feat: use CAREN to set default cert SANS

Author: faiq

api/v1alpha1/clusterconfig_types.go

@@ -4,6 +4,7 @@
 package v1alpha1
 
 import (
+	"fmt"
 	"maps"
 
 	corev1 "k8s.io/api/core/v1"
@@ -28,6 +29,13 @@ const (
 	CCMProviderAWS = "aws"
 )
 
+var DefaultDockerCertSANs = []string{
+	"localhost",
+	"127.0.0.1",
+	"0.0.0.0",
+	"host.docker.internal",
+}
+
 // +kubebuilder:object:root=true
 
 // ClusterConfig is the Schema for the clusterconfigs API.
@@ -243,7 +251,8 @@ type ExtraAPIServerCertSANs []string
 func (ExtraAPIServerCertSANs) VariableSchema() clusterv1.VariableSchema {
 	return clusterv1.VariableSchema{
 		OpenAPIV3Schema: clusterv1.JSONSchemaProps{
-			Description: "Extra Subject Alternative Names for the API Server signing cert",
+			Description: fmt.Sprintf("Extra Subject Alternative Names for the API Server signing cert. For Docker %v are injected automatically.",
+				DefaultDockerCertSANs),
 			Type:        "array",
 			UniqueItems: true,
 			Items: &clusterv1.JSONSchemaProps{

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml

@@ -65,12 +65,7 @@ spec:
     spec:
       kubeadmConfigSpec:
         clusterConfiguration:
-          apiServer:
-            certSANs:
-            - localhost
-            - 127.0.0.1
-            - 0.0.0.0
-            - host.docker.internal
+          apiServer: {}
           controllerManager:
             extraArgs:
               enable-hostpath-provisioner: "true"

hack/examples/bases/docker/clusterclass/kustomization.yaml.tmpl

@@ -22,6 +22,11 @@ labels:
 
 patches:
 # Delete the patch and variable definitions.
+- target:
+    kind: KubeadmControlPlaneTemplate
+  patch: |-
+    - op: "remove"
+      path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs"
 - target:
     kind: ClusterClass
   patch: |-

pkg/handlers/generic/mutation/extraapiservercertsans/inject.go

@@ -8,11 +8,12 @@ import (
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	capiv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	runtimehooksv1 "sigs.k8s.io/cluster-api/exp/runtime/hooks/api/v1alpha1"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/d2iq-labs/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
 	"github.com/d2iq-labs/cluster-api-runtime-extensions-nutanix/common/pkg/capi/clustertopology/patches"
@@ -29,18 +30,23 @@ const (
 type extraAPIServerCertSANsPatchHandler struct {
 	variableName      string
 	variableFieldPath []string
+	client            ctrlclient.Reader
 }
 
-func NewPatch() *extraAPIServerCertSANsPatchHandler {
-	return newExtraAPIServerCertSANsPatchHandler(clusterconfig.MetaVariableName, VariableName)
+func NewPatch(
+	cl ctrlclient.Reader,
+) *extraAPIServerCertSANsPatchHandler {
+	return newExtraAPIServerCertSANsPatchHandler(clusterconfig.MetaVariableName, cl, VariableName)
 }
 
 func newExtraAPIServerCertSANsPatchHandler(
 	variableName string,
+	cl ctrlclient.Reader,
 	variableFieldPath ...string,
 ) *extraAPIServerCertSANsPatchHandler {
 	return &extraAPIServerCertSANsPatchHandler{
 		variableName:      variableName,
+		client:            cl,
 		variableFieldPath: variableFieldPath,
 	}
 }
@@ -50,12 +56,16 @@ func (h *extraAPIServerCertSANsPatchHandler) Mutate(
 	obj *unstructured.Unstructured,
 	vars map[string]apiextensionsv1.JSON,
 	holderRef runtimehooksv1.HolderReference,
-	_ client.ObjectKey,
+	clusterKey ctrlclient.ObjectKey,
 ) error {
 	log := ctrl.LoggerFrom(ctx).WithValues(
 		"holderRef", holderRef,
 	)
-
+	cluster := &capiv1.Cluster{}
+	if err := h.client.Get(ctx, clusterKey, cluster); err != nil {
+		return err
+	}
+	defaultAPICertSANs := getDefaultAPIServerSANs(cluster)
 	extraAPIServerCertSANsVar, found, err := variables.Get[v1alpha1.ExtraAPIServerCertSANs](
 		vars,
 		h.variableName,
@@ -64,11 +74,13 @@ func (h *extraAPIServerCertSANsPatchHandler) Mutate(
 	if err != nil {
 		return err
 	}
-	if !found {
-		log.V(5).Info("Extra API server cert SANs variable not defined")
+	if !found && len(defaultAPICertSANs) == 0 {
+		log.V(5).Info("No Extra API server cert SANs needed to be added")
 		return nil
 	}
 
+	extraSans := deDup(extraAPIServerCertSANsVar, defaultAPICertSANs)
+
 	log = log.WithValues(
 		"variableName",
 		h.variableName,
@@ -83,15 +95,46 @@ func (h *extraAPIServerCertSANsPatchHandler) Mutate(
 		func(obj *controlplanev1.KubeadmControlPlaneTemplate) error {
 			log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
-				"patchedObjectName", client.ObjectKeyFromObject(obj),
+				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
 			).Info("adding API server extra cert SANs in kubeadm config spec")
 
 			if obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration == nil {
 				obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration = &bootstrapv1.ClusterConfiguration{}
 			}
-			obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration.APIServer.CertSANs = extraAPIServerCertSANsVar
-
+			obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration.APIServer.CertSANs = extraSans
 			return nil
 		},
 	)
 }
+
+func getDefaultAPIServerSANs(cluster *capiv1.Cluster) []string {
+	provider, ok := cluster.Labels[capiv1.ProviderNameLabel]
+	if !ok {
+		return []string{}
+	}
+	switch provider {
+	case "docker":
+		return v1alpha1.DefaultDockerCertSANs
+	default:
+		return []string{}
+	}
+}
+
+func deDup(a, b []string) []string {
+	found := map[string]bool{}
+	for _, s := range a {
+		if _, ok := found[s]; !ok {
+			found[s] = true
+		}
+	}
+	for _, s := range b {
+		if _, ok := found[s]; !ok {
+			found[s] = true
+		}
+	}
+	ret := make([]string, 0, len(found))
+	for k := range found {
+		ret = append(ret, k)
+	}
+	return ret
+}

pkg/handlers/generic/mutation/handlers.go

@@ -23,7 +23,7 @@ func MetaMutators(mgr manager.Manager) []mutation.MetaMutator {
 	return []mutation.MetaMutator{
 		auditpolicy.NewPatch(),
 		etcd.NewPatch(),
-		extraapiservercertsans.NewPatch(),
+		extraapiservercertsans.NewPatch(mgr.GetClient()),
 		httpproxy.NewPatch(mgr.GetClient()),
 		kubernetesimagerepository.NewPatch(),
 		credentials.NewPatch(mgr.GetClient()),