From a47abed649db25992765743b88123a3ba5189355 Mon Sep 17 00:00:00 2001 From: Dharaneeshwaran Ravichandran Date: Mon, 13 Jun 2022 18:41:25 +0530 Subject: [PATCH] Add PowerVS Ingress Operator Changes --- api/fixtures/example.go | 3 ++ api/fixtures/example_ibmcloud_powervs.go | 5 +++ api/v1alpha1/hostedcluster_types.go | 13 +++++++ api/v1alpha1/zz_generated.deepcopy.go | 1 + cmd/cluster/powervs/create.go | 1 + ...ypershift.openshift.io_hostedclusters.yaml | 18 ++++++++++ ...hift.openshift.io_hostedcontrolplanes.yaml | 18 ++++++++++ .../controllers/resources/resources.go | 31 ++++++++++++++++ docs/content/reference/api.md | 26 ++++++++++++++ hack/app-sre/saas_template.yaml | 36 +++++++++++++++++++ .../internal/platform/powervs/powervs.go | 36 +++++++++++++++++++ support/globalconfig/infrastructure.go | 5 +-- 12 files changed, 191 insertions(+), 2 deletions(-) diff --git a/api/fixtures/example.go b/api/fixtures/example.go index ca0cda1a70..1f8cbb1e07 100644 --- a/api/fixtures/example.go +++ b/api/fixtures/example.go @@ -438,6 +438,7 @@ web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token buildIBMCloudCreds(o.Name+"-cloud-ctrl-creds", o.PowerVS.ApiKey), buildIBMCloudCreds(o.Name+"-node-mgmt-creds", o.PowerVS.ApiKey), buildIBMCloudCreds(o.Name+"-cpo-creds", o.PowerVS.ApiKey), + buildIBMCloudCreds(o.Name+"-ingress-creds", o.PowerVS.ApiKey), } resources = powerVSResources.AsObjects() platformSpec = hyperv1.PlatformSpec{ @@ -447,6 +448,7 @@ web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token ResourceGroup: o.PowerVS.ResourceGroup, Region: o.PowerVS.Region, Zone: o.PowerVS.Zone, + CISInstanceCRN: o.PowerVS.CISInstanceCRN, ServiceInstanceID: o.PowerVS.CloudInstanceID, Subnet: &hyperv1.PowerVSResourceReference{ Name: &o.PowerVS.Subnet, @@ -460,6 +462,7 @@ web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token KubeCloudControllerCreds: corev1.LocalObjectReference{Name: powerVSResources.KubeCloudControllerCreds.Name}, NodePoolManagementCreds: corev1.LocalObjectReference{Name: powerVSResources.NodePoolManagementCreds.Name}, ControlPlaneOperatorCreds: corev1.LocalObjectReference{Name: powerVSResources.ControlPlaneOperatorCreds.Name}, + IngressOperatorCloudCreds: corev1.LocalObjectReference{Name: powerVSResources.IngressOperatorCloudCreds.Name}, }, } services = getIngressServicePublishingStrategyMapping(o.NetworkType) diff --git a/api/fixtures/example_ibmcloud_powervs.go b/api/fixtures/example_ibmcloud_powervs.go index 2694d41450..9f8aa49180 100644 --- a/api/fixtures/example_ibmcloud_powervs.go +++ b/api/fixtures/example_ibmcloud_powervs.go @@ -11,6 +11,7 @@ type ExamplePowerVSOptions struct { ResourceGroup string Region string Zone string + CISInstanceCRN string CloudInstanceID string Subnet string SubnetID string @@ -30,6 +31,7 @@ type ExamplePowerVSResources struct { KubeCloudControllerCreds *corev1.Secret NodePoolManagementCreds *corev1.Secret ControlPlaneOperatorCreds *corev1.Secret + IngressOperatorCloudCreds *corev1.Secret } func (o *ExamplePowerVSResources) AsObjects() []crclient.Object { @@ -43,5 +45,8 @@ func (o *ExamplePowerVSResources) AsObjects() []crclient.Object { if o.ControlPlaneOperatorCreds != nil { objects = append(objects, o.ControlPlaneOperatorCreds) } + if o.IngressOperatorCloudCreds != nil { + objects = append(objects, o.IngressOperatorCloudCreds) + } return objects } diff --git a/api/v1alpha1/hostedcluster_types.go b/api/v1alpha1/hostedcluster_types.go index 5f6585c365..349e91655f 