hetznercloud / hcloud-cloud-controller-manager

Kubernetes cloud-controller-manager for Hetzner Cloud
Apache License 2.0
743 stars, 118 forks

feat: read HCLOUD_TOKEN from file #652

Closed simonostendorf closed 5 months ago

simonostendorf commented 6 months ago

This allows the HCLOUD_TOKEN (and ROBOT_USER and ROBOT_PASSWORD) to be read from a file. This can be useful if the token is injected using secret injection (e.g. with the vault agent injector).

I tested the changes on my dev cluster. I cannot test the robot account changes, because I only use hcloud. But because they use the same function inside the code I think it's working too :). If someone is interested in using this with the vault agent injector, I used the following helm values:

```yaml
image:
  repository: <custom-image-because-changes-are-not-released>
  tag: <custom-image-because-changes-are-not-released>
podAnnotations:
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/log-format: json
  vault.hashicorp.com/role: <your-vault-role-name>
  vault.hashicorp.com/secret-volume-path-token: /vault/secrets
  vault.hashicorp.com/agent-inject-file-token: token
  vault.hashicorp.com/agent-inject-secret-token: <your-vault-mount>/data/<your-vault-path>
  vault.hashicorp.com/agent-inject-template-token: |
    {{ with secret "<your-vault-mount>/data/<your-vault-path>" -}}
     {{ .Data.data.token }}
    {{- end }}
env:
  HCLOUD_TOKEN_FILE:
    value: "/vault/secrets/token"
  HCLOUD_TOKEN: null # must be set to null, otherwise helm renders both value and valueFrom and that results in an error
```

This change is inspired by the external-dns cloudflare provider. I requested the same change for the csi-driver to keep consistency in reading HCLOUD_TOKEN from a file.

Closes #595

codecov[bot] commented 6 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 76.81%. Comparing base (ed097ab) to head (12ee38b). Report is 3 commits behind head on main.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #652      +/-   ##
==========================================
+ Coverage   76.23%   76.81%   +0.58%
==========================================
  Files          21       20       -1
  Lines        2264     2105     -159
==========================================
- Hits         1726     1617     -109
+ Misses        360      329      -31
+ Partials      178      159      -19
```


apricote commented 5 months ago

Thanks for the PR @simonostendorf!

Don't worry about the e2e tests failing, they don't work for people outside of the hetznercloud organization on GitHub.

simonostendorf commented 5 months ago

I forgot to update the helm chart and I pushed some of my private fixes, sorry. I will fix this as soon as possible :D