[release-4.15] OCPBUGS-26208: openshift/manifests: CloudCredential capability for CredentialsRequest

.ci-operator.yaml

@@ -0,0 +1,4 @@
+build_root_image:
+  name: release
+  namespace: openshift
+  tag: rhel-8-release-golang-1.20-openshift-4.15

.gitignore

@@ -179,3 +179,7 @@ docs/book/book/
 
 # Development container files (https://containers.dev/)
 .devcontainer
+
+# Don't ignore anything in vendor directories
+!/vendor/**
+!/hack/tools/vendor/**

.golangci.yml

@@ -126,6 +126,9 @@ linters-settings:
       - pkg: sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1
         alias: controlplanev1
 
+  nolintlint:
+    # https://github.com/golangci/golangci-lint/issues/3228
+    allow-unused: true
   staticcheck:
     go: "1.17"
   stylecheck:

.snyk

@@ -0,0 +1,7 @@
+# References:
+# https://docs.snyk.io/scan-applications/snyk-code/using-snyk-code-from-the-cli/excluding-directories-and-files-from-the-snyk-code-cli-test
+# https://docs.snyk.io/snyk-cli/commands/ignore
+exclude:
+  global:
+    - vendor/**
+    - **/vendor/**

DOWNSTREAM_OWNERS

@@ -0,0 +1,6 @@
+approvers:
+  - shiftstack-team
+reviewers:
+  - shiftstack-team
+component: "Cloud Compute"
+subcomponent: "OpenStack Provider"

DOWNSTREAM_OWNERS_ALIASES

@@ -0,0 +1,10 @@
+aliases:
+  shiftstack-team:
+    - EmilienM
+    - MaysaMacedo
+    - dulek
+    - gryf
+    - mandre
+    - mdbooth
+    - pierreprinetti
+    - stephenfin

Dockerfile.rhel

@@ -0,0 +1,51 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Build the manager binary
+FROM registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.20-openshift-4.15 as builder
+WORKDIR /workspace
+
+# Run this with docker build --build_arg goproxy=$(go env GOPROXY) to override the goproxy
+ARG goproxy=https://proxy.golang.org
+ENV GOPROXY=$goproxy
+
+# Copy the sources
+COPY ./ ./
+
+# Build
+ARG ARCH
+ARG ldflags
+
+WORKDIR /workspace/openshift
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
+    go build -ldflags "${ldflags} -extldflags '-static'" \
+    -o ../infracluster-controller cmd/manager.go
+
+WORKDIR /workspace
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
+    go build -ldflags "${ldflags} -extldflags '-static'" \
+    -o manager
+
+# Production image
+FROM registry.ci.openshift.org/ocp/4.15:base
+
+COPY --from=builder /workspace/manager .
+COPY --from=builder /workspace/infracluster-controller .
+COPY ./openshift/manifests ./manifests
+
+# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
+USER 65532
+ENTRYPOINT ["/manager"]
+
+LABEL io.openshift.release.operator true

Makefile

@@ -52,12 +52,7 @@ GOLANGCI_LINT := $(TOOLS_BIN_DIR)/golangci-lint
 KUSTOMIZE := $(TOOLS_BIN_DIR)/kustomize
 MOCKGEN := $(TOOLS_BIN_DIR)/mockgen
 RELEASE_NOTES := $(TOOLS_BIN_DIR)/release-notes
-
-# Setup-envtest
-SETUP_ENVTEST_VER := v0.0.0-20221201045826-d9912251cd81
-SETUP_ENVTEST_BIN := setup-envtest
-SETUP_ENVTEST := $(abspath $(TOOLS_BIN_DIR)/$(SETUP_ENVTEST_BIN)-$(SETUP_ENVTEST_VER))
-SETUP_ENVTEST_PKG := sigs.k8s.io/controller-runtime/tools/setup-envtest
+SETUP_ENVTEST := $(TOOLS_BIN_DIR)/setup-envtest
 
 # Kubebuilder
 export KUBEBUILDER_ENVTEST_KUBERNETES_VERSION ?= 1.25.0
@@ -135,15 +130,25 @@ endif
 $(ARTIFACTS):
 	mkdir -p $@
 
