✨ Rosa Config implementaiton #5499
Conversation
|
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
do-not-merge/release-note-label-needed
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
needs-priority
size/XXL
|
Hi @PanSpagetka. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
do-not-merge/work-in-progress
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
from
11dac0b to
6056618
Compare
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
6 times, most recently
from
1587db4 to
9121ec2
Compare
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
3 times, most recently
from
07b73a3 to
097252f
Compare
Dockerfile
Outdated
| @@ -28,12 +28,17 @@ WORKDIR /workspace | |||
| # Copy the Go Modules manifests | |||
| COPY go.mod go.mod | |||
| COPY go.sum go.sum | |||
| COPY ./rosa /workspace/rosa | |||
There was a problem hiding this comment.
why are we adding this ? what is the rosa file
Dockerfile
Outdated
| # Cache deps before building and copying source so that we don't need to re-download as much | ||
| # and so that source changes don't invalidate our downloaded layer | ||
| RUN --mount=type=cache,target=/root/.local/share/golang \ | ||
| --mount=type=cache,target=/go/pkg/mod \ | ||
| go mod download | ||
|
|
||
| # RUN go mod download |
PROJECT
Outdated
There was a problem hiding this comment.
can you just add the RosaRoleConfig item without changing the order of other items
config/default/tmp.yaml
Outdated
There was a problem hiding this comment.
why do we need this file ?
config/crd/kustomization.yaml
Outdated
| @@ -38,6 +39,7 @@ patchesStrategicMerge: | |||
| - patches/webhook_in_awsmanagedcontrolplanes.yaml | |||
| - patches/webhook_in_eksconfigs.yaml | |||
| - patches/webhook_in_eksconfigtemplates.yaml | |||
| #- patches/webhook_in_rosaroleconfigs.yaml | |||
There was a problem hiding this comment.
I believe you need to uncomment this line
| } | ||
| } | ||
|
|
||
| if scope.RosaRoleConfig.Status.OIDCID == "" { |
There was a problem hiding this comment.
I believe you should check/set the RosaRoleConfig condition first , then get the oidc using OCM client if it is not exist then create it.
Same applied for account-roles and operator-roles
| } | ||
| } | ||
|
|
||
| err = r.deleteOperatorRoles(ocmClient, awsClient, scope.RosaRoleConfig.Spec.AccountRoleConfig.Prefix) |
There was a problem hiding this comment.
Do we need to delete the operator roles before the oidc-provider ?
There was a problem hiding this comment.
Nope, a changed it so it matches reverse creation order.
| return ocmClient.DeleteOidcConfig(oidcConfigID) | ||
| } | ||
|
|
||
| type reporter struct { |
There was a problem hiding this comment.
please move this to another file , better to be under pkg/.../rosa
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
from
097252f to
0c9fa93
Compare
k8s-ci-robot
added
the
needs-rebase
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
3 times, most recently
from
b3aded3 to
23fa4cb
Compare
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
from
23fa4cb to
2515be2
Compare
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
from
2515be2 to
c0d0d2a
Compare
k8s-ci-robot
removed
the
needs-rebase
|
@PanSpagetka would you fix the PR title so PR verify job can pass |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
4 times, most recently
from
ac54449 to
f1fdb1c
Compare
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
2 times, most recently
from
29f9584 to
844a962
Compare
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
from
844a962 to
7395772
Compare
PanSpagetka
force-pushed
the
rosa-roles-implementations
branch
from
5997fac to
3f9bd3a
Compare
|
@PanSpagetka: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| @@ -179,6 +183,24 @@ func (r *ROSAControlPlane) validateExternalAuthProviders() *field.Error { | |||
| return nil | |||
| } | |||
|
|
|||
| func (r *ROSAControlPlane) validateRosaRoleConfig() *field.Error { | |||
There was a problem hiding this comment.
Not sure if the logic here is valid, hasDirectRoleFields will be true even if one condition is true and others are false. Ex; r.Spec.OIDCID can be true but all others fields can be false that case hasDirectRoleFields will be true.
| r.Spec.RolesRef.NetworkARN != "" || r.Spec.RolesRef.KubeCloudControllerARN != "" || r.Spec.RolesRef.NodePoolManagementARN != "" || | ||
| r.Spec.RolesRef.ControlPlaneOperatorARN != "" || r.Spec.RolesRef.KMSProviderARN != "" | ||
|
|
||
| if hasRosaRoleConfigRef && hasDirectRoleFields { |
There was a problem hiding this comment.
Lets make the logic as below;
if RosaRoleConfigRef is set, we use the roleConfigRef to get all roles (ignore all other role fields even if set) just log warning.
if RosaRoleConfigRef not set and all other Role fields are set, we use the roles fields
if RosaRoleConfigRef not set and some Roles fields are missing we raise error
if RosaRoleConfigRef not set and all Roles fields are missing we raise error
|
|
||
| conditions.MarkTrue(rosaScope.ControlPlane, rosacontrolplanev1.ROSARoleConfigReadyCondition) | ||
|
|
||
| // Update spec fields from RosaRoleConfig |
There was a problem hiding this comment.
This logic is not correct, If the user is already setting those fields value, we are updating those values. I believe we should define internal roleConfig in rosacontrolPlane scope and then check which roles to use based on availability
| OperatorRoleConfig OperatorRoleConfig `json:"operatorRoleConfig"` | ||
| OIDCConfig OIDCConfig `json:"oidcConfig"` | ||
| IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"` | ||
| Region string `json:"region,omitempty"` |
There was a problem hiding this comment.
Missing description and kbuilder tags.
| Region string `json:"region,omitempty"` | ||
| Prefix string `json:"prefix"` |
There was a problem hiding this comment.
Missing description and kbuilder tags.
| // User-defined prefix for generated AWS operator policies. | ||
| // +kubebuilder:validation:MaxLength:=4 | ||
| // +kubebuilder:validation:Required | ||
| Prefix string `json:"prefix"` |
There was a problem hiding this comment.
Prefix must be immutable cause changing the prefix will create new role
| // User-defined prefix for all generated AWS resources | ||
| // +kubebuilder:validation:MaxLength:=4 | ||
| // +kubebuilder:validation:Required | ||
| Prefix string `json:"prefix"` |
There was a problem hiding this comment.
Prefix must be immutable cause changing the prefix will create new roles
| ) | ||
|
|
||
| // SetupWebhookWithManager will setup the webhooks for the ROSARoleConfig. | ||
| func (r *ROSARoleConfig) SetupWebhookWithManager(mgr ctrl.Manager) error { |
There was a problem hiding this comment.
This routine is never called from main.go, which is why I'm getting:
$ kubectl apply -f rosa-roleconfig-01.yaml
Error from server (InternalError): error when creating "rosa-roleconfig-01.yaml": Internal error occurred: failed calling webhook "default.rosaroleconfig.infrastructure.cluster.x-k8s.io": failed to call webhook: the server could not find the requested resource
With this change in place the above error goes away:
$ git diff
diff --git a/main.go b/main.go
index c65ff7356..6348fd0de 100644
--- a/main.go
+++ b/main.go
@@ -285,6 +285,11 @@ func main() {
setupLog.Error(err, "unable to create webhook", "webhook", "ROSAMachinePool")
os.Exit(1)
}
+
+ if err := (&expinfrav1.ROSARoleConfig{}).SetupWebhookWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create webhook", "webhook", "ROSARoleConfig")
+ os.Exit(1)
+ }
}
if err = (&expcontrollers.ROSARoleConfigReconciler{
There was a problem hiding this comment.
Although I don't quite understand the point of this webhook, since it's currently not doing anything.
Based on proposal #5451
Adding RosaRoleConfig API with implementation. that should create Account/Operator roles and OIDC config/provider necessary to create ROSA cluster.
We need to move RosaMachinePoolAutoScaling definition to controlplane, because otherwise there would be circular dependency.
What type of PR is this?
/kind feature
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Checklist:
Release note: