Adds platform-specific specs to Infrastructure in config.openshift.io #231
Conversation
openshift-ci-robot
added
the
size/M
|
/assign @jwforres |
fabianofranz
force-pushed
the
add-infra-id-to-infrastructure
branch
from
771331c
to
2665158
Compare
|
Comments addressed, @abhinavdahiya @wking @smarterclayton PTAL? |
fabianofranz
force-pushed
the
add-infra-id-to-infrastructure
branch
from
2665158
to
5a515e7
Compare
|
/approve |
| // infrastructureName uniquely identifies a cluster with a human friendly name. | ||
| // Once set it should not be changed. Must be of max length 27 and must have only | ||
| // alphanumeric or hyphen characters. | ||
| InfrastructureName string `json:"infrastructureName"` |
There was a problem hiding this comment.
nit: InfrastructureID because it is an identifier. but looks like @smarterclayton wanted it this way so feel free to keep it as-is
There was a problem hiding this comment.
I'm good with either InfrastructureID or InfrastructureName. To me the difference sound more like in terms of uniqueness (an unique IDentifier) than about the content and readability. So in that sense I'd have it as InfrastructureID. But Name seems to be compliant with similar use cases in the API, e.g. the GroupName.
There was a problem hiding this comment.
Name in our API is a unique in space (but not time) identifier. Names are things that refer to entities in other systems. UID is reserved for unique in time and space things we generate ourselves. If you can set it, it's not a UID, because someone else could set it to the same value.
There was a problem hiding this comment.
Name in our API is a unique in space (but not time) identifier. Names are things that refer to entities in other systems. UID is reserved for unique in time and space things we generate ourselves. If you can set it, it's not a UID, because someone else could set it to the same value.
I'm going to pin this comment in my bookmarks :)
|
can we have a follow-on pr that ensures we write a validation that these status fields are not mutable once set by the installer? we could loosen that further if they are observable at a later time. https://github.com/openshift/origin/tree/master/pkg/admission/customresourcevalidation |
|
in upi install mode, who sets these values? |
|
/assign |
@wking ideas? |
The installer will generate these values for anyone who wants them. In the UPI mode where the user runs the installer to generate an Ignition config for the bootstrap machine, that Ignition config will contain a manifest for this object, as well as all the other usual manifests. In the UPI mode where the user manually configures their own bootstrap machine, it's going to be up to them to set up the manifests (although they could still have the installer generate them and just, for example, extract them from the Ignition config without actually using Ignition). |
|
/approve |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: abhinavdahiya, fabianofranz, wking If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@derekwaynecarr for approval. |
| // AWSPlatformStatus holds the current status of the Amazon Web Services infrastructure provider. | ||
| type AWSPlatformStatus struct { | ||
| // tags holds key and value pairs that are set as tags in the AWS resources created by the cluster. | ||
| Tags map[string]string `json:"tags,omitempty"` |
There was a problem hiding this comment.
does this actually extend to loadbalancers, volumes, or machines created by machine api?
There was a problem hiding this comment.
for in-tree aws cloud provider, it uses the cluster id here:
https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/aws/aws.go#L548
There was a problem hiding this comment.
I think we can say that it should after this merges. I can notify those teams to make sure they're respecting it, if possible.
Machine API already has this info on each MachineSet, so user created ones wouldn't match unless the user thought to add the same tags.
I'm not sure how ingress/registry/storage are tagging but it would be nice to get everyone on same page. (kubernetes.io/cluster/dgoodwin-dev-6vzj7=owned)
I believe the infrastructureName being added above should match the kube one you link to.
There was a problem hiding this comment.
does this actually extend to loadbalancers, volumes, or machines created by machine api?
the installer currently tags all the machine/machinesets, loadbalancers with these tags on aws
eg: https://github.com/openshift/installer/blob/5455c4ac317900208a92983e35e6b87fc74fd354/pkg/asset/machines/aws/machines.go#L114-L129
for in-tree aws cloud provider, it uses the cluster id here:
https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/aws/aws.go#L548
These are the tags important to openshift on AWS, all controllers must add these and then add more if it likes.
