Conversation
Please update the title and add the JIRA link to the commit message.
IMO, it's better to split this change into two PRs: fip and trust.
update image tag and support machinedeployment.clusters.x-k8s.io/fip: enable annotation jira:EAS-109332
update use trust openstack auth jira:EAS-109331
chestack left a comment
How about adding fip options to the openstackmachine spec?
There are a few questions about the use of trust.
```go
	// ClientKeyFile a path to a client key to use as part of the SSL
	// transaction.
	ClientKeyFile string `yaml:"key,omitempty" json:"key,omitempty"`
}
```
Can't this reuse the type Cloud struct {} from "github.com/gophercloud/utils/openstack/clientconfig"?
> How about adding fip options to the openstackmachine spec?

Add the annotation machinedeployment.clusters.x-k8s.io/fip: "enable" to the machine deployment, and it works for openstackmachine.
> There are a few questions about the use of trust.

1. When is the trust created? In Magnum, the trust is created when the cluster is created.
2. Because tokens expire and passwords get changed, the trust is used to solve the problem of later access to the OpenStack API. The main scenario is use by the cloud provider:

```
[root@zxy-clustern0 ~]# cat /etc/kubernetes/cloud-config
[Global]
auth-url=http://keystone.openstack.svc.cluster.local:80/v3
user-id=d8431d5559f54edd8dc31811921ae6d6
password=4wmU2NG4PAFAz7vN89
trust-id=8d4b24f9cbc047e2bd4370d4d3d5a2fd
ca-file=/etc/kubernetes/ca-bundle.crt
region=RegionOne
[LoadBalancer]
use-octavia=True
subnet-id=
floating-network-id=
create-monitor=yes
monitor-delay=1m
monitor-timeout=30s
monitor-max-retries=3
[BlockStorage]
bs-version=v2
ignore-volume-az=True
```

There is currently no logic that creates the trust. If it is needed, it has to be added in CAPI, i.e. the trust user needs to be created when the cluster resource is created.

The authentication here is about authenticating as the trust user when creating the VMs. The cloud-config inside the master VMs is generated from the content under spec.files of the KubeadmControlPlane resource, and for the worker VMs from the content under template.spec.files of the KubeadmConfigTemplate. When the configuration is generated with the clusterctl command-line tool, it injects this for us, but here we should assemble this configuration ourselves, base64-encode it and fill it in there.
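The manual assembly the reply above describes, rendering the cloud-config and base64-encoding it into a files: entry for the kubeadm bootstrap config, as an added example in Go. This is not the PR's code or cluster-api's: the TrustCreds and KubeadmFile types, the file path, owner and permissions, and the sample values are assumptions made for this illustration, and only the [Global] section of the thread's sample is rendered.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TrustCreds holds the [Global] values from the thread's cloud-config that the
// cloud provider needs to authenticate through the trust.
type TrustCreds struct {
	AuthURL, UserID, Password, TrustID, CAFile, Region string
}

// RenderCloudConfig writes the [Global] section in the key=value form shown in the
// thread. The LoadBalancer and BlockStorage sections are site-specific and are left
// to the caller to append.
func RenderCloudConfig(c TrustCreds) (string, error) {
	if c.AuthURL == "" || c.UserID == "" || c.Password == "" || c.TrustID == "" {
		return "", errors.New("auth-url, user-id, password and trust-id are all required")
	}
	var b strings.Builder
	b.WriteString("[Global]\n")
	fmt.Fprintf(&b, "auth-url=%s\n", c.AuthURL)
	fmt.Fprintf(&b, "user-id=%s\n", c.UserID)
	fmt.Fprintf(&b, "password=%s\n", c.Password)
	fmt.Fprintf(&b, "trust-id=%s\n", c.TrustID)
	if c.CAFile != "" {
		fmt.Fprintf(&b, "ca-file=%s\n", c.CAFile)
	}
	if c.Region != "" {
		fmt.Fprintf(&b, "region=%s\n", c.Region)
	}
	return b.String(), nil
}

// KubeadmFile mirrors a files: entry of the kubeadm bootstrap config (the spec.files /
// template.spec.files lists the thread refers to). Field names follow the CAPI
// bootstrap API as assumed for this example.
type KubeadmFile struct {
	Path        string `json:"path"`
	Owner       string `json:"owner,omitempty"`
	Permissions string `json:"permissions,omitempty"`
	Encoding    string `json:"encoding,omitempty"`
	Content     string `json:"content"`
}

// CloudConfigFile assembles the entry the thread says has to be filled in by hand
// when clusterctl is not doing the injection: render, base64-encode, attach metadata.
func CloudConfigFile(c TrustCreds) (KubeadmFile, error) {
	ini, err := RenderCloudConfig(c)
	if err != nil {
		return KubeadmFile{}, err
	}
	return KubeadmFile{
		Path:        "/etc/kubernetes/cloud-config",
		Owner:       "root:root",
		Permissions: "0600", // the file carries a password: keep it readable by root only
		Encoding:    "base64",
		Content:     base64.StdEncoding.EncodeToString([]byte(ini)),
	}, nil
}

// DecodeContent reverses the encoding, which is how you check what will land on the node.
func DecodeContent(f KubeadmFile) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(f.Content)
	return string(raw), err
}

func main() {
	// Constructed values; the IDs are placeholders, not the ones from the thread.
	f, err := CloudConfigFile(TrustCreds{
		AuthURL: "http://keystone.openstack.svc.cluster.local:80/v3",
		UserID:  "trustee-user-id", Password: "placeholder", TrustID: "trust-id",
		CAFile:  "/etc/kubernetes/ca-bundle.crt", Region: "RegionOne",
	})
	if err != nil {
		panic(err)
	}
	js, _ := json.MarshalIndent(f, "", "  ")
	fmt.Println(string(js))
}
```

The printed JSON is what goes into the files: list of the KubeadmControlPlane and KubeadmConfigTemplate (Kubernetes accepts JSON or YAML for the same object); decoding the content back is the quickest way to confirm that the trust-id actually made it onto the node.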
> Can't this reuse the type Cloud struct {} from "github.com/gophercloud/utils/openstack/clientconfig"?

The AuthInfo in the type Cloud struct {} from "github.com/gophercloud/utils/openstack/clientconfig" does not include the trust id by default. I added it, use NewCloud in the outer layer, and use the presence or absence of this field to decide the authentication method. With only the original cloud struct I cannot parse the trust information, which should live under auth, so that probably won't work.
Example

- now

```
[root@node-3 ~]# cat cloud_config.yaml
clouds:
  test-trust:
    identity_api_version: 3
    auth:
      auth_url: http://keystone.openstack.svc.cluster.local/v3
      user_id: 8b924ec3792b452987cff3cadd44d35f
      password: tocn8v4JbjT8AuJx8D
      trust_id: 63b279acae8e46fe8c3a5f7384147935
    region_name: RegionOne
```

- before

```
clouds:
  test:
    identity_api_version: 3
    auth:
      auth_url: http://keystone.openstack.svc.cluster.local/v3
      project_domain_name: Default
      user_domain_name: Default
      project_name: admin
      username: admin
      password: test@passw0rd
    region_name: RegionOne
```
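The rule the reply above describes, the presence of trust_id under auth deciding the authentication method, shown as an added example in Go together with what that decision changes in the Keystone v3 token request. This is not the PR's code or gophercloud's: the AuthInfo and Cloud structs, the selection check and the request builder are written for this illustration, the struct tag names are assumed to match gophercloud/utils clientconfig, and the two sample clouds are the thread's "before" and "now" entries with placeholder passwords (constructed here). The OS-TRUST:trust scope object is the Keystone v3 API's trust scope.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// AuthInfo mirrors the auth: section of a clouds.yaml entry. TrustID is the field the thread
// adds; other names/tags are assumed to match gophercloud/utils clientconfig (illustration only).
type AuthInfo struct {
	AuthURL           string `yaml:"auth_url" json:"auth_url"`
	Username          string `yaml:"username" json:"username"`
	UserID            string `yaml:"user_id" json:"user_id"`
	Password          string `yaml:"password" json:"password"`
	ProjectName       string `yaml:"project_name" json:"project_name"`
	ProjectDomainName string `yaml:"project_domain_name" json:"project_domain_name"`
	UserDomainName    string `yaml:"user_domain_name" json:"user_domain_name"`
	TrustID           string `yaml:"trust_id" json:"trust_id"`
}

// Cloud is one entry under clouds:.
type Cloud struct {
	AuthInfo *AuthInfo `yaml:"auth" json:"auth"`
}

type AuthMethod string

const (
	MethodPassword AuthMethod = "password, project scope"
	MethodTrust    AuthMethod = "password, trust scope"
)

// SelectAuthMethod applies the thread's rule: a non-empty trust_id means a trust-scoped token,
// otherwise a project-scoped password token. It fails closed instead of guessing a scope.
func SelectAuthMethod(c Cloud) (AuthMethod, error) {
	a := c.AuthInfo
	if a == nil || a.AuthURL == "" || a.Password == "" || (a.UserID == "" && a.Username == "") {
		return "", errors.New("auth needs auth_url, password and user_id or username")
	}
	if a.TrustID != "" {
		// A token request carries exactly one scope, so trust_id next to project_name is refused.
		if a.ProjectName != "" {
			return "", errors.New("auth.trust_id and auth.project_name are mutually exclusive")
		}
		return MethodTrust, nil
	}
	if a.ProjectName == "" {
		return "", errors.New("auth.project_name is required for a project-scoped token")
	}
	return MethodPassword, nil
}

// BuildTokenRequest renders the body of POST /v3/auth/tokens for the chosen method;
// the trust case uses Keystone's OS-TRUST:trust scope object.
func BuildTokenRequest(c Cloud) (map[string]interface{}, error) {
	method, err := SelectAuthMethod(c)
	if err != nil {
		return nil, err
	}
	a := c.AuthInfo
	user := map[string]interface{}{"password": a.Password}
	if a.UserID != "" {
		user["id"] = a.UserID
	} else {
		user["name"] = a.Username
		user["domain"] = map[string]string{"name": a.UserDomainName}
	}
	scope := map[string]interface{}{"project": map[string]interface{}{
		"name": a.ProjectName, "domain": map[string]string{"name": a.ProjectDomainName}}}
	if method == MethodTrust {
		scope = map[string]interface{}{"OS-TRUST:trust": map[string]string{"id": a.TrustID}}
	}
	return map[string]interface{}{"auth": map[string]interface{}{
		"identity": map[string]interface{}{"methods": []string{"password"},
			"password": map[string]interface{}{"user": user}},
		"scope": scope,
	}}, nil
}

// SampleClouds returns the thread's "before" (test) and "now" (test-trust) entries as they
// would decode from clouds.yaml, with placeholder secrets (constructed for this example).
func SampleClouds() map[string]Cloud {
	url := "http://keystone.openstack.svc.cluster.local/v3"
	return map[string]Cloud{
		"test": {AuthInfo: &AuthInfo{AuthURL: url, ProjectDomainName: "Default",
			UserDomainName: "Default", ProjectName: "admin", Username: "admin", Password: "placeholder"}},
		"test-trust": {AuthInfo: &AuthInfo{AuthURL: url, UserID: "8b924ec3792b452987cff3cadd44d35f",
			Password: "placeholder", TrustID: "63b279acae8e46fe8c3a5f7384147935"}},
	}
}

func main() {
	for name, c := range SampleClouds() {
		body, err := BuildTokenRequest(c)
		if err != nil {
			panic(err)
		}
		js, _ := json.MarshalIndent(body, "", "  ")
		fmt.Printf("%s: %s\n", name, js)
	}
}
```

Two things worth keeping from this when wiring the real clientconfig struct: the trust case must not also send a project scope (Keystone takes one scope per request, and the trust already fixes the project), and a missing auth: section should surface as a configuration error rather than a nil dereference when the TrustID field is read.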
```go
		Rt: provider.HTTPClient.Transport,
		Logger: &defaultLogger{},
	}
	if cloud.AuthInfo.TrustID!="" {
```
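Review bot: `if cloud.AuthInfo.TrustID!="" {` is not gofmt-formatted (no spaces around `!=`); run gofmt before pushing so the lint job does not trip on this line. If AuthInfo stays a pointer in the extended Cloud struct, as it is in the upstream clientconfig type, also check it is non-nil before reading TrustID here, otherwise a clouds.yaml entry without an auth: section panics instead of returning a configuration error.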
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged):
Fixes #
Special notes for your reviewer:
TODOs:
/hold