proposal: add new CRD OpenStackClusterIdentity #2628
Conversation
Signed-off-by: Bharath Nallapeta <bnallapeta@mirantis.com>
✅ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
needs-ok-to-test
|
Hi @bnallapeta. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
There was a problem hiding this comment.
I'm very much in favour of this. A few API-related notes inline.
The more I think about it, the more I'm convinced we should extend identityRef rather than adding an alternative with a fallback. I think the semantics and validation will be much clearer.
Incidentally, on the subject of validations I'd expect this to be validated with CEL. Lets not add anything new to the existing webhooks when it's not required. That's an implementation detail, though, so no need to add CEL expressions to this doc unless you really want to.
| **Key Edge Cases:** | ||
| - Both references specified: Use `clusterIdentityRef`, log warning | ||
| - Identity deletion: Clusters show degraded status, don't fail | ||
| - Permission changes: Dynamic re-validation during reconciliation |
There was a problem hiding this comment.
What permissions are you referring to here?
There was a problem hiding this comment.
Clarified in docs.
yes, I considered both while thinking about this proposal. Let me put down my thoughts as simple pros vs cons: new clusterIdentityRef cons: extend current identityRef cons: Kindly think this over and let me know. |
I don't follow this. Can you explain the additional risk? For additional context I'm thinking something like this: CurrentThis is the existing syntax. It is identical, with identical semantics. The absence of a apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: OpenStackCluster
metadata:
name: my-cluster
namespace: team-a
spec:
identityRef:
name: fallback-secret
cloudName: openstackClusterIdentitySpecifying a ClusterIdentity. Note the apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: OpenStackCluster
metadata:
name: my-cluster
namespace: team-a
spec:
identityRef:
type: ClusterIdentity
name: production-openstackCurrent with explicit typeThis form uses the current apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: OpenStackCluster
metadata:
name: my-cluster
namespace: team-a
spec:
identityRef:
type: Secret
name: fallback-secret
cloudName: openstackThis is a common pattern in kubernetes APIs. It's not strictly a
Incidentally, an older version of the CAPO API actually had a Another reason in favour of extending the existing struct is that it would propagate everywhere that the struct is used, including OpenStackMachine (and Server). We have had users relying on separate Machine credentials, and there's no reason to restrict which credential types they can use. |
Signed-off-by: Bharath Nallapeta <bnallapeta@mirantis.com>
Signed-off-by: Bharath Nallapeta <bnallapeta@mirantis.com>
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lentzi90 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@mandre There's definitely an impact on ORC. ORC will need to implement this or something like it. |
This PR adds a proposal doc to work on the issue described in #2386