NE-1381: API - add STSIAMRoleARN field

[alebedev87]

Context
According to Tokenized Cloud Auth Enablement For Operators EP CCO can now provision secrets on STS clusters too. However this EP is meant for the operators only, the operands are supposed to be managed via their APIs.

Goal
The goal of this PR is to add a new field for the Role ARN which is supposed to be added to CredentialsRequest CR created by the operator for its operand (AWS LoadBalancer Controller).

[openshift-ci-robot]

@alebedev87: This pull request references NE-1381 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

In response to this:

Context
According to Tokenized Cloud Auth Enablement For Operators EP CCO can now provision secrets on STS clusters too. The EP is dedicated to the operator's credentials, the operands are supposed to be managed via their APIs.

Goal
The goal of this PR is to add a new field for the Role ARN which is supposed to be added to CredentialsRequest CR created by the operator for its operand (AWS LoadBalancer controller).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@alebedev87: This pull request references NE-1381 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

In response to this:

Context
According to Tokenized Cloud Auth Enablement For Operators EP CCO can now provision secrets on STS clusters too. The EP is dedicated to the operator's credentials, the operands are supposed to be managed via their APIs.

Goal
The goal of this PR is to add a new field for the Role ARN which is supposed to be added to CredentialsRequest CR created by the operator for its operand (AWS LoadBalancer controller).

Commits

• NE-1381: API - add STSIAMRoleARN field: API change
• STSIAMRoleARN usage example: API usage example

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[JoelSpeed]

You could enforce this validation using a CEL validation rule

[alebedev87]

CEL validation is added.

[JoelSpeed]

So this allows me to configure a credentials request that is created by the load balancer type? Or to refer to an existing credentials request?

[alebedev87]

This is to configure a credentials request that is created for the managed load balancer controller. The credentials request is defined by the operator. The new field is the only moving part in it for the moment.

[openshift-ci-robot]

@alebedev87: This pull request references NE-1381 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

In response to this:

Context
According to Tokenized Cloud Auth Enablement For Operators EP CCO can now provision secrets on STS clusters too. The EP is dedicated to the operator's credentials, the operands are supposed to be managed via their APIs.

Goal
The goal of this PR is to add a new field for the Role ARN which is supposed to be added to CredentialsRequest CR created by the operator for its operand (AWS LoadBalancer Controller).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[alebedev87]

Needs openshift/release#44017 to make the rosa e2e work.

[alebedev87]

/test e2e-aws-proxy-operator

[openshift-ci-robot]

@alebedev87: This pull request references NE-1381 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

In response to this:

Context
According to Tokenized Cloud Auth Enablement For Operators EP CCO can now provision secrets on STS clusters too. However this EP is meant for the operators only, the operands are supposed to be managed via their APIs.

Goal
The goal of this PR is to add a new field for the Role ARN which is supposed to be added to CredentialsRequest CR created by the operator for its operand (AWS LoadBalancer Controller).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[alebedev87]

/test e2e-aws-rosa-operator

[alebedev87]

ROSA cluster provisioning is blocked by openshift/rosa#1548.

[candita]

/assign @gcs278

[alebedev87]

Docs updated to truncate the role name used by ccoctl. This should help avoiding the problems when controller and operator roles names turn to be same due to the limitation of 64 chars.

[chenz4027]

/test e2e-aws-rosa-operator

[alebedev87]

/test e2e-aws-rosa-operator

[gcs278]

Looks great, mostly nit picks.

[gcs278]

tangential nit I think the names of these documents are confusing.

docs/prerequisities.md:

• For STS, shows you how to create IAM Role and then install ALBO
• VPC and Subnets

docs/install.md

• For STS, assumes ALBO is already installed, and shows you how to create the AWSLoadBalancerController with STS IAM Role ARN.
• Nothing for non-STS

prerequisties.md documents STS install, but install.md documents how to configure an ALBC instance (only for STS).

My thoughts:

1. It shouldn't be prerequisites.md if we describe how to install ALBO on an STS cluster, that should be install.md
2. install.md isn't showing how to install, it's showing how to finish configuring ALBC (post-install?)
3. install.md lacks showing how to install non-STS clusters

I think these suggestions are out of scope of this PR, so I don't want to hold you to it right now, but what do you think about someone addressing this as a bug in another PR? Do you agree something seems funky with organization?

[alebedev87]

Do you agree something seems funky with organization?

Yes, I agree. The 3 docs (prerequisistes, install, tutorial) overlap and mislead sometimes. It's a problem of this repository from the very beginning. Many reshuffles were done with different success rates.

I did another one to exclude the overlap, feel free to leave comments.

[gcs278]

I like it. It feels like it flows a bit better.

[gcs278]

nit I think this information is good, but arguably shouldn't it be added to prerequisites.md to be symmetrical? These two documents seem to describe very similar things, and this statement also applies there.

Also, do you think it should be an absolute link, [hack/controller](/hack/controller/), to be more resilient to moving docs around?

[alebedev87]

nit I think this information is good, but arguably shouldn't it be added to prerequisites.md to be symmetrical? These two documents seem to describe very similar things, and this statement also applies there.

Both docs are aligned now.

Also, do you think it should be an absolute link, hack/controller, to be more resilient to moving docs around?

The path you proposed doesn't seem to be 100% absolute, it's still relative to the repository. I'm fine with it but does this syntax work?

[gcs278]

Ah sorry. I was wrong about how github markdown works. You'd need to do the full URL in order to make it absolute, and that feels wrong. Seems like relative paths are preferred anyways. mkdocs/mkdocs#192

[gcs278]

So I tried to run E2E in my STS cluster, non-ROSA, but this logic won't allow me to provide a roleARN manually, right?

