Add a cloud credentials checker asset #1100
Conversation
openshift-ci-robot
added
size/L
|
@staebler PTAL. Looks like a lot of code churn but really not. Important part is that cluster asset now includes this new 'platformCredsCheck' as a dependency. |
rajatchopra
force-pushed
the
aws_creds
branch
3 times, most recently
from
69ef03d
to
a21fa57
Compare
There was a problem hiding this comment.
There are other places where the AWS creds are used. Those places need to use the creds checker, too. For example, https://github.com/openshift/installer/blob/master/pkg/asset/machines/aws/zones.go.
rajatchopra
force-pushed
the
aws_creds
branch
from
a21fa57
to
e6866c5
Compare
openshift-ci-robot
added
size/M
rajatchopra
force-pushed
the
aws_creds
branch
from
e6866c5
to
15eac10
Compare
|
@staebler credchecker now depends on installconfig, thanks for pointing out the loophole.
But it is not reachable directly via a target without going through 'create cluster'. Or so far as I could tell. |
There was a problem hiding this comment.
Thanks for this patch. I've dropped a comment on the openstack check.
Please add me or @tomassedovic on patches that have an impact on OpenStack. 😃
Thanks
@rajatchopra In the particular case of the |
|
I agree with @staebler that |
A cloud creds checker asset just checks upon the credentials. The 'cluster' target can then depend on it and, thus, cloud creds will be checked again before the cluster is finally created. The reason for a double check is that a cluster can be created through an imported install-config and the credentials may be missing then. If the cluster were to be created in one go (i.e. no install-config generation as a sub-step), then the asset creation graph ensures that they are checked upon only once. (Or rather asked about the creds only once.)
rajatchopra
force-pushed
the
aws_creds
branch
from
15eac10
to
7b83101
Compare
I will get the centralizing the GetSession in another PR (the minor difference right now in the two usages is that one is generic and the other is specific to the region). |
Adjusting the region will look like this, but with the EC2 client as the wrapper. So: func ec2Client(region string) (*ec2.EC2, error) {
ssn, err := installeraws.GetSession()
if err != nil {
return nil, err
}
client := ec2.New(ssn, aws.NewConfig().WithRegion(region))
return client, nil
}I'm ok punting that if you like, but I think it's about as complicated as your current asset-dependency stopgap ;). |
Reuse removes code duplication as well as ensuring there is one central way of creating the sessions.
You made it look easy :). Done as a separate commit in this PR. |
@rajatchopra With the consolidation, I would like at some point (not necessarily for this PR) to go through the Credentials Checker Asset to get the session, making the reliance on the checker explicit. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rajatchopra, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
1 similar comment
|
/retest |
The volume failure should be ignored now, but looks like this test [started after that ignore landed][3]. Hmm... /retest |
|
/retest Pick up openshift/origin#21867. |
A cloud creds checker asset just checks upon the credentials. The 'cluster' target
can then depend on it and, thus, cloud creds will be checked again before the
cluster is finally created.
The reason for a double check is that a cluster can be created through an
imported install-config and the credentials may be missing then.
If the cluster were to be created in one go (i.e. no install-config generation
as a sub-step), then the asset creation ensures that they are checked upon only once.
Or rather asked about the creds only once.
Solves: https://jira.coreos.com/projects/CORS/issues/CORS-949