PowerScale Plugin Implementation

The PowerScale plugin provides storage integration for the dapcli repository, enabling the management of Isilon (PowerScale) clusters through Cloudify orchestration. It encapsulates the OneFS Platform-API (PAPI) client to handle session management, CSRF token propagation, and secure credential handling, while leveraging the DAP secret store to manage sensitive data like S3 access keys without exposing them in deployment runtime properties. The plugin defines specific Cloudify node types that utilize these components to reconcile storage resources, ensuring that cluster connections and secrets are maintained in a consistent state.

The core communication with PowerScale clusters is handled by the PapiClient class in plugins/powerscale/src/powerscale_plugin/papi.py 1. OneFS does not accept HTTP basic authentication on real endpoints; instead, every request must travel through a session where the isicsrf cookie is echoed back as the X-CSRF-Token header, accompanied by a matching Referer header. The client manages this session lifecycle, including a single retry on 401 responses to handle silent session cookie expiration after the cluster’s idle timeout.

Credentials are encapsulated in the ClusterConnection dataclass, which includes the host, user, password, TLS verification settings, and port. These credentials are never exposed in command-line arguments, environment variables, or unredacted log output. The client uses httpx for HTTP operations and provides methods for GET, POST, PUT, and DELETE requests, automatically parsing JSON responses or returning raw responses when requested 2.
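The session handling described above, as an added sketch that is not the plugin's PapiClient: it echoes the isicsrf cookie as X-CSRF-Token, sends a matching Referer, and logs in again exactly once on a 401. The `send` transport hook, `SessionClient`, `FakeCluster`, the `repr=False` redaction and the host `ps.example` are assumptions of this example; the `/session/1/session` login path and the `isisessid` cookie name come from the OneFS session API rather than from this page.

```python
from dataclasses import dataclass, field

@dataclass
class ClusterConnection:
    host: str
    user: str
    password: str = field(repr=False)  # assumption: keeps the password out of repr()/logs
    port: int = 8080

class SessionClient:
    """send(method, path, headers, body) -> (status, set_cookies, json) is a
    hypothetical transport hook so the sketch runs without a cluster."""
    def __init__(self, conn, send):
        self.conn, self.send, self.cookies = conn, send, {}
        self.origin = f"https://{conn.host}:{conn.port}"

    def login(self):
        body = {"username": self.conn.user, "password": self.conn.password, "services": ["platform"]}
        status, cookies, _ = self.send("POST", "/session/1/session", {}, body)
        if status not in (200, 201):
            raise RuntimeError(f"session login failed: HTTP {status}")
        self.cookies = dict(cookies)

    def request(self, method, path, body=None):
        for attempt in (1, 2):  # at most one retry, and only on 401
            if "isicsrf" not in self.cookies:
                self.login()
            headers = {
                "Cookie": "; ".join(f"{k}={v}" for k, v in self.cookies.items()),
                "X-CSRF-Token": self.cookies["isicsrf"],  # echo the cookie value
                "Referer": self.origin,                   # must match the cluster origin
            }
            status, _, data = self.send(method, path, headers, body)
            if status != 401 or attempt == 2:
                return status, data
            self.cookies = {}  # session idled out silently: discard it and log in again

class FakeCluster:
    """Constructed stand-in: the first session it issues has already expired."""
    logins, live = 0, None
    def __call__(self, method, path, headers, body):
        if path == "/session/1/session":
            self.logins += 1
            token = f"csrf-{self.logins}"
            self.live = token if self.logins > 1 else None
            return 201, {"isisessid": f"sess-{self.logins}", "isicsrf": token}, {}
        ok = (self.live is not None and headers.get("X-CSRF-Token") == self.live
              and headers.get("Referer") == "https://ps.example:8080")
        return (200, {}, {"ok": True}) if ok else (401, {}, {})
```

Capping the loop at two attempts means a cluster that keeps answering 401 (wrong password, disabled account) surfaces the failure to the caller instead of triggering repeated logins.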

Error handling is centralized in the PapiError exception, which captures the HTTP status code, the AEC_* error code extracted from the OneFS error envelope, and the error message 1. The _extract_aec helper function parses the JSON error body to retrieve the first error’s code and message, falling back to generic HTTP error details if parsing fails 3.

Sensitive data, such as S3 access keys, is managed through the SecretStore class in plugins/powerscale/src/powerscale_plugin/secrets.py 4. This class acts as a thin wrapper around the DAP orchestrator’s secret store, ensuring that minted secrets never appear in the deployment’s runtime_properties. Instead, runtime_properties carries only the secret’s key name, allowing consumers to reference the value via {get_secret: <key>}.

The SecretStore provides idempotent operations for creating, updating, and deleting secrets. The create_or_update method attempts to create a secret first; if a conflict occurs (e.g., the key already exists), it falls back to updating the existing value. This logic handles compatibility with older orchestrator client signatures that may not support the update_if_exists parameter.

The REST client for the orchestrator is acquired lazily via cloudify.manager.get_rest_client, allowing tests to patch the module-level import without requiring a real orchestrator environment. The delete method swallows “not found” errors to ensure retries converge successfully.

The plugin defines Cloudify node types that utilize the PapiClient and SecretStore to manage storage resources 5. The package version is defined as “0.1.0” in plugins/powerscale/src/powerscale_plugin/__init__.py. While the specific node type definitions are not detailed in the provided sources, the reconciliation logic relies on the capabilities of the PAPI client to interact with the OneFS cluster and the secret store to manage credentials 1 4.

The reconciliation process involves establishing a secure session with the PowerScale cluster using the provided credentials, performing necessary API calls to create or modify storage resources, and updating the deployment’s runtime properties with the resulting resource identifiers or secret keys 1 4. The PapiClient ensures that all API interactions are authenticated and authorized via the session cookie mechanism, while the SecretStore ensures that sensitive data is handled securely and idempotently 1 4.