There was a problem hiding this comment.
this is a bit chicken/egg i guess.
the in-tree aws cloud provider from kube only applies the tags it knows about here:
https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/aws/tags.go
which right now is of the form:
kubernetes.io/cluster/cluster-id=owned | shared
which we are getting assigned to entities by a bit of luck because of how we pre-tag ec2 instances. on startup, kube cloud provider sees its aws, sees no cloud.conf file to pull the cluster id from, and then falls back to reading the ec2 instance for its tags.
i would prefer that we update the language a bit here to reflect that the full set of tags enumerated may not be used by all entities unless we are saying the only tag we will set here. what will we set in this map? do we care about both key names and values?
There was a problem hiding this comment.
If it's holding up this PR, I'm fine adding language about anything beyond kubernetes.io/cluster/... being best-effort.
There was a problem hiding this comment.
For our purposes it was really the InfrastructureName we need as that should be the basis for the KubernetesClusterID, the tag can be inferred.
If we drop specification of arbitrary tags can we get this through @derekwaynecarr ?
There was a problem hiding this comment.
the tag can be inferred.
I would be cautious of operators making same decision independently.
There was a problem hiding this comment.
a best-effort API is hard to understand and enforce.
There was a problem hiding this comment.
the tag can be inferred.
I would be cautious of operators making same decision independently.
How can we make this explicit then?
InfrastructureTag:
Key: kubernetes.io/cluster/infraName
Value: owned
InfrastructureTag: kubernetes.io/cluster/infraName=owned (string)
My vote would be just to leave it implicit, if you need to tag cloud resources we expect you to apply the standard kube tag using the InfrastructureName as the Kube cluster-id.
|
I will reopen with some additional commits, taking this over for Fabiano. |
…t.io
Mostly, this is replacing cluster-config-v1 (which is deprecated [1])
with the Infrastructure config object. As part of that, I'm dropping
UserTags support (see discussion in [2,3]). I'm also replacing the
openshiftClusterID tag with a "kubernetes.io/cluster/{infraName}:
owned" tag [4,5].
[1]: openshift/installer#680
[2]: openshift/api#231 (comment)
[3]: openshift/api#266
[4]: openshift/installer#1280
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1685089#c11
…t.io
Mostly, this is replacing cluster-config-v1 (which is deprecated [1])
with the Infrastructure config object. As part of that, I'm dropping
UserTags support (see discussion in [2,3]). I'm also replacing the
openshiftClusterID tag with a "kubernetes.io/cluster/{infraName}:
owned" tag [4,5].
UnversionedRESTClientFor (vs. RESTClientFor) avoids errors like:
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-image-registry-operator/260/pull-ci-openshift-cluster-image-registry-operator-master-e2e-aws/1304/artifacts/e2e-aws/pods/openshift-image-registry_cluster-image-registry-operator-fc9948cc-b767n_cluster-image-registry-operator.log.gz | gunzip
I0423 05:43:03.599910 1 main.go:18] Cluster Image Registry Operator Version: 4.0.0-142-g38fc8f9-dirty
...
I0423 05:43:04.942285 1 bootstrap.go:38] generating registry custom resource
E0423 05:43:04.942775 1 controller.go:235] unable to sync: unable to get storage configuration from cluster install config: GroupVersion is required when initializing a RESTClient, requeuing
InClusterConfig does not set GroupVersion [6] and RESTClientFor
requires it [7] while UnversionedRESTClientFor can fill it in [8].
[1]: openshift/installer#680
[2]: openshift/api#231 (comment)
[3]: openshift/api#266
[4]: openshift/installer#1280
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1685089#c11
[6]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L422-L428
[7]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L269-L270
[8]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L331-L333
…t.io
Mostly, this is replacing cluster-config-v1 (which is deprecated [1])
with the Infrastructure config object. As part of that, I'm dropping
UserTags support (see discussion in [2,3]). I'm also replacing the
openshiftClusterID tag with a "kubernetes.io/cluster/{infraName}:
owned" tag [4,5].
The trip through clientcorev1.NewForConfig is because calling
RESTClientFor on the InClusterConfig raises:
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-image-registry-operator/260/pull-ci-openshift-cluster-image-registry-operator-master-e2e-aws/1304/artifacts/e2e-aws/pods/openshift-image-registry_cluster-image-registry-operator-fc9948cc-b767n_cluster-image-registry-operator.log.gz | gunzip
I0423 05:43:03.599910 1 main.go:18] Cluster Image Registry Operator Version: 4.0.0-142-g38fc8f9-dirty
...
