add cloud-creds-secret

[sallyom]

Various components will require access to credentials to create AWS resources (such as registry - s3 bucket). This PR adds a secret aws-creds or openstack-creds to kube-system namesapce that holds the cloud-provider credentials plus a role aws|openstack-creds-secret-reader in -n kube-system to bind to to access the secret.

Made the creds secret generic and added logic to get libvirt and aws or openstack creds to generate a secret and role. Note, add whatever is required for libvirt when this lands: #296

TODO: verify the OpenStack credentials secret is what's required @flaper87. Currently the secret is encoded from /etc/openstack/clouds.yaml.
TODO in followup: Add libvirt credentials once they become necessary.

This PR adds (showing aws here):

$ oc describe secret aws-creds -n kube-system
Name:         aws-creds
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
aws_access_key_id:      20 bytes
aws_secret_access_key:  40 bytes

and

$ oc describe role aws-creds-secret-reader -n kube-system
Name:         aws-creds-secret-reader
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  secrets    []                 [aws-creds]     [get]

[wking]

TODO: create secret/role only if cloud provider is aws, and/or make secret more generically 'cloud-creds-secret'.

The libvirt analog is probably the libvird URI (and maybe a client cert/key, #296).

[steveej]

I wonder if we could make the secret provider-agnostic on the storage level and have the type embedded in the data instead. A use-case which makes this a bit more difficult by requiring the simultaneous storage of different provider credentials is a multi-cloud cluster.

[steveej]

@wking

The libvirt analog is probably the libvird URI

Does the libvirt URI need to be part of the secret? It's not sensitive information and it's already handled by general cluster information.

[wking]

The libvirt analog is probably the libvird URI

Does the libvirt URI need to be part of the secret?

No, but once you need a client cert/key, the URI won't be any use without the secret key. It seems easier to just keep the cert/key and URI in the same place. But none of this needs to happen in this PR; just something to think about when planning ahead.

[sallyom]

@steveej @wking is a multi-cloud cluster possible atm? I'm going with installconfig platform (aws|libvirt|openstack) as the only options. Is there/will there be an option for more than 1 provider?

[wking]

Is there/will there be an option for more than 1 provider?

Not to my knowledge. And the installer code currently assumes one provider in a few places, so I'd just roll with that approach for now.

[smarterclayton]

/retest

[staebler]

Do we expect that these resources will be identical for all platforms save for the data in the secret? If so, it may be better to use an if in the template that checks the platform type to determine which type of data to add rather than having a separate, mostly duplicated go file for each platform.

[sallyom]

👍 makes sense thanks, will push a change to that effect.. er...easier said than done but looking into it

[staebler]

Why don't we just add conditionally rather than adding everything and removing based on the platform?

[sallyom]

yup, that is silly.. fixing now..

[staebler]

Give explicit names to these fields (e.g., AWS, OpenStack, Libvirt). That will (1) make the name in the template file shorter and (2) allow for fields in the various cred data struct to have the same names.

[sallyom]

done

[flaper87]

@sallyom thanks for including OpenStack in this PR. cc'ing @tomassedovic @hardys @russellb too.

Let us know if we can do anything to help on the OpenStack side of things.

[dmage]

Can we add the type of the cluster (AWS, OpenStack, etc.) so that consumers know what to expect?

[bparees]

and while we're at it (providing AWS coordinates), the registry operator would also like to know what s3 bucket name should be used for the registry (if you don't supply a name we'll create one, but it's likely users may want to create their own bucket).

[sallyom]

@dmage made it so, yes

[sallyom]

@bparees, makes sense, might not be within the scope of this PR, I'll discuss with the installer team. In a follow-up PR, we can add registry s3 bucket name to the secret if/when necessary.

[sallyom]

/retest

[sallyom]

@staebler @wking, I think this is ready for approval, ptal. I've tested in libvirt, no secret/role is created and in aws aws-creds secret and aws-creds-secret-reader role are created

@flaper87 I've made the change to name os secret data clouds.yaml instead of credentials

[flaper87]

@flaper87 I've made the change to name os secret data clouds.yaml instead of credentials

Perfect, thanks!

FWIW, I've tested this with openstack and openshift/release#1824 It works fine!

[wking]

Looks like we can drop this comment?

[wking]

I'm fine with a GitHub issue or commit-message comment about wanting this, but I'd rather not have commented-out code stubs committed to the repo. They just make refactoring harder, e.g. if we renamed openStackCredsFile, this would be one more thing to update.

[sallyom]

👍 #550

[wking]

To DRY up the naming, maybe use Platform.Name:

platform := installConfig.Config.Platform.Name()
switch platform {
case "aws":
  ...

[sallyom]

👍 thanks, got it. I missed the addn of func (p *Platform) Name() string :)

[wking]

conditionalAssetData seems like more trouble than it's worth. Why not just:

assetData["99_..."] = applyTemplate...

[sallyom]

because doh-duh thank you!

[wking]

When you get a moment, can you squash the commits and drop the WIP?

$ git log --oneline -2 origin/pr/427
f77fda4 trevor's feedback
47b84f0 WIP-add aws-creds-secret

is probably not a useful distinction for future readers ;). While you're editing the commit message, pasting in whatever is relevant from your initial PR comment (e.g. "Various components will require access...") will make it easier for folks running blame to understand the motivation (otherwise they have to figure out the PR number and check here ;).

[sallyom]

@wking squashed, re-worded commit msg :)

[wking]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sallyom, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment