  1. OpenShift Hosted Control Plane
  2. HOSTEDCP-640

MCE 2.2 add oc cli support for MCE credentials with Hypershift


    • Type: Spike
    • Resolution: Done
    • Priority: Normal


      • Integrate the hypershift CLI with the MCE credentials. This credential includes cloud provider connectivity details, base-domain, SSH key and pull-secret.

      Use cases

      1. Existing MCE and ACM users who provision AWS and Azure clusters already have a number of the parameters you would otherwise have to pass to the CLI. Allow `hypershift create cluster aws` and `hypershift create cluster azure` to leverage the existing credential.
      2. For a new user who will create more than one cluster and wants to re-use their cloud credential, pull-secret, ssh-pubkey, and base-domain.
      3. Support a GitOps flow with basic infrastructure. You can use the credential secret and a Tekton task, Kubernetes job, etc. to call hypershift install and leverage the secret. This is key for these types of flows, as users will not store their credentials in Git. This offers a quick introduction/approach to deploying hypershift with GitOps from scratch.
      4. If the MCE/ACM AWS console shows a page with the hypershift CLI command, this would make the command more likely to succeed, as the user does not need to have a pull-secret, provider credential and ssh-key in their environment.

      Scope (implementation chunks)

      1st spike

      • Implement `hypershift create cluster aws --secret-creds <name> --name...`
      • Implement `hypershift destroy cluster aws --secret-creds <name> --name...`

      2nd spike

      • Implement `hypershift create cluster azure --secret-creds <name> --name...`
      • Implement `hypershift destroy cluster azure --secret-creds <name> --name...`

      3rd spike

      • hypershift infra create <Platform>?? Since this command does not require an OCP connection, we will wait to see if there is a request for enhancement from the field.

      Assumptions and overrides


      1. All existing error messages and required flags will be maintained when `--credential-secret` is not present.
      2. Credential secret will exist in the `hypershift --namespace` location (default: clusters)
      3. When `--credential-secret` is used, we always pull the Platform credentials
      4. We will use all available values unless they are overridden:
        1. Platform credential
        2. base-domain
        3. pull-secret
        4. ssh-key (TBD)


      1. In the first implementation, `base-domain` will override the `--secret-creds` value
      2. SPIKE: override with `--pull-secret` and `ssh-key`
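
The precedence rules above, sketched in Go as an added example (not the hypershift project's code). The secret's key names, the `Flags` and `Resolved` types and the `Resolve` function are hypothetical, and the secret is assumed to have been read from the namespace already.

```go
package main

import "fmt"

// Flags holds command-line values; an empty string means the flag was not set.
type Flags struct{ SecretCreds, BaseDomain, PullSecret, PlatformCreds string }

// Resolved is the effective configuration used to create the cluster.
type Resolved struct{ BaseDomain, PullSecret, PlatformCreds, SSHKey string }

// Hypothetical key names inside the credential secret (assumptions, not from the page).
const (
	keyBaseDomain = "baseDomain"
	keyPullSecret = "pullSecret"
	keyPlatform   = "platformCredential"
	keySSHKey     = "sshKey"
)

// Resolve applies the precedence rules. secret is the data of the secret named
// by f.SecretCreds, already read from the hypershift namespace (nil if absent).
func Resolve(f Flags, secret map[string][]byte) (Resolved, error) {
	if f.SecretCreds == "" {
		// Without the secret, the existing required-flag checks still apply.
		if f.BaseDomain == "" || f.PullSecret == "" || f.PlatformCreds == "" {
			return Resolved{}, fmt.Errorf("required flags missing")
		}
		return Resolved{f.BaseDomain, f.PullSecret, f.PlatformCreds, ""}, nil
	}
	if secret == nil {
		return Resolved{}, fmt.Errorf("credential secret %q not found", f.SecretCreds)
	}
	// Platform credentials always come from the secret, never from a flag.
	r := Resolved{string(secret[keyBaseDomain]), string(secret[keyPullSecret]),
		string(secret[keyPlatform]), string(secret[keySSHKey])}
	if r.PlatformCreds == "" {
		// Errors name the secret only; they never echo secret contents.
		return Resolved{}, fmt.Errorf("secret %q has no platform credential", f.SecretCreds)
	}
	if f.BaseDomain != "" { // first implementation: only base-domain overrides
		r.BaseDomain = f.BaseDomain
	}
	return r, nil
}

func main() {
	s := map[string][]byte{keyPlatform: []byte("constructed"), keyBaseDomain: []byte("secret.example.com")} // constructed sample
	r, err := Resolve(Flags{SecretCreds: "my-creds", BaseDomain: "flag.example.com"}, s)
	fmt.Println(r.BaseDomain, err)
}
```
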

      Parameter name

      MCE's console refers to the secret as a Credential, and the platforms are referred to as "Credential types"; this is the reason for calling the param `--secret-creds`.

            jpacker@redhat.com Joshua Packer


                Original Estimate - 2 days
                Remaining Estimate - 0 minutes
                Time Spent - 3 days