Add ability to disable oci client init on startup (#243)

* Add option to disable OCI client init on startup
oracle · Apr 19, 2023 · 535d6ef · 535d6ef
1 parent db4d5fc
commit 535d6ef
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 34 deletions.
diff --git a/cloud/util/util.go b/cloud/util/util.go
@@ -158,6 +158,10 @@ func InitClientsAndRegion(ctx context.Context, client client.Client, defaultRegi
 	} else {
 		clientProvider = defaultClientProvider
 	}
+	if clientProvider == nil {
+		return nil, "", scope.OCIClients{}, errors.New("OCI authentication credentials could not be retrieved from pod or cluster level," +
+			"please install Cluster API Provider for OCI with OCI authentication credentials or set Cluster Identity in the OCICluster")
+	}
 	// Region set at cluster takes highest precedence
 	if len(clusterAccessor.GetRegion()) > 0 {
 		clusterRegion = clusterAccessor.GetRegion()

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -30,6 +30,7 @@ spec:
         - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},OKE=${EXP_OKE:=false}"
         - "--metrics-bind-address=127.0.0.1:8080"
         - "--logging-format=${LOG_FORMAT:=text}"
+        - "--init-oci-clients-on-startup=${INIT_OCI_CLIENTS_ON_STARTUP:=true}"
         image: controller:latest
         name: manager
         securityContext:

diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md
@@ -29,6 +29,7 @@
     - [Provision a PVC on the File Storage Service](./gs/pvc-fss.md)
   - [Customize worker nodes](./gs/customize-worker-node.md)
   - [Multi Tenancy](./gs/multi-tenancy.md)
+  - [Advanced Options](./gs/advanced.md)
 - [Networking Guide](./networking/networking.md)
   - [Default Network Infrastructure](./networking/infrastructure.md)
     - [Using Calico](./networking/calico.md)

diff --git a/docs/src/gs/advanced.md b/docs/src/gs/advanced.md
@@ -0,0 +1,18 @@
+# Advanced Options
+
+## Disable OCI Client initialization on startup
+
+CAPOCI supports setting OCI principals at [cluster level][cluster-identity], hence CAPOCI can be
+installed without providing OCI user credentials. The following environment variable need to be exported
+to install CAPOCI without providing any OCI credentials.
+
+   ```shell
+   export INIT_OCI_CLIENTS_ON_STARTUP=false
+   ```
+
+If the above setting is used, and [Cluster Identity][cluster-identity] is not used, the OCICluster will
+go into error state, and the following error will show up in the CAPOCI pod logs.
+
+`OCI authentication credentials could not be retrieved from pod or cluster level,please install Cluster API Provider for OCI with OCI authentication credentials or set Cluster Identity in the OCICluster`
+
+[cluster-identity]: ./multi-tenancy.md
diff --git a/main.go b/main.go
@@ -57,6 +57,7 @@ var (
 	ociClusterConcurrency     int
 	ociMachineConcurrency     int
 	ociMachinePoolConcurrency int
+	initOciClientsOnStartup   bool
 )
 
 const (
@@ -112,6 +113,12 @@ func main() {
 		5,
 		"Number of OciMachinePools to process simultaneously",
 	)
+	flag.BoolVar(
+		&initOciClientsOnStartup,
+		"init-oci-clients-on-startup",
+		true,
+		"Initialize OCI clients on startup",
+	)
 
 	opts := zap.Options{
 		Development: true,
@@ -144,46 +151,48 @@ func main() {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
 	}
+	// Setup the context that's going to be used in controllers and for the manager.
+	ctx := ctrl.SetupSignalHandler()
 
-	authConfigDir := os.Getenv(AuthConfigDirectory)
-	if authConfigDir == "" {
-		setupLog.Error(err, "auth config directory environment variable is not set")
-		os.Exit(1)
-	}
-
-	authConfig, err := config.FromDir(authConfigDir)
-	if err != nil {
-		setupLog.Error(err, "invalid auth config file")
-		os.Exit(1)
-	}
+	var clientProvider *scope.ClientProvider
+	var region string
+	if initOciClientsOnStartup {
+		authConfigDir := os.Getenv(AuthConfigDirectory)
+		if authConfigDir == "" {
+			setupLog.Error(err, "auth config directory environment variable is not set")
+			os.Exit(1)
+		}
 
-	setupLog.Info("CAPOCI Version", "version", version.GitVersion)
-	ociAuthConfigProvider, err := config.NewConfigurationProvider(authConfig)
-	if err != nil {
-		setupLog.Error(err, "authentication provider could not be initialised")
-		os.Exit(1)
-	}
+		authConfig, err := config.FromDir(authConfigDir)
+		if err != nil {
+			setupLog.Error(err, "invalid auth config file")
+			os.Exit(1)
+		}
 
-	// Setup the context that's going to be used in controllers and for the manager.
-	ctx := ctrl.SetupSignalHandler()
+		setupLog.Info("CAPOCI Version", "version", version.GitVersion)
+		ociAuthConfigProvider, err := config.NewConfigurationProvider(authConfig)
+		if err != nil {
+			setupLog.Error(err, "authentication provider could not be initialised")
+			os.Exit(1)
+		}
 
-	region, err := ociAuthConfigProvider.Region()
-	if err != nil {
-		setupLog.Error(err, "unable to get OCI region from AuthConfigProvider")
-		os.Exit(1)
-	}
+		region, err = ociAuthConfigProvider.Region()
+		if err != nil {
+			setupLog.Error(err, "unable to get OCI region from AuthConfigProvider")
+			os.Exit(1)
+		}
 
-	clientProvider, err := scope.NewClientProvider(ociAuthConfigProvider)
-	if err != nil {
-		setupLog.Error(err, "unable to create OCI ClientProvider")
-		os.Exit(1)
-	}
-	_, err = clientProvider.GetOrBuildClient(region)
-	if err != nil {
-		setupLog.Error(err, "authentication provider could not be initialised")
-		os.Exit(1)
+		clientProvider, err = scope.NewClientProvider(ociAuthConfigProvider)
+		if err != nil {
+			setupLog.Error(err, "unable to create OCI ClientProvider")
+			os.Exit(1)
+		}
+		_, err = clientProvider.GetOrBuildClient(region)
+		if err != nil {
+			setupLog.Error(err, "authentication provider could not be initialised")
+			os.Exit(1)
+		}
 	}
-
 	if err = (&controllers.OCIClusterReconciler{
 		Client:         mgr.GetClient(),
 		Scheme:         mgr.GetScheme(),