vSphere passthrough mode for CredentialsRequests

Implement a simple passthrough-mode-only actuator for vSphere. Assumes the credentials used during installation are good enough to be passed along to any in-cluster components needing vSphere credentials. Add the VSphereProviderSpec definitions which allows listing permissions being requested (even though they are presently ignored as passthrough-mode is assumed).
openshift · Jan 9, 2020 · 55c6662 · 55c6662
1 parent de83d86
commit 55c6662
Show file tree

Hide file tree

Showing 10 changed files with 1,203 additions and 0 deletions.
diff --git a/pkg/apis/cloudcredential/v1/credentialsrequest_types.go b/pkg/apis/cloudcredential/v1/credentialsrequest_types.go
@@ -148,5 +148,6 @@ func init() {
 		&AWSProviderStatus{}, &AWSProviderSpec{},
 		&AzureProviderStatus{}, &AzureProviderSpec{},
 		&GCPProviderStatus{}, &GCPProviderSpec{},
+		&VSphereProviderStatus{}, &VSphereProviderSpec{},
 	)
 }
diff --git a/pkg/apis/cloudcredential/v1/vsphere_types.go b/pkg/apis/cloudcredential/v1/vsphere_types.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2020 The OpenShift Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// TODO: these types should eventually be broken out, along with the actuator,
+// to a separate repo.
+
+// VSphereProviderSpec contains the required information to create RBAC role
+// bindings for VSphere.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type VSphereProviderSpec struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Permissions contains a list of groups of privileges that are being requested.
+	Permissions []VSpherePermission `json:"permissions"`
+}
+
+// VSpherePermission captures the details of the privileges being requested for the list of entities.
+type VSpherePermission struct {
+	// Privileges is the list of access being requested.
+	Privileges []string `json:"privileges"`
+
+	// TODO: when implementing mint-mode will need to figure out how to allow
+	// a CredentialsRequest to indicate that the above list of privileges should
+	// be bound to a specific scope(s) (eg Storage, Hosts/Clusters, Networking, Global, etc).
+	// Entities is the list of entities for which the list of permissions should be granted
+	// access to.
+	// Entities []string `json:"entities"`
+
+	// Also will need to allow specifying whether permissions should "Propagate to children".
+	// Propagate bool `json:"propagate"`
+}
+
+// VSphereProviderStatus contains the status of the credentials request in VSphere.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type VSphereProviderStatus struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// SecretLastResourceVersion is the resource version of the secret resource
+	// that was last synced. Used to determine if the object has changed and
+	// requires a sync.
+	SecretLastResourceVersion string `json:"secretLastResourceVersion"`
+}
diff --git a/pkg/apis/cloudcredential/v1/zz_generated.deepcopy.go b/pkg/apis/cloudcredential/v1/zz_generated.deepcopy.go
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -24,6 +24,7 @@ import (
 	gcpactuator "github.com/openshift/cloud-credential-operator/pkg/gcp/actuator"
 	"github.com/openshift/cloud-credential-operator/pkg/openstack"
 	"github.com/openshift/cloud-credential-operator/pkg/ovirt"
+	vsphereactuator "github.com/openshift/cloud-credential-operator/pkg/vsphere/actuator"
 
 	configv1 "github.com/openshift/api/config/v1"
 
@@ -99,6 +100,12 @@ func AddToManager(m manager.Manager, explicitKubeconfig string) error {
 			if err != nil {
 				return err
 			}
+		case configv1.VSpherePlatformType:
+			log.Info("initializing VSphere actuator")
+			a, err = vsphereactuator.NewVSphereActuator(m.GetClient())
+			if err != nil {
+				return err
+			}
 		default:
 			log.Info("initializing no-op actuator (unsupported platform)")
 			a = &actuator.DummyActuator{}

diff --git a/pkg/controller/credentialsrequest/credentialsrequest_controller.go b/pkg/controller/credentialsrequest/credentialsrequest_controller.go
@@ -676,6 +676,8 @@ func crInfraMatches(cr *minterv1.CredentialsRequest, clusterCloudPlatform config
 		return cloudType == reflect.TypeOf(minterv1.OpenStackProviderSpec{}).Name(), nil
 	case configv1.OvirtPlatformType:
 		return cloudType == reflect.TypeOf(minterv1.OvirtProviderSpec{}).Name(), nil
+	case configv1.VSpherePlatformType:
+		return cloudType == reflect.TypeOf(minterv1.VSphereProviderSpec{}).Name(), nil
 	default:
 		return false, fmt.Errorf("unsupported platorm type: %v", clusterCloudPlatform)
 	}