VSphere: Provider Credentials

Creates a credentials request to retrieve VSphere creds. Update provider to expect credentials in required format: https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/k8s-secret.html
openshift · Jan 24, 2020 · cf42b0c · cf42b0c
1 parent 5aec132
commit cf42b0c
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 40 deletions.
diff --git a/pkg/controller/vsphere/machine_scope.go b/pkg/controller/vsphere/machine_scope.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	machinev1 "github.com/openshift/machine-api-operator/pkg/apis/machine/v1beta1"
-	apivshpere "github.com/openshift/machine-api-operator/pkg/apis/vsphereprovider/v1alpha1"
+	apivsphere "github.com/openshift/machine-api-operator/pkg/apis/vsphereprovider/v1alpha1"
 	machineapierros "github.com/openshift/machine-api-operator/pkg/controller/machine"
 	"github.com/openshift/machine-api-operator/pkg/controller/vsphere/session"
 	"github.com/pkg/errors"
@@ -16,9 +16,7 @@ import (
 )
 
 const (
-	userDataSecretKey         = "userData"
-	credentialsSecretUser     = "user"
-	credentialsSecretPassword = "password"
+	userDataSecretKey = "userData"
 )
 
 // machineScopeParams defines the input parameters used to create a new MachineScope.
@@ -37,8 +35,8 @@ type machineScope struct {
 	client runtimeclient.Client
 	// machine resource
 	machine            *machinev1.Machine
-	providerSpec       *apivshpere.VSphereMachineProviderSpec
-	providerStatus     *apivshpere.VSphereMachineProviderStatus
+	providerSpec       *apivsphere.VSphereMachineProviderSpec
+	providerStatus     *apivsphere.VSphereMachineProviderStatus
 	machineToBePatched runtimeclient.Patch
 }
 
@@ -49,12 +47,12 @@ func newMachineScope(params machineScopeParams) (*machineScope, error) {
 		return nil, fmt.Errorf("%v: machine scope require a context", params.machine.GetName())
 	}
 
-	providerSpec, err := apivshpere.ProviderSpecFromRawExtension(params.machine.Spec.ProviderSpec.Value)
+	providerSpec, err := apivsphere.ProviderSpecFromRawExtension(params.machine.Spec.ProviderSpec.Value)
 	if err != nil {
 		return nil, machineapierros.InvalidMachineConfiguration("failed to get machine config: %v", err)
 	}
 
-	providerStatus, err := apivshpere.ProviderStatusFromRawExtension(params.machine.Status.ProviderStatus)
+	providerStatus, err := apivsphere.ProviderStatusFromRawExtension(params.machine.Status.ProviderStatus)
 	if err != nil {
 		return nil, machineapierros.InvalidMachineConfiguration("failed to get machine provider status: %v", err.Error())
 	}
@@ -88,7 +86,7 @@ func newMachineScope(params machineScopeParams) (*machineScope, error) {
 func (s *machineScope) PatchMachine() error {
 	klog.V(3).Infof("%v: patching machine", s.machine.GetName())
 
-	providerStatus, err := apivshpere.RawExtensionFromProviderStatus(s.providerStatus)
+	providerStatus, err := apivsphere.RawExtensionFromProviderStatus(s.providerStatus)
 	if err != nil {
 		return machineapierros.InvalidMachineConfiguration("failed to get machine provider status: %v", err.Error())
 	}
@@ -139,21 +137,7 @@ func (s *machineScope) GetUserData() ([]byte, error) {
 	return userData, nil
 }
 
-// This is a temporary assumption to expose credentials as a secret
-// TODO: re-evaluate this when is clear how the credentials are exposed
-// for us to consume
-//
-// expects:
-//apiVersion: v1
-//kind: Secret
-//metadata:
-//  name: vsphere
-//  namespace: openshift-machine-api
-//type: Opaque
-//data:
-//  user: base64 string
-//  password: base64 string
-func getCredentialsSecret(client runtimeclient.Client, namespace string, spec apivshpere.VSphereMachineProviderSpec) (string, string, error) {
+func getCredentialsSecret(client runtimeclient.Client, namespace string, spec apivsphere.VSphereMachineProviderSpec) (string, string, error) {
 	if spec.CredentialsSecret == nil {
 		return "", "", nil
 	}
@@ -169,6 +153,9 @@ func getCredentialsSecret(client runtimeclient.Client, namespace string, spec ap
 		return "", "", fmt.Errorf("error getting credentials secret %v/%v: %v", namespace, spec.CredentialsSecret.Name, err)
 	}
 