-ifeq ($(shell go env GOOS),darwin) # Use the darwin/amd64 binary until an arm64 version is available
-  KUBEBUILDER_ASSETS ?= $(shell $(SETUP_ENVTEST) use --use-env -p path --arch amd64 $(KUBEBUILDER_ENVTEST_KUBERNETES_VERSION))
-else
-  KUBEBUILDER_ASSETS ?= $(shell $(SETUP_ENVTEST) use --use-env -p path $(KUBEBUILDER_ENVTEST_KUBERNETES_VERSION))
+setup_envtest_extra_args=
+# Use the darwin/amd64 binary until an arm64 version is available
+ifeq ($(shell go env GOOS),darwin)
+	setup_envtest_extra_args += --arch amd64
+endif
+
+# By default setup-envtest will write to $XDG_DATA_HOME, or $HOME/.local/share
+# if that is not defined. Set KUBEBUILDER_ASSETS_DIR to override.
+ifdef KUBEBUILDER_ASSETS_DIR
+	setup_envtest_extra_args += --bin-dir $(KUBEBUILDER_ASSETS_DIR)
 endif
 
 .PHONY: test
 test: $(SETUP_ENVTEST) ## Run tests
-	KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test -v ./... $(TEST_ARGS)
+	set -xeuf -o pipefail; \
+	if [ -z "$(KUBEBUILDER_ASSETS)" ]; then \
+		KUBEBUILDER_ASSETS=`$(SETUP_ENVTEST) use --use-env -p path $(setup_envtest_extra_args) $(KUBEBUILDER_ENVTEST_KUBERNETES_VERSION)`; \
+	fi; \
+	KUBEBUILDER_ASSETS="$$KUBEBUILDER_ASSETS" go test -v ./... $(TEST_ARGS)
 
 E2E_TEMPLATES_DIR=test/e2e/data/infrastructure-openstack
 E2E_KUSTOMIZE_DIR=test/e2e/data/kustomize
@@ -225,12 +230,6 @@ managers:
 manager-openstack-infrastructure: ## Build manager binary.
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "${LDFLAGS} -extldflags '-static'" -o $(BIN_DIR)/manager .
 
-$(SETUP_ENVTEST): # Build setup-envtest from tools folder.
-	GOBIN=$(abspath $(TOOLS_BIN_DIR)) $(GO_INSTALL) $(SETUP_ENVTEST_PKG) $(SETUP_ENVTEST_BIN) $(SETUP_ENVTEST_VER)
-
-.PHONY: $(SETUP_ENVTEST_BIN)
-	$(SETUP_ENVTEST_BIN): $(SETUP_ENVTEST) ## Build a local copy of setup-envtest.
-
 ## --------------------------------------
 ##@ Linting
 ## --------------------------------------
@@ -517,6 +516,17 @@ verify-gen: generate
 		echo "generated files are out of date, run make generate"; exit 1; \
 	fi
 
+.PHONY: vendor verify-vendoring
+vendor:
+	go mod vendor
+	cd $(TOOLS_DIR); go mod vendor
+
+verify-vendoring: vendor
+	@if !(git diff --quiet HEAD); then \
+		git diff; \
+		echo "vendored files are out of date, run go mod vendor"; exit 1; \
+	fi
+
 .PHONY: compile-e2e
 compile-e2e: ## Test e2e compilation
 	go test -c -o /dev/null -tags=e2e ./test/e2e/suites/conformance

api/v1alpha5/conversion.go

@@ -433,3 +433,7 @@ func Convert_v1alpha5_OpenStackClusterStatus_To_v1alpha7_OpenStackClusterStatus(
 
 	return nil
 }
+
+func Convert_v1alpha7_OpenStackMachineSpec_To_v1alpha5_OpenStackMachineSpec(in *infrav1.OpenStackMachineSpec, out *OpenStackMachineSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha7_OpenStackMachineSpec_To_v1alpha5_OpenStackMachineSpec(in, out, s)
+}

api/v1alpha6/conversion.go

@@ -60,13 +60,12 @@ func restorev1alpha7MachineSpec(previous *infrav1.OpenStackMachineSpec, dst *inf
 	// PropagateUplinkStatus has been added in v1alpha7.
 	// We restore the whole Ports since they are anyway immutable.
 	dst.Ports = previous.Ports
+	dst.AdditionalBlockDevices = previous.AdditionalBlockDevices
 }
 
 func restorev1alpha7Bastion(previous **infrav1.Bastion, dst **infrav1.Bastion) {
-	// PropagateUplinkStatus has been added in v1alpha7.
-	// We restore the whole Ports since they are anyway immutable.
-	if *previous != nil && (*previous).Instance.Ports != nil && *dst != nil && (*dst).Instance.Ports != nil {
-		(*dst).Instance.Ports = (*previous).Instance.Ports
+	if *previous != nil && *dst != nil {
+		restorev1alpha7MachineSpec(&(*previous).Instance, &(*dst).Instance)
 	}
 }
 
