Support CloudStack normal user account

[rohityadavcloud]

/kind feature

Describe the solution you'd like

While this is documented at https://cluster-api-cloudstack.sigs.k8s.io/topics/cloudstack-permissions I would prefer if I can use CAPC as a normal user account without any issues for support network models such as shared network, vpc and isolated network.

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Environment:

• Cluster-api-provider-cloudstack version:
• Kubernetes version: (use kubectl version):
• OS (e.g. from /etc/os-release):

[rohityadavcloud]

This is possibly already not an issue with ACS 4.18.1 and above that allows end-users to select a public IP in shared network etc. Needs testing, if it's already addressed we close this and update the docs/website; otherwise move this to the next v0.5.0 milestone.

[g-gaston]

Moving to v0.5.0 since this is a new feature and we are only prioritizing vital bugfixes for v0.4.9

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[rohityadavcloud]

cc @kiranchavala @vishesh92 @weizhouapache to advise if this is still applicable/relevant? Or can a normal user account also use CAPC without any issues?

[weizhouapache]

cc @kiranchavala @vishesh92 @weizhouapache to advise if this is still applicable/relevant? Or can a normal user account also use CAPC without any issues?

@rohityadavcloud I will do a quick testing and update you

[weizhouapache]

• No issue when deploy capc cluster as a domain admin

• Failed to deploy capc cluster as regular user

E0322 14:54:15.732481 1 controller.go:326] "msg"="Reconciler error" "error"="parsing ACSEndpoint secret with ref: {cloudstack-credentials-user default}: resolving account ACSUser details: resolving domain details: CloudStack API error 432 (CSExceptionErrorCode: 9999): The API [listDomains] does not exist or is not available for the account Account [{\"accountName\":\"ACSUser\",\"id\":4,\"uuid\":\"d744ea6d-45ca-4b4f-aee7-1b057d5ccb8f\"}]." "cloudStackFailureDomain"={"name":"590ec016fd8ebae981d65adf1e7306e8","namespace":"default"} "controller"="cloudstackfailuredomain" "controllerGroup"="infrastructure.cluster.x-k8s.io" "controllerKind"="CloudStackFailureDomain" "name"="590ec016fd8ebae981d65adf1e7306e8" "namespace"="default" "reconcileID"="da10e689-dda1-495e-af9e-a0c0e71d8a8f"

the fix seems simple. cc @rohityadavcloud @vishesh92

[weizhouapache]

it has been mentioned in https://github.com/kubernetes-sigs/cluster-api-provider-cloudstack/blob/main/docs/book/src/topics/cloudstack-permissions.md

The account that CAPC runs under must minimally be a Domain Admin type account with a role offering the following permissions