  1. Network Edge
  2. NE-1402

Add IBM Cloud service endpoint override support (Ingress Operator)


Details

    • Story
    • Resolution: Done

    Description

      User Story:

      A user currently is not able to create a Disconnected cluster, using IPI, on IBM Cloud. 
      Currently, support for BYON and Private clusters does exist on IBM Cloud, but support to override IBM Cloud Service endpoints does not exist, which is required to allow for Disconnected support to function (reach IBM Cloud private endpoints).

      Description:

      IBM dependent components of OCP will need to add support to use a set of endpoint override values in order to reach IBM Cloud Services in Disconnected environments.

      The Ingress Operator components will need to allow all API calls to IBM Cloud Services to be directed to these endpoint values, so that they can communicate in environments where the public or default IBM Cloud Service endpoint is not available.

      The endpoint overrides are available via the infrastructure/cluster resource (.status.platformStatus.ibmcloud.serviceEndpoints), which is how a majority of components consume cluster-specific configuration (Ingress, MAPI, etc.). It will be structured as follows:

      apiVersion: config.openshift.io/v1
      kind: Infrastructure
      metadata:
        creationTimestamp: "2023-10-04T22:02:15Z"
        generation: 1
        name: cluster
        resourceVersion: "430"
        uid: b923c3de-81fc-4a0e-9fdb-8c4c337fba08
      spec:
        cloudConfig:
          key: config
          name: cloud-provider-config
        platformSpec:
          type: IBMCloud
      status:
        apiServerInternalURI: https://api-int.us-east-disconnect-21.ipi-cjschaef-dns.com:6443
        apiServerURL: https://api.us-east-disconnect-21.ipi-cjschaef-dns.com:6443
        controlPlaneTopology: HighlyAvailable
        cpuPartitioning: None
        etcdDiscoveryDomain: ""
        infrastructureName: us-east-disconnect-21-gtbwd
        infrastructureTopology: HighlyAvailable
        platform: IBMCloud
        platformStatus:
          ibmcloud:
            dnsInstanceCRN: 'crn:v1:bluemix:public:dns-svcs:global:a/fa4fd9fa0695c007d1fdcb69a982868c:f00ac00e-75c2-4774-a5da-44b2183e31f7::'
            location: us-east
            providerType: VPC
            resourceGroupName: us-east-disconnect-21-gtbwd
            serviceEndpoints:
            - name: iam
              url: https://private.us-east.iam.cloud.ibm.com
            - name: vpc
              url: https://us-east.private.iaas.cloud.ibm.com/v1
            - name: resourcecontroller
              url: https://private.us-east.resource-controller.cloud.ibm.com
            - name: resourcemanager
              url: https://private.us-east.resource-controller.cloud.ibm.com
            - name: cis
              url: https://api.private.cis.cloud.ibm.com
            - name: dnsservices
              url: https://api.private.dns-svcs.cloud.ibm.com/v1
            - name: cis
              url: https://s3.direct.us-east.cloud-object-storage.appdomain.cloud
          type: IBMCloud
      

      The CCM is currently relying on updates to the openshift-cloud-controller-manager/cloud-conf configmap, in order to override its required IBM Cloud Service endpoints, such as:

      data:
        config: |+
          [global]
          version = 1.1.0
          [kubernetes]
          config-file = ""
          [provider]
          accountID = ...
          clusterID = temp-disconnect-7m6rw
          cluster-default-provider = g2
          region = eu-de
          g2Credentials = /etc/vpc/ibmcloud_api_key
          g2ResourceGroupName = temp-disconnect-7m6rw
          g2VpcName = temp-disconnect-7m6rw-vpc
          g2workerServiceAccountID = ...
          g2VpcSubnetNames = temp-disconnect-7m6rw-subnet-compute-eu-de-1,temp-disconnect-7m6rw-subnet-compute-eu-de-2,temp-disconnect-7m6rw-subnet-compute-eu-de-3,temp-disconnect-7m6rw-subnet-control-plane-eu-de-1,temp-disconnect-7m6rw-subnet-control-plane-eu-de-2,temp-disconnect-7m6rw-subnet-control-plane-eu-de-3
          iamEndpointOverride = https://private.iam.cloud.ibm.com
          g2EndpointOverride = https://eu-de.private.iaas.cloud.ibm.com
          rmEndpointOverride = https://private.resource-controller.cloud.ibm.com
      

      Acceptance Criteria:

      The installer validates and injects user-provided endpoint overrides into the cluster deployment process, and the Ingress Operator components use the specified endpoints and start up properly.
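
A sketch of the kind of validation the acceptance criteria call for, run over the serviceEndpoints list shown above. This is an added example, not code from the installer or the Ingress Operator. The allow-list of names (taken from this page), the https-only rule and the rejection of duplicates and of URLs carrying userinfo, query or fragment are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ServiceEndpoint mirrors one name/url entry of serviceEndpoints.
type ServiceEndpoint struct{ Name, URL string }

// Allow-list built from the names shown on this page (an assumption of this example).
var knownServices = map[string]bool{"iam": true, "vpc": true, "resourcecontroller": true,
	"resourcemanager": true, "cis": true, "dnsservices": true}

// pageEndpoints is the serviceEndpoints list exactly as listed in the story.
var pageEndpoints = []ServiceEndpoint{
	{"iam", "https://private.us-east.iam.cloud.ibm.com"},
	{"vpc", "https://us-east.private.iaas.cloud.ibm.com/v1"},
	{"resourcecontroller", "https://private.us-east.resource-controller.cloud.ibm.com"},
	{"resourcemanager", "https://private.us-east.resource-controller.cloud.ibm.com"},
	{"cis", "https://api.private.cis.cloud.ibm.com"},
	{"dnsservices", "https://api.private.dns-svcs.cloud.ibm.com/v1"},
	{"cis", "https://s3.direct.us-east.cloud-object-storage.appdomain.cloud"},
}

// ValidateOverrides returns the accepted name->URL map and one error per rejected entry.
func ValidateOverrides(eps []ServiceEndpoint) (map[string]string, []error) {
	ok, errs := map[string]string{}, []error(nil)
	for i, ep := range eps {
		name := strings.ToLower(ep.Name)
		u, err := url.Parse(ep.URL)
		_, dup := ok[name]
		switch {
		case !knownServices[name]:
			errs = append(errs, fmt.Errorf("entry %d: unknown service %q", i, ep.Name))
		case err != nil || u.Scheme != "https" || u.Hostname() == "":
			errs = append(errs, fmt.Errorf("entry %d (%s): URL must be absolute https", i, name))
		case u.User != nil || u.RawQuery != "" || u.Fragment != "":
			errs = append(errs, fmt.Errorf("entry %d (%s): userinfo, query or fragment not allowed", i, name))
		case dup: // a second entry for the same service would silently shadow the first
			errs = append(errs, fmt.Errorf("entry %d: duplicate override for %q", i, name))
		default:
			ok[name] = ep.URL
		}
	}
	return ok, errs
}

func main() { fmt.Println(ValidateOverrides(pageEndpoints)) }
```

Run against the list as written in the story, the check accepts six entries and rejects the last one, because `cis` is named twice and the second entry points at a Cloud Object Storage host.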

          People

            jeffbnowickirh Jeff Nowicki
            jeffbnowickirh Jeff Nowicki
            Melvin Joseph Melvin Joseph