Add secretRef to IgnitionConfig

hack/api-reference/api.md

@@ -341,6 +341,20 @@ string
 </tr>
 <tr>
 <td>
+<code>secretRef</code></br>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#localobjectreference-v1-core">
+Kubernetes core/v1.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SecretRef is a reference to a secret containing the ignition config.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>override</code></br>
 <em>
 bool

hack/api-reference/config.md

@@ -46,7 +46,9 @@ string
 <td>
 <code>clientConnection</code></br>
 <em>
-invalid type
+<a href="https://godoc.org/k8s.io/component-base/config/v1alpha1#ClientConnectionConfiguration">
+Kubernetes v1alpha1.ClientConnectionConfiguration
+</a>
 </em>
 </td>
 <td>
@@ -72,7 +74,9 @@ ETCD
 <td>
 <code>healthCheckConfig</code></br>
 <em>
-invalid type
+<a href="https://github.com/gardener/gardener/extensions/pkg/apis/config">
+github.com/gardener/gardener/extensions/pkg/apis/config/v1alpha1.HealthCheckConfig
+</a>
 </em>
 </td>
 <td>
@@ -205,7 +209,9 @@ string
 <td>
 <code>capacity</code></br>
 <em>
-invalid type
+<a href="https://godoc.org/k8s.io/apimachinery/pkg/api/resource#Quantity">
+k8s.io/apimachinery/pkg/api/resource.Quantity
+</a>
 </em>
 </td>
 <td>

pkg/apis/metal/types_worker.go

@@ -4,6 +4,7 @@
 package metal
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -47,6 +48,7 @@ type MachineImage struct {
 
 // IgnitionConfig contains ignition settings.
 type IgnitionConfig struct {
-	Raw      string
-	Override bool
+	Raw       string
+	SecretRef *corev1.LocalObjectReference
+	Override  bool
 }

pkg/apis/metal/v1alpha1/types_worker.go

@@ -4,6 +4,7 @@
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -54,6 +55,10 @@ type IgnitionConfig struct {
 	// +optional
 	Raw string `json:"raw,omitempty"`
 
+	// SecretRef is a reference to a secret containing the ignition config.
+	// +optional
+	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
+
 	// Override configures, if ignition keys set by the os-extension are overridden
 	// by extra ignition.
 	// +optional

pkg/controller/worker/machines.go

@@ -118,9 +118,14 @@ func (w *workerDelegate) generateMachineClassAndSecrets(ctx context.Context) ([]
 			metal.ImageFieldName:        machineImage,
 			metal.ServerLabelsFieldName: serverLabels,
 		}
+
 		if workerConfig.ExtraIgnition != nil {
-			machineClassProviderSpec[metal.IgnitionFieldName] = workerConfig.ExtraIgnition.Raw
-			machineClassProviderSpec[metal.IgnitionOverrideFieldName] = workerConfig.ExtraIgnition.Override
+			if mergedIgnition, err := w.mergeIgnitionConfig(ctx, workerConfig); err != nil {
+				return nil, nil, err
+			} else if mergedIgnition != "" {
+				machineClassProviderSpec[metal.IgnitionFieldName] = mergedIgnition
+				machineClassProviderSpec[metal.IgnitionOverrideFieldName] = workerConfig.ExtraIgnition.Override
+			}
 		}
 
 		for zoneIndex, zone := range pool.Zones {
@@ -227,3 +232,28 @@ func (w *workerDelegate) getServerLabelsForMachine(machineType string, workerCon
 	}
 	return combinedLabels, nil
 }
+
+func (w *workerDelegate) mergeIgnitionConfig(ctx context.Context, workerConfig *metalv1alpha1.WorkerConfig) (string, error) {
+	var mergedIgnition string
+
+	if workerConfig.ExtraIgnition.Raw != "" {
+		mergedIgnition = workerConfig.ExtraIgnition.Raw
+	}
+
+	if workerConfig.ExtraIgnition.SecretRef != nil {
+		secret := &corev1.Secret{}
+		secretKey := client.ObjectKey{Namespace: w.worker.Namespace, Name: workerConfig.ExtraIgnition.SecretRef.Name}
+		if err := w.client.Get(ctx, secretKey, secret); err != nil {
+			return "", fmt.Errorf("failed to get ignition secret %s: %w", workerConfig.ExtraIgnition.SecretRef, err)
+		}
+
+		secretContent, ok := secret.Data[metal.IgnitionFieldName]
+		if !ok {
+			return "", fmt.Errorf("ignition key not found in secret %s", workerConfig.ExtraIgnition.SecretRef)
+		}
+
+		mergedIgnition += string(secretContent)
+	}
+
+	return mergedIgnition, nil
+}

pkg/controller/worker/machines_test.go

@@ -76,7 +76,7 @@ var _ = Describe("Machines", func() {
 					"foo":  "bar",
 					"foo1": "bar1",
 				},
-				metal.IgnitionFieldName:         "abc",
+				metal.IgnitionFieldName:         "abcdef",
 				metal.IgnitionOverrideFieldName: true,
 			}
 

pkg/controller/worker/suite_test.go

@@ -115,6 +115,7 @@ var _ = BeforeSuite(func() {
 func SetupTest() (*corev1.Namespace, *gardener.ChartApplier) {
 	var chartApplier gardener.ChartApplier
 	ns := &corev1.Namespace{}
+	ign := &corev1.Secret{}
 
 	BeforeEach(func(ctx SpecContext) {
 		var err error
@@ -132,12 +133,27 @@ func SetupTest() (*corev1.Namespace, *gardener.ChartApplier) {
 		volumeName := "test-volume"
 		volumeType := "fast"
 
+		*ign = corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: "testign-",
+				Namespace:    ns.Name,
+			},
+			Data: map[string][]byte{
+				"ignition": []byte("def"),
+			},
+		}
+		Expect(k8sClient.Create(ctx, ign)).To(Succeed(), "failed to create test ignition secret")
+		DeferCleanup(k8sClient.Delete, ign)
+
 		workerConfig = &apiv1alpha1.WorkerConfig{
 			ExtraServerLabels: map[string]string{
 				"foo1": "bar1",
 			},
 			ExtraIgnition: &apiv1alpha1.IgnitionConfig{
-				Raw:      "abc",
+				Raw: "abc",
+				SecretRef: &corev1.LocalObjectReference{
+					Name: ign.Name,
+				},
 				Override: true,
 			},
 		}