
upi/vsphere: multiple terraform updates #1518

Merged
merged 4 commits into from
Apr 5, 2019

Conversation

staebler
Contributor

@staebler staebler commented Apr 2, 2019

  • Add DNS records for the control plane and compute hostnames so that they are resolvable from within the cluster.
  • Use IP addresses reserved from an IPAM server.

@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Apr 2, 2019
@abhinavdahiya
Contributor

> • Add DNS records for the control plane and compute hostnames so that they are resolvable from within the cluster.

> • Put pull secret directly in VM ignition config.

The bootstrap ignition has pull secret in multiple locations, secret object, files etc. What about the kubeconfig? IMO users need to make sure the security of the endpoint serving them because ignition doesn't....

Why are we doing this?

> • Use static IP addresses.

@staebler
Contributor Author

staebler commented Apr 2, 2019

> The bootstrap ignition has pull secret in multiple locations, secret object, files etc. What about the kubeconfig? IMO users need to make sure the security of the endpoint serving them because ignition doesn't....

> Why are we doing this?

@abhinavdahiya How do we provide a URL that the bootstrap VM can access but is not accessible publicly? I don't see a way to provide credentials in the ignition file. The only thing that I see is a way to provide a cert to verify the ignition file pulled from the URL. In AWS, the ignition config is stored in S3 to make it secure. In OpenStack, the ignition config is stored in object storage. vSphere does not have that capability.

@staebler
Contributor Author

staebler commented Apr 2, 2019

I'll take out the commit for dealing with the pull secret. There is clearly more work that needs to be done to address the issue of exposing the pull secret. The ignition config fed from the machine config operator also contains the pull secret and is publicly accessible.
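The thread above is about an Ignition config that embeds the pull secret while being fetchable from a URL that Ignition cannot authenticate to. The following is an added example, not code from the openshift/installer project or from anyone in this thread: a small audit that walks an Ignition config's `storage.files` entries, decodes inline `data:` contents and flags files that carry registry credentials, so the check can run before the config is published. The sample config is constructed, and the paths in `SUSPECT_PATHS` are the editor's assumptions about where an installer writes a pull secret.

```python
"""Audit an Ignition config for inline registry credentials before serving it
from a URL that Ignition fetches without client authentication.

Added example for the pull-secret discussion above; it is not code from the
openshift/installer project. The sample config is constructed, and the paths
in SUSPECT_PATHS are assumptions about where an installer writes a pull secret.
"""
import base64
import json
from typing import Dict, List, Optional
from urllib.parse import unquote

# Locations where a registry pull secret is commonly written (assumption).
SUSPECT_PATHS = {"/var/lib/kubelet/config.json", "/root/.docker/config.json"}


def decode_data_url(source: str) -> Optional[str]:
    """Decode an RFC 2397 data: URL, the form Ignition uses for inline file
    contents. Remote sources (http, https, s3, ...) are not fetched."""
    if not source.startswith("data:"):
        return None
    header, _, payload = source[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8", errors="replace")
    return unquote(payload)


def looks_like_pull_secret(text: str) -> bool:
    """True for a Docker-style config whose `auths` map carries `auth` tokens,
    regardless of the path the file is written to."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict):
        return False
    return any(isinstance(v, dict) and "auth" in v for v in auths.values())


def find_embedded_secrets(ignition: Dict) -> List[str]:
    """Return the paths of storage.files entries whose inline contents carry
    registry credentials, matched either by path or by content."""
    findings = []
    for entry in ignition.get("storage", {}).get("files", []):
        path = entry.get("path", "")
        source = entry.get("contents", {}).get("source", "")
        body = decode_data_url(source)
        if body is None:
            continue
        if path in SUSPECT_PATHS or looks_like_pull_secret(body):
            findings.append(path)
    return findings


# Constructed sample: a minimal spec 2.2.0 config with a hostname file and a
# fake pull secret written to an unusual path (the token is a placeholder).
FAKE_PULL_SECRET = json.dumps(
    {"auths": {"registry.example.invalid": {"auth": "PLACEHOLDER"}}})
SAMPLE_CONFIG = {
    "ignition": {"version": "2.2.0"},
    "storage": {"files": [
        {"path": "/etc/hostname",
         "contents": {"source": "data:,control-plane-0"}},
        {"path": "/opt/registry-auth.json",  # off-path, found by content
         "contents": {"source": "data:text/plain;base64,"
                      + base64.b64encode(FAKE_PULL_SECRET.encode()).decode()}},
    ]},
}

if __name__ == "__main__":
    for path in find_embedded_secrets(SAMPLE_CONFIG):
        print(f"pull secret embedded at {path}")
```

The content check matters more than the path list: a secret copied into an unexpected location (as in the sample) is still a secret, and anything the check reports should be treated as published the moment the config is reachable without credentials.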

@staebler
Contributor Author

staebler commented Apr 2, 2019

a31370864...cc8f9f70a removed the changes dealing with the pull secret

@staebler
Contributor Author

staebler commented Apr 4, 2019

cc8f9f70a..041b00f79 switches to reserving IP addresses from an IPAM server.

@dav1x
Contributor

dav1x commented Apr 5, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 5, 2019
staebler and others added 4 commits April 5, 2019 13:49

  • Add DNS records for the control plane and compute hostnames so that they are resolvable from within the cluster.
  • Static IP addresses are now working with rhcos.
  • change network to IPAM query and add local-exec provisioner for VM on destroy

    update examples file by removing IP address and adding machine_cidr
  • We can use the cidr_to_ip.sh external data source to reserve IP addresses for each machine individually rather than all of the machines at once. This greatly simplifies the cidr_to_ip.sh script.

    Additionally, update the README and terraform.tfvars.example.
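The last commit describes calling a cidr_to_ip.sh external data source once per machine. As an added example of what a per-machine Terraform `external` data source program looks like, and not the project's cidr_to_ip.sh, the following Python program speaks the `external` protocol (query map as a JSON object of strings on stdin, flat JSON object of strings on stdout, non-zero exit with a message on stderr to fail the plan). The query keys `cidr` and `index` are assumptions, and it allocates by offset into the CIDR rather than querying an IPAM server, which is a simplification made to keep it self-contained.

```python
"""A Terraform `external` data source program that hands out the index-th
usable address of a CIDR.

Added example for the cidr_to_ip.sh commit above; this is not the project's
script. The query keys `cidr` and `index` and the offset-based allocation
(no IPAM server) are assumptions made to keep the example self-contained."""
import ipaddress
import json
import sys
from typing import Dict


def nth_host(cidr: str, index: int) -> str:
    """Return the index-th assignable address in cidr (index 0 is the first
    host after the network address). Out-of-range indexes are rejected so a
    machine count larger than machine_cidr fails the plan instead of yielding
    the broadcast address or an address outside the subnet."""
    net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
    usable = net.num_addresses - 2  # exclude network and broadcast addresses
    if usable <= 0:
        raise ValueError(f"{cidr} has no assignable host addresses")
    if not 0 <= index < usable:
        raise ValueError(
            f"index {index} outside usable range 0..{usable - 1} of {cidr}")
    return str(net.network_address + 1 + index)


def handle_query(query: Dict[str, str]) -> Dict[str, str]:
    """Every query value is a string on the wire, so `index` is parsed here;
    the result must likewise be a flat map of strings."""
    return {"ip_address": nth_host(query["cidr"], int(query["index"]))}


def main() -> int:
    try:
        result = handle_query(json.load(sys.stdin))
    except (KeyError, ValueError) as exc:
        # Terraform shows stderr and treats a non-zero exit as a failure.
        print(f"cidr_to_ip: {exc}", file=sys.stderr)
        return 1
    json.dump(result, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired in with `data "external"` and `count`, each machine passes its own `count.index` as `index` and reads `result["ip_address"]`, which is the one-address-per-call shape the commit message describes; a real IPAM-backed version would replace `nth_host` with the reservation call and keep the same protocol handling.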
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Apr 5, 2019
@dav1x
Contributor

dav1x commented Apr 5, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 5, 2019
@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dav1x, staebler

