upi/vsphere: add vsphere to cloudproviderconfig #1516
Conversation
/hold This builds on top of #1479.
$ cat > install-config.yaml << EOF
apiVersion: v1beta4
baseDomain: devcluster.openshift.com
metadata:
name: mstaeble
networking:
machineCIDR: "139.178.89.192/26"
platform:
vsphere:
virtualCenters:
- name: vcsa.vmware.devcluster.openshift.com
username: dummy@e2e.local
password: MyPassword
datacenters:
- dc1
workspace:
defaultDatastore: nvme-ds1
scsiControllerType: pvscsi
publicNetwork: VM Network
pullSecret: redacted
sshKey: redacted
EOF
$ openshift-install create manifests
INFO Consuming "Install Config" from target directory
$ cat manifests/cloud-provider-config
apiVersion: v1
data:
config: |-
[Global]
secret-name = "vsphere-creds"
secret-namespace = "kube-system"
[VirtualCenter "vcsa.vmware.devcluster.openshift.com"]
datacenters = "dc1"
[Workspace]
server = "vcsa.vmware.devcluster.openshift.com"
datacenter = "dc1"
default-datastore = "nvme-ds1"
resourcepool-path = "mstaeble"
folder = "mstaeble"
[Disk]
scsicontrollertype = "pvscsi"
[Network]
public-network = "VM Network"
kind: ConfigMap
metadata:
creationTimestamp: null
name: cloud-provider-config
namespace: openshift-config
$ cat openshift/99_cloud-creds-secret.yaml
kind: Secret
apiVersion: v1
metadata:
namespace: kube-system
name: vsphere-creds
data:
vcsa.vmware.devcluster.openshift.com.username: ZHVtbXlAZTJlLmxvY2Fs
vcsa.vmware.devcluster.openshift.com.password: TXlQYXNzd29yZA==
@staebler quick question if you don't mind my asking: have you considered, or is it on the table for future work, to obfuscate the below credentials?
Some users might use an admin user, and I personally would not feel comfortable putting that in the clear, as everyone will then be able to use the infrastructure. The same goes for the Secret, as it is a simple base64 decode.
I know and understand that it might be a bigger discussion; however, I thought I should mention it (although I'm sure it's already known).
@DanyC97 Obfuscation would be good. I'm not sure what options we have, though. We are limited by what the vSphere provider supports, which as far as I know is an un-obfuscated username and password. Do you have any suggestions for how we could add obfuscation?
/cc @gnufied How does this look to you with regards to setting up the vSphere cloud config?
@staebler this is looking good. I just have a minor comment about some of the validation.
@staebler I'm not a Terraform expert (still ramping up); however, I'll dig into it a bit and then open an issue to discuss further so I don't distract attention from this PR.
public-network = "{{.PublicNetwork}}"` | ||
|
||
// CloudProviderConfig generates the cloud provider config for the vSphere platform. | ||
func CloudProviderConfig(installConfig *types.InstallConfig) (string, error) { |
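Review bot: the template line `public-network = "{{.PublicNetwork}}"` substitutes the install-config value into a double-quoted gcfg string without escaping, so a network name containing a double quote, a backslash or a newline would break the quoting or alter the parsed config; since `CloudProviderConfig(installConfig *types.InstallConfig)` receives the whole install config, either reject those characters in the platform validation for the fields that feed this template or render the values through a quoting function instead of raw template substitution.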
nit: start with vSphere platform?
The install-config does end up on the cluster as a ConfigMap. It might be necessary to remove this password when we store the ConfigMap here.
Secrets are pushed to the API and then they are always kept encrypted in etcd like any other secret. Only valid users have access to secrets. So there is no requirement for doing anything here.
This configuration file is used to configure the Kubernetes cloud provider integration when using the built-in cloud provider integration or the external cloud controller manager. The ConfigMap containing the cloud provider config must be in the `openshift-config` namespace, as required by openshift/api PR 245 [1].
[1]: https://github.com/openshift/api/blob/master/config/v1/types_infrastructure.go#L28
The vSphere usernames and passwords are now redacted from the install-config.
Add the config for vsphere to cloudproviderconfig. Add vsphere cloud creds to cloud-creds-secret.yaml. Add fields to vsphere platform in installconfig to support cloudproviderconfig. Set the enable_disk_uuid attribute to true for vsphere VMs as that is required to ensure the VMDK properly mounts disks. See https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/existing.html for details on the vsphere cloud config file.
Updated output
$ cat > install-config.yaml << EOF
apiVersion: v1beta4
baseDomain: devcluster.openshift.com
metadata:
name: mstaeble
networking:
machineCIDR: "139.178.89.192/26"
platform:
vsphere:
virtualCenters:
- name: vcsa.vmware.devcluster.openshift.com
username: dummy@e2e.local
password: MyPassword
datacenters:
- dc1
workspace:
defaultDatastore: nvme-ds1
scsiControllerType: pvscsi
publicNetwork: VM Network
pullSecret: redacted
sshKey: redacted
EOF
$ openshift-install create manifests
INFO Consuming "Install Config" from target directory
$ cat manifests/cloud-provider-config.yaml
apiVersion: v1
data:
config: |+
[Global]
secret-name = vsphere-creds
secret-namespace = kube-system
[Workspace]
server = vcsa.vmware.devcluster.openshift.com
datacenter = dc1
default-datastore = nvme-ds1
folder = mstaeble
[Disk]
scsicontrollertype = pvscsi
[Network]
public-network = VM Network
[VirtualCenter "vcsa.vmware.devcluster.openshift.com"]
datacenters = dc1
kind: ConfigMap
metadata:
creationTimestamp: null
name: cloud-provider-config
namespace: openshift-config
$ cat openshift/99_cloud-creds-secret.yaml
kind: Secret
apiVersion: v1
metadata:
namespace: kube-system
name: vsphere-creds
data:
vcsa.vmware.devcluster.openshift.com.username: ZHVtbXlAZTJlLmxvY2Fs
vcsa.vmware.devcluster.openshift.com.password: TXlQYXNzd29yZA==
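As an added example (not the installer's code and not the `CloudProviderConfig` from this PR), the Go program below shows the split that both the original and the updated output above rely on: the config placed in the `openshift-config` ConfigMap only names the credentials Secret in its `[Global]` section, while the username and password go solely into the `kube-system/vsphere-creds` Secret under `<vcenter>.username` and `<vcenter>.password` keys. The types, the `gcfgQuote` helper and the `LeaksCredentials` check are assumptions introduced here; the sample values are constructed from the install-config shown in the PR.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed stand-ins for the installer's vSphere install-config types (hypothetical).
type VirtualCenter struct {
	Name, Username, Password string
	Datacenters              []string
}
type Workspace struct{ Server, Datacenter, DefaultDatastore, Folder string }
type VSpherePlatform struct {
	VirtualCenters                    []VirtualCenter
	Workspace                         Workspace
	SCSIControllerType, PublicNetwork string
}

// Only the name and namespace of the credentials Secret are written into the config.
const (
	CredsSecretName      = "vsphere-creds"
	CredsSecretNamespace = "kube-system"
)

// gcfgQuote double-quotes a value, escaping what could break out of the quotes or add a line.
func gcfgQuote(v string) string {
	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`)
	return `"` + r.Replace(v) + `"`
}

// CloudProviderConfig renders the INI-style vSphere cloud config with no credentials in it:
// [Global] only names the Secret, so the ConfigMap in openshift-config never holds a password.
func CloudProviderConfig(p VSpherePlatform) (string, error) {
	if len(p.VirtualCenters) == 0 {
		return "", fmt.Errorf("at least one virtual center must be configured")
	}
	var b strings.Builder
	fmt.Fprintf(&b, "[Global]\nsecret-name = %s\nsecret-namespace = %s\n",
		gcfgQuote(CredsSecretName), gcfgQuote(CredsSecretNamespace))
	fmt.Fprintf(&b, "[Workspace]\nserver = %s\ndatacenter = %s\ndefault-datastore = %s\nfolder = %s\n",
		gcfgQuote(p.Workspace.Server), gcfgQuote(p.Workspace.Datacenter),
		gcfgQuote(p.Workspace.DefaultDatastore), gcfgQuote(p.Workspace.Folder))
	fmt.Fprintf(&b, "[Disk]\nscsicontrollertype = %s\n[Network]\npublic-network = %s\n",
		gcfgQuote(p.SCSIControllerType), gcfgQuote(p.PublicNetwork))
	for _, vc := range p.VirtualCenters {
		if vc.Name == "" || len(vc.Datacenters) == 0 {
			return "", fmt.Errorf("virtual center needs a name and at least one datacenter")
		}
		fmt.Fprintf(&b, "[VirtualCenter %s]\ndatacenters = %s\n",
			gcfgQuote(vc.Name), gcfgQuote(strings.Join(vc.Datacenters, ",")))
	}
	return b.String(), nil
}

// CredsSecretData builds the .data map of the kube-system/vsphere-creds Secret, keyed
// "<vcenter>.username" / "<vcenter>.password"; base64 is encoding, not protection.
func CredsSecretData(p VSpherePlatform) map[string]string {
	data := make(map[string]string, 2*len(p.VirtualCenters))
	for _, vc := range p.VirtualCenters {
		data[vc.Name+".username"] = base64.StdEncoding.EncodeToString([]byte(vc.Username))
		data[vc.Name+".password"] = base64.StdEncoding.EncodeToString([]byte(vc.Password))
	}
	return data
}

// LeaksCredentials reports whether a vCenter username or password appears verbatim in the config.
func LeaksCredentials(config string, p VSpherePlatform) bool {
	for _, vc := range p.VirtualCenters {
		for _, s := range []string{vc.Username, vc.Password} {
			if s != "" && strings.Contains(config, s) {
				return true
			}
		}
	}
	return false
}

// SamplePlatform is constructed from the install-config shown in this PR.
func SamplePlatform() VSpherePlatform {
	vc := VirtualCenter{Name: "vcsa.vmware.devcluster.openshift.com", Username: "dummy@e2e.local",
		Password: "MyPassword", Datacenters: []string{"dc1"}}
	return VSpherePlatform{
		VirtualCenters:     []VirtualCenter{vc},
		Workspace:          Workspace{Server: vc.Name, Datacenter: "dc1", DefaultDatastore: "nvme-ds1", Folder: "mstaeble"},
		SCSIControllerType: "pvscsi",
		PublicNetwork:      "VM Network",
	}
}

func main() {
	p := SamplePlatform()
	cfg, err := CloudProviderConfig(p)
	if err != nil {
		panic(err)
	}
	fmt.Print(cfg)
	fmt.Println("leaks credentials:", LeaksCredentials(cfg, p), "secret data:", CredsSecretData(p))
}
```

The `LeaksCredentials` check is the one to wire into a generator: it is cheap, and it catches the regression the thread worries about, a password ending up in a ConfigMap that anyone with read access to `openshift-config` can see. The Secret's base64 values decode trivially, so what limits who can read the credentials is RBAC on the Secret, not the encoding.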
/approve
/lgtm