Remove credentials from the API

kubermatic · Aug 26, 2019 · 5f09061 · 5f09061
1 parent 026cdb6
commit 5f09061
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 57 deletions.
diff --git a/pkg/apis/kubeone/config/config.go b/pkg/apis/kubeone/config/config.go
@@ -28,36 +28,11 @@ import (
 	kubeonescheme "github.com/kubermatic/kubeone/pkg/apis/kubeone/scheme"
 	kubeonev1alpha1 "github.com/kubermatic/kubeone/pkg/apis/kubeone/v1alpha1"
 	"github.com/kubermatic/kubeone/pkg/apis/kubeone/validation"
-	"github.com/kubermatic/kubeone/pkg/credentials"
 	"github.com/kubermatic/kubeone/pkg/terraform"
 
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
-// SetKubeOneClusterDynamicDefaults sets the dynamic defaults for a given KubeOneCluster object
-func SetKubeOneClusterDynamicDefaults(cfg *kubeoneapi.KubeOneCluster) error {
-	if err := SetKubeOneClusterCredentials(cfg); err != nil {
-		return errors.Wrap(err, "unable to set dynamic defaults for a given KubeOneCluster object")
-	}
-	return nil
-}
-
-// SetKubeOneClusterCredentials populates credentials used for machine-controller and external CCM
-func SetKubeOneClusterCredentials(cfg *kubeoneapi.KubeOneCluster) error {
-	// Only populate credentials if machine-controller is deployed or cloud provider is external
-	if (cfg.MachineController != nil && !cfg.MachineController.Deploy) && !cfg.CloudProvider.External {
-		return nil
-	}
-
-	creds, err := credentials.ProviderCredentials(cfg.CloudProvider.Name)
-	if err != nil {
-		return errors.Wrap(err, "unable to fetch cloud provider credentials")
-	}
-	cfg.Credentials = creds
-
-	return nil
-}
-
 // SourceKubeOneClusterFromTerraformOutput sources information about the cluster from the Terraform output
 func SourceKubeOneClusterFromTerraformOutput(terraformOutput []byte, cluster *kubeonev1alpha1.KubeOneCluster) error {
 	tfConfig, err := terraform.NewConfigFromJSON(terraformOutput)
@@ -85,11 +60,6 @@ func DefaultedKubeOneCluster(versionedCluster *kubeonev1alpha1.KubeOneCluster, t
 		return nil, errors.Wrap(err, "unable to convert versioned to internal cluster object")
 	}
 
-	// Apply the dynamic defaults
-	if err := SetKubeOneClusterDynamicDefaults(internalCfg); err != nil {
-		return nil, err
-	}
-
 	// Validate the configuration
 	if err := validation.ValidateKubeOneCluster(*internalCfg).ToAggregate(); err != nil {
 		return nil, errors.Wrap(err, "unable to validate the given KubeOneCluster object")

diff --git a/pkg/templates/machinecontroller/deployment.go b/pkg/templates/machinecontroller/deployment.go
@@ -58,7 +58,7 @@ func Deploy(s *state.State) error {
 
 	ctx := context.Background()
 
-	deployment, err := machineControllerDeployment(s.Cluster)
+	deployment, err := machineControllerDeployment(s.Cluster, s.CredentialsFilePath)
 	if err != nil {
 		return errors.Wrap(err, "failed to generate machine-controller deployment")
 	}
@@ -672,7 +672,7 @@ func machineControllerMachineDeploymentCRD() *apiextensions.CustomResourceDefini
 	}
 }
 
-func machineControllerDeployment(cluster *kubeoneapi.KubeOneCluster) (*appsv1.Deployment, error) {
+func machineControllerDeployment(cluster *kubeoneapi.KubeOneCluster, credentialsFilePath string) (*appsv1.Deployment, error) {
 	var replicas int32 = 1
 
 	clusterDNS, err := clusterDNSIP(cluster)
@@ -699,6 +699,11 @@ func machineControllerDeployment(cluster *kubeoneapi.KubeOneCluster) (*appsv1.De
 		args = append(args, "-external-cloud-provider")
 	}
 