+	credentialsSecretUser := spec.Workspace.Server + ".username"
+	credentialsSecretPassword := spec.Workspace.Server + ".password"
+
 	user, exists := credentialsSecret.Data[credentialsSecretUser]
 	if !exists {
 		return "", "", machineapierros.InvalidMachineConfiguration("secret %v/%v does not have %q field set", namespace, spec.CredentialsSecret.Name, credentialsSecretUser)

diff --git a/pkg/controller/vsphere/machine_scope_test.go b/pkg/controller/vsphere/machine_scope_test.go
@@ -139,6 +139,9 @@ func TestGetUserData(t *testing.T) {
 func TestGetCredentialsSecret(t *testing.T) {
 	expectedUser := "user"
 	expectedPassword := "password"
+	expectedServer := "test-server"
+	expectedCredentialsSecretUsername := expectedServer + ".username"
+	expectedCredentialsSecretPassword := expectedServer + ".password"
 	testCases := []struct {
 		testCase          string
 		secret            *corev1.Secret
@@ -154,14 +157,17 @@ func TestGetCredentialsSecret(t *testing.T) {
 					Namespace: TestNamespace,
 				},
 				Data: map[string][]byte{
-					credentialsSecretUser:     []byte(expectedUser),
-					credentialsSecretPassword: []byte(expectedPassword),
+					expectedCredentialsSecretUsername: []byte(expectedUser),
+					expectedCredentialsSecretPassword: []byte(expectedPassword),
 				},
 			},
 			providerSpec: &apivsphere.VSphereMachineProviderSpec{
 				CredentialsSecret: &corev1.LocalObjectReference{
 					Name: "test",
 				},
+				Workspace: &apivsphere.Workspace{
+					Server: expectedServer,
+				},
 			},
 			expectCredentials: true,
 		},
@@ -173,8 +179,8 @@ func TestGetCredentialsSecret(t *testing.T) {
 					Namespace: TestNamespace,
 				},
 				Data: map[string][]byte{
-					credentialsSecretUser:     []byte(expectedUser),
-					credentialsSecretPassword: []byte(expectedPassword),
+					expectedCredentialsSecretUsername: []byte(expectedUser),
+					expectedCredentialsSecretPassword: []byte(expectedPassword),
 				},
 			},
 			providerSpec: &apivsphere.VSphereMachineProviderSpec{
@@ -192,8 +198,8 @@ func TestGetCredentialsSecret(t *testing.T) {
 					Namespace: TestNamespace,
 				},
 				Data: map[string][]byte{
-					"badUserKey":              []byte(expectedUser),
-					credentialsSecretPassword: []byte(expectedPassword),
+					"badUserKey":                      []byte(expectedUser),
+					expectedCredentialsSecretPassword: []byte(expectedPassword),
 				},
 			},
 			providerSpec: &apivsphere.VSphereMachineProviderSpec{
@@ -211,8 +217,8 @@ func TestGetCredentialsSecret(t *testing.T) {
 					Namespace: TestNamespace,
 				},
 				Data: map[string][]byte{
-					credentialsSecretUser: []byte(expectedUser),
-					"badPasswordKey":      []byte(expectedPassword),
+					expectedCredentialsSecretUsername: []byte(expectedUser),
+					"badPasswordKey":                  []byte(expectedPassword),
 				},
 			},
 			providerSpec: &apivsphere.VSphereMachineProviderSpec{
@@ -230,8 +236,8 @@ func TestGetCredentialsSecret(t *testing.T) {
 					Namespace: TestNamespace,
 				},
 				Data: map[string][]byte{
-					credentialsSecretUser:     []byte(expectedUser),
-					credentialsSecretPassword: []byte(expectedPassword),
+					expectedCredentialsSecretUsername: []byte(expectedUser),
+					expectedCredentialsSecretPassword: []byte(expectedPassword),
 				},
 			},
 			providerSpec:      &apivsphere.VSphereMachineProviderSpec{},
@@ -274,8 +280,8 @@ func TestPatchMachine(t *testing.T) {
 			Namespace: namespace,
 		},
 		Data: map[string][]byte{
-			credentialsSecretUser:     []byte(server.URL.User.Username()),
-			credentialsSecretPassword: []byte(password),
+			server.URL.Host + ".username": []byte(server.URL.User.Username()),
+			server.URL.Host + ".password": []byte(password),
 		},
 	}
 

diff --git a/pkg/controller/vsphere/reconciler_test.go b/pkg/controller/vsphere/reconciler_test.go
@@ -81,8 +81,8 @@ func TestClone(t *testing.T) {
 			Namespace: namespace,
 		},
 		Data: map[string][]byte{
-			credentialsSecretUser:     []byte(server.URL.User.Username()),
-			credentialsSecretPassword: []byte(password),
+			server.URL.Host + ".username": []byte(server.URL.User.Username()),
+			server.URL.Host + ".password": []byte(password),
 		},
 	}
 
@@ -695,8 +695,8 @@ func TestDelete(t *testing.T) {
 			Namespace: namespace,
 		},
 		Data: map[string][]byte{
-			credentialsSecretUser:     []byte(server.URL.User.Username()),
-			credentialsSecretPassword: []byte(password),
+			server.URL.Host + ".username": []byte(server.URL.User.Username()),
+			server.URL.Host + ".password": []byte(password),
 		},
 	}