Merge pull request #7632 from cjschaef/splat-1097

CORS-2933: IBMCloud: Basic service endpoint override

Author: openshift-merge-bot[bot]

data/data/ibmcloud/bootstrap/common.tf

@@ -1,6 +1,9 @@
 locals {
-  description      = "Created By OpenShift Installer"
-  public_endpoints = var.ibmcloud_publish_strategy == "External" ? true : false
+  description = "Created By OpenShift Installer"
+  # If any Service Endpoints are being overridden, set visibility to 'private'
+  # for IBM Terraform Provider to use the endpoints JSON file.
+  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],
     var.ibmcloud_extra_tags
@@ -14,4 +17,8 @@ locals {
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.ibmcloud_region
-}
+
+  # Manage endpoints for IBM Cloud services
+  visibility          = local.endpoint_visibility
+  endpoints_file_path = var.ibmcloud_endpoints_json_file
+}

data/data/ibmcloud/bootstrap/ignition.tf

@@ -1,9 +1,18 @@
+locals {
+  # Use the direct COS endpoint if IBM Cloud Service Endpoints are being overridden,
+  # as public and private may not be available. The direct endpoint requires
+  # additional IBM Cloud Account configuration, which must be configured when using
+  # Service Endpoint overrides.
+  cos_endpoint_type = local.endpoint_visibility == "private" ? "direct" : "public"
+}
+
 ############################################
 # COS bucket
 ############################################
 
 resource "ibm_cos_bucket" "bootstrap_ignition" {
   bucket_name          = "${local.prefix}-bootstrap-ignition"
+  endpoint_type        = local.cos_endpoint_type
   resource_instance_id = var.cos_resource_instance_crn
   region_location      = var.ibmcloud_region
   storage_class        = "smart"
@@ -16,9 +25,10 @@ resource "ibm_cos_bucket" "bootstrap_ignition" {
 resource "ibm_cos_bucket_object" "bootstrap_ignition" {
   bucket_crn      = ibm_cos_bucket.bootstrap_ignition.crn
   bucket_location = ibm_cos_bucket.bootstrap_ignition.region_location
-  key             = "bootstrap.ign"
   content_file    = var.ignition_bootstrap_file
+  endpoint_type   = local.cos_endpoint_type
   etag            = filemd5(var.ignition_bootstrap_file)
+  key             = "bootstrap.ign"
 }
 
 ############################################

data/data/ibmcloud/master/common.tf

@@ -1,6 +1,9 @@
 locals {
-  description      = "Created By OpenShift Installer"
-  public_endpoints = var.ibmcloud_publish_strategy == "External" ? true : false
+  description = "Created By OpenShift Installer"
+  # If any Service Endpoints are being overridden, set visibility to 'private'
+  # for IBM Terraform Provider to use the endpoints JSON file.
+  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],
     var.ibmcloud_extra_tags
@@ -14,4 +17,8 @@ locals {
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.ibmcloud_region
-}
+
+  # Manage endpoints for IBM Cloud services
+  visibility          = local.endpoint_visibility
+  endpoints_file_path = var.ibmcloud_endpoints_json_file
+}

data/data/ibmcloud/network/common.tf

@@ -1,6 +1,9 @@
 locals {
-  description      = "Created By OpenShift Installer"
-  public_endpoints = var.ibmcloud_publish_strategy == "External" ? true : false
+  description = "Created By OpenShift Installer"
+  # If any Service Endpoints are being overridden, set visibility to 'private'
+  # for IBM Terraform Provider to use the endpoints JSON file.
+  endpoint_visibility = var.ibmcloud_endpoints_json_file != "" ? "private" : "public"
+  public_endpoints    = var.ibmcloud_publish_strategy == "External" ? true : false
   tags = concat(
     ["kubernetes.io_cluster_${var.cluster_id}:owned"],
     var.ibmcloud_extra_tags
@@ -14,4 +17,8 @@ locals {
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.ibmcloud_region
-}
+
+  # Manage endpoints for IBM Cloud services
+  visibility          = local.endpoint_visibility
+  endpoints_file_path = var.ibmcloud_endpoints_json_file
+}

data/data/ibmcloud/network/image/main.tf

@@ -1,9 +1,18 @@
 locals {
-  prefix = var.cluster_id
+  # Use the direct COS endpoint if IBM Cloud Service Endpoints are being overridden,
+  # as public and private may not be available. The direct endpoint requires
+  # additional IBM Cloud Account configuration, which must be configured when using
+  # Service Endpoint overrides.
+  cos_endpoint_type = var.endpoint_visibility == "private" ? "direct" : "public"
+  prefix            = var.cluster_id
 }
 
 resource "ibm_cos_bucket" "images" {
-  bucket_name          = "${local.prefix}-vsi-image"
+  bucket_name = "${local.prefix}-vsi-image"
+  # Use the direct COS endpoint if IBM Cloud Service endpoints are being overridden,
+  # as public and private may not be available. Direct requires additional IBM Cloud
+  # Account configuration
+  endpoint_type        = local.cos_endpoint_type
   resource_instance_id = var.cos_resource_instance_crn
   region_location      = var.region
   storage_class        = "smart"
@@ -13,6 +22,7 @@ resource "ibm_cos_bucket_object" "file" {
   bucket_crn      = ibm_cos_bucket.images.crn
   bucket_location = ibm_cos_bucket.images.region_location
   content_file    = var.image_filepath
+  endpoint_type   = local.cos_endpoint_type
   key             = basename(var.image_filepath)
 }
 

data/data/ibmcloud/network/image/variables.tf

@@ -25,3 +25,7 @@ variable "tags" {
 variable "cos_resource_instance_crn" {
   type = string
 }
+
+variable "endpoint_visibility" {
+  type = string
+}

data/data/ibmcloud/network/main.tf

@@ -48,6 +48,7 @@ module "image" {
   resource_group_id         = local.resource_group_id
   tags                      = local.tags
   cos_resource_instance_crn = ibm_resource_instance.cos.crn
+  endpoint_visibility       = local.endpoint_visibility
 }
 
 ############################################

data/data/ibmcloud/variables-ibmcloud.tf

@@ -55,6 +55,12 @@ variable "ibmcloud_image_filepath" {
 # Top-level module variables (optional)
 #######################################
 
+variable "ibmcloud_endpoints_json_file" {
+  type        = string
+  description = "JSON file containing IBM Cloud service endpoints"
+  default     = ""
+}
+
 variable "ibmcloud_preexisting_vpc" {
   type        = bool
   description = "Specifies whether an existing VPC should be used or a new one created for installation."

data/data/install.openshift.io_installconfigs.yaml

@@ -3364,6 +3364,49 @@ spec:
                       resource group where the cluster should be installed. If empty,
                       a new resource group will be created for the cluster.
                     type: string
+                  serviceEndpoints:
+                    description: ServiceEndpoints is a list which contains custom
+                      endpoints to override default service endpoints of IBM Cloud
+                      Services. There must only be one ServiceEndpoint for a service
+                      (no duplicates).
+                    items:
+                      description: IBMCloudServiceEndpoint stores the configuration
+                        of a custom url to override existing defaults of IBM Cloud
+                        Services.
+                      properties:
+                        name:
+                          description: 'name is the name of the IBM Cloud service.
+                            Possible values are: CIS, COS, DNSServices, GlobalSearch,
+                            GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController,
+                            ResourceManager, or VPC. For example, the IBM Cloud Private
+                            IAM service could be configured with the service `name`
+                            of `IAM` and `url` of `https://private.iam.cloud.ibm.com`
+                            Whereas the IBM Cloud Private VPC service for US South
+                            (Dallas) could be configured with the service `name` of
+                            `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com`'
+                          enum:
+                          - CIS
+                          - COS
+                          - DNSServices
+                          - GlobalSearch
+                          - GlobalTagging
+                          - HyperProtect
+                          - IAM
+                          - KeyProtect
+                          - ResourceController
+                          - ResourceManager
+                          - VPC
+                          type: string
+                        url:
+                          description: url is fully qualified URI with scheme https,
+                            that overrides the default generated endpoint for a client.
+                            This must be provided and cannot be empty.
+                          type: string
+                      required:
+                      - name
+                      - url
+                      type: object
+                    type: array
                   vpcName:
                     description: VPCName is the name of an already existing VPC to
                       be used during cluster creation.

pkg/asset/cluster/ibmcloud/ibmcloud.go

@@ -10,7 +10,8 @@ import (
 )
 
 // Metadata converts an install configuration to IBM Cloud metadata.
-func Metadata(infraID string, config *types.InstallConfig, meta *icibmcloud.Metadata) *ibmcloud.Metadata {
+func Metadata(infraID string, config *types.InstallConfig) *ibmcloud.Metadata {
+	meta := icibmcloud.NewMetadata(config)
 	accountID, _ := meta.AccountID(context.TODO())
 	cisCrn, _ := meta.CISInstanceCRN(context.TODO())
 	dnsInstance, _ := meta.DNSInstance(context.TODO())
@@ -40,6 +41,7 @@ func Metadata(infraID string, config *types.InstallConfig, meta *icibmcloud.Meta
 		DNSInstanceID:     dnsInstanceID,
 		Region:            config.Platform.IBMCloud.Region,
 		ResourceGroupName: config.Platform.IBMCloud.ClusterResourceGroupName(infraID),
+		ServiceEndpoints:  config.Platform.IBMCloud.ServiceEndpoints,
 		Subnets:           subnets,
 		VPC:               config.Platform.IBMCloud.GetVPCName(),
 	}