Add PowerVS Ingress Operator Changes

api/fixtures/example.go

@@ -438,6 +438,7 @@ web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
 			buildIBMCloudCreds(o.Name+"-cloud-ctrl-creds", o.PowerVS.ApiKey),
 			buildIBMCloudCreds(o.Name+"-node-mgmt-creds", o.PowerVS.ApiKey),
 			buildIBMCloudCreds(o.Name+"-cpo-creds", o.PowerVS.ApiKey),
+			buildIBMCloudCreds(o.Name+"-ingress-creds", o.PowerVS.ApiKey),
 		}
 		resources = powerVSResources.AsObjects()
 		platformSpec = hyperv1.PlatformSpec{
@@ -447,6 +448,7 @@ web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
 				ResourceGroup:     o.PowerVS.ResourceGroup,
 				Region:            o.PowerVS.Region,
 				Zone:              o.PowerVS.Zone,
+				CISInstanceCRN:    o.PowerVS.CISInstanceCRN,
 				ServiceInstanceID: o.PowerVS.CloudInstanceID,
 				Subnet: &hyperv1.PowerVSResourceReference{
 					Name: &o.PowerVS.Subnet,
@@ -460,6 +462,7 @@ web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
 				KubeCloudControllerCreds:  corev1.LocalObjectReference{Name: powerVSResources.KubeCloudControllerCreds.Name},
 				NodePoolManagementCreds:   corev1.LocalObjectReference{Name: powerVSResources.NodePoolManagementCreds.Name},
 				ControlPlaneOperatorCreds: corev1.LocalObjectReference{Name: powerVSResources.ControlPlaneOperatorCreds.Name},
+				IngressOperatorCloudCreds: corev1.LocalObjectReference{Name: powerVSResources.IngressOperatorCloudCreds.Name},
 			},
 		}
 		services = getIngressServicePublishingStrategyMapping(o.NetworkType)

api/fixtures/example_ibmcloud_powervs.go

@@ -11,6 +11,7 @@ type ExamplePowerVSOptions struct {
 	ResourceGroup   string
 	Region          string
 	Zone            string
+	CISInstanceCRN  string
 	CloudInstanceID string
 	Subnet          string
 	SubnetID        string
@@ -30,6 +31,7 @@ type ExamplePowerVSResources struct {
 	KubeCloudControllerCreds  *corev1.Secret
 	NodePoolManagementCreds   *corev1.Secret
 	ControlPlaneOperatorCreds *corev1.Secret
+	IngressOperatorCloudCreds *corev1.Secret
 }
 
 func (o *ExamplePowerVSResources) AsObjects() []crclient.Object {
@@ -43,5 +45,8 @@ func (o *ExamplePowerVSResources) AsObjects() []crclient.Object {
 	if o.ControlPlaneOperatorCreds != nil {
 		objects = append(objects, o.ControlPlaneOperatorCreds)
 	}
+	if o.IngressOperatorCloudCreds != nil {
+		objects = append(objects, o.IngressOperatorCloudCreds)
+	}
 	return objects
 }

api/v1alpha1/hostedcluster_types.go

@@ -590,6 +590,13 @@ type PowerVSPlatformSpec struct {
 	// +immutable
 	AccountID string `json:"accountID"`
 
+	// CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name
+	// This field is immutable. Once set, It can't be changed.
+	//
+	// +kubebuilder:validation:Pattern=`^crn:`
+	// +immutable
+	CISInstanceCRN string `json:"cisInstanceCRN"`
+
 	// ResourceGroup is the IBMCloud Resource Group in which the cluster resides.
 	// This field is immutable. Once set, It can't be changed.
 	//
@@ -663,6 +670,12 @@ type PowerVSPlatformSpec struct {
 	//
 	// +immutable
 	ControlPlaneOperatorCreds corev1.LocalObjectReference `json:"controlPlaneOperatorCreds"`
+
+	// IngressOperatorCloudCreds is a reference to a secret containing ibm cloud
+	// credentials for ingress operator to get authenticated with ibm cloud.
+	//
+	// +immutable
+	IngressOperatorCloudCreds corev1.LocalObjectReference `json:"ingressOperatorCloudCreds"`
 }
 