I feel like we should support directly provide ENV while not in a Rosa cluster, otherwise I can't test your changes manually in my STS cluster.

[alebedev87]

There is a dedicated README chapter for the manual testing on a ROSA cluster. But I believe it should work on any STS cluster too. I think I should add ALBO_E2E_CONTROLLER_ROLE_ARN variable in there and maybe make it more generic: change the chapter name and add new platform toALBO_E2E_PLATFORM envvar.

Does it sound like what you were looking for?

[gcs278]

Ah okay, I didn't realize the platform was controlled by a ENV Variables, I thought it was looking at some sort of cluster config object. Yea I suppose I could say I'm "ROSA" to test, but that does feel a little funky because I'd be lying.

I think your suggestion makes sense. If I provide ALBO_E2E_CONTROLLER_ROLE_ARN, I feel like it should use that in ALBC creation regardless of my platform, but at the same time, I don't think I should have to set ALBO_E2E_PLATFORM to ROSA.

[alebedev87]

Ah okay, I didn't realize the platform was controlled by a ENV Variables, I thought it was looking at some sort of cluster config object.

I don't know any reliable way of how to detect whether your container runs on a cluster which uses STS credentials. Infrastructure resource doesn't have any info about it. CCO in manual mode != STS. We could check the format of the contents of the cluster operator's secrets but that seems to be a little too much. Overall, it's a good question which needs to be digged in. I'll try to follow up on it.

I tried to address the comment in this commit. Let me know if it's still unclear.

[gcs278]

Yea your approach is fine.

[chenz4027]

@alebedev87 It passes the provision tests. My fix was in and it no longer blocks that step :)

INFO[2023-10-19T15:39:55Z] Running step e2e-aws-rosa-operator-rosa-cluster-provision. 
INFO[2023-10-19T16:10:28Z] Step e2e-aws-rosa-operator-rosa-cluster-provision succeeded after 30m32s. 

[alebedev87]

Thanks @chenz4027! The provisioning is back indeed.

[alebedev87]

/test e2e-aws-operator

[alebedev87]

Problems pulling openshift/node image faced:

                "containerStatuses": [
                    {
                        "image": "openshift/origin-node",
                        "imageID": "",
                        "lastState": {},
                        "name": "echo",
                        "ready": false,
                        "restartCount": 0,
                        "started": false,
                        "state": {
                            "waiting": {
                                "message": "Back-off pulling image \"openshift/origin-node\"",
                                "reason": "ImagePullBackOff"
                            }
                        }
                    }
                ],

Since it's pulled from docker.io, I decided to replace it with openshift/tools images from the internal registry, similar to what was done in the cluster ingress operator.

[alebedev87]

Another ROSA provisioning issue: openshift/release#44633.

[gcs278]

Thanks for the updates, I like the reformatting.

[gcs278]

nit This is install.md, but only shows how to install STS clusters. Is it worth adding a Non-STS Cluster section for completeness?

[alebedev87]

Non-STS clusters chapter added.

[gcs278]

When installing from the UI, don't you also need to apply:

      config:
        env:
        - name: ROLEARN
          value: "${ROLEARN}"

to the subscription object? How is this done when you install it via the UI? I'm confused, because looking at https://github.com/alebedev87/aws-load-balancer-operator/blob/ne-1381-api-rolearn/bundle/manifests/aws-load-balancer-operator.clusterserviceversion.yaml, I followed to https://docs.openshift.com/container-platform/4.13/networking/aws_load_balancer_operator/installing-albo-sts-cluster.html#nw-bootstra-albo-on-sts-cluster_albo-sts-cluster and that didn't tell me how to include the ROLEARN env? Or is that automatic somehow when using the Web UI?

[alebedev87]

The OperatorHub's web UI is supposed to be updated with a new input box for the role ARN. A screenshot of how this is supposed to look like can be found in How To STS doc. Let me say this explicitly in our markdown.

[alebedev87]

Rephrased.

[gcs278]

I like it. It feels like it flows a bit better.

[gcs278]

I think this test is a good addition, but future looking, are you familiar with the API integration test suite? https://github.com/openshift/api/tree/master/tests#readme. You can create API tests like this in YAML files. Not sure how easy it would be to port that over here.

[alebedev87]

Interesting. That may be useful to test the openAPI validations indeed. The setup may be a little heavy for this concrete PR but if the API will grow in complexity we can think of it.

[alebedev87]

ROSA provisions 4.13.x clusters which don't have CredentialsRequest CRD updated with STSIAMRoleARN field used by the code introduced in this PR. The support starts from 4.14.0.
Therefore, as of now the ROSA e2e job cannot work with the new STS flow. This commit aims at fixing the gap temporarily.

[gcs278]

Thanks for working through these reviews with me. Hopefully CI will sort itself out.
/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gcs278

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [gcs278]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alebedev87]

/test e2e-aws-rosa-operator

[openshift-ci]

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[kowen-rh]

/label docs-approved

[alebedev87]

I edited Kevin's comment from docs-approved to /label docs-approved but it was not enough for the bot.

/label docs-approved

[CFields651]

/label px-approved

[ShudiLi]

The ALBO can be created on ROSA STS with secrets created by ccoctl or the AWS CLI.
/qe-approved
thanks.

[alebedev87]

/label qe-approved

I believe that's what Shudi wanted to say 😉.

[openshift-ci-robot]

@alebedev87: This pull request references NE-1381 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

In response to this:

Context
According to Tokenized Cloud Auth Enablement For Operators EP CCO can now provision secrets on STS clusters too. However this EP is meant for the operators only, the operands are supposed to be managed via their APIs.

Goal
The goal of this PR is to add a new field for the Role ARN which is supposed to be added to CredentialsRequest CR created by the operator for its operand (AWS LoadBalancer Controller).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.