OCPCLOUD-1136 (project: OpenShift Cloud)

Allow Cluster Machine Approver to work with Cluster API


    • Type: Story
    • Resolution: Done
    • Priority: Normal
    • Sprints: CLOUD Sprint 200, CLOUD Sprint 201, CLOUD Sprint 202, CLOUD Sprint 203, CLOUD Sprint 204, CLOUD Sprint 205, CLOUD Sprint 206, CLOUD Sprint 207, CLOUD Sprint 208, CLOUD Sprint 209, CLOUD Sprint 210, CLOUD Sprint 211

      For HyperShift and for Cluster API experiments, we currently have no way to securely check the CSRs created by Nodes as they start up. HyperShift currently auto-approves all CSRs.

      Before going into production, HyperShift will require our existing Cluster Machine Approver (or something equivalent) to approve certificates based on the existing security criteria we have within regular OpenShift clusters.

      To enable the CMA to support both MAPI (Machine API) and CAPI (Cluster API) based clusters, we can take the approach used in the cluster autoscaler:

      • Convert the internal code to use either unstructured objects or an internal machine type (we are currently read-only on Machines, so we could stick to an internal type unmarshalled from either API)
      • Allow the API group and version to be specified via CLI args (to be able to switch between MAPI and CAPI)
      • Internally split the Node/CSR clients from the Machine client
      • By default, use in-cluster credentials for both sets of clients
      • Allow a kubeconfig override for the Node/CSR/Machine clients via the `--kubeconfig` flag
      • Provide a second kubeconfig override for the Machine client only via the `--management-kubeconfig` flag

      This should allow the CMA to continue working in existing clusters, but also allow usage in a pure CAPI cluster (by using the `--kubeconfig` flag), or in split management/spoke clusters by using both kubeconfig flags (Node/CSR clients pointed at the spoke cluster, the Machine client at the management cluster).
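      As an added illustration of the client split and internal machine type described above (example code written for this page, not code from the cluster-machine-approver project), the Go below applies the flag precedence for the two client groups and decodes only the fields the approver reads from a Machine of either API group. The function names, the `/etc/mgmt/kubeconfig` path and the sample Machine object are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ClientConfigs holds the kubeconfig path each client loads ("" = in-cluster creds).
type ClientConfigs struct {
	NodeCSR string // Node and CSR clients: the cluster whose CSRs are approved
	Machine string // Machine client: may point at a separate management cluster
}

// ResolveClientConfigs applies the story's precedence: in-cluster by default,
// --kubeconfig overrides every client, --management-kubeconfig only the Machine one.
func ResolveClientConfigs(kubeconfig, managementKubeconfig string) ClientConfigs {
	c := ClientConfigs{NodeCSR: kubeconfig, Machine: kubeconfig}
	if managementKubeconfig != "" {
		c.Machine = managementKubeconfig
	}
	return c
}
// InternalMachine is the approver's read-only view of a Machine. The two fields
// read (metadata.name, status.nodeRef.name) exist in both the MAPI and CAPI
// schemas, so one decoder serves either API group selected via CLI args.
type InternalMachine struct {
	Name, NodeName string // NodeName stays empty until the Node has registered
}
type named struct{ Name string `json:"name"` }

// MachineFromJSON decodes a Machine of either API group into InternalMachine.
func MachineFromJSON(raw []byte) (InternalMachine, error) {
	var obj struct {
		Metadata named `json:"metadata"`
		Status   struct{ NodeRef *named `json:"nodeRef"` } `json:"status"`
	}
	if err := json.Unmarshal(raw, &obj); err != nil {
		return InternalMachine{}, err
	}
	m := InternalMachine{Name: obj.Metadata.Name}
	if obj.Status.NodeRef != nil {
		m.NodeName = obj.Status.NodeRef.Name
	}
	return m, nil
}

func main() { // constructed sample CAPI Machine, as the Machine client would return it
	raw := []byte(`{"apiVersion":"cluster.x-k8s.io/v1beta1","kind":"Machine","metadata":{"name":"worker-0"},"status":{"nodeRef":{"name":"worker-0"}}}`)
	m, err := MachineFromJSON(raw)
	fmt.Println(ResolveClientConfigs("", "/etc/mgmt/kubeconfig"), m, err)
}
```

      Because the Machine client may read from a different cluster than the Node/CSR clients, the nodeRef recovered here is what lets the approver tie a CSR's Node back to a Machine it trusts.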

      People: ademicev@redhat.com Alexandr Demicev (Inactive); joelspeed Joel Speed; Zhaohua Sun