Add support for Equinix Metal

[detiber]

Start adding support for at least documenting the secret format for Equinix Metal.

Related to: openshift/machine-api-operator#753 (comment)

[openshift-ci-robot]

Hi @detiber. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: detiber
To complete the pull request process, please assign twiest after the PR has been reviewed.
You can assign the PR to them by writing /assign @twiest in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[detiber]

Seeing this, we should likely change the name of this variable to EQUINIX_METAL_API_KEY or similar. That would require changes to the cluster-api-provider-equinix-metal PR: openshift/cluster-api-provider-equinix-metal#1 (comment) and installer PR: openshift/installer#4472

[elmiko]

+1, i think that makes sense for clarity

[detiber]

@elmiko does it make sense to add more functional support beside just documenting the format? If so, it would help to get some additional context into how CCO fits into the process and what methods might make sense for Equinix Metal to support.

[elmiko]

that's a good question, what were you thinking?

[detiber]

EM doesn't currently have fine grained credentials, so I suspect Passthrough may make the most sense, and then as additional support is added for finer grained credentials, we can likely add support for the other methods.

[elmiko]

passthrough seems to make sense (i don't a ton about EM though), but as long as fits those restrictions (eg can't mint new credentials) then i would agree.

i think it makes sense to add an asterisk with a note about EM. but i don't want to create an extra maintenance burden, my main goal was to make sure we have a document about what the credentials need in the resource.

get some additional context into how CCO fits into the process

just to make sure i don't skip on this part. as i understand it, the CCO holds the credentials that the Machine-API bits will use(the sensitive bits are in secrets). when calls to the cloud provider API are made then this object will get referenced to ensure we have the proper creds.

what methods might make sense for Equinix Metal to support

another good question, i would like to confer with the installer team to see if there is anything specific we should be highlighting here.

in general, i think proceeding with the passthrough option makes sense to me but i will gather some more information from our teams.

[elmiko]

@detiber i followed up with some folks internally and passthrough is fine for now. in the future it would be nice if equinix supported the more granular options, but as it sounds like that does not currently exist we should be fine passthrough.

[detiber]

I wasn't sure the right way to do this, whether it was to just add a 'Y' here or try to add the version like some of the fields for AWS and GCP...

[joelddiaz]

Similar to my overall comment on this PR, we want to not add any in-cluster processing of CredentialsRequest CRs which means that the only column to be supported would be the Manual column.
This doesn't mean that you don't implement what is effectively Passthrough mode (where each Secret for each in-cluster component contains the same API key), but Passthrough mode implies in-cluster handling of CredentialsRequests...

Suggested change

	EquinixMetal | N | N | 4.x+ (expected) | N | N
	EquinixMetal | N | N | N | 4.x+ (expected) | N

[detiber]

Temporary workaround until openshift/api#784 is merged

[detiber]

This was required when I added the replace for github.com/openshift/api below.

I believe the other updates came in transitively through the replace and these updates

[elmiko]

yeah, seems like you got caught in the middle of some changes

[detiber]

Updating this through make update-vendored-crds was required to pass make verify

[detiber]

Updating this through make update-vendored-crds was required to pass make verify

[elmiko]

here's a little background on this annotation, https://github.com/openshift/enhancements/blob/master/enhancements/single-node-developer-cluster-profile.md

[detiber]

Mostly copy/paste from pkg/vsphere/actuator/actuator.go

[joelddiaz]

This is one of those pieces that we don't want to add to the in-cluster operator. As an example of what we would like, you can view the PRs that were done for IBMCloud (the first pass they made at this effectively implemented Passthrough mode, but their current - as of today - PR removes this Passthrough with support for fine-grained creds) #356

[detiber]

Mostly copy/paste from pkg/operator/secretannotator/vsphere/reconciler.go

[joelddiaz]

Same thing here. We don't need in-cluster processing of the Secret that idealy should not even exist.

[detiber]

Mostly copy/paste from pkg/operator/secretannotator/vsphere/reconciler_test.go

[detiber]

@elmiko Updated to add support for passthrough creds using the vsphere implementation as a guide

[elmiko]

thanks @detiber, i will be following up with some folks internally next week to make sure this is correct.

[detiber]

Rebased on top of the latest changes, still caught in the middle of a 1.19 to 1.20 rebase.

[detiber]

Rebased on top of the latest changes, still caught in the middle of a 1.19 to 1.20 rebase.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-ci]

@detiber: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[joelddiaz]

In general for new platforms, we want to move away from having CCO's in-cluster operator handling/processing CredentialsRequest CRs. We want to have cloud credentials provisioning/handling to be handled outside the cluster. This goes back to many customer discussions where they have concerns about a highly-privileged credential sitting inside the cluster.

As an alternative, there is a relatively new ccoctl binary in this repo that is meant to handle creating the cloud/platform resources (not applicable for Equinix b/c of supporting shared/passthrough credentials) and the manifests that need to be passed to the installer.

Also, would it be possible to break the vendoring into its own commit?

[joelddiaz]

In an ideal world, this Secret should not even exist on a cluster as the individual components that need to make cloud API calls would receive their credentials via Secrets directly. This allows for a future where we can introduce fine-grained creds/permissions if/when the platform/cloud allows it.

[joelddiaz]

Similar to my overall comment on this PR, we want to not add any in-cluster processing of CredentialsRequest CRs which means that the only column to be supported would be the Manual column.
This doesn't mean that you don't implement what is effectively Passthrough mode (where each Secret for each in-cluster component contains the same API key), but Passthrough mode implies in-cluster handling of CredentialsRequests...

Suggested change

	EquinixMetal | N | N | 4.x+ (expected) | N | N
	EquinixMetal | N | N | N | 4.x+ (expected) | N

[joelddiaz]

This is one of those pieces that we don't want to add to the in-cluster operator. As an example of what we would like, you can view the PRs that were done for IBMCloud (the first pass they made at this effectively implemented Passthrough mode, but their current - as of today - PR removes this Passthrough with support for fine-grained creds) #356

[joelddiaz]

Same thing here. We don't need in-cluster processing of the Secret that idealy should not even exist.

[openshift-bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

[openshift-ci]

@openshift-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.