+	envVar, err := credentials.EnvVarBindings(cluster.CloudProvider.Name, credentialsFilePath)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to get env var bindings for a secret")
+	}
+
 	return &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "machine-controller",
@@ -763,7 +768,7 @@ func machineControllerDeployment(cluster *kubeoneapi.KubeOneCluster) (*appsv1.De
 							ImagePullPolicy:          corev1.PullIfNotPresent,
 							Command:                  []string{"/usr/local/bin/machine-controller"},
 							Args:                     args,
-							Env:                      getEnvVarCredentials(cluster),
+							Env:                      envVar,
 							TerminationMessagePath:   corev1.TerminationMessagePathDefault,
 							TerminationMessagePolicy: corev1.TerminationMessageReadFile,
 							ReadinessProbe: &corev1.Probe{
@@ -799,26 +804,6 @@ func machineControllerDeployment(cluster *kubeoneapi.KubeOneCluster) (*appsv1.De
 	}, nil
 }
 
-func getEnvVarCredentials(cluster *kubeoneapi.KubeOneCluster) []corev1.EnvVar {
-	env := make([]corev1.EnvVar, 0)
-
-	for k := range cluster.Credentials {
-		env = append(env, corev1.EnvVar{
-			Name: k,
-			ValueFrom: &corev1.EnvVarSource{
-				SecretKeyRef: &corev1.SecretKeySelector{
-					LocalObjectReference: corev1.LocalObjectReference{
-						Name: credentials.SecretName,
-					},
-					Key: k,
-				},
-			},
-		})
-	}
-
-	return env
-}
-
 // clusterDNSIP returns the IP address of ClusterDNS Service,
 // which is 10th IP of the Services CIDR.
 func clusterDNSIP(cluster *kubeoneapi.KubeOneCluster) (*net.IP, error) {

diff --git a/pkg/templates/machinecontroller/webhook.go b/pkg/templates/machinecontroller/webhook.go
@@ -28,6 +28,7 @@ import (
 	kubeoneapi "github.com/kubermatic/kubeone/pkg/apis/kubeone"
 	"github.com/kubermatic/kubeone/pkg/certificate"
 	"github.com/kubermatic/kubeone/pkg/clientutil"
+	"github.com/kubermatic/kubeone/pkg/credentials"
 	"github.com/kubermatic/kubeone/pkg/state"
 
 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
@@ -68,10 +69,15 @@ func DeployWebhookConfiguration(s *state.State) error {
 		return errors.Wrap(err, "failed to generate machine-controller webhook TLS secret")
 	}
 
+	deployment, err := webhookDeployment(s.Cluster, s.CredentialsFilePath)
+	if err != nil {
+		return errors.Wrap(err, "failed to generate machine-controller webhook deployment")
+	}
+
 	ctx := context.Background()
 
 	k8sobjects := []runtime.Object{
-		webhookDeployment(s.Cluster),
+		deployment,
 		service(),
 		servingCert,
 		mutatingwebhookConfiguration(caCert),
@@ -122,9 +128,14 @@ func WaitForWebhook(client dynclient.Client) error {
 }
 
 // webhookDeployment returns the deployment for the machine-controllers MutatignAdmissionWebhook
-func webhookDeployment(cluster *kubeoneapi.KubeOneCluster) *appsv1.Deployment {
+func webhookDeployment(cluster *kubeoneapi.KubeOneCluster, credentialsFilePath string) (*appsv1.Deployment, error) {
 	var replicas int32 = 1
 
+	envVar, err := credentials.EnvVarBindings(cluster.CloudProvider.Name, credentialsFilePath)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to get env var bindings for a secret")
+	}
+
 	return &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "machine-controller-webhook",
@@ -190,7 +201,7 @@ func webhookDeployment(cluster *kubeoneapi.KubeOneCluster) *appsv1.Deployment {
 								"-v", "4",
 								"-listen-address", "0.0.0.0:9876",
 							},
-							Env:                      getEnvVarCredentials(cluster),
+							Env:                      envVar,
 							TerminationMessagePath:   corev1.TerminationMessagePathDefault,
 							TerminationMessagePolicy: corev1.TerminationMessageReadFile,
 							ReadinessProbe: &corev1.Probe{
@@ -232,7 +243,7 @@ func webhookDeployment(cluster *kubeoneapi.KubeOneCluster) *appsv1.Deployment {
 				},
 			},
 		},
-	}
+	}, nil
 }
 
 // service returns the internal service for the machine-controller webhook