respect capv wc proxy enabled setting (#530)

Co-authored-by: Xavier <[email protected]>

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Do not create proxy secrets for capv clusters if the proxy is not enabled in the cluster app.
+
 ## [2.23.0] - 2024-07-18
 
 ### Changed

service/controller/resource/clustersecret/desired.go

@@ -78,8 +78,13 @@ func (r *Resource) GetDesiredState(ctx context.Context, obj interface{}) ([]*cor
 				// CAPV all clusters are private if the MC is private.
 				privateCluster = !reflect.ValueOf(r.proxy).IsZero()
 			case infra.VSphereClusterKind:
-				// CAPV all clusters are private if the MC is private.
-				privateCluster = !reflect.ValueOf(r.proxy).IsZero()
+				// CAPV all clusters are private if the MC is private and proxy is enabled.
+				proxyEnabled, err := vsphereProxyEnabled(ctx, r.k8sClient.CtrlClient(), cr)
+				if err != nil {
+					return nil, microerror.Mask(err)
+				}
+
+				privateCluster = !reflect.ValueOf(r.proxy).IsZero() && proxyEnabled
 			}
 
 		}

service/controller/resource/clustersecret/vsphere.go

@@ -0,0 +1,79 @@
+package clustersecret
+
+import (
+	"context"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	capi "sigs.k8s.io/cluster-api/api/v1beta1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
+
+	appv1alpha1 "github.com/giantswarm/apiextensions-application/api/v1alpha1"
+	"github.com/giantswarm/microerror"
+)
+
+func vsphereProxyEnabled(ctx context.Context, ctrlClient client.Client, cluster capi.Cluster) (bool, error) {
+	var userConfig string
+	{
+		var clusterApp appv1alpha1.App
+
+		err := ctrlClient.Get(ctx, client.ObjectKey{Namespace: cluster.GetNamespace(), Name: cluster.GetName()}, &clusterApp)
+		if err != nil {
+			return false, microerror.Mask(err)
+		}
+
+		if clusterApp.Spec.Name != "cluster-vsphere" {
+			return false, nil
+		}
+		userConfig = clusterApp.Spec.UserConfig.ConfigMap.Name
+	}
+
+	if userConfig == "" {
+		return false, nil
+	}
+
+	var configMap corev1.ConfigMap
+	{
+		err := ctrlClient.Get(ctx, client.ObjectKey{Namespace: cluster.GetNamespace(), Name: userConfig}, &configMap)
+		if err != nil {
+			return false, microerror.Mask(err)
+		}
+	}
+
+	return getProxyEnabledValueFromConfigMap(configMap)
+}
+
+func getProxyEnabledValueFromConfigMap(configMap corev1.ConfigMap) (bool, error) {
+
+	var values map[string]interface{}
+	{
+		if configMap.Data == nil {
+			return false, nil
+		}
+		if configMap.Data["values"] == "" {
+			return false, nil
+		}
+		data := configMap.Data["values"]
+		data = strings.TrimPrefix(data, "|")
+		data = strings.TrimPrefix(data, "\n")
+
+		err := yaml.Unmarshal([]byte(data), &values)
+		if err != nil {
+			return false, microerror.Mask(err)
+		}
+	}
+
+	// check for global.connectivity.proxy.enabled key
+	if value, ok := values["global"].(map[string]interface{}); ok {
+		if value, ok := value["connectivity"].(map[string]interface{}); ok {
+			if value, ok := value["proxy"].(map[string]interface{}); ok {
+				if value, ok := value["enabled"].(bool); ok {
+					return value, nil
+				}
+			}
+		}
+	}
+
+	return false, nil
+}

service/controller/resource/clustersecret/vsphere_test.go

@@ -0,0 +1,171 @@
+package clustersecret
+
+import (
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+func Test_GetProxyEnabledValueFromConfigMap(t *testing.T) {
+	testCases := []struct {
+		name        string
+		configMap   corev1.ConfigMap
+		result      bool
+		expectError bool
+	}{
+		{
+			name: "case 0",
+			configMap: corev1.ConfigMap{
+				Data: map[string]string{
+					"values": getValuesProxyEnabled(),
+				},
+			},
+			result: true,
+		},
+		{
+			name: "case 1",
+			configMap: corev1.ConfigMap{
+				Data: map[string]string{
+					"values": getValuesProxyDisabled(),
+				},
+			},
+			result: false,
+		},
+		{
+			name: "case 2",
+			configMap: corev1.ConfigMap{
+				Data: map[string]string{
+					"values": getValuesProxyNotDefined(),
+				},
+			},
+			result: false,
+		},
+		{
+			name: "case 3",
+			configMap: corev1.ConfigMap{
+				Data: map[string]string{
+					"values": getValuesProxyEmpty(),
+				},
+			},
+			result: false,
+		},
+		{
+			name: "case 4",
+			configMap: corev1.ConfigMap{
+				Data: map[string]string{
+					"values": getValuesEmptyString(),
+				},
+			},
+			result: false,
+		},
+		{
+			name: "case 5",
+			configMap: corev1.ConfigMap{
+				Data: map[string]string{
+					"values": getValuesRandomContent(),
+				},
+			},
+			result:      false,
+			expectError: true,
+		},
+		{
+			name: "case 6",
+			configMap: corev1.ConfigMap{
+				Data: map[string]string{
+					"wrongKey": getValuesProxyEnabled(),
+				},
+			},
+			result: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result, err := getProxyEnabledValueFromConfigMap(tc.configMap)
+			if err != nil && !tc.expectError {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if err == nil && tc.expectError {
+				t.Fatalf("expected error, got nil")
+			}
+			if result != tc.result {
+				t.Fatalf("result == %#v, want %#v", result, tc.result)
+			}
+		})
+	}
+}
+
+func getValuesProxyEnabled() string {
+	return `|
+    global:
+      release:
+        version: 1.2.3
+      podSecurityStandards:
+        enforced: true
+      connectivity:
+        baseDomain: test.example.io
+        proxy:
+          enabled: true
+          httpProxy: http://proxy.example.io:3128
+          httpsProxy: http://proxy.example.io:3128
+          noProxy: localhost,example.io
+        availabilityZoneUsageLimit: 3
+      providerSpecific:
+        region: far-away-4`
+}
+
+func getValuesProxyDisabled() string {
+	return `|
+    global:
+      release:
+        version: 1.2.3
+      podSecurityStandards:
+        enforced: true
+      connectivity:
+        baseDomain: test.example.io
+        proxy:
+          enabled: false
+        availabilityZoneUsageLimit: 3
+      providerSpecific:
+        region: far-away-4`
+}
+
+func getValuesProxyNotDefined() string {
+	return `|
+    global:
+      release:
+        version: 1.2.3
+      podSecurityStandards:
+        enforced: true
+      connectivity:
+        baseDomain: test.example.io
+        availabilityZoneUsageLimit: 3
+      providerSpecific:
+        region: far-away-4`
+}
+
+func getValuesProxyEmpty() string {
+	return `|
+    global:
+      release:
+        version: 1.2.3
+      podSecurityStandards:
+        enforced: true
+      connectivity:
+        baseDomain: test.example.io
+        proxy:
+          enabled:
+        availabilityZoneUsageLimit: 3
+      providerSpecific:
+        region: far-away-4`
+}
+
+func getValuesEmptyString() string {
+	return `|`
+}
+
+func getValuesRandomContent() string {
+	return `abcd
+    efgh
+    ijkl`
+}