Feature: Implement vcpctl create solution user for CCM (Stage 2) #44
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/L
|
/assign |
There was a problem hiding this comment.
just a couple of comments to be addressed.
@dougm PTAL at the solution user create process
pkg/cli/cli.go
Outdated
| u.solution.Certificate = cert | ||
| } | ||
| if u.solution.Certificate == "" { | ||
| return fmt.Errorf("Need solution user certificate (--cert) to create solution user\n") |
There was a problem hiding this comment.
What are the steps to create/fetch this certificate?
There was a problem hiding this comment.
A vCenter Solution User can only use public key authentication via SAML, a Solution User does not have a plain text password. So the SSO_TOKEN needs to be provided (by ENV currently). This solution.Certificate contains the cert data decoded from crt file.
In command line, the cert file need to be passed to --cert flag.
--cert k8s-vcp.crtIt stores the raw data in ClientOption, and decoded into User.solution.Certificate
There was a problem hiding this comment.
We could add an option to generate the key pair too, can wait for a later PR though.
There was a problem hiding this comment.
Trailing \n should be removed from the error message.
pkg/cli/util.go
Outdated
| return "https://username:password@" + ip.String() + "/sdk" | ||
| } | ||
| } | ||
| return "https://username:password@host/sdk" |
There was a problem hiding this comment.
I'm a little puzzled on why you need to hardcode username:password in the URL here.
Also, seems like url.Parse would be more suitable for the type of parsing you're doing here.
There was a problem hiding this comment.
The basic idea is to initialize UserInfo with username and password. The following
processCredential() call will overwrite the actual credentials based on the Credential strategy.
type Credential struct {
username string
password string
cert string
Secrete VCCMSecret
}- declarative username and password
- Secrete in k8s
There was a problem hiding this comment.
soap.ParseURL can be used here instead? ok to initialize UserInfo, but it should be with empty "" username and password.
pkg/cli/util.go
Outdated
| if v == "https" || v == "http" { | ||
| continue | ||
| } | ||
| ip = net.ParseIP(v) |
There was a problem hiding this comment.
There is a small bug in for range loop, where token v should be trimmed by //
v = strings.Trim(v, "//")
There was a problem hiding this comment.
A few minor suggestions, otherwise looking good @fanzhangio
cmd/vcpctl/provision/provision.go
Outdated
| provisionCmd.Flags().StringVar(&vcport, "vcport", "", "specify vCenter Port ") | ||
| provisionCmd.Flags().StringVar(&vcUser, "vcuser", "", "specify vCenter user ") | ||
| provisionCmd.Flags().StringVar(&vcPassword, "vcpassword", "", "specify vCenter Password ") | ||
| provisionCmd.Flags().StringVar(&vchost, "host", "", "specify vCenter IP ") |
There was a problem hiding this comment.
Flag descriptions should start with an uppercase letter, and not have a trailing space.
pkg/cli/cli.go
Outdated
| u.solution.Certificate = cert | ||
| } | ||
| if u.solution.Certificate == "" { | ||
| return fmt.Errorf("Need solution user certificate (--cert) to create solution user\n") |
There was a problem hiding this comment.
We could add an option to generate the key pair too, can wait for a later PR though.
pkg/cli/cli.go
Outdated
| u.solution.Certificate = cert | ||
| } | ||
| if u.solution.Certificate == "" { | ||
| return fmt.Errorf("Need solution user certificate (--cert) to create solution user\n") |
There was a problem hiding this comment.
Trailing \n should be removed from the error message.
pkg/cli/cli.go
Outdated
| } | ||
| p := types.PrincipalId{Name: "k8s-vcp", Domain: c.Domain} | ||
|
|
||
| if _, err := c.SetRole(ctx, p, "Administrator"); err != nil { |
There was a problem hiding this comment.
Role should probably be a flag, we can default to Administrator. A separate feature for vcpctl could be to create a role with the minimum set of privileges required by VCP.
There was a problem hiding this comment.
Yes, added a flag for role (default is Administrator).
Create Role could be in separate PR.
pkg/cli/client.go
Outdated
| username string | ||
| password string | ||
| cert string | ||
| Secrete VCCMSecret |
pkg/cli/client.go
Outdated
| o.credential = c | ||
| } | ||
|
|
||
| func (c Credential) setPassowrd(p string) { |
There was a problem hiding this comment.
Why the getters and setters here, rather than just use the fields directly?
pkg/cli/config.go
Outdated
| @@ -22,6 +22,10 @@ import ( | |||
| "k8s.io/cloud-provider-vsphere/pkg/cloudprovider/vsphere" | |||
| ) | |||
|
|
|||
| // Config represents configuration of cpv | |||
pkg/cli/user.go
Outdated
| return err | ||
| } | ||
|
|
||
| // SSO admin server has its own session manager. There is no SSO token persistence yet, so just use an env |
There was a problem hiding this comment.
The persistence comment only applied to govc - sessions are persisted by default by govc in ~/.govmomi/sessions
pkg/cli/util.go
Outdated
| return "https://username:password@" + ip.String() + "/sdk" | ||
| } | ||
| } | ||
| return "https://username:password@host/sdk" |
There was a problem hiding this comment.
soap.ParseURL can be used here instead? ok to initialize UserInfo, but it should be with empty "" username and password.
- Add Client for delegating vim25 and ssoadmin - Add Credential for client, session and sso - Add CreateUserFunc for creating solution user and person user - Implement creating default solution user and granting WSTrust permission and Administrator role.
k8s-ci-robot
added
the
lgtm
|
/lgtm 👍 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: frapposelli The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
fanzhangio
changed the title
permission and Administrator role.
fixes #15
Special notes for your reviewer:
Stage 2 for vcpctl implementation
Release note:
NONE