IBMCloud post cluster creation service endpoint override support #1712
i think this mostly makes sense to me, i just have some clarifying questions.
|
||
### User Stories | ||
|
||
* As an OpenShift cluster administrator, I want to update my cluster's current service endpoint configuration to point to new service endpoints. |
i'd like to see this expanded a little, what happens if the new service endpoints are not used, or why we do need them?
eg
"As an OpenShift cluster administrator, I want to update my cluster's current service endpoint configuration to point to new service endpoints so that "
fixed
|
||
* Expand API definition to support defining services + endpoints within cloud provider spec for IBM | ||
* Modify CCCMO so that changes are reconciled from infrastructure spec to status for IBM cloud provider and cloud config | ||
* Evaluate IBM components with service endpoint support and how they will react/respond to post-install service endpoint changes. |
is this just evaluation or will changes need to be made based on the results of the evaluation?
I removed this section; it was more of a reminder to ourselves (IBM) of our testing process to ensure components we owned processed the change, but it doesn't seem like a relevant section of this enhancement since it exists on our side of the fence.
} | ||
``` | ||
|
||
### Topology Considerations |
do we ever need to consider a proxy scenario?
We don't anticipate/wish to support such a scenario
What would happen if someone had clusterwideproxy configured?
**cccmo** is an operator responsible for watching updates to the infrastructure object and perforning updates once any value(s) are set. | ||
|
||
1. The cccmo reconciliation loop observes that the IBMCloudPlatform spec within the infrastructure object has been set, | ||
2. The cccmo validates the endpoints and then updates the IBMCloudPlatformStatus and cloud config. |
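Review bot: step 2 says the cccmo validates the endpoints and then updates the IBMCloudPlatformStatus and cloud config, but it gives no failure path. State what happens when an endpoint fails validation: whether status and cloud config keep their previous values, and how the rejection is reported to the administrator. Two smaller points: step 1 ends in a comma rather than a full stop, and "perforning" in the cccmo description should be "performing".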
is there anything special about the validation process?
Validation involves ensuring the provided endpoint is a valid URL using https for traffic, follows a particular pattern we expect for endpoints to follow, i.e. `/api/v1` or `/v1`, which are IBM standard, and whether the hostname exists and can be reached.
Does this need to be done by CCMO or can it be done at admission time using something like CEL validations?
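The validation described in this thread, split into the checks that need no network (and so could run at admission) and the reachability check that needs a controller, as an added Go example that is not code from this PR or from CCCMO. `Resolver`, `ValidateStatic` and `Validate` are hypothetical names; exact matching on `/v1` or `/api/v1` and the rejection of embedded credentials, query and fragment are assumptions, and the hostnames are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Resolver reports whether a hostname resolves; injected so tests need no DNS (hypothetical type).
type Resolver func(host string) bool

// ValidateStatic runs the checks that need no network access and could
// therefore be enforced at admission time (assumed rule set, see lead-in).
func ValidateStatic(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("not a URL: %w", err)
	}
	if u.Scheme != "https" || u.Hostname() == "" {
		return nil, errors.New("must be an absolute https URL with a host")
	}
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return nil, errors.New("credentials, query and fragment are not allowed")
	}
	p := strings.TrimSuffix(u.Path, "/")
	if p != "/v1" && p != "/api/v1" {
		return nil, errors.New("path must be /v1 or /api/v1")
	}
	return u, nil
}

// Validate adds the reachability step, which depends on live state and belongs in the controller.
func Validate(raw string, resolves Resolver) error {
	u, err := ValidateStatic(raw)
	if err != nil {
		return err
	}
	if !resolves(u.Hostname()) {
		return fmt.Errorf("host %q does not resolve", u.Hostname())
	}
	return nil
}

func main() {
	// Constructed sample values; the stub resolver stands in for a DNS lookup.
	stub := func(h string) bool { return h == "iam.example.test" }
	fmt.Println(Validate("https://iam.example.test/v1", stub), Validate("http://iam.example.test/v1", stub))
}
```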
// serviceEndpoints is a list of custom endpoints which will override the default | ||
// service endpoints of an IBM Cloud service. These endpoints are consumed by | ||
// components within the cluster to reach the respective IBM Cloud Services. |
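Review bot: the comment on serviceEndpoints says the list overrides the default service endpoints and is consumed by "components within the cluster", but these lines do not say what constraints an entry must meet or what applies to a service that has no entry. Suggest stating both in the field comment so the generated API documentation carries them.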
We need to explain what happens here when there is a change to this, how are values reconciled with status etc
|
||
### Risks and Mitigations | ||
|
||
Users may cause service interruptions for their cluster should they define invalid overrides. This is mitigated by performing validation on the endpoint as there requirements are understood at time of implementation for IBM Cloud. |
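Review bot: the mitigation rests on "performing validation on the endpoint" without saying which checks run or how an administrator recovers when an override passes validation and still interrupts service. Name the checks in this section and add the recovery step. Also, "as there requirements" should read "as their requirements".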
I'd like to see how much of this can be done at API time, vs controller time. Earlier validation is better generally
Jira https://issues.redhat.com/browse/OCPCLOUD-2694