Add day 1 API for cluster #7
Conversation
api/wip-files/examples/2024-06-10-preview/HypershiftClusters_CreateOrUpdate.json
Outdated
Show resolved
Hide resolved
api/wip-files/examples/2024-06-10-preview/HypershiftClusters_CreateOrUpdate.json
Outdated
Show resolved
Hide resolved
petrkotas
force-pushed
the
add-typespec-api
branch
from
375a6cc to
1b57981
Compare
petrkotas
force-pushed
the
add-typespec-api
branch
2 times, most recently
from
aa0e413 to
547e999
Compare
|
@UlrichSchlueter we do not, it was remaining from the dependency of a different branch. I rebased and now the commit is out. |
There was a problem hiding this comment.
Dumb question on file structure, potentially more for myself than this PR since I'm coding these APIs in Go...
For comparison, ARO-RP puts API specifications under /swagger and the Go files under /pkg/api (not /api).
Do we want the TypeSpec files and Go files to live together under /api or would it be better to separate them, say by having these specs in a /typespec folder and the Go files in /api (or /pkg/api)?
|
|
||
| /** Worker node pools configuration */ | ||
| @visibility("create", "update") | ||
| nodePoolProfile: NodePoolProfile[]; |
There was a problem hiding this comment.
This should be plural since it's an array, yes? (cf. ingressProfiles above)
There was a problem hiding this comment.
Sorry for another one-off comment.
In the TypeSpec file I'm seeing a lot of
@visibility("create", "update")
As I understand TypeSpec visibility, it's converted directly to the x-ms-mutability OpenAPI annotation and "create, update" alone specifies a write-only field which ARM guidelines forbid:
OAPI027: API must not have write-Only properties
Write-only properties are not acceptible ("x-ms-mutability": ["create", "update"]).
User must be able to read the properties (GET/LIST).
This will create noise in what-if reports that would show write-only properties as an update.
I think these cases all need to be
@visibility("read", "create", "update")
which is equivalent to omitting @visibility.
| * if omitted, the default encryption key is used | ||
| */ | ||
| @visibility("create") | ||
| etcdEncryption?: EtcdEncryptionProfile; |
There was a problem hiding this comment.
Should this be named etcdEncryptionProfile for consistency's sake?
| availabilityZone: string; | ||
|
|
||
| /** The type of the disc storage account */ | ||
| discStorageAccountType: string; |
There was a problem hiding this comment.
Should discStorageAccountType be an enum?
| /** Etcd encryption profile sets the configuration needed for | ||
| * customer brought keys to encrypt the etcd. | ||
| * This is an optional field, if omitted the default encryption key is used. | ||
| * TODO: decide how this is going to be implemented | ||
| */ | ||
| model EtcdEncryptionProfile { | ||
| /** The id of the disk encryption set to be used for etcd | ||
| * Is relies on https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview | ||
| */ | ||
| discEncryptionSetId: string; | ||
| } |
There was a problem hiding this comment.
This is no longer used, since the etcdEncryptionSetId is now part of the PlatformProfile model.
petrkotas
force-pushed
the
add-typespec-api
branch
from
086b993 to
adfa1d5
Compare
There was a problem hiding this comment.
@petrkotas please rename the directory redhatopenshift/Hypershift to redhatopenshift/hcpcluster or redhatopenshift/hcpopenshiftcluster. There are also lots of "Hypershift" mentioned in the comments which needs to be refactored.
| * When set to true, `platform.etcdEncryptionSetId` must be set | ||
| */ | ||
| @visibility("create") | ||
| etcdEncryption?: boolean = false; |
There was a problem hiding this comment.
This field strikes me as redundant. Could we either drop it or make it read-only and just say the presence of a non-empty platform.etcdEncryptionSetId in the PUT request implies encryption is enabled?
There was a problem hiding this comment.
The reason we use this is to provide fast-fail validation. For example, if you set FIPS=true, we force etcdEncryption to also be true, which forces the request to fail if encryptionSetId is empty. There might be other use cases (at least we have some others in CS why we do it this way) that may or may not apply.
There was a problem hiding this comment.
Presumably enforcing this consistency will be part of the RP's static validation. Still seems to me this field could be read-only; the static validation can check if etcdEncryptionSetId is non-empty as easily as whether etcdEncryption is true. What you're describing wrt FIPS sound like an implementation detail.
...openshift/resource-manager/Microsoft.RedHatOpenshift/preview/2024-06-10-preview/openapi.json
Outdated
Show resolved
Hide resolved
petrkotas
force-pushed
the
add-typespec-api
branch
from
c94c764 to
d79b8a4
Compare
petrkotas
force-pushed
the
add-typespec-api
branch
2 times, most recently
from
e2a3ff0 to
9d810b2
Compare
|
@s-amann I have updated the references to mention only hcpCluster. |
|
I have also removed all links to openshift documentation as it was pointing to fixed version. |
petrkotas
force-pushed
the
add-typespec-api
branch
from
12d07e6 to
9339944
Compare
...openshift/resource-manager/Microsoft.RedHatOpenshift/preview/2024-06-10-preview/openapi.json
Show resolved
Hide resolved
Creates the initial implementation of the hcpCluster API for day 1 operations.
petrkotas
force-pushed
the
add-typespec-api
branch
from
9339944 to
4c7bf16
Compare
Creates the initial implementation of the hcpCluster
API for day 1 operations.