@@ -646,3 +645,7 @@ func Convert_v1alpha6_OpenStackClusterStatus_To_v1alpha7_OpenStackClusterStatus(
 
 	return nil
 }
+
+func Convert_v1alpha7_OpenStackMachineSpec_To_v1alpha6_OpenStackMachineSpec(in *infrav1.OpenStackMachineSpec, out *OpenStackMachineSpec, s apiconversion.Scope) error {
+	return autoConvert_v1alpha7_OpenStackMachineSpec_To_v1alpha6_OpenStackMachineSpec(in, out, s)
+}

api/v1alpha7/openstackmachine_types.go

@@ -84,6 +84,12 @@ type OpenStackMachineSpec struct {
 	// The volume metadata to boot from
 	RootVolume *RootVolume `json:"rootVolume,omitempty"`
 
+	// AdditionalBlockDevices is a list of specifications for additional block devices to attach to the server instance
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	AdditionalBlockDevices []AdditionalBlockDevice `json:"additionalBlockDevices,omitempty"`
+
 	// The server group to assign the machine to
 	ServerGroupID string `json:"serverGroupID,omitempty"`
 

api/v1alpha7/openstackmachine_webhook.go

@@ -62,6 +62,14 @@ func (r *OpenStackMachine) ValidateCreate() (admission.Warnings, error) {
 		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "identityRef", "kind"), "must be a Secret"))
 	}
 
+	if r.Spec.RootVolume != nil && r.Spec.AdditionalBlockDevices != nil {
+		for _, device := range r.Spec.AdditionalBlockDevices {
+			if device.Name == "root" {
+				allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "additionalBlockDevices"), "cannot contain a device named \"root\" when rootVolume is set"))
+			}
+		}
+	}
+
 	return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
 

api/v1alpha7/types.go

@@ -163,6 +163,69 @@ type RootVolume struct {
 	AvailabilityZone string `json:"availabilityZone,omitempty"`
 }
 
+// BlockDeviceStorage is the storage type of a block device to create and
+// contains additional storage options.
+// +union
+//
+//nolint:godot
+type BlockDeviceStorage struct {
+	// Type is the type of block device to create.
+	// This can be either "Volume" or "Local".
+	// +unionDiscriminator
+	Type BlockDeviceType `json:"type"`
+
+	// Volume contains additional storage options for a volume block device.
+	// +optional
+	// +unionMember,optional
+	Volume *BlockDeviceVolume `json:"volume,omitempty"`
+}
+
+// BlockDeviceVolume contains additional storage options for a volume block device.
+type BlockDeviceVolume struct {
+	// Type is the Cinder volume type of the volume.
+	// If omitted, the default Cinder volume type that is configured in the OpenStack cloud
+	// will be used.
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// AvailabilityZone is the volume availability zone to create the volume in.
+	// If omitted, the availability zone of the server will be used.
+	// The availability zone must NOT contain spaces otherwise it will lead to volume that belongs
+	// to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for
+	// further information.
+	// +optional
+	AvailabilityZone string `json:"availabilityZone,omitempty"`
+}
+
+// AdditionalBlockDevice is a block device to attach to the server.
+type AdditionalBlockDevice struct {
+	// Name of the block device in the context of a machine.
+	// If the block device is a volume, the Cinder volume will be named
+	// as a combination of the machine name and this name.
+	// Also, this name will be used for tagging the block device.
+	// Information about the block device tag can be obtained from the OpenStack
+	// metadata API or the config drive.
+	Name string `json:"name"`
+
+	// SizeGiB is the size of the block device in gibibytes (GiB).
+	SizeGiB int `json:"sizeGiB"`
+
+	// Storage specifies the storage type of the block device and
+	// additional storage options.
+	Storage BlockDeviceStorage `json:"storage"`
+}
+
+// BlockDeviceType defines the type of block device to create.
+type BlockDeviceType string
+
+const (
+	// LocalBlockDevice is an ephemeral block device attached to the server.
+	LocalBlockDevice BlockDeviceType = "Local"
+
+	// VolumeBlockDevice is a volume block device attached to the server.
+	VolumeBlockDevice BlockDeviceType = "Volume"
+)
+
 // NetworkStatus contains basic information about an existing neutron network.
 type NetworkStatus struct {
 	Name string `json:"name"`