🌱 Add OpenStackAuthenticationSucceeded condition #2985
Conversation
k8s-ci-robot
added
the
do-not-merge/hold
✅ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
k8s-ci-robot
added
cncf-cla: yes
|
Maybe a better name would be |
I do indeed think that
|
lentzi90
force-pushed
the
lentzi90/credentials-condition
branch
from
d6cabc9 to
8cbf7e4
Compare
I like this also! Changing :) |
lentzi90
force-pushed
the
lentzi90/credentials-condition
branch
from
8cbf7e4 to
290723e
Compare
lentzi90
changed the title
lentzi90
force-pushed
the
lentzi90/credentials-condition
branch
2 times, most recently
from
30ea69d to
9df7bdd
Compare
k8s-ci-robot
removed
the
do-not-merge/hold
|
/cc @mandre @bnallapeta |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Should we try to define a condition that is perhaps a little bit less specific? Do you think a more generic condition like |
|
Obviously, if we're using a condition that express "I can't connect to the cloud", we would need to change its status in more places. |
|
Hmm, yes it would be good to capture more issues, but I am not sure how much more we can do at this early stage. If the secret is missing or malformed, we get a reconciliation error here. Those errors are included in the message with the condition, so the user do get that information. When there are issues later on, it is usually quite hard to know if they are related to the credentials without parsing the error messages. I am hoping that we do set relevant conditions and messages in most places though. cluster-api-provider-openstack/controllers/openstackcluster_controller.go Lines 330 to 333 in 9e848d9 Sigh... we set no condition. |
|
Documenting findings from manual tests. I was wrong about how far we check the credentials when creating the scope. We do notice all kinds of issues here immediately, so that is really great. I'll still create an issue for adding a condition to that @mandre what do you think about these below? Are they good enough (at least as a first step)? Here is the condition for a cluster with non-existing credentials secret: status:
conditions:
- lastTransitionTime: "2026-01-29T11:05:25Z"
message: 'Failed to create OpenStack client scope: secrets "dev-test-cloud-config"
not found'
reason: OpenStackCredentialsFailed
severity: Error
status: "False"
type: OpenStackCredentialsAvailable
ready: falseThis I am quite happy with. It clearly shows which secret it is unhappy about and why. "OpenStack client scope" is perhaps not immediately understandable, but it avoids making assumptions about the kind of error we get. We cannot know if there is some parsing error or something else entirely going on so I think it is quite ok. Next, I created a secret with matching name but nonsense content. Then I got this: status:
conditions:
- lastTransitionTime: "2026-01-29T11:12:59Z"
message: 'Failed to create OpenStack client scope: OpenStack credentials secret
dev-test-cloud-config did not contain key clouds.yaml'
reason: OpenStackCredentialsFailed
severity: Error
status: "False"
type: OpenStackCredentialsAvailable
ready: falseThis is also really nice IMO! Then I did one with proper content but wrong clouds: spec:
identityRef:
cloudName: capo-e2e # <-- This does not exist in the clouds.yaml
name: dev-test-cloud-config
type: Secret
...
status:
conditions:
- lastTransitionTime: "2026-01-29T11:16:19Z"
message: 'Failed to create OpenStack client scope: auth option failed for cloud
: Missing input for argument [auth_url]'
reason: OpenStackCredentialsFailed
severity: Error
status: "False"
type: OpenStackCredentialsAvailable
ready: falseIt is looking for capo-e2e but it doesn't exist. Not the best error message, but I am not sure how to improve. Should we add extra validation somewhere? I think this is coming from gophercloud currently. Next, correct cloud entry except the password was wrong: status:
conditions:
- lastTransitionTime: "2026-01-29T11:21:47Z"
message: 'Failed to create OpenStack client scope: providerClient authentication
err: Expected HTTP response code [201 202] when accessing [POST http://10.0.3.15/identity/v3/auth/tokens],
but got 401 instead: {"error":{"code":401,"message":"The request you have made
requires authentication.","title":"Unauthorized"}}'
reason: OpenStackCredentialsFailed
severity: Error
status: "False"
type: OpenStackCredentialsAvailable
ready: falseQuite ok I would say. Finally, wrong URL: status:
conditions:
- lastTransitionTime: "2026-01-29T11:23:19Z"
message: 'Failed to create OpenStack client scope: providerClient authentication
err: Get "http://10.0.3.150/identity/": EOF'
reason: OpenStackCredentialsFailed
severity: Error
status: "False"
type: OpenStackCredentialsAvailable
ready: falseAlso ok IMO. All in all, I think this is a clear improvement. Before this PR we did not get any conditions at all. Users had to dig through logs. |
|
Thanks for manually checking the different cases. I believe this covers the most important ones indeed. I'd still rename the condition to |
|
Good point! I guess there is a little risk that authentication fails later, in the middle of operations. Then we probably would not be able to set this condition. But the next reconcile should handle that anyway so should be fine. I also realized now that we should check all other controllers and see if we can do the same there. This one is the most critical, but we could have different credentials per OpenStackMachine and those should also have conditions then. |
lentzi90
force-pushed
the
lentzi90/credentials-condition
branch
from
9df7bdd to
97c19ee
Compare
k8s-ci-robot
added
size/XL
lentzi90
left a comment
lentzi90
left a comment
There was a problem hiding this comment.
/hold
TODO: I should check if I can remove the //nolint comments now after renaming...
k8s-ci-robot
added
the
do-not-merge/hold
lentzi90
force-pushed
the
lentzi90/credentials-condition
branch
from
97c19ee to
4220771
Compare
|
@lentzi90 please update once this is ready for review. Thanks. |
lentzi90
changed the title
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
I forgot to mention that I didn't include OpenStackMachineTemplate here. It has no conditions at all yet and I didn't want to "mess with the API" just to add these conditions there also. I'll instead do a follow up PR where I add conditions there. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mandre The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
bnallapeta
left a comment
bnallapeta
left a comment
There was a problem hiding this comment.
Looks good in general. Pending those minor comments.
|
Thanks @bnallapeta ! Good findings! |
- Sets OpenStackAuthenticationSucceededCondition to True/False based on credential validity during reconciliation. - Adds tests for condition handling on credential errors and missing secrets. The condition is set for OpenStackCluster, OpenStackMachine, OpenStackServer and OpenStackFloatingIPPool. OpenStackMachineTemplate is currently missing conditions completely. These will be added separately. Signed-off-by: Lennart Jern <[email protected]>
lentzi90
force-pushed
the
lentzi90/credentials-condition
branch
from
4220771 to
36e4343
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
5 participants
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #2264
Special notes for your reviewer:
TODOs:
/hold