Propagate public-keys to cloud-init NoCloud meta-data #10231

Merged
merged 2 commits into from Sep 25, 2023

Conversation

kvaps (Member) commented Aug 3, 2023

What this PR does / why we need it:

Cloud-init's NoCloud also supports specifying public-keys in meta-data.
This patch enables propagation of ssh-keys into instance metadata.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #10249

Special notes for your reviewer:

Example usage

accessCredentials:
- sshPublicKey:
    source:
      secret:
        secretName: my-pub-key
    propagationMethod:
      noCloud: {}
volumes:
- cloudInitNoCloud: {}
  name: cloudinitdisk

Release note:

Propagate public-keys to cloud-init NoCloud meta-data
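As an added sketch, not code from this PR or from KubeVirt, the following Go program shows what NoCloud propagation amounts to: each access credential whose propagation method is noCloud has the public keys held by its secret written under public-keys in the NoCloud meta-data file, next to the instance-id cloud-init expects, while credentials bound to other methods are left out. The type and constant names, the map standing in for the mounted secret directory, and the sample keys are assumptions constructed for this example.

```go
package main
import (
	"fmt"
	"strings"
)

// PropagationMethod: one typed value instead of two bool flags (assumed names).
type PropagationMethod string
const MethodNoCloud PropagationMethod = "noCloud"
const MethodConfigDrive PropagationMethod = "configDrive"

// AccessCredential is a simplified stand-in for the KubeVirt API type (assumption).
type AccessCredential struct {
	SecretName string
	Method     PropagationMethod
}

// noCloudMetaData renders the NoCloud meta-data file; secrets holds each mounted secret's
// data items (one public key each) and only MethodNoCloud credentials feed "public-keys".
func noCloudMetaData(instanceID string, creds []AccessCredential, secrets map[string][]string) (string, error) {
	var keys []string
	for _, c := range creds {
		if c.Method != MethodNoCloud {
			continue // e.g. configDrive keys belong to a different datasource
		}
		items, ok := secrets[c.SecretName]
		if !ok {
			return "", fmt.Errorf("secret %s is not mounted", c.SecretName)
		}
		for _, item := range items {
			keys = append(keys, strings.TrimSpace(item)) // drop the trailing newline of a key file
		}
	}
	out := "instance-id: " + instanceID + "\n"
	for i, k := range keys {
		if i == 0 {
			out += "public-keys:\n"
		}
		out += fmt.Sprintf("  - %q\n", k) // %q keeps each key a valid double-quoted YAML scalar
	}
	return out, nil
}

// Constructed sample: my-pub-key targets NoCloud, cd-key targets ConfigDrive.
var sampleSecrets = map[string][]string{
	"my-pub-key": {"ssh-ed25519 AAAAC3Nz-constructed-key user@example\n"},
	"cd-key":     {"ssh-rsa AAAAB3Nz-constructed-key other@example\n"},
}
var sampleCreds = []AccessCredential{{"my-pub-key", MethodNoCloud}, {"cd-key", MethodConfigDrive}}
```

Calling noCloudMetaData("vmi-example", sampleCreds, sampleSecrets) yields a meta-data file with only the ed25519 key under public-keys; a credential that names a secret that is not mounted is reported as an error rather than silently skipped.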

@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. size/S labels Aug 3, 2023
@kubevirt-bot kubevirt-bot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API size/L and removed size/S labels Aug 3, 2023
maiqueb (Contributor) commented Aug 3, 2023

Thanks for evolving the nocloud cloud-init datasource.

I think this makes sense - and addresses an important gap: we couldn't use secrets when defining the ssh keys and define a netplanv2 network configuration in the same datasource.

We would just need you to fix the unit tests (you need to adjust to the new resolveNoCloudSecrets function's signature), and provide an e2e test assuring the feature works as intended.

@kubevirt-bot kubevirt-bot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. and removed dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Aug 4, 2023
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Aug 4, 2023
kvaps (Member, Author) commented Aug 5, 2023

/retest

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
kvaps (Member, Author) commented Aug 6, 2023

Job is done @maiqueb 🙂

maiqueb (Contributor) left a comment

I have some very minor comments on how I think the e2e test should look.

Plus some suggestions on what should be checked in the unit tests, and finally an opinionated comment on how I think the code should look.

But overall really good, this is a nice feature to have around.

Thanks for the contribution!

Review comments on:
pkg/cloud-init/cloud-init.go (outdated, resolved)
tests/credentials_test.go (outdated, resolved; four comments)
tests/credentials_test.go (resolved)
alaypatel07 (Contributor)

/cc

@kubevirt-bot kubevirt-bot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. and removed dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Aug 17, 2023
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Aug 17, 2023
0xFelix (Member) commented Sep 4, 2023

@kvaps Can you please update it to match @lyarwood's suggestion? #10231 (comment)

The function name and logic should match.

kvaps (Member, Author) commented Sep 4, 2023

@0xFelix @lyarwood sure, done

0xFelix (Member) commented Sep 4, 2023

Excuse me if I'm wrong, but now the names do not match the logic again? Please change just the names to isNoCloudAccessCredential and isConfigDriveAccessCredential.

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
kvaps (Member, Author) commented Sep 4, 2023

yeah, you're right, fixed that, sorry

0xFelix (Member) left a comment

Apart from one comment it looks good to me.

Thanks!

/lgtm


It("[test_id:TODO]should have ssh-key under authorized keys added by NoCloud", func() {
Reviewer (Member) commented on this line:

You could write these tests as a table, but it can be done in a follow up because there is more to clean up here (e.g. swapping NewRandomVMIWithEphemeralDiskHighMemory with libvmi).

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Sep 4, 2023
0xFelix (Member) commented Sep 5, 2023

/retest-required

lyarwood (Member) commented Sep 5, 2023

/lgtm

kvaps (Member, Author) commented Sep 5, 2023

/retest-required

aburdenthehand (Contributor)

/cc @iholder101

0xFelix (Member) commented Sep 21, 2023

Ping @iholder101 @alicefr

iholder101 (Contributor) left a comment

Thank you @kvaps! This looks great.
Sorry to chime in late on this.

/approve
/hold

Holding to let @alicefr respond if she wants to. If she doesn't respond soon, feel free to unhold 👍

tests/utils.go (outdated), lines 688 to 694:
func NewRandomVMIWithEphemeralDiskAndNoCloudUserdataHighMemory(containerImage string, userData string) *v1.VirtualMachineInstance {
vmi := NewRandomVMIWithEphemeralDiskAndNoCloudUserdata(containerImage, userData)

vmi.Spec.Domain.Resources.Requests[k8sv1.ResourceMemory] = resource.MustParse("512M")
return vmi
}

Reviewer (Contributor) commented on these lines:

For the record, we sometimes need to create similar functions in libvmi

@@ -162,15 +163,73 @@ func ReadCloudInitVolumeDataSource(vmi *v1.VirtualMachineInstance, secretSourceD
return nil, nil
}

func resolveSSHPublicKeys(accessCredentials []v1.AccessCredential, secretSourceDir string, methodNoCloud, methodConfigDrive bool) (map[string]string, error) {
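Review bot: The signature on the last line of this hunk takes two independent booleans, `methodNoCloud, methodConfigDrive bool`, so a caller can pass both true or both false and nothing in the signature rules that out; a single typed propagation-method parameter (a named string type with one constant per method) makes those combinations unrepresentable and lets a future method be added without growing the argument list.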
Reviewer (Contributor) commented on this line:

nit: I would lose the bool arguments and go with something like

// A named type so callers can only pass one of the declared methods.
type AccessCredentialPropagationMethod string
const (
    methodNoCloud     AccessCredentialPropagationMethod = "methodNoCloud"
    methodConfigDrive AccessCredentialPropagationMethod = "methodConfigDrive"
)

// ...
func resolveSSHPublicKeys(accessCredentials []v1.AccessCredential, propagationMethod AccessCredentialPropagationMethod) (map[string]string, error) {
    // ...
}

If we'd support more methods in the future it's better not to end up with many bool arguments that are all false but one.

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 21, 2023
kubevirt-bot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iholder101

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 21, 2023
maiqueb (Contributor) left a comment

Really happy to see this feature accepted.

0xFelix (Member) commented Sep 25, 2023

Feeling free to unhold ;)

/hold cancel

@kubevirt-bot kubevirt-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 25, 2023
0xFelix (Member) commented Sep 25, 2023

/retest-required

kubevirt-bot (Contributor)

@kvaps: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                               Commit   Details  Required  Rerun command
pull-kubevirt-e2e-k8s-1.26-sig-compute  6c22622  link     unknown   /test pull-kubevirt-e2e-k8s-1.26-sig-compute
pull-kubevirt-e2e-k8s-1.26-sig-storage  6c22622  link     unknown   /test pull-kubevirt-e2e-k8s-1.26-sig-storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@kubevirt-bot kubevirt-bot merged commit 9a94b8c into kubevirt:main Sep 25, 2023
37 of 39 checks passed
maiqueb (Contributor) commented Sep 26, 2023

@0xFelix do we want to back-port this into other releases?

xpivarc (Member) commented Sep 26, 2023

@0xFelix do we want to back-port this into other releases?

Please don't backport features to stable releases; it goes against the meaning of stable releases.

0xFelix (Member) commented Sep 26, 2023

@maiqueb I'd consider this a new feature, not a bug. So I would not backport it.

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L
Successfully merging this pull request may close these issues.

Add NoCloud propagation method support to access credentials API