I0423 05:43:04.942285 1 bootstrap.go:38] generating registry custom resource
E0423 05:43:04.942775 1 controller.go:235] unable to sync: unable to get storage configuration from cluster install config: GroupVersion is required when initializing a RESTClient, requeuing
InClusterConfig does not set GroupVersion [6] and RESTClientFor
requires it [7] while UnversionedRESTClientFor can fill it in [8].
But UnversionedRESTClientFor leaves NegotiatedSerializer unset:
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-image-registry-operator/260/pull-ci-openshift-cluster-image-registry-operator-master-e2e-aws/1305/artifacts/e2e-aws/pods/openshift-image-registry_cluster-image-registry-operator-66d8b56784-5wt9v_cluster-image-registry-operator.log.gz | gunzip
I0423 09:21:42.998300 1 main.go:18] Cluster Image Registry Operator Version: 4.0.0-142-g64d5f62-dirty
...
I0423 09:21:44.345677 1 bootstrap.go:38] generating registry custom resource
E0423 09:21:44.346403 1 controller.go:235] unable to sync: unable to get storage configuration from cluster install config: NegotiatedSerializer is required when initializing a RESTClient, requeuing
So I'm washing through clientcorev1.NewForConfig to get defaults for
both [9].
[1]: openshift/installer#680
[2]: openshift/api#231 (comment)
[3]: openshift/api#266
[4]: openshift/installer#1280
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1685089#c11
[6]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L422-L428
[7]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L269-L270
[8]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L331-L333
[9]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/kubernetes/typed/core/v1/core_client.go#L144-L155
…t.io
Mostly, this is replacing cluster-config-v1 (which is deprecated [1])
with the Infrastructure config object. As part of that, I'm dropping
UserTags support (see discussion in [2,3]). I'm also replacing the
openshiftClusterID tag with a "kubernetes.io/cluster/{infraName}:
owned" tag [4,5].
The trip through clientcorev1.NewForConfig is because calling
RESTClientFor on the InClusterConfig raises:
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-image-registry-operator/260/pull-ci-openshift-cluster-image-registry-operator-master-e2e-aws/1304/artifacts/e2e-aws/pods/openshift-image-registry_cluster-image-registry-operator-fc9948cc-b767n_cluster-image-registry-operator.log.gz | gunzip
I0423 05:43:03.599910 1 main.go:18] Cluster Image Registry Operator Version: 4.0.0-142-g38fc8f9-dirty
...
I0423 05:43:04.942285 1 bootstrap.go:38] generating registry custom resource
E0423 05:43:04.942775 1 controller.go:235] unable to sync: unable to get storage configuration from cluster install config: GroupVersion is required when initializing a RESTClient, requeuing
InClusterConfig does not set GroupVersion [6] and RESTClientFor
requires it [7] while UnversionedRESTClientFor can fill it in [8].
But UnversionedRESTClientFor leaves NegotiatedSerializer unset:
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-image-registry-operator/260/pull-ci-openshift-cluster-image-registry-operator-master-e2e-aws/1305/artifacts/e2e-aws/pods/openshift-image-registry_cluster-image-registry-operator-66d8b56784-5wt9v_cluster-image-registry-operator.log.gz | gunzip
I0423 09:21:42.998300 1 main.go:18] Cluster Image Registry Operator Version: 4.0.0-142-g64d5f62-dirty
...
I0423 09:21:44.345677 1 bootstrap.go:38] generating registry custom resource
E0423 09:21:44.346403 1 controller.go:235] unable to sync: unable to get storage configuration from cluster install config: NegotiatedSerializer is required when initializing a RESTClient, requeuing
So I'm washing through clientcorev1.NewForConfig to get defaults for
both [9].
The RBAC change avoids:
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-image-registry-operator/260/pull-ci-openshift-cluster-image-registry-operator-master-e2e-aws/1306/artifacts/e2e-aws/pods/openshift-image-registry_cluster-image-registry-operator-7f59899bf6-8c8x8_cluster-image-registry-operator.log.gz | gunzip | head -n7
I0423 10:44:51.121540 1 main.go:18] Cluster Image Registry Operator Version: 4.0.0-142-gfa5b59b-dirty
...
