Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 2uasimojo The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
openshift-ci-robot
added
the
jira/valid-reference
|
@2uasimojo: This pull request references HIVE-2391 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
2uasimojo
force-pushed
the
HIVE-2391/vsphere-zonal
branch
from
29af27f to
5249404
Compare
|
@jianping-shu this passed e2e-vsphere, so I reckon it's probably ready for you to take another stab at it! |
|
/hold Looks like I missed refactoring the preflight auth check for the new creds shape. |
openshift-ci
bot
added
the
do-not-merge/hold
2uasimojo
force-pushed
the
HIVE-2391/vsphere-zonal
branch
from
5249404 to
39cf13e
Compare
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
The new multi-creds changes LGTM. My only concern (as noted in review comments) is that there are some additional fields (at least |
2uasimojo
force-pushed
the
HIVE-2391/vsphere-zonal
branch
from
39cf13e to
896e851
Compare
|
/hold for QE |
openshift-ci
bot
added
the
do-not-merge/hold
2uasimojo
force-pushed
the
HIVE-2391/vsphere-zonal
branch
from
896e851 to
7996e22
Compare
|
/test e2e security e2e: infra flake |
|
Allowable to override |
pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook.go
Outdated
Show resolved
Hide resolved
2uasimojo
force-pushed
the
HIVE-2391/vsphere-zonal
branch
from
7996e22 to
066a4e4
Compare
Well, I thought I had fixed it for hiveutil and clusterpool with this, but, rookie mistake, I'm assigning into the loop variable which is a local copy 🙄 I'm going to fix this... but your comment also made me think we should also try to prevent the user from handing us a CD with passwords populated. It's a bit awkward because we can't modify the schema to exclude those fields, or even add a docstring indicating they should not be used, without making our own copy. The best we can do is a webhook, which should at least prevent the sensitive data from getting into etcd. |
openshift-ci
bot
added
the
needs-rebase
2uasimojo
force-pushed
the
HIVE-2391/vsphere-zonal
branch
from
183ef5e to
de00368
Compare
openshift-ci
bot
removed
the
needs-rebase
|
This one is just a rebase. Fixes incoming... |
2uasimojo
force-pushed
the
HIVE-2391/vsphere-zonal
branch
from
de00368 to
afded4e
Compare
|
Okay @jianping-shu, this rev should have fixed the following:
|
|
@2uasimojo Here is the test result for today.
hiveutil doesn't support ClusterPool for vsphere/openstack so far so no issue here.
Tested w/ Case 3a - CD/CP yaml shall not contain password of OCP-84265, |
Well that's pretty weird. The call stack should be: I even added unit tests, which pass as written, and fail correctly when I comment out the new code. I'll see if I can reproduce. |
Yup. Reproduced no problem. It, uh, turns out we're not installing the VWHC for clusterpool at all 😬 I wonder how long that's been the case, and how much of our validation has drifted broken in the interim. I'll track this down and get back to you. Tempted to say we should fix it in a separate PR, but stay tuned. |
Yeah, it looks like we might never have had this piece, which means we've not been validating ClusterPools, ever. I've opened https://redhat.atlassian.net/browse/HIVE-3131 for this. I would indeed like to track this as a separate effort due to the risk: since we haven't been running this code (other than in unit tests!) there is a chance it will reject some things it shouldn't, regressing existing consumers' ability to use ClusterPools. So while the code change won't be hard, the test effort needs to be somewhat comprehensive. Unfortunately, since the issue in question here is important for security, I think it would be prudent to block this PR until the above is resolved. |
pkg/installmanager/installmanager.go
Outdated
| } | ||
| metadata.VSphere.VCenters = vcenters | ||
| } | ||
| creds.ConfigureCreds[utils.GetClusterPlatform(cd)](dynClient, nil) |
There was a problem hiding this comment.
this nil should be metadata, right?
There was a problem hiding this comment.
Good catch!
@jianping-shu this should have failed the cleanupFailedProvision test?
There was a problem hiding this comment.
I ever tested the following case with the commit before last Fri. The CD was deleted successfully finally.
OCP-87278 Case 3- Old hive version, install vsphere CD; Start to delete CD(hung due to cred failure), upgrade hive to zonal version and delete the CD successfully with default destroy
contrib/pkg/createcluster/create.go
Outdated
| map[string][]byte{ | ||
| constants.UsernameSecretKey: []byte(vsphereUsername), | ||
| constants.PasswordSecretKey: []byte(vspherePassword), | ||
| "vCenters": vcenterCredsb, |
There was a problem hiding this comment.
creds/vsphere/vsphere.go and controller/utils/credentials.go both looks for this key at "vcenters", not "vCenters"
There was a problem hiding this comment.
