Skip to content

Use CA in cloudprofile for STACKIT clients#150

Open
nschad wants to merge 23 commits into
mainfrom
use-cloudprofile-ca
Open

Use CA in cloudprofile for STACKIT clients#150
nschad wants to merge 23 commits into
mainfrom
use-cloudprofile-ca

Conversation

@nschad

@nschad nschad commented May 21, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

How to categorize this PR?

/kind enhancement

What this PR does / why we need it:

Removes the custom-ca secret and instead uses the CA from the Cloudprofile for all stackit components. OpenStack is unaffected.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Breaking changes:

@ske-prow ske-prow Bot added kind/enhancement Enhancement, improvement, extension do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels May 21, 2026
@ske-prow

ske-prow Bot commented May 21, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign nschad for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ske-prow ske-prow Bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 21, 2026
@nschad nschad force-pushed the use-cloudprofile-ca branch from 2677cbd to ec54626 Compare May 22, 2026 07:42
@jamand jamand mentioned this pull request May 22, 2026
Merged
@nschad nschad force-pushed the use-cloudprofile-ca branch from ec54626 to 3afb9c7 Compare June 1, 2026 11:18
nschad
nschad commented Jun 5, 2026
View reviewed changes
Comment thread charts/gardener-extension-provider-stackit/templates/deployment.yaml
@nschad nschad force-pushed the use-cloudprofile-ca branch 2 times, most recently from e2e318a to 68adead Compare June 5, 2026 12:07
nschad added 5 commits June 8, 2026 10:46
@nschad
Use CA in cloudprofile for STACKIT clients
40dae4d 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
Add CABundle to mcm-provider-stackit if specified
23db13e 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
deduplicate CABundle for CSI/CCM
98a33f1 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
align volumeName with CSI/CCM
0837e3b 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
fix some lint errors
6431448 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad nschad force-pushed the use-cloudprofile-ca branch from cffc406 to 6431448 Compare June 8, 2026 08:46
@nschad
drop costuom-certs in provider-stackit
65f8350 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad

nschad commented Jun 8, 2026

Copy link
Copy Markdown
Contributor Author

/retest

@nschad

nschad commented Jun 8, 2026

Copy link
Copy Markdown
Contributor Author

/test post-gardener-extension-provider-stackit-dev-artifacts

@ske-prow

ske-prow Bot commented Jun 8, 2026

Copy link
Copy Markdown

@nschad: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test pull-gardener-extension-provider-stackit-integration-tests

/test pull-gardener-extension-provider-stackit-validate-renovate

/test pull-gardener-extension-provider-stackit-verify

Use /test all to run the following jobs that were automatically triggered:

pull-gardener-extension-provider-stackit-integration-tests

pull-gardener-extension-provider-stackit-verify
Details

In response to this:

/test post-gardener-extension-provider-stackit-dev-artifacts

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

nschad added 5 commits June 8, 2026 14:18
@nschad
do not double-encode cloudprofile caBundle
8a02f14 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
fix secret chart
262d068 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
decode cloudProfile.caBundle before using it
7816faa 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
use stackit SDK WithCustomHTTPClient for custom Transport with modifi…
b9c1710 
…ed Root CA's

Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
format and simplify code
4f049af 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad nschad changed the title WIP: Use CA in cloudprofile for STACKIT clients Use CA in cloudprofile for STACKIT clients Jun 8, 2026
@ske-prow ske-prow Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 8, 2026
nschad added 3 commits June 8, 2026 15:58
@nschad
remove unused helm value
6fd8895 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
rename InjectCAIntoHTTPClient => newHTTPClientWithCustomCA
d9f312e 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
fix: use newObj instead of old machineDeployment
76ed7b1 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
breuerfelix
breuerfelix requested changes Jun 9, 2026
View reviewed changes

@breuerfelix breuerfelix left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add tests for as much as possible. E.g. webhook, factory and maybe valuesprovider

Comment thread charts/internal/cloud-provider-config/values.yaml Outdated
Comment thread pkg/webhook/controlplane/ensurer.go Outdated
nschad added 9 commits June 9, 2026 10:46
@nschad
add unit test for webhook
53c5c5d 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
add unit test for DecodeCloudProfileCABundle
ab38f46 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
use const variable instead of string for volume name
fe48461 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
rename cloudProfileCABundleB64 => CABundleBase64
e1b8a1d 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
remove stackitv1alpha1.Cloudprofile's CABundle; use gardener's CABund…
b9c5dcf 
…le instead

Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
Gardener's Cloudprofile CABundle is not encoded. Encode it for the he…
956ae42 
…lm-chart

Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
use EnsureVolumeWithName and EnsureVolumeMountWithName instead of app…
fdfc523 
…ending everytime

Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
add stackit-ca-bundle from config chart to internal chart
c1dbe28 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
@nschad
use EnsureEnvVarWithName for the ENV vars
d86eb11 
Signed-off-by: Niclas Schad <niclas.schad@stackit.cloud>
breuerfelix
breuerfelix requested changes Jun 19, 2026
View reviewed changes
Comment thread pkg/apis/stackit/v1alpha1/types_cloudprofile.go
// CABundle is the CA certificate bundle for API endpoints.
// This field is currently ignored and reserved for future use.
// +optional
CABundle *string `json:"caBundle,omitempty"`

@breuerfelix breuerfelix Jun 19, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if we can just remove this field. We need to deprecate it first.
Since CloudProfile decoding is strict, this will fail for shoots that still have the CA set.
I remember that i wanted to add the DNSEndpoint to the cloudProfile but then the yawol extension was crashlooping since it didn't expect this field to be present.
That means that if the CABundle is still present, this controller would fail decoding it.
I think we should:

  1. deprecate that field
  2. make sure no cloudprofile has the cabundle set
  3. remove the cabundle field

@nschad nschad Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or we could just mark this as breaking and then inform everybody that the CABundle needs to be removed. That has happen anyway, why not now?

Comment thread pkg/controller/controlplane/valuesprovider.go
"podNetwork": strings.Join(extensionscontroller.GetPodNetwork(cluster), ","),
"podAnnotations": map[string]any{
"checksum/secret-" + v1beta1constants.SecretNameCloudProvider: checksums[v1beta1constants.SecretNameCloudProvider],
"checksum/secret-" + openstack.CloudProviderConfigName: checksums[openstack.CloudProviderConfigName],

@breuerfelix breuerfelix Jun 19, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also need to add a checksum of the new stackit-ca here, we also need to make sure that the other pods that use the secret has the corresponding checksum in order for ca rotation to work properly

@nschad nschad Jun 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CA rotation? That's not really a thing to be honest, atleast in this case

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@breuerfelix breuerfelix breuerfelix requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

kind/enhancement Enhancement, improvement, extension size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nschad @breuerfelix