I0423 10:44:52.461691 1 bootstrap.go:38] generating registry custom resource
E0423 10:44:52.464035 1 controller.go:235] unable to sync: unable to get storage configuration from cluster install config: infrastructures "cluster" is forbidden: User "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator" cannot get resource "infrastructures" in API group "" at the cluster scope, requeuing
[1]: openshift/installer#680
[2]: openshift/api#231 (comment)
[3]: openshift/api#266
[4]: openshift/installer#1280
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1685089#c11
[6]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L422-L428
[7]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L269-L270
[8]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L331-L333
[9]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/kubernetes/typed/core/v1/core_client.go#L144-L155
…t.io
Mostly, this is replacing cluster-config-v1 (which is deprecated [1])
with the Infrastructure config object. As part of that, I'm dropping
UserTags support (see discussion in [2,3]). I'm also replacing the
openshiftClusterID tag with a "kubernetes.io/cluster/{infraName}:
owned" tag [4,5].
The trip through clientcorev1.NewForConfig is because calling
RESTClientFor on the InClusterConfig raises:
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-image-registry-operator/260/pull-ci-openshift-cluster-image-registry-operator-master-e2e-aws/1304/artifacts/e2e-aws/pods/openshift-image-registry_cluster-image-registry-operator-fc9948cc-b767n_cluster-image-registry-operator.log.gz | gunzip
I0423 05:43:03.599910 1 main.go:18] Cluster Image Registry Operator Version: 4.0.0-142-g38fc8f9-dirty
...
I0423 05:43:04.942285 1 bootstrap.go:38] generating registry custom resource
E0423 05:43:04.942775 1 controller.go:235] unable to sync: unable to get storage configuration from cluster install config: GroupVersion is required when initializing a RESTClient, requeuing
InClusterConfig does not set GroupVersion [6] and RESTClientFor
requires it [7] while UnversionedRESTClientFor can fill it in [8].
But UnversionedRESTClientFor leaves NegotiatedSerializer unset:
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-image-registry-operator/260/pull-ci-openshift-cluster-image-registry-operator-master-e2e-aws/1305/artifacts/e2e-aws/pods/openshift-image-registry_cluster-image-registry-operator-66d8b56784-5wt9v_cluster-image-registry-operator.log.gz | gunzip
I0423 09:21:42.998300 1 main.go:18] Cluster Image Registry Operator Version: 4.0.0-142-g64d5f62-dirty
...
I0423 09:21:44.345677 1 bootstrap.go:38] generating registry custom resource
E0423 09:21:44.346403 1 controller.go:235] unable to sync: unable to get storage configuration from cluster install config: NegotiatedSerializer is required when initializing a RESTClient, requeuing
So I'm washing through clientcorev1.NewForConfig to get defaults for
both [9].
The RBAC change avoids:
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-image-registry-operator/260/pull-ci-openshift-cluster-image-registry-operator-master-e2e-aws/1306/artifacts/e2e-aws/pods/openshift-image-registry_cluster-image-registry-operator-7f59899bf6-8c8x8_cluster-image-registry-operator.log.gz | gunzip | head -n7
I0423 10:44:51.121540 1 main.go:18] Cluster Image Registry Operator Version: 4.0.0-142-gfa5b59b-dirty
...
I0423 10:44:52.461691 1 bootstrap.go:38] generating registry custom resource
E0423 10:44:52.464035 1 controller.go:235] unable to sync: unable to get storage configuration from cluster install config: infrastructures "cluster" is forbidden: User "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator" cannot get resource "infrastructures" in API group "" at the cluster scope, requeuing
[1]: openshift/installer#680
[2]: openshift/api#231 (comment)
[3]: openshift/api#266
[4]: openshift/installer#1280
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1685089#c11
[6]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L422-L428
[7]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L269-L270
[8]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/rest/config.go#L331-L333
[9]: https://github.com/kubernetes/client-go/blob/59781b88d0faa9d51be48b4ca49eb08e05246de4/kubernetes/typed/core/v1/core_client.go#L144-L155
This adds platform-specific specs to the specs of
infrastructuresinconfig.openshift.io/v1.Specifically, this allows in-cluster components to read settings related to the underlying infrastructure where they're running. For example, operators like the cloud credentials operator can read the infra ID and tags set by the installer so that they can tag their own resources.
Targeting AWS as of now, but adding more infrastructure providers is supported.
/cc @dgoodwin @wking @crawford