Well how the heck were they ever working??
Good eye.
pkg/controller/utils/credentials.go
Outdated
| if !cdVCenters.IsSuperset(credsVCenters) { | ||
| return false, fmt.Errorf("missing VSphere credentials for some configured VCenters: %q", sets.List(credsVCenters.Difference(cdVCenters))) | ||
| } |
There was a problem hiding this comment.
| if !cdVCenters.IsSuperset(credsVCenters) { | |
| return false, fmt.Errorf("missing VSphere credentials for some configured VCenters: %q", sets.List(credsVCenters.Difference(cdVCenters))) | |
| } | |
| if !credsVCenters.IsSuperset(cdVCenters) { | |
| return false, fmt.Errorf("missing VSphere credentials for some configured VCenters: %q", sets.List(cdVCenters.Difference(credsVCenters))) | |
| } |
I think these sets are backwards. As it stands, this fires when creds has vcenters not present on the CD
| @@ -1325,15 +1342,7 @@ func (r *ReconcileClusterPool) createCloudBuilder(pool *hivev1.ClusterPool, logg | |||
| return nil, err | |||
There was a problem hiding this comment.
This needs to return a new err (errors.New("vsphere certificates secret missing '.cacert' key")) rather than the existing err (which is nil in this codepath always thanks to the if block immediately above)
| } | ||
| // Scrub credentials | ||
| i := b.infrastructure.DeepCopy() | ||
| i.DeprecatedPassword = "" |
There was a problem hiding this comment.
Thoughts on clearing usernames here too? (both the deprecated path and in the array of VCenters)
There was a problem hiding this comment.
Jianping brought up the same thing. I wasn't concerned about the username being sensitive; but I suppose for consistency with what we're doing elsewhere, it makes sense.
Oh, I just thought of a better reason: I think in some places we're only setting the username if it's unset. So there's a potential failure mode if the username is present but incorrect. (Though arguably that's a user error...)
| // DeprecatedVCenter is the vSphere vCenter hostname. | ||
| // Deprecated: use VCenters instead. | ||
| // +optional | ||
| DeprecatedVCenter string `json:"vCenter"` |
There was a problem hiding this comment.
Needs omitempty in the json tag (and VCenters too)
There was a problem hiding this comment.
Since neither is a pointer type and both have +optional, omitempty has no effect. I don't mind including the tag though.
| } | ||
|
|
||
| for _, test := range tests { | ||
| t.Run(test.Name, func(t *testing.T) { |
There was a problem hiding this comment.
Probably worth it to test this more vigorously, I bet the LLM could generate tons of theoretical test cases
There was a problem hiding this comment.
I'm a little meh about testing upstream functionality. Having a smoke test like this to make sure we're calling upstream correctly (or at all) is sane, but trying to cover all its paths seems like the responsibility of the repo in which it lives, no?
2uasimojo
force-pushed
the
HIVE-2391/vsphere-zonal
branch
from
afded4e to
870fdd5
Compare
|
Rebase only. Fixes pending. |
Followon addressing review from openshift#2731. MachinePool: - Removed `Topology` override - Restored ResourcePool and TagIDs overrides - Removed `osImage` detected from arbitrary master; using whatever's passed through from FD Topology (which defaults sanely if unset). Deprovision: - Changed `--vsphere-vcenter` StringVar to `--vsphere-vcenters` StringSliceVar Platform Creds: - Redesigned to take `vcenters`, a list of vcenter server/username/password, matching (and unmarshaling into) the corresponding chunk of metadata.json. Docs: - Updated install-config sample to zonal shape. - Documented new creds shape.
2uasimojo
force-pushed
the
HIVE-2391/vsphere-zonal
branch
from
870fdd5 to
d3042d8
Compare
|
Okay, fixes are in. Thanks for the review @dlom |
|
regression test in progress... |
|
/test e2e-vsphere |
|
@2uasimojo: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
That's merged. Getting real close here. Currently just waiting on:
|
|
@dlom I've finished the round of regression tests.
I think we have 2 alternatives: |
4 participants
Co-Authored-By: @dlom
Summary by CodeRabbit
New Features
Deprecations
Documentation