GCP: populate encryption values into tf and machines #4397
openshift-merge-robot merged 3 commits into openshift:master from
|
|
||
| var encryptionKey *gcpprovider.GCPEncryptionKeyReference | ||
|
|
||
| if mpool.OSDisk.EncryptionKey != nil { |
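Review bot: because OSDisk.EncryptionKey cannot be the provider type directly, this branch copies the reference into the provider type field by field inside `if mpool.OSDisk.EncryptionKey != nil {`; a small table-driven test next to machines.go covering the nil case (the machine spec carries no encryption key) and the populated case (every field, KMSKeyServiceAccount included, arrives on the provider spec) would stop the two types from drifting apart silently when a field is added on either side.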
Is there a reason that OSDisk.EncryptionKey can't just be an imported type from the GCP provider? That should allow us to do a straight assignment here.
Yeah. OSDisk.EncryptionKey is defined in the types package, which represents the installer API, so we try to keep it free of external dependencies considering other projects import the types package.
| "github.com/openshift/installer/pkg/types" | ||
| ) | ||
|
|
||
| const ( |
Maybe this belongs in GCP provider in a util package?
| return json.MarshalIndent(cfg, "", " ") | ||
| } | ||
|
|
||
| func generateDiskEncryptionKeyLink(keyRef *gcpprovider.GCPEncryptionKeyReference, projectID string) string { |
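Review bot: generateDiskEncryptionKeyLink takes keyRef as a pointer, but nothing in the signature says what a nil keyRef produces; since the caller only builds the reference when mpool.OSDisk.EncryptionKey != nil, either guard at the top (`if keyRef == nil { return "" }`) or document that callers must check first. A doc comment stating the self-link format the function returns and what projectID is for (presumably the fallback when the key reference names no project) would also help whoever moves this into a util package later.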
Maybe this belongs in GCP provider in a util package?
To echo our conversation on slack, I would handle this in terraform:
- create a type for the key similar to Auth in TFVars and pass the values in that way
- conditionally create the self link variable (or null value therein) with logic similar to BYO networking: https://github.com/openshift/installer/blob/master/data/data/gcp/network/common.tf
I'm also fine with this approach and think it's OK to have this logic live here.
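The helper discussed in this thread, written out as an added example that is not the installer's own code: it builds the KMS key self link from a key reference, treats a nil reference as "no customer-managed key", refuses to emit a link with an empty component, and shows how a nil pointer in the TFVars struct omits the variable from the JSON so Terraform's `default = null` takes over. The kmsKeyRef field names and the fallback to projectID are assumptions, not the provider's type.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// kmsKeyRef stands in for a KMS key reference (assumed fields, not the installer's type).
type kmsKeyRef struct {
	ProjectID, Location, KeyRing, Name string
}

// tfVars mirrors the new variable; nil plus omitempty omits it, so Terraform uses `default = null`.
type tfVars struct {
	RootVolumeKMSKeyLink *string `json:"gcp_root_volume_kms_key_link,omitempty"`
}

// diskEncryptionKeyLink builds projects/P/locations/L/keyRings/R/cryptoKeys/K.
// nil yields "" (no customer-managed key); a missing project falls back to
// projectID; any other empty component is an error, not a malformed link.
func diskEncryptionKeyLink(ref *kmsKeyRef, projectID string) (string, error) {
	if ref == nil {
		return "", nil
	}
	project := ref.ProjectID
	if project == "" {
		project = projectID
	}
	for _, p := range []string{project, ref.Location, ref.KeyRing, ref.Name} {
		if p == "" {
			return "", fmt.Errorf("incomplete KMS key reference %+v", *ref)
		}
	}
	return fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
		project, ref.Location, ref.KeyRing, ref.Name), nil
}
// tfVarsJSON renders the tfvars fragment; an empty link leaves the pointer nil.
func tfVarsJSON(link string) (string, error) {
	var v tfVars
	if link != "" {
		v.RootVolumeKMSKeyLink = &link
	}
	b, err := json.MarshalIndent(v, "", "  ")
	return string(b), err
}
func main() { // constructed input: key ring in the cluster project, project unset
	link, err := diskEncryptionKeyLink(&kmsKeyRef{Location: "us-central1", KeyRing: "ring", Name: "disk"}, "my-proj")
	out, _ := tfVarsJSON(link)
	fmt.Println(link, err, out)
}
```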
pkg/asset/machines/gcp/machines.go
Outdated
| } else { | ||
| encryptionKey = nil | ||
| } |
The else block is unnecessary.
| root_volume_type = var.gcp_master_root_volume_type | ||
| root_volume_size = var.gcp_master_root_volume_size | ||
| root_volume_type = var.gcp_master_root_volume_type | ||
| root_volume_kms_key_link = var.gcp_root_volume_kms_key_link |
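Review bot: `root_volume_type = var.gcp_master_root_volume_type` appears twice in this module block as rendered (first and third lines of the hunk); unless that is an artefact of the diff view, one copy should be dropped, because Terraform rejects an argument that is set twice in the same block. The new `root_volume_kms_key_link = var.gcp_root_volume_kms_key_link` line is only wired into this master module; the bootstrap module block needs the same argument so the bootstrap disk is encrypted with the same key.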
Need to add this to the "bootstrap" module, too.
Is that not done as the change in data/data/gcp/bootstrap/main.tf, or does that need to go into data/data/bootstrap somewhere?
In /data/data/gcp/main.tf as linked above. It is currently only passing the variable from main to master, but needs to do the same for bootstrap.
patrickdillon
left a comment
Left a few comments, but this looks really good to me.
pkg/asset/machines/gcp/machines.go
Outdated
| KMSKeyServiceAccount: mpool.OSDisk.EncryptionKey.KMSKeyServiceAccount, | ||
| } | ||
| } else { | ||
| encryptionKey = nil |
nit: not sure this is necessary (should already be nil). If you want to leave it in, moving it out of else and before if would be more concise.
This shouldn't be needed as var encryptionKey *gcpprovider.GCPEncryptionKeyReference above the if makes it nil anyway.
data/data/gcp/bootstrap/variables.tf
Outdated
|
|
||
| variable "root_volume_kms_key_link" { | ||
| type = string | ||
| description = "The GCP self link of KMS key to encrypt the volume" |
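Review bot: `root_volume_kms_key_link` is declared here with a type and description but no default, so the bootstrap module fails to plan whenever the caller omits it; since the key is optional (machines.go only builds the reference when mpool.OSDisk.EncryptionKey != nil), add `default = null` so an unset key yields no customer-managed key rather than a hard error. The same applies to the master and top-level declarations of this variable, and the description should end with a period.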
nit: missing period.
data/data/gcp/master/variables.tf
Outdated
|
|
||
| variable "root_volume_kms_key_link" { | ||
| type = string | ||
| description = "The GCP self link of KMS key to encrypt the volume" |
data/data/gcp/variables-gcp.tf
Outdated
|
|
||
| variable "gcp_root_volume_kms_key_link" { | ||
| type = string | ||
| description = "The GCP self link of KMS key to encrypt the volume" |
/test e2e-gcp
data/data/gcp/master/variables.tf
Outdated
| variable "root_volume_kms_key_link" { | ||
| type = string | ||
| description = "The GCP self link of KMS key to encrypt the volume" | ||
| default = null |
column alignment is off and causing tf-fmt to fail
| variable "gcp_root_volume_kms_key_link" { | ||
| type = string | ||
| description = "The GCP self link of KMS key to encrypt the volume" | ||
| default = null |
column alignment is off and causing tf-fmt to fail
column alignment is off and causing tf-fmt to fail
weird, tf-fmt seems to be suggesting different alignment for this file than the other two:
https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/4397/pull-ci-openshift-installer-master-tf-fmt/1329497726143959040/build-log.txt
data/data/gcp/bootstrap/variables.tf
Outdated
| variable "root_volume_kms_key_link" { | ||
| type = string | ||
| description = "The GCP self link of KMS key to encrypt the volume" | ||
| default = null |
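Review bot: with `default = null` added, this variable is optional at the bootstrap module boundary, which means a missing pass-through from data/data/gcp/main.tf no longer fails the plan but silently leaves the bootstrap disk on a Google-managed key; worth confirming that the module call passes var.gcp_root_volume_kms_key_link into bootstrap as well as master, and ideally exercising it in the e2e-gcp run with a key set.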
column alignment is off and causing tf-fmt to fail
I would pull the missing dependencies into this PR in two separate commits: one commit for your changes and a separate one for the vendored files.
@patrickdillon I've fixed all of the comments that were left (I believe) on this branch master...JoelSpeed:gcp-encrypt I've also added a commit for the missing dependencies as requested. I didn't do anything for this one (https://github.com/openshift/installer/pull/4397/files#r527187850) as it seemed there wasn't a strong preference to change it. Mike is out today and has suggested he will be out all week, I wondered if you could give my branch a check over and, if that's looking good, I could squash my fixups into his commit, open a new PR and we can merge that one while he is out, WDYT? Trying to give this PR as much time to soak in QE as possible
The branch in general looks good. I don't have approval rights at this level, so I can't push this through. @staebler is out until Monday. I would recommend just opening a PR and getting everything to pass so it could be ready to go on Monday. If you think it's really important to get it in ASAP we can try to coordinate an approve with @sdodson's help.
823aef4 to 11ae34a
/retest
@michaelgugino The dependency mess has finally merged. This PR needs another rebase.
This commit ensures encryption values are properly populated into terraform and machines/machinesets.
f9a4267 to 50d34a0
staebler
left a comment
/lgtm
/approve
/label tide/merge-method-squash
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: staebler
/test e2e-gcp
/retest Please review the full test history for this PR and help us cut down flakes.
@michaelgugino: The following tests failed, say
The GCP install succeeded in the latest e2e-gcp test.
All the changes in this PR are in GCP-specific files. /override ci/prow/e2e-aws
@staebler: Overrode contexts on behalf of staebler: ci/prow/e2e-aws