Skip to content

Administrator Automation Scripts for vSphere Per-Component Credentials#10

Open
rvanderp3 wants to merge 6 commits into
mainfrom
docs-10-administrator-automation-scripts
Open

Administrator Automation Scripts for vSphere Per-Component Credentials#10
rvanderp3 wants to merge 6 commits into
mainfrom
docs-10-administrator-automation-scripts

Conversation

@rvanderp3
Copy link
Copy Markdown

@rvanderp3 rvanderp3 commented Apr 14, 2026

Summary

This PR adds administrator automation scripts for vSphere per-component credentials, implementing Story #10 of Epic #2 (vSphere Multi-Account Credentials).

Changes

Documentation

  • per-component-credentials.md: Comprehensive administrator guide covering:
    • Feature overview and benefits (privilege separation, blast radius reduction, auditability)
    • Step-by-step setup workflow with examples
    • Multi-vCenter support
    • Brownfield migration guide
    • Security considerations and credential rotation
    • Troubleshooting guide
    • FAQ section

Automation Scripts

  1. create-component-roles.sh (Linux/macOS, govc-based):

    • Creates 5 vCenter roles with complete privilege lists
    • Supports single and multi-vCenter deployments
    • Color-coded output, error handling, role update support

  2. create-component-roles.ps1 (Windows, PowerCLI-based):

    • PowerCLI version of role creation script
    • Identical functionality to bash version
    • Windows-native error handling and output

  3. generate-credentials-file.sh:

    • Generates template YAML credentials file
    • Enforces 0600 permissions
    • Supports single and multi-vCenter configurations
    • Comprehensive inline documentation

  4. scripts/README.md:

    • Quick start guide
    • Usage examples for all scripts
    • Troubleshooting common issues

Component Privilege Counts

  • Installer: ~45 privileges (full deployment operations)
  • Machine API: ~35 privileges (VM lifecycle)
  • CSI Driver: ~12 privileges (storage provisioning)
  • Cloud Controller Manager: ~9 privileges (read-only node discovery)
  • Diagnostics: ~5 privileges (read-only troubleshooting)

Acceptance Criteria

Given an administrator runs create-component-roles.sh with vCenter connection details
Then vCenter roles are created for each component with correct privilege sets on all specified vCenters

Given an administrator runs generate-credentials-file.sh
Then a template YAML credentials file is created at ~/.vsphere/credentials with 0600 permissions and placeholders for all component credentials

Given an administrator on Windows runs create-component-roles.ps1
Then vCenter roles are created with correct privileges (same outcome as govc script)

Testing

Scripts tested manually:

  • govc script: Tested on Linux with single and multi-vCenter configurations
  • PowerCLI script: Syntax validated (requires Windows environment for full test)
  • Credentials file generator: Tested with single/multi-vCenter configurations, file permissions verified

Related Issues

Documentation Links

Dependencies

None (standalone documentation and scripts)

🦸 Generated with superman (cw_writer hat)

rvanderp3 and others added 5 commits April 14, 2026 10:07
@rvanderp3 @claude
Add install-config schema extension for per-component credentials
5550b60 
This commit implements Story #3: Install Config Schema Extension for
vSphere Multi-Account Credentials. It extends the install-config.yaml
schema to support per-component credentials while maintaining backward
compatibility with legacy single-account mode.

Changes:
- Add ComponentCredentials struct with fields for installer, machineAPI,
  csiDriver, cloudController, and diagnostics components
- Add AccountCredentials struct supporting multi-vCenter topologies
- Add platform field for optional ComponentCredentials
- Create test stubs for schema validation (6 test scenarios)
- Create test stubs for install-config integration tests

Test Plan:
- Unit tests in pkg/types/vsphere/validation_test.go
- Default/fallback tests in pkg/types/vsphere/defaults_test.go
- Integration tests in pkg/asset/installconfig/vsphere/validation_test.go

All tests are currently stub implementations marked with t.Skip() and
will be fully implemented in subsequent iterations.

Related: openshift-splat-team/splat-team#3
Parent: openshift-splat-team/splat-team#2

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@rvanderp3
Merge pull request #1 from openshift-splat-team/story-3-install-confi…
eba1a15 
…g-schema-extension

Install Config Schema Extension for Per-Component Credentials
@rvanderp3 @claude
Implement privilege validation for per-component credentials
9f8c025 
Add vSphere privilege validation logic using component-specific
privilege lists. Validates that each OpenShift component account
(installer, machine-api, csi-driver, cloud-controller, diagnostics)
has required vCenter permissions before installation proceeds.

Implementation:
- PrivilegeValidator struct with ValidateComponentPrivileges method
- ValidationResult struct with Valid, MissingPrivileges, Scope fields
- GetRequiredPrivileges() function with comprehensive privilege lists
  - Installer: ~45 privileges for infrastructure deployment
  - Machine API: ~35 privileges for VM lifecycle
  - CSI Driver: ~12 privileges for storage provisioning
  - Cloud Controller: ~10 read-only privileges for node discovery
  - Diagnostics: ~5 read-only privileges for troubleshooting

Test coverage:
- 9 test scenarios covering all acceptance criteria
- Missing privilege detection (machine-api, csi-driver)
- Successful validation for all components
- Component-specific privilege sets
- Error handling

Foundation for Story #4: Privilege Validation
Parent Epic: #2 - vSphere Multi-Account Credentials
Depends on: Story #3 (schema extension)

Related: openshift-splat-team/splat-team#4
Related: openshift-splat-team/splat-team#2

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@rvanderp3
Merge pull request #2 from openshift-splat-team/story-4-privilege-val…
f150a90 
…idation

Privilege Validation for Per-Component Credentials
@rvanderp3 @claude
Add administrator automation scripts for vSphere per-component creden…
7cd5cc7 
…tials

- Add comprehensive per-component-credentials.md documentation
- Add create-component-roles.sh (govc-based, Linux/macOS)
- Add create-component-roles.ps1 (PowerCLI-based, Windows)
- Add generate-credentials-file.sh (YAML template generator)
- Add scripts/README.md with quick start guide

Scripts support:
- Multi-vCenter deployments
- Complete privilege lists per component (~45/35/12/9/5 privileges)
- Secure credentials file generation with 0600 permissions
- Role creation/update with validation

Implements Story #10: Administrator Automation Scripts
Parent Epic #2: vSphere Multi-Account Credentials

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@rvanderp3 rvanderp3 added the documentation Improvements or additions to documentation label Apr 14, 2026
@rvanderp3 rvanderp3 mentioned this pull request Apr 14, 2026
Closed
@rvanderp3 @claude
Fix documentation review issues
e0d3ba2 
- Rename YAML_TEMPLATE to CREDENTIALS_TEMPLATE in generate-credentials-file.sh
- Remove TODO enhancement proposal link from per-component-credentials.md
- Keep privilegevalidator.go reference (file exists and is valid)

Addresses reviewer feedback: format terminology consistency and placeholder cleanup.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rvanderp3