100644 --- a/api/v1alpha1/hostedcluster_types.go +++ b/api/v1alpha1/hostedcluster_types.go @@ -590,6 +590,13 @@ type PowerVSPlatformSpec struct { // +immutable AccountID string `json:"accountID"` + // CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name + // This field is immutable. Once set, It can't be changed. + // + // +kubebuilder:validation:Pattern=`^crn:` + // +immutable + CISInstanceCRN string `json:"cisInstanceCRN"` + // ResourceGroup is the IBMCloud Resource Group in which the cluster resides. // This field is immutable. Once set, It can't be changed. // @@ -663,6 +670,12 @@ type PowerVSPlatformSpec struct { // // +immutable ControlPlaneOperatorCreds corev1.LocalObjectReference `json:"controlPlaneOperatorCreds"` + + // IngressOperatorCloudCreds is a reference to a secret containing ibm cloud + // credentials for ingress operator to get authenticated with ibm cloud. + // + // +immutable + IngressOperatorCloudCreds corev1.LocalObjectReference `json:"ingressOperatorCloudCreds"` } // PowerVSVPC specifies IBM Cloud PowerVS LoadBalancer configuration for the control diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 8a9b53c984..06c97a30b1 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -1777,6 +1777,7 @@ func (in *PowerVSPlatformSpec) DeepCopyInto(out *PowerVSPlatformSpec) { out.KubeCloudControllerCreds = in.KubeCloudControllerCreds out.NodePoolManagementCreds = in.NodePoolManagementCreds out.ControlPlaneOperatorCreds = in.ControlPlaneOperatorCreds + out.IngressOperatorCloudCreds = in.IngressOperatorCloudCreds } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PowerVSPlatformSpec. diff --git a/cmd/cluster/powervs/create.go b/cmd/cluster/powervs/create.go index 414981a2e6..08a3bf03d0 100644 --- a/cmd/cluster/powervs/create.go +++ b/cmd/cluster/powervs/create.go @@ -157,6 +157,7 @@ func applyPlatformSpecificsValues(ctx context.Context, exampleOptions *apifixtur ResourceGroup: opts.PowerVSPlatform.ResourceGroup, Region: opts.PowerVSPlatform.Region, Zone: opts.PowerVSPlatform.Zone, + CISInstanceCRN: infra.CisCrn, CloudInstanceID: infra.PowerVSCloudInstanceID, Subnet: infra.PowerVSDhcpSubnet, SubnetID: infra.PowerVSDhcpSubnetID, diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml index f5fd43c9e0..25502788e7 100644 --- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml +++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedclusters.yaml @@ -2339,6 +2339,12 @@ spec: description: AccountID is the IBMCloud account id. This field is immutable. Once set, It can't be changed. type: string + cisInstanceCRN: + description: CISInstanceCRN is the IBMCloud CIS Service Instance's + Cloud Resource Name This field is immutable. Once set, It + can't be changed. + pattern: '^crn:' + type: string controlPlaneOperatorCreds: description: "ControlPlaneOperatorCreds is a reference to a secret containing cloud credentials with permissions matching @@ -2351,6 +2357,16 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object + ingressOperatorCloudCreds: + description: IngressOperatorCloudCreds is a reference to a + secret containing ibm cloud credentials for ingress operator + to get authenticated with ibm cloud. