EKS-A Nutanix Provider Action Items

[abhinavmpandey08]

These are some of the action items that came up from bugbash. These items are roughly in the order by priority

• Support auto-generating SSH keys when sshAuthorizedKeys field is not set or is empty
• Update CAPX in build-tooling to support additionalTrustBundle
• Update EKS-A to pass additionalTrustBundle to CAPX
• Propagate UUID to CAPX if provided
• Rename Nutanix credentials env vars from NUTANIX_USER to EKSA_NUTANIX_USERNAME and NUTANIX_PASSWORD to EKSA_NUTANIX_PASSWORD to be consistent with other EKS Anywhere providers
• Add preflight to validate connection to NutanixDatacenterConfig's endpoint:port using something similar to this

  eks-anywhere/pkg/executables/govc.go

  Lines 598 to 604 in 2a03ef2

  	skipVerifyTransport := http.DefaultTransport.(*http.Transport).Clone()
  	skipVerifyTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
  	client := &http.Client{Transport: skipVerifyTransport}
  	if _, err := client.Get("https://" + server); err != nil {
  	return fmt.Errorf("failed to reach server %s: %v", server, err)
  	}

• Add preflight to validate Nutanix credentials before validating subnets and images
• Add preflight to validate NutanixDatacenterConfig.endpoint is a valid endpoint
• Add preflight to validate NutanixDatacenterConfig.port is a valid port
• Add preflight to validate NutanixDatacenterConfig.additionalTrustBundle, if provided, is a valid PEM encoded cert
• Add preflight to validate NutanixMachineConfig's memorySize, systemDiskSize, vcpuSockets and vcpusPerSocket
• Separate out validation errors for cluster/subnet/image instead of wrapping them https://github.com/aws/eks-anywhere/blob/main/pkg/providers/nutanix/validator.go#L45-L55
• In the NutanixDatacenterConfig object, include the additionalTrustBundle by default in the generated cluster config
• In the NutanixDatacenterConfig object, change the default port to something else since 0 is not a valid port. Maybe set it to the default Prism Central port 9440?
• In the NutanixMachineConfig object, don't include uuid: null by default in the generated cluster config

[deepakm-ntnx]

/assign @thunderboltsid

[thunderboltsid]

TLS Skip verification is handled using the insecure parameter in the nutanix client #4171. We won't blanket skip verification. Only when it is actually requested by specifying the 'insecure' parameter in the dc config.

[deepakm-ntnx]

/assign @thunderboltsid

[thunderboltsid]

Added the pre-flight checks in #4215

[deepakm-ntnx]

for items

• In the NutanixDatacenterConfig object, change the default port to something else since 0 is not a valid port. Maybe set it to the default Prism Central port 9440?
• In the NutanixMachineConfig object, don't include uuid: null by default in the generated cluster config

#4197

[deepakm-ntnx]

Pending tasks from above list:
-[]  Support auto-generating SSH keys when sshAuthorizedKeys field is not set or is empty
-[] Rename Nutanix credentials env vars from NUTANIX_USER to EKSA_NUTANIX_USERNAME and NUTANIX_PASSWORD to EKSA_NUTANIX_PASSWORD to be consistent with other EKS Anywhere providers
-[]  In the NutanixDatacenterConfig object, include the additionalTrustBundle by default in the generated cluster config

[deepakm-ntnx]

• ssh key gen Generate ssh key for Nutanix if user has not provided #4297
• passing additionalTrustBundle to capx now passing additionalTrustBundle to capx #4321
• Rename Nutanix credentials env vars from NUTANIX_USER to EKSA_NUTANIX_USERNAME and NUTANIX_PASSWORD to EKSA_NUTANIX_PASSWORD to be consistent with other EKS Anywhere providers now test has to define EKSA_NUTANIX_USERNAME and EKSA_NUTANIX_PASSWORD #4303

we decided not to do following since we dont want to encourage it and want users to use valid certs as following is a 2nd option.
-[] In the NutanixDatacenterConfig object, include the additionalTrustBundle by default in the generated cluster config