  1. OpenShift Cloud
  2. OCPCLOUD-2266

Add IBM Cloud service endpoint override support (MAPI)


    • Type: Story
    • Resolution: Done

      User Story:

      A user is currently not able to create a Disconnected cluster, using IPI, on IBM Cloud.
      Support for BYON and Private clusters exists on IBM Cloud, but support for overriding IBM Cloud Service endpoints does not; it is required for Disconnected support to function (to reach IBM Cloud private endpoints).


      IBM dependent components of OCP will need to add support to use a set of endpoint override values in order to reach IBM Cloud Services in Disconnected environments.

      The MAPI component will need to allow all API calls to IBM Cloud Services to be directed to these endpoint values, in order to communicate in environments where the Public or default IBM Cloud Service endpoint is not available.

      The endpoint overrides are available via the infrastructure/cluster (.status.platformStatus.ibmcloud.serviceEndpoints) resource, which is how a majority of components consume cluster-specific configuration (Ingress, MAPI, etc.). It will be structured as follows:

      apiVersion: config.openshift.io/v1
      kind: Infrastructure
      metadata:
        creationTimestamp: "2023-10-04T22:02:15Z"
        generation: 1
        name: cluster
        resourceVersion: "430"
        uid: b923c3de-81fc-4a0e-9fdb-8c4c337fba08
      spec:
        cloudConfig:
          key: config
          name: cloud-provider-config
        platformSpec:
          type: IBMCloud
      status:
        apiServerInternalURI: https://api-int.us-east-disconnect-21.ipi-cjschaef-dns.com:6443
        apiServerURL: https://api.us-east-disconnect-21.ipi-cjschaef-dns.com:6443
        controlPlaneTopology: HighlyAvailable
        cpuPartitioning: None
        etcdDiscoveryDomain: ""
        infrastructureName: us-east-disconnect-21-gtbwd
        infrastructureTopology: HighlyAvailable
        platform: IBMCloud
        platformStatus:
          ibmcloud:
            dnsInstanceCRN: 'crn:v1:bluemix:public:dns-svcs:global:a/fa4fd9fa0695c007d1fdcb69a982868c:f00ac00e-75c2-4774-a5da-44b2183e31f7::'
            location: us-east
            providerType: VPC
            resourceGroupName: us-east-disconnect-21-gtbwd
            # per-service endpoint overrides consumed by cluster components
            serviceEndpoints:
            - name: iam
              url: https://private.us-east.iam.cloud.ibm.com
            - name: vpc
              url: https://us-east.private.iaas.cloud.ibm.com/v1
            - name: resourcecontroller
              url: https://private.us-east.resource-controller.cloud.ibm.com
            - name: resourcemanager
              url: https://private.us-east.resource-controller.cloud.ibm.com
            - name: cis
              url: https://api.private.cis.cloud.ibm.com
            - name: dnsservices
              url: https://api.private.dns-svcs.cloud.ibm.com/v1
            # "cis" is listed a second time here; the URL is a Cloud Object Storage endpoint
            - name: cis
              url: https://s3.direct.us-east.cloud-object-storage.appdomain.cloud
          type: IBMCloud
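
An added example (not code from the installer, MAPI, or this issue): Go checks that a consumer of `.status.platformStatus.ibmcloud.serviceEndpoints` could run before pointing its IBM Cloud clients at the overrides, applied to the list shown above. The `ServiceEndpoint` type, `ValidateOverrides`, the allow-list of names (only those in the sample) and the https-only policy are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
)

// ServiceEndpoint mirrors one serviceEndpoints entry (hypothetical local type).
type ServiceEndpoint struct{ Name, URL string }

// knownServices holds only the names in the issue's sample (assumed allow-list).
var knownServices = map[string]bool{"iam": true, "vpc": true, "resourcecontroller": true, "resourcemanager": true, "cis": true, "dnsservices": true}

// ValidateOverrides returns name->URL, or an error for the first unknown name,
// duplicate name, or URL that is not plain https://host[/path].
func ValidateOverrides(eps []ServiceEndpoint) (map[string]string, error) {
	out := make(map[string]string, len(eps))
	for _, ep := range eps {
		if !knownServices[ep.Name] {
			return nil, fmt.Errorf("unknown service %q", ep.Name)
		}
		if prev, dup := out[ep.Name]; dup {
			return nil, fmt.Errorf("duplicate override for %q: %s and %s", ep.Name, prev, ep.URL)
		}
		// Credentials go to these hosts: require TLS, no userinfo/query/fragment (assumed policy).
		u, err := url.Parse(ep.URL)
		if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
			return nil, fmt.Errorf("%s: %q must be https://host[/path]", ep.Name, ep.URL)
		}
		out[ep.Name] = ep.URL
	}
	return out, nil
}

// sample reproduces the serviceEndpoints list from the issue, in order.
var sample = []ServiceEndpoint{
	{"iam", "https://private.us-east.iam.cloud.ibm.com"},
	{"vpc", "https://us-east.private.iaas.cloud.ibm.com/v1"},
	{"resourcecontroller", "https://private.us-east.resource-controller.cloud.ibm.com"},
	{"resourcemanager", "https://private.us-east.resource-controller.cloud.ibm.com"},
	{"cis", "https://api.private.cis.cloud.ibm.com"},
	{"dnsservices", "https://api.private.dns-svcs.cloud.ibm.com/v1"},
	{"cis", "https://s3.direct.us-east.cloud-object-storage.appdomain.cloud"},
}

func main() {
	_, err := ValidateOverrides(sample)
	fmt.Println(err) // reports the second "cis" entry as a duplicate
}
```
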

      The CCM is currently relying on updates to the openshift-cloud-controller-manager/cloud-conf configmap, in order to override its required IBM Cloud Service endpoints, such as:

        config: |+
          version = 1.1.0
          config-file = ""
          accountID = ...
          clusterID = temp-disconnect-7m6rw
          cluster-default-provider = g2
          region = eu-de
          g2Credentials = /etc/vpc/ibmcloud_api_key
          g2ResourceGroupName = temp-disconnect-7m6rw
          g2VpcName = temp-disconnect-7m6rw-vpc
          g2workerServiceAccountID = ...
          g2VpcSubnetNames = temp-disconnect-7m6rw-subnet-compute-eu-de-1,temp-disconnect-7m6rw-subnet-compute-eu-de-2,temp-disconnect-7m6rw-subnet-compute-eu-de-3,temp-disconnect-7m6rw-subnet-control-plane-eu-de-1,temp-disconnect-7m6rw-subnet-control-plane-eu-de-2,temp-disconnect-7m6rw-subnet-control-plane-eu-de-3
          iamEndpointOverride = https://private.iam.cloud.ibm.com
          g2EndpointOverride = https://eu-de.private.iaas.cloud.ibm.com
          rmEndpointOverride = https://private.resource-controller.cloud.ibm.com

      These changes have already landed in the release-1.28 branch (target OCP release-4.15 branch), but we need to make sure they get pulled into the github.com/openshift/cloud-provider-ibm branch and built into a 4.15 image.

      Acceptance Criteria:

      The Installer validates user-provided endpoint overrides and injects them into the cluster deployment process, and the MAPI components use the specified endpoints and start up properly.

            jeffbnowickirh Jeff Nowicki
            jeffbnowickirh Jeff Nowicki
            Christopher Schaefer Christopher Schaefer