add cloud-creds-secret #427
Conversation
Force-pushed ba5aef4 to cf0c81d
Force-pushed 1e19dc9 to 0aa62e6
The libvirt analog is probably the libvirt URI (and maybe a client cert/key, #296).
Force-pushed 0aa62e6 to 89036b6
Force-pushed 84d59dd to 3d0ec1f
I wonder if we could make the secret provider-agnostic on the storage level and have the type embedded in the data instead. A use-case which makes this a bit more difficult by requiring the simultaneous storage of different provider credentials is a multi-cloud cluster.
Does the libvirt URI need to be part of the secret? It's not sensitive information and it's already handled by general cluster information.
No, but once you need a client cert/key, the URI won't be any use without the secret key. It seems easier to just keep the cert/key and URI in the same place. But none of this needs to happen in this PR; just something to think about when planning ahead.
Not to my knowledge. And the installer code currently assumes one provider in a few places, so I'd just roll with that approach for now.
Force-pushed 3d0ec1f to a299995
/retest
Force-pushed a299995 to 06b370f
namespace: kube-system | ||
name: cloud-creds-secret | ||
data: | ||
aws_access_key_id: {{.CloudCreds.AwsCredsData.Base64encodeAWSaccessKeyID}} |
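Review bot: the template pushes the base64 step into an accessor named `Base64encodeAWSaccessKeyID`, which ties the manifest to one provider's field names and means every new key needs its own encoding helper. A Secret accepts plain values under `stringData:` (the API server encodes them into `data:` on admission), so the template could write the raw value there and drop the per-field encoders; if `data:` is kept, encode once in Go with `base64.StdEncoding.EncodeToString` (no line wrapping) so the rendered value never contains a newline.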
Do we expect that these resources will be identical for all platforms save for the data in the secret? If so, it may be better to use an if in the template that checks the platform type to determine which type of data to add rather than having a separate, mostly duplicated go file for each platform.
👍 makes sense thanks, will push a change to that effect.. er...easier said than done but looking into it
pkg/asset/manifests/tectonic.go
@@ -80,6 +121,19 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error { | |||
Data: data, | |||
}) | |||
} | |||
switch { | |||
case installConfig.Config.Platform.AWS != nil: | |||
t.files = remove(t.files, "99_openstack-creds-secret-and-reader-role.yaml") |
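Review bot: no `default` case is visible in this `switch`, so a platform that matches neither case leaves every per-provider secret manifest in `t.files`, and `remove(t.files, "99_openstack-creds-secret-and-reader-role.yaml")` couples this code to a file-name string that must be kept in sync wherever that asset is registered. Generating only the manifest for the selected platform and returning an error from `Generate` when no case matches avoids both the duplicated name and the silent fall-through.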
Why don't we just add conditionally rather than adding everything and removing based on the platform?
yup, that is silly.. fixing now..
pkg/asset/manifests/template.go
} | ||
|
||
type cloudCredsTemplateData struct { | ||
AwsCredsData |
Give explicit names to these fields (e.g., AWS, OpenStack, Libvirt). That will (1) make the name in the template file shorter and (2) allow for fields in the various cred data struct to have the same names.
done
@sallyom thanks for including Let us know if we can do anything to help on the
Force-pushed 37d62e0 to 27293f8
namespace: kube-system | ||
name: cloud-creds | ||
data: | ||
{{- if .CloudCreds.AWS}} |
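Review bot: `{{- if .CloudCreds.AWS}}` is only correct if the Go side guarantees that exactly one provider field is non-nil. If all are nil the rendered Secret has an empty `data:` block and nothing fails until a consumer reads it; if two are set (the multi-cloud case raised earlier in this thread) both sets of keys land in one Secret. Have the code that fills `CloudCreds` return an error when zero or more than one provider is populated, and add a label or key carrying the platform name so a consumer can tell which keys to expect.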
Can we add the type of the cluster (AWS, OpenStack, etc.) so that consumers know what to expect?
and while we're at it (providing AWS coordinates), the registry operator would also like to know what s3 bucket name should be used for the registry (if you don't supply a name we'll create one, but it's likely users may want to create their own bucket).
@dmage made it so, yes
@bparees, makes sense, might not be within the scope of this PR, I'll discuss with the installer team. In a follow-up PR, we can add registry s3 bucket name to the secret if/when necessary.
Force-pushed 956dbbd to 32f6e1e
/retest
Force-pushed 32f6e1e to 0dae560
Perfect, thanks! FWIW, I've tested this with openstack and openshift/release#1824. It works fine!
Force-pushed 0dae560 to 2a54dc4
pkg/asset/manifests/tectonic.go
@@ -16,12 +20,17 @@ import ( | |||
|
|||
const ( | |||
tectonicManifestDir = "tectonic" | |||
// TODO: Verify this is expected os creds file |
Looks like we can drop this comment?
pkg/asset/manifests/tectonic.go
) | ||
|
||
var ( | ||
tectonicConfigPath = filepath.Join(tectonicManifestDir, "00_cluster-config.yaml") | ||
|
||
_ asset.WritableAsset = (*Tectonic)(nil) | ||
|
||
// TODO: Verify which creds file to expect | ||
//openStackCredsFile = os.Getenv("HOME") + "/.config/openstack" |
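Review bot: the commented-out `openStackCredsFile = os.Getenv("HOME") + "/.config/openstack"` names a different location than the `/etc/openstack/clouds.yaml` the PR description says the secret is encoded from. Whichever lookup order is intended (per-user config first, then the system-wide file) belongs in a doc comment on the constant rather than in dead code, and when the path is reinstated, build it with `filepath.Join` and check that `HOME` is non-empty (or use `os.UserHomeDir()` on Go 1.12+), since the concatenation silently yields `/.config/openstack` when `HOME` is unset.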
I'm fine with a GitHub issue or commit-message comment about wanting this, but I'd rather not have commented-out code stubs committed to the repo. They just make refactoring harder, e.g. if we renamed openStackCredsFile, this would be one more thing to update.
👍 #550
pkg/asset/manifests/tectonic.go
var cloudCreds cloudCredsSecretData | ||
platform := "" | ||
switch { | ||
case installConfig.Config.Platform.AWS != nil: |
To DRY up the naming, maybe use Platform.Name:

    platform := installConfig.Config.Platform.Name()
    switch platform {
    case "aws":
        ...
👍 thanks, got it. I missed the addition of func (p *Platform) Name() string :)
pkg/asset/manifests/tectonic.go
} | ||
|
||
for file, content := range conditionalAssetData { | ||
assetData[file] = content |
conditionalAssetData seems like more trouble than it's worth. Why not just:

    assetData["99_..."] = applyTemplate...
because doh-duh thank you!
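The design the reviewers converge on in the threads above (explicit AWS/OpenStack/Libvirt fields on the template data, one template `if` per provider, a switch on Platform.Name(), a platform marker so consumers know which keys to expect, and direct assignment into the asset map) as one runnable Go program. This is an added illustration, not code from the installer or from anyone in this thread; the type names, the `platform` label key, the data key names and the `99_cloud-creds-secret.yaml` file name are assumptions, and the credential values are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"text/template"
)

// Assumed credential shapes, one per provider (not the installer's real types).
type AWSCreds struct {
	AccessKeyID     string
	SecretAccessKey string
}

type OpenStackCreds struct {
	CloudsYAML string // raw contents of clouds.yaml
}

type LibvirtCreds struct {
	URI string
}

// platformConfig stands in for installConfig.Config.Platform: one provider set, the rest nil.
type platformConfig struct {
	AWS       *AWSCreds
	OpenStack *OpenStackCreds
	Libvirt   *LibvirtCreds
}

// Name mirrors the Platform.Name() accessor suggested in review.
func (p platformConfig) Name() string {
	switch {
	case p.AWS != nil:
		return "aws"
	case p.OpenStack != nil:
		return "openstack"
	case p.Libvirt != nil:
		return "libvirt"
	}
	return ""
}

// Explicit per-provider fields keep the template short and let the provider
// structs reuse field names without clashing (no embedding).
type cloudCredsTemplateData struct {
	Platform  string
	AWS       *AWSCreds
	OpenStack *OpenStackCreds
	Libvirt   *LibvirtCreds
}

// One provider-agnostic Secret in kube-system; the data keys are selected by
// template conditionals and the platform label (assumed key) tells consumers what to expect.
const cloudCredsSecretTmpl = `apiVersion: v1
kind: Secret
metadata:
  namespace: kube-system
  name: cloud-creds
  labels:
    platform: {{.Platform}}
type: Opaque
data:
{{- if .AWS}}
  aws_access_key_id: {{b64 .AWS.AccessKeyID}}
  aws_secret_access_key: {{b64 .AWS.SecretAccessKey}}
{{- end}}
{{- if .OpenStack}}
  clouds.yaml: {{b64 .OpenStack.CloudsYAML}}
{{- end}}
{{- if .Libvirt}}
  uri: {{b64 .Libvirt.URI}}
{{- end}}
`

// renderCloudCredsSecret fills the template for exactly one provider; an
// unrecognised platform is an error rather than a Secret with an empty data block.
func renderCloudCredsSecret(p platformConfig) (string, error) {
	data := cloudCredsTemplateData{Platform: p.Name()}
	switch data.Platform {
	case "aws":
		data.AWS = p.AWS
	case "openstack":
		data.OpenStack = p.OpenStack
	case "libvirt":
		data.Libvirt = p.Libvirt
	default:
		return "", fmt.Errorf("no cloud credentials to emit for platform %q", data.Platform)
	}
	funcs := template.FuncMap{
		// Secret data values are unwrapped standard base64 of the raw bytes.
		"b64": func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
	}
	tmpl, err := template.New("cloud-creds").Funcs(funcs).Parse(cloudCredsSecretTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed, non-working sample credentials.
	cfg := platformConfig{AWS: &AWSCreds{AccessKeyID: "AKIAEXAMPLE", SecretAccessKey: "example-secret"}}
	manifest, err := renderCloudCredsSecret(cfg)
	if err != nil {
		panic(err)
	}
	// Direct assignment into the asset map, as suggested in review.
	assetData := map[string][]byte{}
	assetData["99_cloud-creds-secret.yaml"] = []byte(manifest)
	fmt.Print(string(assetData["99_cloud-creds-secret.yaml"]))
}
```

Running it prints the AWS variant of the Secret; swapping the `platformConfig` for one with only `Libvirt` set switches both the label and the data keys, and an empty `platformConfig` is rejected before any manifest is written.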
Force-pushed 379a604 to f77fda4
When you get a moment, can you squash the commits and drop the WIP?

    $ git log --oneline -2 origin/pr/427
    f77fda4 trevor's feedback
    47b84f0 WIP-add aws-creds-secret

is probably not a useful distinction for future readers ;). While you're editing the commit message, pasting in whatever is relevant from your initial PR comment (e.g. "Various components will require access...") will make it easier for folks running
Force-pushed f77fda4 to 28f1dae
@wking squashed, re-worded commit msg :)
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: sallyom, wking
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Various components will require access to credentials to create AWS resources (such as registry - s3 bucket). This PR adds a secret aws-creds or openstack-creds to the kube-system namespace that holds the cloud-provider credentials, plus a role aws|openstack-creds-secret-reader in -n kube-system to bind to in order to access the secret. Made the creds secret generic and added logic to get libvirt and aws or openstack creds to generate a secret and role. Note, add whatever is required for libvirt when this lands: #296.
TODO: verify the OpenStack credentials secret is what's required @flaper87. Currently the secret is encoded from /etc/openstack/clouds.yaml.
TODO in followup: Add libvirt credentials once they become necessary.
This PR adds (showing aws here):
and