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object kubeCloudControllerCreds: description: "KubeCloudControllerCreds is a reference to a secret containing cloud credentials with permissions matching @@ -2446,7 +2462,9 @@ spec: type: string required: - accountID + - cisInstanceCRN - controlPlaneOperatorCreds + - ingressOperatorCloudCreds - kubeCloudControllerCreds - nodePoolManagementCreds - region diff --git a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml index 97c74af3c2..2a48c3d0d4 100644 --- a/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml +++ b/cmd/install/assets/hypershift-operator/hypershift.openshift.io_hostedcontrolplanes.yaml @@ -2247,6 +2247,12 @@ spec: description: AccountID is the IBMCloud account id. This field is immutable. Once set, It can't be changed. type: string + cisInstanceCRN: + description: CISInstanceCRN is the IBMCloud CIS Service Instance's + Cloud Resource Name This field is immutable. Once set, It + can't be changed. + pattern: '^crn:' + type: string controlPlaneOperatorCreds: description: "ControlPlaneOperatorCreds is a reference to a secret containing cloud credentials with permissions matching @@ -2259,6 +2265,16 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object + ingressOperatorCloudCreds: + description: IngressOperatorCloudCreds is a reference to a + secret containing ibm cloud credentials for ingress operator + to get authenticated with ibm cloud. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object kubeCloudControllerCreds: description: "KubeCloudControllerCreds is a reference to a secret containing cloud credentials with permissions matching @@ -2354,7 +2370,9 @@ spec: type: string required: - accountID + - cisInstanceCRN - controlPlaneOperatorCreds + - ingressOperatorCloudCreds - kubeCloudControllerCreds - nodePoolManagementCreds - region diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go index 2030a33aa4..1d0e091bf2 100644 --- a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go +++ b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go @@ -876,6 +876,37 @@ func (r *reconciler) reconcileCloudCredentialSecrets(ctx context.Context, hcp *h }); err != nil { errs = append(errs, fmt.Errorf("failed to reconcile csi driver secret: %w", err)) } + case hyperv1.PowerVSPlatform: + var ingressCredentials corev1.Secret + err := r.cpClient.Get(ctx, client.ObjectKey{Namespace: hcp.Namespace, Name: hcp.Spec.Platform.PowerVS.IngressOperatorCloudCreds.Name}, &ingressCredentials) + if err != nil { + errs = append(errs, fmt.Errorf("failed to get ingress operator cloud credentials secret %s from hcp namespace : %w", hcp.Spec.Platform.PowerVS.IngressOperatorCloudCreds.Name, err)) + return errs + } + + cloudCredentials := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "openshift-ingress-operator", + Name: "cloud-credentials", + }, + } + + _, err = r.CreateOrUpdate(ctx, r.client, cloudCredentials, func() error { + credData, credHasData := ingressCredentials.Data["ibmcloud_api_key"] + if !credHasData { + return fmt.Errorf("ingress cloud credentials secret %q is missing credentials key", ingressCredentials.Name) + } + cloudCredentials.Type = corev1.SecretTypeOpaque + if cloudCredentials.Data == nil { + cloudCredentials.Data = map[string][]byte{} + } + cloudCredentials.Data["ibmcloud_api_key"] = credData + return nil + }) + + if err != nil { + errs = append(errs, fmt.Errorf("failed to reconcile powervs cloud credentials secret %w", err)) + } } return errs } diff --git a/docs/content/reference/api.md b/docs/content/reference/api.md index e70c57ca27..98f4e8d8b6 100644 --- a/docs/content/reference/api.md +++ b/docs/content/reference/api.md @@ -5467,6 +5467,18 @@ This field is immutable. Once set, It can’t be changed.

