⚠️ Allow specifying a different credentials per VSphereMachine #1743
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Hi @farodin91. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/L
farodin91
force-pushed
the
allow-other-identity-in-vmmachine
branch
from
d6a85fc to
6070f30
Compare
farodin91
changed the title
farodin91
force-pushed
the
allow-other-identity-in-vmmachine
branch
from
6070f30 to
0567931
Compare
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
farodin91
force-pushed
the
allow-other-identity-in-vmmachine
branch
from
0567931 to
95ee4af
Compare
k8s-ci-robot
added
the
needs-rebase
|
|
k8s-ci-robot
added
size/XXL
k8s-ci-robot
added
size/L
farodin91
force-pushed
the
allow-other-identity-in-vmmachine
branch
from
95ee4af to
db9d2d7
Compare
k8s-ci-robot
added
needs-rebase
k8s-ci-robot
added
size/L
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
|
We discussed this in the call of 2023/07/23:
|
Signed-off-by: Jan Jansen <[email protected]>
farodin91
force-pushed
the
allow-other-identity-in-vmmachine
branch
from
67b9c07 to
148ce73
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@randomvariable I started to write a documentation. I added a link to external documentation for csi and cpi, do you think this is enough? How should i mark this a breaking change? |
|
/retitle (warning because of the security impact) |
k8s-ci-robot
changed the title
|
@randomvariable Should i add this to commit message? |
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
Any updates on this PR? This is something very useful when your infrastructure has multiple vcenters and you constantly needs to migrate machines from one to another.. In this scenario, this PR is essential to adopt the CAPI. Thanks |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
Hi, any updates on this PR? |
| @@ -204,6 +204,11 @@ type VirtualMachineCloneSpec struct { | |||
| // Check the compatibility with the ESXi version before setting the value. | |||
| // +optional | |||
| HardwareVersion string `json:"hardwareVersion,omitempty"` | |||
|
|
|||
| // IdentityRef is a reference to either a Secret or VSphereClusterIdentity that contains | |||
| // the identity to use when reconciling the virtual machine. | |||
There was a problem hiding this comment.
Should we also add information about the fallback here?
| @@ -0,0 +1,39 @@ | |||
| # Multi VCenter support | |||
|
|
|||
| Cluster API Provider vSphere (CAPV) supports multiple VCenter for a single. Therefore CAPV is allowing to define the used identity for each machine. CAPV will check on every Machine first, if there is a local identity otherwise it fallback on the default selection method. | |||
There was a problem hiding this comment.
| Cluster API Provider vSphere (CAPV) supports multiple VCenter for a single. Therefore CAPV is allowing to define the used identity for each machine. CAPV will check on every Machine first, if there is a local identity otherwise it fallback on the default selection method. | |
| Cluster API Provider vSphere (CAPV) supports multiple vCenter for a single cluster. Therefore CAPV allows to define the used identity for each machine. CAPV will check on every Machine first, if there is a local identity otherwise it fallback on the default selection method. |
There was a problem hiding this comment.
Also what does the first sentence mean?
Cluster API Provider vSphere (CAPV) supports multiple VCenter for a single.
| server: vcenter | ||
| identityRef: |
There was a problem hiding this comment.
| server: vcenter | |
| identityRef: | |
| server: vcenter | |
| identityRef: |
| r.Logger.Info("VSphereCluster couldn't be retrieved") | ||
| return session.GetOrCreate(r.Context, | ||
| params) | ||
| if vsphereVM.Spec.IdentityRef != nil { |
There was a problem hiding this comment.
Could we document the behaviour at the (not existing) function godoc?
| @@ -236,19 +236,19 @@ var _ = Describe("validateInputs", func() { | |||
|
|
|||
| Context("If the client is missing", func() { | |||
| It("should error if client is missing", func() { | |||
| Expect(validateInputs(nil, cluster)).NotTo(Succeed()) | |||
There was a problem hiding this comment.
would need test cases for the new behavior
| @@ -1687,5 +1687,6 @@ func autoConvert_v1beta1_VirtualMachineCloneSpec_To_v1alpha3_VirtualMachineClone | |||
| // WARNING: in.PciDevices requires manual conversion: does not exist in peer-type | |||
| // WARNING: in.OS requires manual conversion: does not exist in peer-type | |||
| // WARNING: in.HardwareVersion requires manual conversion: does not exist in peer-type | |||
| // WARNING: in.IdentityRef requires manual conversion: does not exist in peer-type | |||
There was a problem hiding this comment.
v1alpha3 is gone on main (similar v1alpha4?)
|
|
||
| Cluster API Provider vSphere (CAPV) supports multiple VCenter for a single. Therefore CAPV is allowing to define the used identity for each machine. CAPV will check on every Machine first, if there is a local identity otherwise it fallback on the default selection method. | ||
|
|
||
| In order to run a CAPV cluster in multiple VCenter, you have to configure CPI & CSI to support multi VCenter, see [guide](https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/3.0/vmware-vsphere-csp-getting-started/GUID-8B3B9004-DE37-4E6B-9AA1-234CDA1BD7F9.html). Trivia, `VSphereCluster` can be only in single VCenter. This will just used as a fallback, if you haven't configured a different identity for a `VSphereMachine``. |
There was a problem hiding this comment.
This only links csi, are there also instructions for CPI?
| @@ -108,15 +107,21 @@ func GetCredentials(ctx context.Context, c client.Client, cluster *infrav1.VSphe | |||
| return credentials, nil | |||
| } | |||
|
|
|||
| func validateInputs(c client.Client, cluster *infrav1.VSphereCluster) error { | |||
| func GetCredentials(ctx context.Context, c client.Client, cluster *infrav1.VSphereCluster, controllerNamespace string) (*Credentials, error) { | |||
| @@ -0,0 +1,39 @@ | |||
| # Multi VCenter support | |||
There was a problem hiding this comment.
Is most of this better suited to Also should ahve some explanation how it works in https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/blob/main/docs/identity_management.md ?
| return session.GetOrCreate(r.Context, | ||
| params) | ||
| if vsphereVM.Spec.IdentityRef != nil { | ||
| creds, err := identity.GetCredentialsWithExternalIdentity(ctx, r.Client, vsphereCluster, vsphereVM.Spec.IdentityRef, r.Namespace) |
There was a problem hiding this comment.
Wouldn't this get overwritten below in l 578 when there is a definition on the cluster level already?
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
Do we have any estimate of when this change might be released? |
|
I'm not actively working on this PR so I cannot give any estimate. |
|
@chrischdi @guilhermevillote If someone like to take over i'm fine. I don't have time at moment to fix it. |
Thanks @farodin91 ! /help |
|
/close Let's revive if someone has time & interest again |
|
@sbueringer: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@sbueringer I would be interested in re-opening and working on this PR. |
What this PR does / why we need it:
Allow multiple vcenter in a single cluster
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #1720
Special notes for your reviewer:
Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.
I will try to test it.
Release note: