HIVE-2391: vsphere zonal

[2uasimojo]

Co-Authored-By: @dlom

Summary by CodeRabbit

• New Features

  • Multi-vCenter support and new Infrastructure-based vSphere platform (including richer failure-domain/topology and machine-pool disk/zone options).
  • CLI: support for an installer platform JSON input and multi-vCenter flags.

• Deprecations

  • Legacy per-field vSphere settings (vCenter, datacenter, datastore, folder, cluster, network, etc.) deprecated in favor of Infrastructure/VCenters.

• Documentation

  • Updated docs and examples, secret format now supports a vcenters list and migration guidance included.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [2uasimojo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-2391 which is a valid jira issue.

Details

In response to this:

Co-Authored-By: @dlom

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov]

Codecov Report

❌ Patch coverage is 26.71480% with 203 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.21%. Comparing base (aa1db74) to head (5e671cb).
⚠️ Report is 7 commits behind head on master.

Files with missing lines	Patch %	Lines
contrib/pkg/createcluster/create.go	0.00%	78 Missing ⚠️
pkg/controller/utils/credentials.go	0.00%	33 Missing ⚠️
.../clusterdeployment/clusterdeployment_controller.go	0.00%	20 Missing and 1 partial ⚠️
contrib/pkg/deprovision/vsphere.go	0.00%	15 Missing ⚠️
pkg/creds/vsphere/vsphere.go	0.00%	15 Missing ⚠️
pkg/installmanager/installmanager.go	0.00%	13 Missing ⚠️
...g/controller/clusterpool/clusterpool_controller.go	0.00%	11 Missing and 1 partial ⚠️
pkg/install/generate.go	0.00%	6 Missing ⚠️
pkg/clusterresource/vsphere.go	83.33%	4 Missing ⚠️
pkg/controller/utils/vsphereutils/vsphere.go	77.77%	2 Missing and 2 partials ⚠️
... and 1 more

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2851      +/-   ##
==========================================
- Coverage   50.28%   50.21%   -0.07%     
==========================================
  Files         280      281       +1     
  Lines       34332    34365      +33     
==========================================
- Hits        17264    17258       -6     
- Misses      15707    15751      +44     
+ Partials     1361     1356       -5     

Files with missing lines	Coverage Δ
pkg/constants/constants.go	100.00% <ø> (ø)
...oller/clusterdeployment/installconfigvalidation.go	100.00% <100.00%> (ø)
...g/controller/machinepool/machinepool_controller.go	64.33% <100.00%> (+0.52%)	⬆️
pkg/controller/machinepool/vsphereactuator.go	77.14% <100.00%> (+3.57%)	⬆️
...hift/hive/apis/hive/v1/clusterdeprovision_types.go	0.00% <ø> (ø)
.../v1/clusterdeployment_validating_admission_hook.go	86.29% <87.50%> (+1.56%)	⬆️
pkg/clusterresource/vsphere.go	92.95% <83.33%> (+2.83%)	⬆️
pkg/controller/utils/vsphereutils/vsphere.go	77.77% <77.77%> (ø)
pkg/install/generate.go	45.56% <0.00%> (-0.29%)	⬇️
...g/controller/clusterpool/clusterpool_controller.go	58.83% <0.00%> (-0.22%)	⬇️
... and 6 more

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[2uasimojo]

@jianping-shu this passed e2e-vsphere, so I reckon it's probably ready for you to take another stab at it!

[2uasimojo]

/hold

Looks like I missed refactoring the preflight auth check for the new creds shape.

[2uasimojo]

/hold cancel

[dlom]

The new multi-creds changes LGTM. My only concern (as noted in review comments) is that there are some additional fields (at least Folder, potentially more) on the machinepool that end users may want to use

[2uasimojo]

/hold for QE

[2uasimojo]

/test e2e security

e2e: infra flake
security: upstream bug with the packageURL check again (though possibly slightly different this time).

[2uasimojo]

Allowable to override security job (buggy upstream tool) if necessary when ready to merge.

[dlom]

Thoughts on clearing usernames here too? (both the deprecated path and in the array of VCenters)

[2uasimojo]

Jianping brought up the same thing. I wasn't concerned about the username being sensitive; but I suppose for consistency with what we're doing elsewhere, it makes sense.

Oh, I just thought of a better reason: I think in some places we're only setting the username if it's unset. So there's a potential failure mode if the username is present but incorrect. (Though arguably that's a user error...)

