mgt-system" of the workload-cluster. Set
-                              `spec.skipCreatingHetznerSecretInWorkloadCluster`, if you don't want that secret in the
-                              wl-cluster to be created.
+                              namespace "kube-system" of the workload-cluster. We recommend to use "hcloud", because this is
+                              the default of upstream hcloud-ccm. Set `spec.skipCreatingHetznerSecretInWorkloadCluster`, if
+                              you don't want that secret in the wl-cluster to be created.
                             type: string
                         required:
                         - key

controllers/hetznercluster_controller.go

@@ -590,8 +590,21 @@ func reconcileOneWorkloadClusterSecret(ctx context.Context, clusterScope *scope.
 		wlSecret.Data["apiserver-host"] = []byte(clusterScope.HetznerCluster.Spec.ControlPlaneEndpoint.Host)
 		wlSecret.Data["apiserver-port"] = []byte(strconv.Itoa(int(clusterScope.HetznerCluster.Spec.ControlPlaneEndpoint.Port)))
 
+		notes := []string{
+			"This secret gets reconciled by Cluster API Provider Hetzner.",
+		}
+
+		if clusterScope.HetznerCluster.Spec.HetznerSecret.Name != "hcloud" {
+			notes = append(notes, fmt.Sprintf("We recommend to use 'hcloud' for hetznercluster.spec.hetznerSecret.name(not %q).",
+				clusterScope.HetznerCluster.Spec.HetznerSecret.Name))
+		}
+
+		if clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HCloudToken != "token" {
+			notes = append(notes, fmt.Sprintf("We recommend to use 'token' for hetznercluster.spec.hetznerSecret.key.hcloudToken (not %q).", clusterScope.HetznerCluster.Spec.HetznerSecret.Key.HCloudToken))
+		}
+
 		// Make things more obvious for people new to caph:
-		wlSecret.Data["note"] = []byte("This secret gets reconciled by Cluster API Provider Hetzner")
+		wlSecret.Data["note"] = []byte(strings.Join(notes, " "))
 
 		return nil
 	})