 // PowerVSVPC specifies IBM Cloud PowerVS LoadBalancer configuration for the control

cmd/cluster/powervs/create.go

@@ -157,6 +157,7 @@ func applyPlatformSpecificsValues(ctx context.Context, exampleOptions *apifixtur
 		ResourceGroup:   opts.PowerVSPlatform.ResourceGroup,
 		Region:          opts.PowerVSPlatform.Region,
 		Zone:            opts.PowerVSPlatform.Zone,
+		CISInstanceCRN:  infra.CisCrn,
 		CloudInstanceID: infra.PowerVSCloudInstanceID,
 		Subnet:          infra.PowerVSDhcpSubnet,
 		SubnetID:        infra.PowerVSDhcpSubnetID,

cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml

@@ -2339,6 +2339,12 @@ spec:
                         description: AccountID is the IBMCloud account id. This field
                           is immutable. Once set, It can't be changed.
                         type: string
+                      cisInstanceCRN:
+                        description: CISInstanceCRN is the IBMCloud CIS Service Instance's
+                          Cloud Resource Name This field is immutable. Once set, It
+                          can't be changed.
+                        pattern: '^crn:'
+                        type: string
                       controlPlaneOperatorCreds:
                         description: "ControlPlaneOperatorCreds is a reference to
                           a secret containing cloud credentials with permissions matching
@@ -2351,6 +2357,16 @@ spec:
                               TODO: Add other useful fields. apiVersion, kind, uid?'
                             type: string
                         type: object
+                      ingressOperatorCloudCreds:
+                        description: IngressOperatorCloudCreds is a reference to a
+                          secret containing ibm cloud credentials for ingress operator
+                          to get authenticated with ibm cloud.
+                        properties:
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                        type: object
                       kubeCloudControllerCreds:
                         description: "KubeCloudControllerCreds is a reference to a
                           secret containing cloud credentials with permissions matching
@@ -2446,7 +2462,9 @@ spec:
                         type: string
                     required:
                     - accountID
+                    - cisInstanceCRN
                     - controlPlaneOperatorCreds
+                    - ingressOperatorCloudCreds
                     - kubeCloudControllerCreds
                     - nodePoolManagementCreds
                     - region

cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml

@@ -2247,6 +2247,12 @@ spec:
                         description: AccountID is the IBMCloud account id. This field
                           is immutable. Once set, It can't be changed.
                         type: string
+                      cisInstanceCRN:
+                        description: CISInstanceCRN is the IBMCloud CIS Service Instance's
+                          Cloud Resource Name This field is immutable. Once set, It
+                          can't be changed.
+                        pattern: '^crn:'
+                        type: string
                       controlPlaneOperatorCreds:
                         description: "ControlPlaneOperatorCreds is a reference to
                           a secret containing cloud credentials with permissions matching
@@ -2259,6 +2265,16 @@ spec:
                               TODO: Add other useful fields. apiVersion, kind, uid?'
                             type: string
                         type: object
+                      ingressOperatorCloudCreds:
+                        description: IngressOperatorCloudCreds is a reference to a
+                          secret containing ibm cloud credentials for ingress operator
+                          to get authenticated with ibm cloud.
+                        properties:
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                        type: object
                       kubeCloudControllerCreds:
                         description: "KubeCloudControllerCreds is a reference to a
                           secret containing cloud credentials with permissions matching
@@ -2354,7 +2370,9 @@ spec:
                         type: string
                     required:
                     - accountID
+                    - cisInstanceCRN
                     - controlPlaneOperatorCreds
+                    - ingressOperatorCloudCreds
                     - kubeCloudControllerCreds
                     - nodePoolManagementCreds
                     - region

