Blocking project wide ssh keys while creating machine class #506

Merged
merged 2 commits into from
Oct 17, 2022

Conversation

rishabh-11
Contributor

@rishabh-11 rishabh-11 commented Oct 13, 2022

How to categorize this PR?

/area control-plane
/kind enhancement
/platform gcp

What this PR does / why we need it:
In GCP, for each project, there is a project-wide SSH key which can be used to access all the VM instances in that project. Each instance has an option to disable this by marking Block project-wide SSH keys as On in the GCP console. This PR adds a metadata field to the machine class spec during machine class creation, which will then be used by mcm-provider-gcp during VM instance creation to mark the Block project-wide SSH keys field as On. The corresponding code in mcm-provider-gcp can be checked out here. The metadata field will be present in the providerSpec of the machine class and will look like this:

[Screenshot: the metadata field as it appears in the machine class providerSpec]

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
The testing of this was done using a shooted seed local setup of gardener, and it worked as expected. The created machine had Block project wide SSH keys as On in the GCP console.
[Screenshot: GCP console showing Block project-wide SSH keys set to On for the created machine]

Release note:

`Block project wide SSH keys` will be `On` for all new machines created.
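The mechanism described above, as an added example of how the instance-metadata flag is written and verified. This is illustrative code, not the PR's own change or mcm-provider-gcp's code. The metadata key `block-project-ssh-keys` and the value `TRUE` are taken from GCP's instance-metadata documentation rather than from this page; the `MetadataItem` type, the function names and the sample inputs are assumed. The example also covers a point the PR text only implies: if user-supplied metadata from the providerSpec is merged into the instance, it must not be able to set the flag back to FALSE, so the hardened value is applied last.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// MetadataItem mirrors the key/value shape of GCE instance metadata.
// Assumed name; it stands in for the compute API's metadata item type.
type MetadataItem struct {
	Key   string
	Value string
}

// BlockProjectSSHKeysKey is the GCE instance-metadata key that disables
// project-wide SSH keys on an instance when set to "TRUE". The key name
// comes from GCP's documentation, not from the PR text.
const BlockProjectSSHKeysKey = "block-project-ssh-keys"

// BuildInstanceMetadata merges the metadata map carried in a machine class
// providerSpec into the instance metadata list, then enforces that
// block-project-ssh-keys is TRUE regardless of what the spec contained.
// Enforcing it last is the point: a spec entry of "FALSE" must not win.
func BuildInstanceMetadata(specMetadata map[string]string) []MetadataItem {
	items := make([]MetadataItem, 0, len(specMetadata)+1)
	for k, v := range specMetadata {
		if strings.EqualFold(k, BlockProjectSSHKeysKey) {
			continue // dropped here; re-added below with the enforced value
		}
		items = append(items, MetadataItem{Key: k, Value: v})
	}
	// Deterministic order so the generated instance config diffs stably.
	sort.Slice(items, func(i, j int) bool { return items[i].Key < items[j].Key })
	items = append(items, MetadataItem{Key: BlockProjectSSHKeysKey, Value: "TRUE"})
	return items
}

// ProjectSSHKeysBlocked reports whether an instance's metadata blocks
// project-wide keys. Assumption: the value is compared case-insensitively,
// so "true" and "TRUE" both count; an absent key means project-wide keys
// are still accepted, which is the insecure default.
func ProjectSSHKeysBlocked(items []MetadataItem) bool {
	for _, it := range items {
		if strings.EqualFold(it.Key, BlockProjectSSHKeysKey) {
			return strings.EqualFold(strings.TrimSpace(it.Value), "true")
		}
	}
	return false
}

// FindUnblocked returns, sorted, the names of instances whose metadata does
// not block project-wide keys: the check an operator would run after this
// change to confirm that every new machine really has the flag on.
func FindUnblocked(instances map[string][]MetadataItem) []string {
	var out []string
	for name, items := range instances {
		if !ProjectSSHKeysBlocked(items) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample spec that tries to turn the flag off.
	spec := map[string]string{
		"ssh-keys":            "ops:ssh-ed25519 AAAA... ops",
		BlockProjectSSHKeysKey: "FALSE",
	}
	items := BuildInstanceMetadata(spec)
	fmt.Println(items, ProjectSSHKeysBlocked(items))

	// Constructed fleet snapshot: one machine created after the change,
	// one created before it that never received the flag.
	fleet := map[string][]MetadataItem{
		"shoot-worker-new": items,
		"shoot-worker-old": {{Key: "ssh-keys", Value: "ops:ssh-ed25519 AAAA... ops"}},
	}
	fmt.Println("unblocked:", FindUnblocked(fleet))
}
```

The release note says only new machines get the flag, so the `FindUnblocked` pass is the part worth keeping around: machines created before the rollout keep accepting project-wide keys until they are rolled or the metadata is patched.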

@rishabh-11 rishabh-11 requested review from a team as code owners October 13, 2022 09:39
@gardener-robot gardener-robot added needs/review Needs review kind/enhancement Enhancement, improvement, extension platform/gcp Google cloud platform/infrastructure labels Oct 13, 2022
@gardener-robot

@rishabh-11 Labels area/control, area/plane do not exist.

@gardener-robot gardener-robot added the size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py) label Oct 13, 2022
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Oct 13, 2022
@gardener-robot gardener-robot added the area/control-plane Control plane related label Oct 13, 2022
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Oct 13, 2022
@@ -179,7 +179,14 @@ func (w *workerDelegate) generateMachineConfig(_ context.Context) error {
"description": fmt.Sprintf("Machine of Shoot %s created by machine-controller-manager.", w.worker.Name),
"disks": disks,
"labels": gceInstanceLabels,
"machineType": pool.MachineType,
// TODO: make this configurable for the user
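Review bot: the `// TODO: make this configurable for the user` comment left in the instance config of `generateMachineConfig` carries no issue reference or rationale, so it will go stale; the reason given in the thread below (exposing metadata through providerConfig changes the machine class name and rolls the pool) belongs in the comment itself, or the comment should point at the mcm issue mentioned there. Note also that the hunk header `@@ -179,7 +179,14 @@` shows seven added lines but only this comment and the surrounding context survive in the extracted view, so the exact metadata key and value written should be confirmed in the full diff rather than from the screenshot alone.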
Member

Is there a concrete need already known to let users pass additional metadata for the machines?
If yes, we might want to create an issue for it, as that is easier to track?

Contributor Author

In the current mcm-provider-gcp code, we have a feature to add a metadata field on a VM instance at the time of its creation (see this). But at the moment we cannot specify a metadata field in the providerConfig section of the worker pool in the shoot YAML, as the current extension-provider-gcp cannot decode it (see this and this). So even though mcm provides the feature of specifying metadata on a VM instance, it will not be used, as the machine class will never have this field present. This is the reason why I added this comment for now.

I am not opening an issue right now because we are unsure whether we want to keep this field in the machine class. The reason is that any change in the providerConfig part of the worker section in the shoot YAML will generate a new machine class name (see this and this) and therefore a new machine class, which will cause a rolling update of the machines. We don't want this just because some metadata field was changed. We already have an issue on mcm (see this) which requires something similar and should be sufficient to keep track of this as well.

cc @himanshu-kun

Member

@dkistner dkistner left a comment

/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/review Needs review labels Oct 17, 2022
Contributor

@himanshu-kun himanshu-kun left a comment

/lgtm

Contributor

@kon-angelo kon-angelo left a comment

/lgtm

@kon-angelo kon-angelo merged commit debd61e into gardener:master Oct 17, 2022
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Oct 17, 2022
@rishabh-11 rishabh-11 deleted the block-project-wide-ssh-keys branch October 17, 2022 09:55