machines: add the authorized keys for a pool using a machine config #1150
Can you elaborate in the commit message why we're making this change, what problem it's solving? This is basically the inverse of the existing MCO ssh key support - the installer uses its own config to inject MC objects, rather than the MCO scraping the install config and generating MC fragments. Are we going forward with both of these approaches?
It would be good to mention #680 and cluster-config-v1 deprecation.
i have tried to add the Also created openshift/machine-config-operator#356 that drops creating machineconfig with ssh key
@abhinavdahiya can you rebase this so we can get it in along with openshift/machine-config-operator#356
Let's make sure we summarize the why in the PR description before this merges. Even if that's just a copy of the non vendor commit.
I've updated the PR topic post.
5412e88 ... 3ad4777 is extracted from #1392 modified-local-branch to reuse the plumbing that we need to push machineconfig for hyperthreading... /cc @staebler
Users can push manifests during bootstrap that of the form: ```yaml --- ``` Especially for the installer: setting authorizes_keys [1] and setting hyperthreading [2] will push a manifest that includes multiple machineconfig objects for control-plane (master) and compute (worker) roles. Single file with multiple k8s objects separated by `---` is also a supported structure for `oc create|apply` ie. there is a high chance that users trying to push machineconfigs at install time might create such files. This commit allows bootstrap controller to read all k8s objects, even ones described above to find all the `machineconfiguration.openshift.io` Objects. [1]: openshift/installer#1150 [2]: openshift/installer#1392
@runcom PTAL
This LGTM. (I debated some bikeshedding on the This PR should land first - in that case we'll have two things injecting SSH (the installer's MCs and the MCO), and then we land openshift/machine-config-operator#356 to bring us back down to 1. /approve
@@ -135,6 +133,7 @@ func (o *Openshift) Generate(dependencies asset.Parents) error { | |||
Data: data, | |||
}) | |||
} | |||
o.FileList = append(o.FileList, worker.Files()...) |
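Review bot: The added `o.FileList = append(o.FileList, worker.Files()...)` line carries no comment saying what `worker.Files()` contributes beyond the entries the loop above already appends, and nothing visible in this hunk prevents two entries with the same filename ending up in `o.FileList`. Given that, per the PR title, these files now include MachineConfigs carrying authorized keys, consider a short comment naming them and either a duplicate-filename check or a note on why the names cannot collide with the loop's entries.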
This makes me jumpy about reloading/regenerating these when they're loaded from disk during a multi-stage install. Can we move `Worker` out from under `Openshift` into its own writeable asset (like we did for masters in 7a396d9, #1211)? CC @staebler
master's we use as input to `cluster` asset and that's why it makes sense to split that out in #1211 that worker machinesets are opaque to creating infra resources for now and I don't think we would need to do something like #1211 for the time being.
... worker machinesets are opaque to creating infra resources for now...
So should we stop writing them at all? Drop them from `Openshift` without making them writable assets? This is getting into #1119.
So should we stop writing them at all?
why, people can edit the manifest as a file. doesn't mean we don't write them 😕
why, people can edit the manifest as a file. doesn't mean we don't write them 😕
Because then we won't have structured info about chosen worker availability zones and such. I'll work up some test-cases tonight.
whatever we decide on that ^^ , I don't think it should be part of this PR.
replied to the comments. PTAL @wking
/lgtm
Failing tests are openshift/origin#22412, and may be happening every time.
/hold cancel Needs a rebase, though
Vendor openshift/machine-config-operator to have access to the MachineConfig type. The MachineConfig type is used to supplement the ignition config for machine pools that have hyperthreading enabled. This also adds some more packages from coreos/ignition.
Provide the means by which a machines asset can add MachineConfig manifests. This is needed so that the ignition configs can be supplemented for machine pools for example have hyperthreading disabled, include authorized_keys for user.
…machinepool This sets up the master machine asset to allow adding MachineConfigs. A list of machine configs can be added to master machines that will be created alongside the user-data and machine objects.
…epools This sets up the worker machine asset to allow adding MachineConfigs. A list of machine configs can be added to compute machinepools that will be created alongside the user-data and machineset objects.
`cluster-config-v1` is being deprecated in favor of global configs [1] and Machine Config Operator needs to drop using the `SSHKey` in install-config [2] to setup the `SSHAuthorizedKeys` for `core` user. This pushes a machineconfig with the `SSHAuthorizedKeys` sourced from [2] for each machinepool, so that Machine Config Operator can drop generating the machineconfig using the `cluster-config-v1` config map in the cluster. [1]: openshift#680 [2]: https://godoc.org/github.com/openshift/installer/pkg/types#InstallConfig
done.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, cgwalters, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Failing tests:
[sig-apps] StatefulSet [k8s.io] Basic StatefulSet functionality [StatefulSetBasic] should not deadlock when a pod's predecessor fails [Suite:openshift/conformance/parallel] [Suite:k8s]
[sig-storage] Dynamic Provisioning DynamicProvisioner should provision storage with different parameters [Suite:openshift/conformance/parallel] [Suite:k8s]
/retest
Since f2eacf3 (asset/machines/master: allow adding MachineConfigs for control-plane machinepool, 2019-03-25, openshift#1150), we no longer need to filter a File slice to get a Master object's Machine files. Moving the method to a stand-alone function sets the stage for structured worker Machine objects. f2eacf3 also removed the only (*Master).Machines() consumer, so remove that method completely.
/retest
…hines Since f2eacf3 (asset/machines/master: allow adding MachineConfigs for control-plane machinepool, 2019-03-25, openshift#1150), we no longer need to filter a File slice to get a Master object's Machine files. Drop the obsoleted Machines() implementation and rename the previous StructuredMachines implementation to take its place.
`cluster-config-v1` is being deprecated in favor of global configs (#680) and Machine Config Operator needs to drop using the `SSHKey` in install-config to setup the `SSHAuthorizedKeys` for `core` user.

This pushes a machineconfig with the `SSHAuthorizedKeys` sourced from here for each machinepool, so that Machine Config Operator can drop generating the machineconfig using the `cluster-config-v1` config map in the cluster.

/cc @crawford
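
The per-machinepool MachineConfig described in the PR description, as an added example that is not the installer's or the MCO's own code: it renders one manifest per pool role and refuses input that is not a single-line public key before it is written into a manifest. The `99-<role>-ssh` name, the Ignition version `2.2.0`, the helper names and the sample key are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type obj = map[string]interface{}

// checkKey accepts one single-line public key and rejects private key material.
func checkKey(key string) error {
	fields := strings.Fields(key)
	switch {
	case strings.Contains(key, "PRIVATE KEY"):
		return errors.New("private key material supplied")
	case strings.ContainsAny(strings.TrimSpace(key), "\r\n"):
		return errors.New("expected one key on one line")
	case len(fields) < 2 || !strings.Contains(fields[0], "-"):
		return errors.New("not in '<type> <base64> [comment]' form")
	}
	return nil
}

// sshMachineConfig renders the MachineConfig for one pool role as JSON.
func sshMachineConfig(role, key string) (string, error) {
	if err := checkKey(key); err != nil {
		return "", fmt.Errorf("%s pool: %w", role, err)
	}
	mc := obj{
		"apiVersion": "machineconfiguration.openshift.io/v1",
		"kind":       "MachineConfig",
		"metadata": obj{
			"name":   "99-" + role + "-ssh", // assumed naming scheme
			"labels": obj{"machineconfiguration.openshift.io/role": role},
		},
		"spec": obj{"config": obj{
			"ignition": obj{"version": "2.2.0"}, // assumed Ignition spec version
			"passwd": obj{"users": []obj{{"name": "core", "sshAuthorizedKeys": []string{strings.TrimSpace(key)}}}},
		}},
	}
	b, err := json.MarshalIndent(mc, "", "  ")
	return string(b), err
}

func main() {
	key := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyOnly core@example" // constructed
	for _, role := range []string{"master", "worker"} {
		fmt.Println(sshMachineConfig(role, key))
	}
}
```

The role label is what ties each manifest to its pool, so the control-plane and compute pools each get their own object even when both carry the same key.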