🌱 Add SkipCreatingHetznerSecretInWorkloadCluster to HetznerCluster (#1637)

guettli · web-flow · commit 89adce89f4c3 · 2025-07-30T17:37:02.000+02:00
* 🌱 Add SkipCreatingHetznerSecretInWorkloadCluster to hetznercluster_controller SkipCreatingHetznerSecretInWorkloadCluster indicates whether the Hetzner secret should be created in the workload cluster. By default the secret gets created, so that the ccm (running in the wl-cluster) can use that secret. If you prefer to not reveal the secret in the workload cluster, you can set this to value to false, so that the secret is not created. Be sure to run the ccm outside of the workload cluster in that case, e.g. in the management cluster. Closes #1636
diff --git a/Makefile b/Makefile
@@ -750,8 +750,15 @@ format: format-starlark format-golang format-yaml ## Format Codebase
 
 .PHONY: generate-mocks
 generate-mocks: ## Generate Mocks
+ifeq ($(BUILD_IN_CONTAINER),true)
+	docker run  --rm -t -i \
+		-v $(shell go env GOPATH)/pkg:/go/pkg$(MOUNT_FLAGS) \
+		-v $(shell pwd):/src/cluster-api-provider-$(INFRA_PROVIDER)$(MOUNT_FLAGS) \
+		$(BUILDER_IMAGE):$(BUILDER_IMAGE_VERSION) $@;
+else
 	cd pkg/services/baremetal/client; go run github.com/vektra/mockery/v2@v2.40.2
 	cd pkg/services/hcloud/client; go run github.com/vektra/mockery/v2@v2.40.2 --all
+endif
 
 .PHONY: generate
 generate: generate-manifests generate-go-deepcopy generate-boilerplate generate-modules generate-mocks ## Generate Files
diff --git a/api/v1beta1/hetznercluster_types.go b/api/v1beta1/hetznercluster_types.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2021 The Kubernetes Authors.
+Copyright 2025 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -64,6 +64,14 @@ type HetznerClusterSpec struct {
 	// HetznerSecretRef is a reference to a token to be used when reconciling this cluster.
 	// This is generated in the security section under API TOKENS. Read & write is necessary.
 	HetznerSecret HetznerSecretRef `json:"hetznerSecretRef"`
+
+	// SkipCreatingHetznerSecretInWorkloadCluster indicates whether the Hetzner secret should be
+	// created in the workload cluster. By default the secret gets created, so that the ccm (running
+	// in the wl-cluster) can use that secret. If you prefer to not reveal the secret in the
+	// wl-cluster, you can set this to value to false, so that the secret is not created. Be sure to
+	// run the ccm outside of the wl-cluster in that case, e.g. in the management cluster.
+	// +optional
+	SkipCreatingHetznerSecretInWorkloadCluster bool `json:"skipCreatingHetznerSecretInWorkloadCluster,omitempty"`
 }
 
 // HetznerClusterStatus defines the observed state of HetznerCluster.
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_hetznerclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_hetznerclusters.yaml
@@ -272,6 +272,14 @@ spec:
                 - key
                 - name
                 type: object
+              skipCreatingHetznerSecretInWorkloadCluster:
+                description: |-
+                  SkipCreatingHetznerSecretInWorkloadCluster indicates whether the Hetzner secret should be
+                  created in the workload cluster. By default the secret gets created, so that the ccm (running
+                  in the wl-cluster) can use that secret. If you prefer to not reveal the secret in the
+                  wl-cluster, you can set this to value to false, so that the secret is not created. Be sure to
+                  run the ccm outside of the wl-cluster in that case, e.g. in the management cluster.
+                type: boolean
               sshKeys:
                 description: SSHKeys are cluster wide. Valid values are a valid SSH
                   key name.
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_hetznerclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_hetznerclustertemplates.yaml
@@ -305,6 +305,14 @@ spec:
                         - key
                         - name
                         type: object
+                      skipCreatingHetznerSecretInWorkloadCluster:
+                        description: |-
+                          SkipCreatingHetznerSecretInWorkloadCluster indicates whether the Hetzner secret should be
+                          created in the workload cluster. By default the secret gets created, so that the ccm (running
+                          in the wl-cluster) can use that secret. If you prefer to not reveal the secret in the
+                          wl-cluster, you can set this to value to false, so that the secret is not created. Be sure to
+                          run the ccm outside of the wl-cluster in that case, e.g. in the management cluster.
+                        type: boolean
                       sshKeys:
                         description: SSHKeys are cluster wide. Valid values are a
                           valid SSH key name.
diff --git a/controllers/hetznercluster_controller.go b/controllers/hetznercluster_controller.go
@@ -472,6 +472,12 @@ func hcloudTokenErrorResult(
 }
 
 func reconcileTargetSecret(ctx context.Context, clusterScope *scope.ClusterScope) (res reconcile.Result, reterr error) {
+	if clusterScope.HetznerCluster.Spec.SkipCreatingHetznerSecretInWorkloadCluster {
+		// If the secret should not be created in the workload cluster, we just return.
+		// This means the ccm is running outside of the workload cluster (or getting the secret differently).
+		return reconcile.Result{}, nil
+	}
+
 	// Checking if control plane is ready
 	clientConfig, err := clusterScope.ClientConfig(ctx)
 	if err != nil {
diff --git a/docs/caph/03-reference/02-hetzner-cluster.md b/docs/caph/03-reference/02-hetzner-cluster.md
@@ -70,3 +70,4 @@ If you are using your own load balancer, you need to point towards it and config
 | `hetznerSecret.key.hcloudToken`                          | `string`   |                  | no       | Name of the key where the token for the Hetzner Cloud API is stored                                                                           |
 | `hetznerSecret.key.hetznerRobotUser`                     | `string`   |                  | no       | Name of the key where the username for the Hetzner Robot API is stored                                                                        |
 | `hetznerSecret.key.hetznerRobotPassword`                 | `string`   |                  | no       | Name of the key where the password for the Hetzner Robot API is stored                                                                        |
+| `skipCreatingHetznerSecretInWorkloadCluster`             | `bool`   | `false`            | no       | Indicates whether the Hetzner secret should be created in the workload cluster. By default the secret gets created, so that the ccm (running in the wl-cluster) can use that secret. If you prefer to not reveal the secret in the wl-cluster, you can set this to value to false, so that the secret is not created. Be sure to run the ccm outside of the wl-cluster in that case, e.g. in the management cluster. |
