Add IBMCloud Passthrough #344
Support the IBMCloud platform in Passthrough mode for IPI/UPI.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: BobbyRadford. The full list of commands accepted by this bot can be found here. Details: Needs approval from an approver in each of these files: Approvers can indicate their approval by writing |
|
Hi @BobbyRadford. Thanks for your PR. I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
|
/test all |
|
@dgoodwin are we still accepting new platform enablement of this style (where CCO is doing in-cluster processing of CredentialsRequests)? |
|
@BobbyRadford per Joel's comment above, we are wondering if you would be willing to be an early adopter of our new approach to new platforms in CCO. We have some docs on how we want this to work going forward that will merge once the window opens for next release: #326 Essentially, over the past few years of OpenShift 4 we have learned that customers prefer (a) fine-grained least privilege for each component, and (b) the cluster not having admin-level credentials. We're now moving away from mint and passthrough mode (especially for new platforms), instead opting for manual mode, with the ccoctl utility for admins to manually mint their credentials. For this PR we'd love to have IBM Cloud be a fully supported best-practice implementation within CCO, which would mean:
Let us know what you think here, or find Joel or me on Slack. |
|
@dgoodwin - thank you for the feedback and nudge to look at the new CCO approach. We are in 100% agreement on the preference for fine-grained component-level privilege control and removal of admin-level credentials from the cluster. OCP 4.9 will be the first release for IBM Cloud platform support. The timeline we have is extremely tight and we have a significant amount of work to complete. Decisions have been made that would keep us on this timeline. One of those decisions (discussed with Katherine Dube and RH team) was to support “passthrough” only in our genesis effort. We would be in a better position to look at this support as an update on a 4.10 timeline. |
|
FWIW, using the Manual mode approach doesn't mean you must use fine-grained permissions. Manual mode just means that there is no in-cluster handling of cloud credentials data. It is entirely possible to just put the same credentials secret data into each generated Secret manifest when using Manual mode (which is precisely how things work when doing an install on AWS in an environment where the IAM API endpoints are not available, and the cloud-cred-operator cannot do its normal mode of operation). But extending |
|
Closing this in light of the new PR for Manual mode: #356 |
Related to: openshift/enhancements#773