OpenStack: Add cloud provider secret key #216
Conversation
Now we include only clouds.yaml key in CCO minted secrets. But starting from OpenShift 4.6 we also need clouds.conf key data for Cinder CSI driver. This commit adds clouds.conf key in generated secrets.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Fedosin The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
CC @openshift/storage |
|
/retest |
|
/test e2e-openstack |
|
I tested this patch and the operator correctly created a secret with a Thanks for your work on this, @Fedosin! |
|
Is there an example of the kind of data that is stored in clouds.conf (I've never come across this in my limited OpenStack experience)? Just as I wrote that I think I came across an example https://github.com/kubernetes/cloud-provider-openstack/blob/master/pkg/csi/cinder/etc/cloud.conf . |
|
IIUC, clouds.conf is basically just the same contents as clouds.yaml but in INI-style format? |
Not exactly - they're actually configuration files for different projects. The clouds.conf (should be cloud.conf really, I do not know why we chose to name it clouds.conf here) is the configuration for the cloud provider, while clouds.yaml is the configuration for the openstack client, that is also used by gophercloud. The change looks good to me, we can merge it when it passes e2e-openstack CI. |
Perhaps I've misread things. My understanding came from how the installer builds this INI-looking content https://github.com/openshift/installer/blob/master/pkg/asset/manifests/openstack/cloudproviderconfig.go#L29 So is it more accurate to say that this clouds.conf file is really useful only for Cinder? What I'm trying to understand is if in the future we decide to implement "mint" mode for cloud-cred-operator for OpenStack (today we only support "passthrough" mode where we blindly copy the contents of the secret kube-system/openstack-credentials), what do all these fields in the Secret that cloud-cred-operator would need to populate if CCO was making OpenStack API calls to create new credentials while processing a CredentialsRequest object? |
|
clouds.conf contains the in-tree cloud provider configuration. It includes auth parameters, cinder configuration and other sections: https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#typical-configuration For Cinder CSI driver they decided to reuse this file as it already has everything they need. Other sections are ignored. clouds.yaml has just auth parameters in the predefined format: https://docs.openstack.org/python-openstackclient/latest/configuration/index.html#configuration-files |
|
/retest |
|
@Fedosin: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
FYI e2e-openstack is currently broken due to https://bugzilla.redhat.com/show_bug.cgi?id=1853298. Patch at openshift/machine-config-operator#1773 should solve it. |
@dgoodwin WDYT? It seems like if we ever need to implement mint mode for OpenStack, it's going to be more involved than "give me creds" -> "save to secret" as there are files with specific formats that need to be built. I think my primary concern here is that we might be building files with storage configuration data/sections when the credentials request is for the ability to create/delete instances. |
|
How does it differ from the json blobs we do for GCP? |
Perhaps I simply do not understand how things are normally done in OpenStack, but to me the primary difference is that the GCP auth secret contains the auth info (urls, username, private keys), but not service configuration info (eg. no storage bucket encryption settings). In my mental model, I would expect the operator that managed running ServiceX to ask for creds, and then combine the creds with the desired ServiceX configuration (assuming ServiceX's config and auth were both bundled into a single file). With the present situation, for OpenStack mint-mode it feels like CCO would need to know:
(and every new service could potentially need CCO-specific handling) |
dgoodwin
left a comment
dgoodwin
left a comment
There was a problem hiding this comment.
Very good question, OpenStack folks, is Joel correct here? If we start supporting minting specific credentials for OpenStack by examining the CredentialsRequest, what is that secret expected to contain? Do we assume it would contain both of these two keys? Could there be additional keys and would we have enough into to always assume to populate them as well?
| const ( | ||
| rootOpenStackCredsSecretKey = "clouds.yaml" | ||
| rootOpenStackCredsSecretKey = "clouds.yaml" | ||
| cloudProviderOpenStackCredsSecretKey = "clouds.conf" |
There was a problem hiding this comment.
Please add some comments here for the differences between the two keys, as this is definitely going to be confusing.
| return err | ||
| } | ||
|
|
||
| cloudsCONF, err := a.getCloudCredentialsSecretData(cloudCredSecret, cloudProviderOpenStackCredsSecretKey, logger) |
There was a problem hiding this comment.
What's going to happen on a 4.5 to 4.6 upgrade here, presumably this key will not be populated, will all cred requests start failing?
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci-robot
added
the
lifecycle/stale
7 participants
Now we include only clouds.yaml key in CCO minted secrets. But starting from OpenShift 4.6 we also need clouds.conf key data for Cinder CSI driver.
Both keys are generated by the installer: https://github.com/openshift/installer/blob/master/data/data/manifests/openshift/cloud-creds-secret.yaml.template#L33-L34
This commit adds clouds.conf key in CCO generated secrets.