Add ability to assign tags to virtual machines

[alexander-demicev]

What this PR does / why we need it:
Add the ability to assign tags to virtual machines, similar to what is done in AWS. In order to do so, we need to have Tags field in VSphereMachineTemplate and create REST client. This change assumes that tags are already created by the user.

Release note:

-->

Add the ability to assign tags to virtual machines. 

[k8s-ci-robot]

Hi @alexander-demichev. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[alexander-demicev]

This line and _ "github.com/vmware/govmomi/vapi/simulator" are needed to make simulator register rest session endpoint or it returns an error - unable to create rest client: POST https://127.0.0.1:63223/rest/com/vmware/cis/session: 404 Not Found

[yastij]

/ok-to-test

[yastij]

@alexander-demichev - we're planning to cut v0.7.1 today, let's review this, merge it and cut a release once it's ready

[randomvariable]

Need to add the conversion webhooks for the tests to pass.

[EleanorRigby]

@alexander-demichev : I think these tags have to pre-exist in vCenter. Is there a way to dynamically create/delete them with VMs?

[ncdc]

@alexander-demichev would you be able to elaborate on your use case here? I recognize that other infra providers such as CAPA allow this, but you may want to read https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/performance/tagging-vsphere67-perf.pdf about tag performance in larger configurations.

[yastij]

I didn't review the tests yet, I'll do another pass monday

[yastij]

same

[yastij]

I'd remove this blank line

[yastij]

Another pass for the API

[yastij]

I'd put these in the VirtualMachineCloneSpec

[yastij]

can we make the tag category explicit also ? (this would enable key:value use cases)

[alexander-demicev]

@yastij Do you have an example of how to attach a tag from a specific category?

[yastij]

@alexander-demichev - the scalability concerns pointed by @ncdc are standing. what is the use case we want to cover and at what scale ?

[alexander-demicev]

@yastij @ncdc I didn't know about performance issues with tags. My use case is similar to what tags do for other providers.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[vrabbi]

i also have a few use cases for this. having the tags would greatly enhance the ability for extensibility using the VMware Ecosystem tools. the use cases i have seen for this so far are:

1. on-boarding clusters to vRealize Automation using the tag based on-boarding mechanism
2. using VMware Event Broker Appliance to run custom tasks when a specific event occurs. this use case is very helpful as there is no specific event in vSphere for a CAPV cluster being deployed as it is simply provisioning VMs from the vSphere perspective. by adding the tags a custom action could be built in VEBA which could run any custom logic when a node is created in a CAPV clusters. this could include DRS rules (anti-affinity or affinity), creating DNS records for the nodes, adding nodes to a CMDB , creating custom groups in VROPs for monitoring a cluster etc.

regarding the performance issues, while this is something to take into consideration, 25k tag assignments with good performance as mentioned in the article seems quite reasonable. many systems add tags in vSphere and the performance issue i dont think should be a blocker here either. just as maybe the user doesnt have enough resources isnt a blocker for automated deployments.
having CAPV add tags on its own would be an issue but if its opt-in and user defined i think it makes a lot of sense to add this functionality

[embano1]

Not sure about the initial use case here from reading the PR, but I'd suggest to use an async/throttled out-of-band (ie decoupled) mechanism based on vSphere events for this if possible, eg using the event broker or similar. It helps with separation of concerns (access permissions to VC), scalability concerns, network issues and making the controller logic less vulnerable to reconciliation/blocking issues due to heavy VC RPCs. We've seen users successfully adopting this model for tag management (beyond K8s controllers) and it works nicely (orthogonal) with the async reconciliation pattern in K8s controllers.

[yastij]

@vrabbi - I agree that we should have this. @alexander-demichev can you address the comments and rebase ?

[alexander-demicev]

@yastij yes, I'll try to find time this week

[gab-satchi]

Summarizing what's left to be done for the PR:

• rebase now that main branch has switched over to v1alpha4. The API changes will need to be modified to drop v1alpha2
• switch to the batch tagging API. also implies we use tagIDs in the spec and not the tag name.
• rate limiting for the tag attach call. This may not be strictly necessary if we switch to the batch tagging

@alexander-demichev apologies for the long delay with this PR. Is this still something you're interested in contributing?

[vrabbi]

it should be explicit we are dealing with Tag IDs and not Tag Names

[vrabbi]

should be "Tags is an optional set of tag IDs to add to an instance."

[TerryHowe]

Suggested change

	description: Tags is an optional set of tags to add to an instance.
	description: Tags is an optional set of tag IDs to add to an instance.

[vrabbi]

Should be "Tags is an optional set of tag IDs to add to an instance"

[vrabbi]

This should be "Tags is an optional set of tag IDs to add to an instance."

[alexander-demicev]

Hi all, I updated the PR:

1. bumped govmomi dependency so we can use batch tagging
2. changed API field name to TagIDs

I'm having an issue with generating conversions, it's failing with the following error:
E0818 13:26:54.674110 59681 conversion.go:755] Warning: could not find nor generate a final Conversion function for sigs.k8s.io/cluster-api-provider-vsphere/api/v1alpha4.VirtualMachineCloneSpec -> sigs.k8s.io/cluster-api-provider-vsphere/api/v1alpha3.VirtualMachineCloneSpec E0818 13:26:54.674407 59681 conversion.go:756] the following fields need manual conversion: E0818 13:26:54.674417 59681 conversion.go:758] - TagIDs

[embano1]

I think error handling could be slightly improved here instead of reconciling (potentially forever) on any error, including unrecoverable errors.

To quote from the docs:

AttachMultipleTagsToObject attaches multiple tag IDs to a managed object. This operation is idempotent. If a tag is already attached to the object, then the individual operation is a no-op and no error will be thrown. This operation is not atomic. If the underlying call fails with one or more tags not successfully attached to the managed object reference it might leave the managed object reference in a partially tagged state and needs to be resolved by the caller. In this case BatchErrors is returned and can be used to analyse failure reasons on each failed tag. Specified tagIDs must use URN-notation instead of display names or a generic error will be returned and no tagging operation will be performed. If the managed object reference does not exist a generic 403 Forbidden error will be returned. This operation was added in vSphere API 6.5.

We are working on improved error type handling (for assertions) but the above should give you an impression of different error scenarios.

[alexander-demicev]

Does it mean that there are no typed errors at the moment?

[embano1]

Only partially ([]BatchError) and the situation is improving as we export more errors. Please see the tests for the method which shows common error scenarios and the errors.

[gab-satchi]

For now, we don't distinguish between terminal and intermittent errors and we don't need to tackle that in this PR. What could be useful here is setting a condition on the VSphereMachine for reconciling tags. Right now if there is an error, nothing will show on the VSphereMachine to help the user debug further.

[gab-satchi]

thanks for the changes. tested it out locally and it works. It's a slight nuisance to have to use the tag URNs instead of just the name but that's an API limitation.

[gab-satchi]

when I ran a make generate there is a new function in the generated conversion file. Should add that in. This file/function is still needed as it requires us to do the manual conversion.

[gab-satchi]

For now, we don't distinguish between terminal and intermittent errors and we don't need to tackle that in this PR. What could be useful here is setting a condition on the VSphereMachine for reconciling tags. Right now if there is an error, nothing will show on the VSphereMachine to help the user debug further.

[yastij]

@alexander-demichev - pending @gab-satchi's comment on adding a condition, this looks good. Once we merge the v1beta1 types could you rebase your PR ? this way it can make it into the new release

[alexander-demicev]

@yastij Hi, I rebased the PR and added a condition

[yastij]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yastij

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [yastij]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gab-satchi]

thanks for the changes

/lgtm