+cisInstanceCRN
+ +string + + + +

CISInstanceCRN is the IBMCloud CIS Service Instance’s Cloud Resource Name +This field is immutable. Once set, It can’t be changed.

+ + + + resourceGroup
string @@ -5598,6 +5610,20 @@ This field is immutable. Once set, It can’t be changed.

TODO(dan): document the “control plane operator policy”

+ + +ingressOperatorCloudCreds
+ + +Kubernetes core/v1.LocalObjectReference + + + + +

IngressOperatorCloudCreds is a reference to a secret containing ibm cloud +credentials for ingress operator to get authenticated with ibm cloud.

+ + ###PowerVSResourceReference { #hypershift.openshift.io/v1alpha1.PowerVSResourceReference } diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml index fb593338d9..a428f010dc 100644 --- a/hack/app-sre/saas_template.yaml +++ b/hack/app-sre/saas_template.yaml @@ -22335,6 +22335,12 @@ objects: description: AccountID is the IBMCloud account id. This field is immutable. Once set, It can't be changed. type: string + cisInstanceCRN: + description: CISInstanceCRN is the IBMCloud CIS Service + Instance's Cloud Resource Name This field is immutable. + Once set, It can't be changed. + pattern: '^crn:' + type: string controlPlaneOperatorCreds: description: "ControlPlaneOperatorCreds is a reference to a secret containing cloud credentials with permissions @@ -22347,6 +22353,16 @@ objects: TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object + ingressOperatorCloudCreds: + description: IngressOperatorCloudCreds is a reference to + a secret containing ibm cloud credentials for ingress + operator to get authenticated with ibm cloud. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object kubeCloudControllerCreds: description: "KubeCloudControllerCreds is a reference to a secret containing cloud credentials with permissions @@ -22442,7 +22458,9 @@ objects: type: string required: - accountID + - cisInstanceCRN - controlPlaneOperatorCreds + - ingressOperatorCloudCreds - kubeCloudControllerCreds - nodePoolManagementCreds - region @@ -25316,6 +25334,12 @@ objects: description: AccountID is the IBMCloud account id. This field is immutable. Once set, It can't be changed. type: string + cisInstanceCRN: + description: CISInstanceCRN is the IBMCloud CIS Service + Instance's Cloud Resource Name This field is immutable. + Once set, It can't be changed. + pattern: '^crn:' + type: string controlPlaneOperatorCreds: description: "ControlPlaneOperatorCreds is a reference to a secret containing cloud credentials with permissions @@ -25328,6 +25352,16 @@ objects: TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object + ingressOperatorCloudCreds: + description: IngressOperatorCloudCreds is a reference to + a secret containing ibm cloud credentials for ingress + operator to get authenticated with ibm cloud. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object kubeCloudControllerCreds: description: "KubeCloudControllerCreds is a reference to a secret containing cloud credentials with permissions @@ -25423,7 +25457,9 @@ objects: type: string required: - accountID + - cisInstanceCRN - controlPlaneOperatorCreds + - ingressOperatorCloudCreds - kubeCloudControllerCreds - nodePoolManagementCreds - region diff --git a/hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go b/hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go index e7e6e529ee..57087623d4 100644 --- a/hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go +++ b/hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go @@ -262,6 +262,42 @@ func (p PowerVS) ReconcileCredentials(ctx context.Context, c client.Client, crea if err != nil { return fmt.Errorf("failed to reconcile control plane operator provider creds: %w", err) } + + // Reconcile the platform provider ingress operator credentials secret by + // resolving the reference from the HostedCluster and syncing the secret in + // the control plane namespace. + err = c.Get(ctx, client.ObjectKey{Namespace: hcluster.GetNamespace(), Name: hcluster.Spec.Platform.PowerVS.IngressOperatorCloudCreds.Name}, &src) + if err != nil { + return fmt.Errorf("failed to get ingress operator provider creds %s: %w", hcluster.Spec.Platform.PowerVS.IngressOperatorCloudCreds.Name, err) + } + dest = &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: controlPlaneNamespace, + Name: src.Name, + }, + } + _, err = createOrUpdate(ctx, c, dest, func() error { + apiKeySrcData, apiKeySrcHasData := src.Data["ibmcloud_api_key"] + if !apiKeySrcHasData { + return fmt.Errorf("hostedcluster ingress operator credentials secret %q must have a credentials key ibmcloud_api_key", src.Name) + } + dest.Type = corev1.SecretTypeOpaque + if dest.Data == nil { + dest.Data = map[string][]byte{} + } + dest.Data["ibmcloud_api_key"] = apiKeySrcData + + envSrcData, envSrcHasData := src.Data["ibm-credentials.env"] + if !envSrcHasData { + return fmt.Errorf("hostedcluster ingress operator credentials secret %q must have a credentials key ibm-credentials.env", src.Name) + } + dest.Data["ibm-credentials.env"] = envSrcData + + return nil + }) + if err != nil { + return fmt.Errorf("failed to reconcile ingress operator provider creds: %w", err) + } return nil } diff --git a/support/globalconfig/infrastructure.go b/support/globalconfig/infrastructure.go index b6b31541cd..3052690507 100644 --- a/support/globalconfig/infrastructure.go +++ b/support/globalconfig/infrastructure.go @@ -71,8 +71,9 @@ func ReconcileInfrastructure(infra *configv1.Infrastructure, hcp *hyperv1.Hosted } case hyperv1.PowerVSPlatform: infra.Status.PlatformStatus.PowerVS = &configv1.PowerVSPlatformStatus{ - Region: hcp.Spec.Platform.PowerVS.Region, - Zone: hcp.Spec.Platform.PowerVS.Zone, + Region: hcp.Spec.Platform.PowerVS.Region, + Zone: hcp.Spec.Platform.PowerVS.Zone, + CISInstanceCRN: hcp.Spec.Platform.PowerVS.CISInstanceCRN, } } }