Alicloud: enable customized image sharing

[EmoinLanyu]

What this PR does / why we need it:
Alicloud currently does not actively support latest operating system images. To reduce & avoid security risks, we are using customized images for Shoot creation. Customized images need to be first shared with Shoot's alicloud account before it can consume it.
This PR provide automatic sharing mechanism in extension-provider-alicloud.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

provider-alicloud extension now automatically shares customized images to Shoot's alicloud account during infrastructure reconcile.

[jia-jerry]

I can't remove the comment...

[jia-jerry]

I can't remove the comment...

[EmoinLanyu]

Hi @rfranzke , I have moved the code to infrastructure controller control loop. Build and tests have passed as well. Could you please help review? Thanks

[ialidzhikov]

Does it makes sense also to add docs about the image sharing/custom images in controllers/provider-alicloud/docs/usage-as-end-user.md/controllers/provider-alicloud/docs/usage-as-operator.md?

[EmoinLanyu]

Does it makes sense also to add docs about the image sharing/custom images in controllers/provider-alicloud/docs/usage-as-end-user.md/controllers/provider-alicloud/docs/usage-as-operator.md?

Yes, good point indeed! Will add it too.

[ialidzhikov]

One more question - shouldn't we preserve also the existing public image scenario somehow? Currently I try to pass a worker

workers:
- autoScalerMax: 1
  autoScalerMin: 1
  machineImage:
    name: coreos-alicloud
    version: 2023.4.0
  machineType: ecs.c5.large

referencing the public CoreOS image. And the infra fails to reconcile because I didn't specified the machine-image-owner secret.

[EmoinLanyu]

One more question - shouldn't we preserve also the existing public image scenario somehow? Currently I try to pass a worker

workers:
- autoScalerMax: 1
  autoScalerMin: 1
  machineImage:
    name: coreos-alicloud
    version: 2023.4.0
  machineType: ecs.c5.large

referencing the public CoreOS image. And the infra fails to reconcile because I didn't specified the machine-image-owner secret.

Sorry for the late reply, I somehow missed your later comments...
Yes, this is because currently Alicloud ECS client is instantiated only once for one extension controller and the initialization is before sharing the image (we are also moving the instantiation to Actuator instantiation as well).
In future setup, which we are working on, this machine-image-owner secret should be created in extension's namespace in seeds by default (since only Alicloud provider is needing it, we don't want to simply adding it the way backup bucket did. So it's kind of tricky so we are looking for a good solution).
As a matter of fact, since we have talked Alicloud into providing a new CoreOS version, we have more time reconsider this sharing process and find a better way to pass this secret credentials.

[EmoinLanyu]

Hi @ialidzhikov @rfranzke , I have made some refactoring and added related documents for customized image sharing. Could you please do another round of review? Thanks a lot!
So Alicloud ECS Client for Seed now is instantiated only once when the controller is added to controller manager (during APIReader injection). Secret reference will be checked, and only when it exists the client will be created, so landscapes that don't use customized images won't be affected.
As specified in the docs file, administrator needs to explicitly provide access credentials of Seed operator in the controller registration configuration (TODO: encrypt ctrlreg). Related PR is also created for landscape-setup.

[rfranzke]

/lgtm now, very nice PR, thank you!

[rfranzke]

@ialidzhikov could you check again as well?

[ialidzhikov]

/approve

[jia-jerry]

If .Values.config.machineImageOwnerSecret is not set, let's not create the secret.

[jia-jerry]

Please mark them off. Otherwise, it will be used as an default value.

[jia-jerry]

As MachineImageOwnerSecretRef could be a nil, please define it as *corev1.SecretReference

[ialidzhikov]

@EmoinLanyu , could you please check @jia-jerry's comments? Thanks!

[EmoinLanyu]

@EmoinLanyu , could you please check @jia-jerry's comments? Thanks!

I've changed them locally and have been testing it, but was occupied by other stuff so didn't create a PR. Anyway, thanks for the reminder, will do asap! :=)

[EmoinLanyu]

@EmoinLanyu , could you please check @jia-jerry's comments? Thanks!

Hi @ialidzhikov , done, please check #483, thanks!