🐛 CAPV CSI driver isn't passing TLS thumbprint

[PatrickLaabs]

What this PR does / why we need it:
With this PR I changed a few lines of code.

packaging/flavorgen/flavors/crs/csi.go

config.Global.Thumbprint = env.VSphereThumbprint
config.Global.Insecure = env.VSphereInsecure

packaging/flavorgen/flavors/env/envsubts_consts.go

VSphereInsecure              = true

With this, I was able to create a new 'cluster-template.yaml' inside .cluster-api/overrides... where the Global-Section of the csi-vsphere-config Secret gets the thumbprint and insecure flag passed.

  stringData:
     csi-vsphere.conf: |+
        [Global]
        insecure-flag = true
        thumbprint = "${VSPHERE_TLS_THUMBPRINT}"
        cluster-id = "${NAMESPACE}/${CLUSTER_NAME}"

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1162

Special notes for your reviewer:

Newly created PR, since on my last one(PR 1812) , I encountered some Issues with my CLA.

Notes from the last PR:

Since the Insecure-Flag is defined as a bool inside packaging/flavorgen/flavors/crs/types/cloudprovider_types.go
at line 88, I was not able to make this Insecure-Flag configurable via the clusterctl.yaml under ~/.clusterctl-api.

Changing it to a string, would make it configurable.
Like so: Insecure string gcfg:"insecure-flag,omitempty" json:"insecure,omitempty"`` but comes with the side-effect, that the file packaging/flavorgen/flavors/crs/types/cloudprovider_encoding_test.go throws me an error cannot use true (untyped bool constant) as string...
Since changing the type of the Insecure-Flag causes some impact on the testing file (And I am not sure, which side-effects this could lead to) I did not changed the typed and let it remain as a bool.
Maybe a maintainer could have a look at this and maybe help me out with this 😄

Release note:

Passing Thumbprint and Insecure-Flag (set as true in default) to the generated Cluster-Manifests file

[k8s-ci-robot]

Hi @PatrickLaabs. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[srm09]

/ok-to-test

[hideakihal]

Hi.

The vSphere Container Storage Plug-in documentation states that the thumbprint option is ignored when you are using an unsecured setup or when you provide a ca-file. It seems that it is not recognized when the insecure-flag is set to true.

https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/2.0/vmware-vsphere-csp-getting-started/GUID-BFF39F1D-F70A-4360-ABC9-85BDAFBE8864.html

[srm09]

I am wary that the shipped cluster manifests with CAPV, by default support a non secure mode of communication. You could run an alternate mechanism to overlay these changes on top of the CAPV cluster manifests instead of chaining this directly in the cluster templates.

[PatrickLaabs]

@srm09 I guess I understand you thoughts.

I believe removing the insecure flag hard-coded on the templates could make sense. But the Thumbprint-passing should stay, I guess.

Letting the user decide to edit the yaml afterwards and strictly enable / disable the insecure-flag might be a better approach, isnt it?

Best,
Patrick

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: PatrickLaabs / name: Patrick Laabs (204f963, d2f865a, 2ce72fd, 55b88a2, 32a0e8e)

[PatrickLaabs]

/check-cla

[PatrickLaabs]

The insecure-flag has been removed.
The Thumbprint will now be passed from the cluster-api-configfile to the yaml-files.

[randomvariable]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: randomvariable

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [randomvariable]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[PatrickLaabs]

/retest

[PatrickLaabs]

I'll take a look at this in the next few days.
I guess I have to update my long-living branch with the latest changes to get this to work 😀

[sbueringer]

/tide merge-method-squash

It's just a flake

/retest
/lgtm

Thx for fixing this!

Let's cherry-pick

[sbueringer]

/cherry-pick release-1.7

[k8s-infra-cherrypick-robot]

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.7 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

/cherry-pick release-1.6

[k8s-infra-cherrypick-robot]

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.6 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

/cherry-pick release-1.5

[k8s-infra-cherrypick-robot]

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.5 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-infra-cherrypick-robot]

@sbueringer: new pull request created: #2062

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-infra-cherrypick-robot]

@sbueringer: new pull request created: #2063

In response to this:

/cherry-pick release-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-infra-cherrypick-robot]

@sbueringer: new pull request created: #2064

In response to this:

/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.