[dlom]

Needs omitempty in the json tag (and VCenters too)

[2uasimojo]

Since neither is a pointer type and both have +optional, omitempty has no effect. I don't mind including the tag though.

[dlom]

Probably worth it to test this more vigorously, I bet the LLM could generate tons of theoretical test cases

[2uasimojo]

I'm a little meh about testing upstream functionality. Having a smoke test like this to make sure we're calling upstream correctly (or at all) is sane, but trying to cover all its paths seems like the responsibility of the repo in which it lives, no?

[2uasimojo]

Rebase only. Fixes pending.

[2uasimojo]

Okay, fixes are in. Thanks for the review @dlom

[jianping-shu]

regression test in progress...

[2uasimojo]

/test e2e-vsphere

[2uasimojo]

Unfortunately, since the issue in question here is important for security, I think it would be prudent to block this PR until the above is resolved.

That's merged.

Getting real close here. Currently just waiting on:

• Regression QE (@jianping-shu)
• /lgtm if all is well (@dlom)

[jianping-shu]

@dlom I've finished the round of regression tests.
Here are 2 findings:

1. For vsphere credential secret, data.vCenters works but data.vcenters is NOT working.
   (1)data.vcenters worked for the previous commit but didn't work for the latest commit
   (2) For using-hive.md, the cmd sample still uses 'vcenters'
   oc create secret generic mycluster-vsphere-creds -n mynamespace --from-file=vcenters=/home/me/vsphere/vcenters.yaml
   (3)For the vsphere credential secret generated by hiveutil, it uses 'vCenters'

- apiVersion: v1
  data:
    password: aaa
    username: bbb
    vCenters: ccc

2. The admission validation doesn't work for clusterpool, this is OK since HIVE-3131 change is NOT included in this PR yet.

I think we have 2 alternatives:
(A) Wait for Eric to review and address the issue 1
(B) If we expected to merge the PR sooner, then it is possible to merge the PR now and create one follow up PR to change the command is using-hive.md from 'vcenters' to 'vCenters' as temporary solution.
Pls. check and comment

cc @newtonheath @2uasimojo

[2uasimojo]

1. For vsphere credential secret, data.vCenters works but data.vcenters is NOT working.
   (1)data.vcenters worked for the previous commit but didn't work for the latest commit

Looks like I "fixed" that here. This isn't the same as the json unmarshaling issue we were seeing previously: this is about the spelling of the key in the Secret, which is definitely case-sensitive. We just need to decide which spelling we want to use and make it consistent.

(Later) So my plan was to look at the installer's incarnations of this string and use whichever spelling they favor. Alas, it is not consistent there either -- there are cases of vcenters, vCenters, and even VCenters (I had thought capitalized keys weren't allowed in JSON for some reason).

However, the singular (deprecated in install-config platform, but still viable in metadata) is always spelled vCenter, which I guess is as good a reason as any to go with camel case here.

TL;DR: I'll update the doc to match the code.

[2uasimojo]

2. The admission validation doesn't work for clusterpool, this is OK since HIVE-3131 change is NOT included in this PR yet.

Okay, that PR is merged, so I'll just rebase this one...

[2uasimojo]

@dlom Given that Jianping already validated using vCenters as the creds Secret key, and the latest commit is just a doc update & rebase, and the clusterpool webhook was validated via HIVE-3131, I think we should be okay to merge this now.

[jcpowermac]

/test e2e-vsphere

[2uasimojo]

/test e2e-vsphere

...since openshift/release#77981

/test periodic-images

(flake)

/override ci/prow/security

Known, to be dealt with elsewhere.

[openshift-ci]

@2uasimojo: Overrode contexts on behalf of 2uasimojo: ci/prow/security

Details

In response to this:

/test e2e-vsphere

...since openshift/release#77981

/test periodic-images

(flake)

/override ci/prow/security

Known, to be dealt with elsewhere.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[2uasimojo]

/test e2e-vsphere

Gonna hope this was a temporary DNS flake...

[2uasimojo]

/assign @suhanime

[2uasimojo]

/hold cancel

This should be ready to go now.

[2uasimojo]

/test e2e-vsphere

Trying to confirm this test infra fix: we want to see a successful run that uses vcenter-120.ci.ibmc.devcluster.openshift.com.

[openshift-ci]

@2uasimojo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.