Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds a mechanism in vSphere Cloud Provider to get credentials from Kubernetes secrets #63902

Merged
merged 7 commits into from
May 18, 2018
Merged

Adds a mechanism in vSphere Cloud Provider to get credentials from Kubernetes secrets #63902

merged 7 commits into from
May 18, 2018

Conversation

abrarshivani
Copy link
Contributor

@abrarshivani abrarshivani commented May 16, 2018
edited

What this PR does / why we need it:
Currently, vCenter credentials are stored in plain text in vsphere.conf. This PR adds a mechanism in vSphere Cloud Provider to get vCenter credentials from Kubernetes secrets.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:
Internally review here: vmware-archive#484
Workflow:

  1. Create vsphere.conf file with secret-name and secret-namespace.

    [Global]
insecure-flag = 1
secret-name = "vcconf"
secret-namespace = "kube-system"

[VirtualCenter "10.160.45.119"]
port = 443
datacenters = k8s-dc-1

[Workspace]
server = 10.160.45.119
datacenter = k8s-dc-1
default-datastore = sharedVMFS-0
folder = Discovered virtual machine

  2. Launch Kubernetes cluster with vSphere Cloud Provider Configured.

  3. Create secret with vCenter credentials.
    a. Create base64 encoding for username and password:
    username:

    	> echo -n 'admin' | base64
	YWRtaW4=

    password:

    	> echo -n 'vsphere' | base64
	dnNwaGVyZQ==

    b. kubectl create -f vccredentials.yaml

    	#vccredentials.yaml
	apiVersion: v1
	kind: Secret
	metadata:
		name: vcconf
	type: Opaque
	data:
		10.192.44.199.username: YWRtaW4=
		10.192.44.199.password: dnNwaGVyZQ==

  4. vSphere Cloud Provider can be used now.

Note:
Secrets info can be provided with both (old and new) vSphere Cloud provider configuration formats.

Tests Done:

  • vSphere Cloud Provider unit test.
  • Volume lifecyle with Username and Password in vsphere.conf (for backward compability)
  • Volume lifecyle with secrets information in vsphere.conf.
  • Update secrets workflow

Release note:

Adds a mechanism in vSphere Cloud Provider to get credentials from Kubernetes secrets

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 16, 2018
@k8s-ci-robot k8s-ci-robot requested review from jingxu97 and a user May 16, 2018 01:49
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 16, 2018
@abrarshivani
Copy link
Contributor Author

//cc @kubernetes/vmware

@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels May 16, 2018
@abrarshivani abrarshivani force-pushed the vcp_secrets branch 2 times, most recently from 6edf469 to e5e001c Compare May 16, 2018 19:54
@abrarshivani
Copy link
Contributor Author

/retest

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 17, 2018
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 17, 2018
@abrarshivani
Copy link
Contributor Author

/retest

@divyenpatel
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 17, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abrarshivani, divyenpatel

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 63969, 63902, 63689, 63973, 63978). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 2d1f42e into kubernetes:master May 18, 2018
@s0komma s0komma mentioned this pull request Jul 12, 2018
Closed
@dkirrane
Copy link

dkirrane commented Aug 2, 2018

Question is this available as part of K8s 1.10.3?

And can the Secret be Global i.e. not for specific VirtualCenter:

[Global]
insecure-flag = 1
secret-name = "vcconf"
secret-namespace = "kube-system"

	apiVersion: v1
	kind: Secret
	metadata:
		name: vcconf
	type: Opaque
	data:
		username: YWRtaW4=
		password: dnNwaGVyZQ==

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jingxu97 jingxu97 Awaiting requested review from jingxu97

Assignees

@divyenpatel divyenpatel

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@abrarshivani @divyenpatel @k8s-ci-robot @k8s-github-robot @dkirrane