control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go

@@ -876,6 +876,37 @@ func (r *reconciler) reconcileCloudCredentialSecrets(ctx context.Context, hcp *h
 		}); err != nil {
 			errs = append(errs, fmt.Errorf("failed to reconcile csi driver secret: %w", err))
 		}
+	case hyperv1.PowerVSPlatform:
+		var ingressCredentials corev1.Secret
+		err := r.cpClient.Get(ctx, client.ObjectKey{Namespace: hcp.Namespace, Name: hcp.Spec.Platform.PowerVS.IngressOperatorCloudCreds.Name}, &ingressCredentials)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failed to get ingress operator cloud credentials secret %s from hcp namespace : %w", hcp.Spec.Platform.PowerVS.IngressOperatorCloudCreds.Name, err))
+			return errs
+		}
+
+		cloudCredentials := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "openshift-ingress-operator",
+				Name:      "cloud-credentials",
+			},
+		}
+
+		_, err = r.CreateOrUpdate(ctx, r.client, cloudCredentials, func() error {
+			credData, credHasData := ingressCredentials.Data["ibmcloud_api_key"]
+			if !credHasData {
+				return fmt.Errorf("ingress cloud credentials secret %q is missing credentials key", ingressCredentials.Name)
+			}
+			cloudCredentials.Type = corev1.SecretTypeOpaque
+			if cloudCredentials.Data == nil {
+				cloudCredentials.Data = map[string][]byte{}
+			}
+			cloudCredentials.Data["ibmcloud_api_key"] = credData
+			return nil
+		})
+
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failed to reconcile powervs cloud credentials secret %w", err))
+		}
 	}
 	return errs
 }

docs/content/reference/api.md

@@ -5467,6 +5467,18 @@ This field is immutable. Once set, It can&rsquo;t be changed.</p>
 </tr>
 <tr>
 <td>
+<code>cisInstanceCRN</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>CISInstanceCRN is the IBMCloud CIS Service Instance&rsquo;s Cloud Resource Name
+This field is immutable. Once set, It can&rsquo;t be changed.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>resourceGroup</code></br>
 <em>
 string
@@ -5598,6 +5610,20 @@ This field is immutable. Once set, It can&rsquo;t be changed.</p>
 <p>TODO(dan): document the &ldquo;control plane operator policy&rdquo;</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>ingressOperatorCloudCreds</code></br>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#localobjectreference-v1-core">
+Kubernetes core/v1.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<p>IngressOperatorCloudCreds is a reference to a secret containing ibm cloud
+credentials for ingress operator to get authenticated with ibm cloud.</p>
+</td>
+</tr>
 </tbody>
 </table>
 ###PowerVSResourceReference { #hypershift.openshift.io/v1alpha1.PowerVSResourceReference }

hack/app-sre/saas_template.yaml

@@ -22335,6 +22335,12 @@ objects:
                           description: AccountID is the IBMCloud account id. This
                             field is immutable. Once set, It can't be changed.
                           type: string
+                        cisInstanceCRN:
+                          description: CISInstanceCRN is the IBMCloud CIS Service
+                            Instance's Cloud Resource Name This field is immutable.
+                            Once set, It can't be changed.
+                          pattern: '^crn:'
+                          type: string
                         controlPlaneOperatorCreds:
                           description: "ControlPlaneOperatorCreds is a reference to
                             a secret containing cloud credentials with permissions
@@ -22347,6 +22353,16 @@ objects:
                                 TODO: Add other useful fields. apiVersion, kind, uid?'
                               type: string
                           type: object
+                        ingressOperatorCloudCreds:
+                          description: IngressOperatorCloudCreds is a reference to
+                            a secret containing ibm cloud credentials for ingress
+                            operator to get authenticated with ibm cloud.
+                          properties:
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                          type: object
                         kubeCloudControllerCreds:
                           description: "KubeCloudControllerCreds is a reference to
                             a secret containing cloud credentials with permissions
@@ -22442,7 +22458,9 @@ objects:
                           type: string
                       required:
                       - accountID
+                      - cisInstanceCRN
                       - controlPlaneOperatorCreds
+                      - ingressOperatorCloudCreds
                       - kubeCloudControllerCreds
                       - nodePoolManagementCreds
                       - region
@@ -25316,6 +25334,12 @@ objects:
                           description: AccountID is the IBMCloud account id. This
                             field is immutable. Once set, It can't be changed.
                           type: string
+                        cisInstanceCRN:
+                          description: CISInstanceCRN is the IBMCloud CIS Service
+                            Instance's Cloud Resource Name This field is immutable.
+                            Once set, It can't be changed.
+                          pattern: '^crn:'
+                          type: string
                         controlPlaneOperatorCreds:
                           description: "ControlPlaneOperatorCreds is a reference to
                             a secret containing cloud credentials with permissions
@@ -25328,6 +25352,16 @@ objects:
                                 TODO: Add other useful fields. apiVersion, kind, uid?'
                               type: string
                           type: object
+                        ingressOperatorCloudCreds:
+                          description: IngressOperatorCloudCreds is a reference to
+                            a secret containing ibm cloud credentials for ingress
+                            operator to get authenticated with ibm cloud.
+                          properties:
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                          type: object
                         kubeCloudControllerCreds:
                           description: "KubeCloudControllerCreds is a reference to
                             a secret containing cloud credentials with permissions
@@ -25423,7 +25457,9 @@ objects:
                           type: string
                       required:
                       - accountID
+                      - cisInstanceCRN
                       - controlPlaneOperatorCreds
+                      - ingressOperatorCloudCreds
                       - kubeCloudControllerCreds
                       - nodePoolManagementCreds
                       - region

hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go

@@ -262,6 +262,42 @@ func (p PowerVS) ReconcileCredentials(ctx context.Context, c client.Client, crea
 	if err != nil {
 		return fmt.Errorf("failed to reconcile control plane operator provider creds: %w", err)
 	}
+
+	// Reconcile the platform provider ingress operator credentials secret by
+	// resolving  the reference from the HostedCluster and syncing the secret in
+	// the control plane namespace.
+	err = c.Get(ctx, client.ObjectKey{Namespace: hcluster.GetNamespace(), Name: hcluster.Spec.Platform.PowerVS.IngressOperatorCloudCreds.Name}, &src)
+	if err != nil {
+		return fmt.Errorf("failed to get ingress operator provider creds %s: %w", hcluster.Spec.Platform.PowerVS.IngressOperatorCloudCreds.Name, err)
+	}
+	dest = &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: controlPlaneNamespace,
+			Name:      src.Name,
+		},
+	}
+	_, err = createOrUpdate(ctx, c, dest, func() error {
+		apiKeySrcData, apiKeySrcHasData := src.Data["ibmcloud_api_key"]
+		if !apiKeySrcHasData {
+			return fmt.Errorf("hostedcluster ingress operator credentials secret %q must have a credentials key ibmcloud_api_key", src.Name)
+		}
+		dest.Type = corev1.SecretTypeOpaque
+		if dest.Data == nil {
+			dest.Data = map[string][]byte{}
+		}
+		dest.Data["ibmcloud_api_key"] = apiKeySrcData
+
+		envSrcData, envSrcHasData := src.Data["ibm-credentials.env"]
+		if !envSrcHasData {
+			return fmt.Errorf("hostedcluster ingress operator credentials secret %q must have a credentials key ibm-credentials.env", src.Name)
+		}
+		dest.Data["ibm-credentials.env"] = envSrcData
+
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("failed to reconcile ingress operator provider creds: %w", err)
+	}
 	return nil
 }
 

support/globalconfig/infrastructure.go

@@ -71,8 +71,9 @@ func ReconcileInfrastructure(infra *configv1.Infrastructure, hcp *hyperv1.Hosted
 		}
 	case hyperv1.PowerVSPlatform:
 		infra.Status.PlatformStatus.PowerVS = &configv1.PowerVSPlatformStatus{
-			Region: hcp.Spec.Platform.PowerVS.Region,
-			Zone:   hcp.Spec.Platform.PowerVS.Zone,
+			Region:         hcp.Spec.Platform.PowerVS.Region,
+			Zone:           hcp.Spec.Platform.PowerVS.Zone,
+			CISInstanceCRN: hcp.Spec.Platform.PowerVS.CISInstanceCRN,
 		}
 	}
 }