WIP: Add Azure VAP #321
WIP: Add Azure VAP #321
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| apiVersion: admissionregistration.k8s.io/v1beta1 | ||
| kind: ValidatingAdmissionPolicy | ||
| metadata: | ||
| name: openshift-cluster-api-protect-azureclusteridentities |
There was a problem hiding this comment.
I'm presuming this has to be it's own separate thing, and that it cannot be included in the VAP above by adding azureclusteridentities as a resource?
| apiVersion: config.openshift.io/v1 | ||
| kind: Infrastructure | ||
| validations: | ||
| - expression: '!(oldObject.metadata.name == params.status.infrastructureName)' |
There was a problem hiding this comment.
aware that this message isn't the most useful thing here - will update once I've tidied up a little
| parameterNotFoundAction: Deny | ||
| policyName: openshift-cluster-api-protect-azureclusteridentities | ||
| validationActions: | ||
| - Deny |
There was a problem hiding this comment.
do we want to include anything else that we don't want to be deleted, or are the cluster and the identity reference enough?
(ignore the lack of a new line, will fix:) )
|
/test ? |
|
@damdo: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@damdo: The specified target(s) for
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/retitle WIP: Add Azure VAP |
|
/test e2e-azure-capi-techpreview |
racheljpg
force-pushed
the
azureVAP
branch
2 times, most recently
from
c431373 to
37e035f
Compare
| matchConstraints: | ||
| resourceRules: | ||
| - apiGroups: | ||
| - infrastructure.cluster.x-k8s.io |
There was a problem hiding this comment.
This will need to match the apiGroup of a Secret, which is the core one.
racheljpg
force-pushed
the
azureVAP
branch
2 times, most recently
from
f5e6f18 to
13aa469
Compare
| message: InfraCluster resources with metadata.name corresponding to the cluster | ||
| infrastructureName cannot be deleted. | ||
| --- | ||
| apiVersion: admissionregistration.k8s.io/v1beta1 |
There was a problem hiding this comment.
Let's change all of these to v1, and make sure the syntax/fields are ok with v1
| validationActions: | ||
| - Deny | ||
| --- | ||
| apiVersion: admissionregistration.k8s.io/v1beta1 |
| @@ -11025,6 +11025,129 @@ data: | |||
| targetPort: webhook-server | |||
| selector: | |||
| cluster.x-k8s.io/provider: infrastructure-azure | |||
| --- | |||
| apiVersion: admissionregistration.k8s.io/v1beta1 | |||
| message: InfraCluster resources with metadata.name corresponding to the cluster | ||
| infrastructureName cannot be deleted. | ||
| --- | ||
| apiVersion: admissionregistration.k8s.io/v1beta1 |
| @@ -11023,3 +11023,126 @@ spec: | |||
| targetPort: webhook-server | |||
| selector: | |||
| cluster.x-k8s.io/provider: infrastructure-azure | |||
| --- | |||
| apiVersion: admissionregistration.k8s.io/v1 | |||
There was a problem hiding this comment.
Indentation is wrong on these YAMLs (only on this file openshift/infrastructure-components-openshift.yaml), they should be starting at the beginning of the line
| --- | ||
| apiVersion: admissionregistration.k8s.io/v1 | ||
| kind: ValidatingAdmissionPolicyBinding | ||
| metadata: | ||
| name: openshift-cluster-api-protect-azureclustersecrets | ||
| spec: | ||
| matchResources: | ||
| namespaceSelector: | ||
| matchLabels: | ||
| kubernetes.io/metadata.name: openshift-cluster-api | ||
| paramRef: | ||
| name: cluster | ||
| parameterNotFoundAction: Deny | ||
| policyName: openshift-cluster-api-protect-azureclustersecrets | ||
| validationActions: | ||
| - Deny |
There was a problem hiding this comment.
The indentation of this file is off (too much on the right end side, which is throwing off the parser with:
E1025 10:54:25.739990 1 controller.go:316] "Reconciler error" err="error during reconcile: error applying CAPI provider \"azure\" components: error getting provider components: error parsing provider component at position 32 to unstructured: error while decoding YAML to runtime object: error while decoding YAML object: yaml: line 29: could not find expected ':'" controller="CapiInstallerController" controllerGroup="config.openshift.io" controllerKind="ClusterOperator" ClusterOperator="cluster-api" namespace="" name="cluster-api" reconcileID="ff9c7798-9de6-4629-a95e-c358aaecf1f2" E1025 10:54:29.500601 1 kind.go:71] "if kind is a CRD, it should be installed before calling Start" err="failed to get restmapping: no matches for kind \"AzureCluster\" in version \"infrastructure.cluster.x-k8s.io/v1beta1\"" logger="controller-runtime.source.EventHandler" kind="AzureCluster.infrastructure.cluster.x-k8s.io"
|
#322 now includes the VAPs; I couldn't get around generating the manifests without the VAPs once I updated Along those lines, I wonder if this particular PR should be done as a Kustomization patch, since |
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@racheljpg are you still planning to finish this off? |
|
@damdo yes, I think we still need this! Will pick it back up ASAP |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
@racheljpg when we do this, we'll need to also need to update the other providers to use v1 instead of v1beta1 |
|
/remove-lifecycle stale |
openshift-ci
bot
removed
the
lifecycle/stale
|
@racheljpg: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@racheljpg We should likely move these to cluster-capi-operator |
Hello! This is a WIP to ask some questions on the generation for the Azure VAP to stop the deletion of Azure InfraClusters/IdentityReferences/whatever else we want to include. Thanks!