forked from openshift/installer
Power VS: Add resourcegroup to infrastructure manifest #144
Open: mjturek wants to merge 1,998 commits into openshift-powervs:add-ipi from mjturek:add-resourcegroup
Note that the shielded_instance_config options have 3 states: 1. User-specified enabled 2. User-specified disabled 3. Not user-specified: default. The shielded_instance_config is defined as a dynamic block and will be only in case the user specified it. This should allow us to get the cloud provider default in case the user didn't specify the config (and will not require code updates if the cloud provider default changes).
OCPBUGS-1769: Check for AWS STS installation before trying to get all IAM Roles
…t Public It was previously only added for StackCloud but it's also needed for all national clouds.
SPLAT-901: set default for variables that are deprecated by failure_domains
OCPBUGS-881: fail to create install-config.yaml as apiVIP and ingress VIP are not in machine networks
OCPBUGS-5324: CVE-2021-4235 go-yaml: Denial of Service in go-yaml
MGMT-12839: Add Shielded VMs options to gcp mpool and TF
A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functions.
Creating an extra CRD asset for the ControlPlaneMachineSet which is required for the machine api operator for more control over the control-plane nodes that come up on Azure.
AGENT-501: Make it easier to change node zero IP and SERVICE_BASE_URL
BUG 2110982: GCP skip public loadbalancer ip addresses
Users would like the ability to change their network configuration at the console if network connectivity problems are detected. To achieve this goal, this patch adds a new service called agent-interactive-console.service to block the login prompt and the agent services that pull an image from the registry. The service will execute the agent TUI to allow users to update their network configuration. The TUI will check there is connectivity to the registry and to the rendezvous host. If the connectivity checks pass, the TUI exits, which also leads the interactive console service to exit, and this unblocks the login prompt and agent services waiting for pull from the registry, allowing the agent-based installer to proceed. The agent TUI will be added in a future patch. For now, the service executes a script that logs its presence, sleeps for 60 seconds, and exits. This should not block the automated flow. Added ConditionPathExists=/usr/local/bin/agent-tui, which means the service does not start nor is it active until the agent-tui binary is present at that path. Most of the service definition was lifted from celebdor's POC: openshift#6560 Signed-off-by: Richard Su <[email protected]>
The interactive console service will not start or be active until the path exists.
OCPBUGS-5770: CVE-2021-4238: goutils: update for randomness fix
** If this is needed then it can always be added back. The gcp byoh code is causing bugs and isn't a requirement. It was added at the same time as the shared vpn code, and the two became entangled, but there was no need for the byoh code without a requirement.
OCPBUGS-1695: Update FCOS to latest 37.20221127.3.0 stable
OCPBUGS-5734: make VIP 168.63.129.16 noProxy in all clouds except Public
CORS-2405: Create ControlPlaneMachineSet CRDs
Setting the pre-created state to active in the CPMS manifest. Also setting some extra fields missed.
A denial of service attack was found in prometheus/client_golang. This flaw allows an attacker to produce a denial of service attack on an HTTP server by exploiting the InstrumentHandlerCounter function in the version below 1.11.1, resulting in a loss of availability.
Split the parts of the InstallConfig asset consumed by the agent installer out into a separate AssetBase struct, so that the agent installer need not embed the whole of InstallConfig. This will allow us to do different validations where necessary in the agent installer.
Instead of embedding the full InstallConfig struct, just embed the common base struct.
Instead of trying to infer the installation method from an unreliable parsing of the command line arguments, pass a flag to explicitly identify the agent-based install method.
If TAGS env var contains "okd" CoreOS manifest script should use FCOS json. This is necessary for OKD clusters to be installable via Hypershift
…provider bump version of ovirt terraform provider
The `autorest/auth` library expects specific keys in the json file for certificate authentication [1]. If we ever saved the Credentials object to a json file during survey, it would have used the wrong keys: `certificatePath` and `certificatePassword` instead of `clientCertificate` and `clientCertificatePassword`, respectively. This change aims to fix that so that the saved `osServicePrincipal.json` file with certificate authentication details can be correctly loaded by the autorest library. It'll also be important in a follow-up change where we are going to load the file ourselves instead of using autorest. Notice that this is not breaking compatibility with previous versions since those fields were never used to create a file (we only survey client secret credentials). [1] https://github.com/Azure/go-autorest/blob/main/autorest/azure/auth/auth.go#L348-L349
If you tried to authenticate with a certificate and provided the wrong password, the installer error message didn't actually say what the error was. It just said
```
$ ./openshift-install create install-config --dir ipi-test
INFO Could not get an azure authorizer from file: auth file missing client and certificate credentials
INFO Asking user to provide authentication info
? azure subscription id [? for help]
```
That happens because the autorest lib would just ignore the auth errors in favor of a generic message [1]. Since the `autorest/auth` module is going out of support by March 31, 2023, let's get rid of it and load the auth file ourselves. Now when doing cert authentication with the wrong password we get:
```
INFO Credentials loaded from file "/root/.azure/osServicePrincipal.json"
WARNING Using client certs to authenticate. Please be warned cluster does not support certs and only the installer does.
ERROR failed to fetch Kubeconfig Admin Client: failed to load asset "Install Config": failed to create install config: creating Azure session: failed to parse client certificate: pkcs12: decryption password incorrect
```
[1] https://github.com/Azure/go-autorest/blob/main/autorest/azure/auth/auth.go#L264-L270
OCPBUGS-7993: hack/build-coreos-manifest: support OKD
This version is used implicitly by the integration tests, and currently it contains the required updated images
AGENT-526: Refactor Agent InstallConfig embedding
Add a `-r <regexp>` to `test-manifests.sh` to optionally only run test cases with a matching name.
openstack-manifests: Option to run selected test cases
…achinespec-new-fields Support the new fields in NutanixMachineProviderConfig
OCPBUGS-7991: vSphere - only create RP when cluster is not empty
OCPBUGS-7860: azure: session: fix unclear auth error messages
a58ac55 introduced many network validations for on-prem platforms. We want to relax one of those, the check that Ingress & API VIPs are in the machinenetwork because the check prevents using the TUI survey to generate the install config and this (mismatched) configuration has been allowed in all of OpenShift 4 without issue. Fixes OCPBUGS-7015
vsphere: Remove bostrt from approver/reviewer group
This changes the default behavior of always generating a service account to sign the ignition URL, to only generating the service account when it is needed; i.e. when authenticating with environmental authentication. Most of the time users provide a service account with key so we can just use that, as we did before environmental auth was recently introduced.
…sthrough GCP: conditionally create bootstrap service account
AGENT-502: Enable agent tui
ARMOCP-417: enable arm64 for agent installer
…tanix-vip-validation OCPBUGS-7015: Relax MachineCIDR check for vSphere, Nutanix
are we still maintaining this repo? 🤔
After openshift/api@925f75a ResourceGroup is needed by the machine-config-operator.