NE-1323: Add AWS RoleARN for Shared VPC support #195
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
I believe you need to add sts:AssumeRole to the AWS CredentilasRequest too.
| @@ -194,6 +194,10 @@ func (b *externalDNSContainerBuilder) fillProviderAgnosticFields(seq int, zone s | |||
| args = append(args, "--ignore-hostname-annotation") | |||
| } | |||
|
|
|||
| if b.externalDNS.Spec.AWSRoleARN != nil { | |||
| args = append(args, fmt.Sprintf("--aws-assume-role=%s", *b.externalDNS.Spec.AWSRoleARN)) | |||
There was a problem hiding this comment.
I'm wondering whether we should expose the external ID as the API knob too. ExternalDNS has a dedicated flag for it. I see that we didn't bother with it in C-I-O.
There was a problem hiding this comment.
That's a good point, I hadn't heard of the ExternalID until now. But, if we didn't bother with it in CIO, I wonder if we should bother with it here. I can point it out to the Shared VPC folks so they are aware something like this exists.
|
@gcs278 : what are your thoughts about the testing of this feature? |
gcs278
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@gcs278: This pull request references NE-1323 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
gcs278
changed the title
gcs278
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@gcs278: This pull request references NE-1323 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@gcs278: This pull request references NE-1323 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I would like to E2E test it, but we need a E2E test job that stands up a shared VPC in Account A, and stands up a cluster with a role ARN in Account B. My assumption is that we need a new, seperate E2E job that does these things as prerequisites, and separately runs a subset of Shared VPC E2E tests. I'm waiting on https://issues.redhat.com/browse/CORS-2650 to finish up, as this story will hopefully paving a way, creating items in the CI Step Registry that we could potentially leverage. Do you have any thoughts? |
gcs278
force-pushed
the
shared-vpc
branch
3 times, most recently
from
c3b0f26 to
2c7e1d8
Compare
|
@alebedev87 thanks for your time. Update:
|
There was a problem hiding this comment.
Thanks for the review @alebedev87
I'm working on E2E tests at the moment. I may add them to this PR if it's still open, but I don't think we have to hold this PR up for the E2E tests.
| - '{{.Name}}.mydomain.net' | ||
| ``` | ||
|
|
||
| **Note**: Due to a limitation of the `v1beta1` API requiring the `credentials` field, OpenShift users will be required |
There was a problem hiding this comment.
Okay thanks. I'll leave what I have now, and possibly open another PR later with details on CredentialsRequest to keep this PR cleaner.
api/v1beta1/webhook_test.go
Outdated
| AWS: &ExternalDNSAWSProviderOptions{ | ||
| AssumeRole: &ExternalDNSAWSAssumeRoleOptions{ | ||
| ARN: pointer.String("arn:aws:iam::123456789012:role/foo"), | ||
| }, | ||
| }, |
There was a problem hiding this comment.
This test is for OpenShift, and the CRDs aren't involved, just the webhook. The webhook doesn't validate credentials for Openshift. The CRDs were the issue due to +required on the Credentials field.
The webhook works without issue, but use of the CRD would require an empty credentials field.
Agree, we don't need to hold this PR. Do you plan to add e2e test in another PR then? |
|
/lgtm |
|
/test verify |
|
@alebedev87 forgot to run |
|
/lgtm |
Adds the ability to specify a Role ARN to create Route 53 DNS records in a different AWS Account. Supports Shared VPC scenario. `api/v1beta1/externaldns_types.go`: Add AssumeRole API `api/v1beta1/webhook_test.go`: Add AssumeRole WebHook Validation test `api/v1beta1/zz_generated.deepcopy.go`: Generated `bundle/manifests/externaldns.olm.openshift.io_externaldnses.yaml`: Generated `config/crd/bases/externaldns.olm.openshift.io_externaldnses.yaml`: Generated `docs/usage.md`: Add section on AWS Assume Role `pkg/operator/controller/externaldns/credentials_request.go`: Add sts:AssumeRole to credential requests `pkg/operator/controller/externaldns/deployment_test.go`: Unit test `desiredExternalDNSDeployment` `pkg/operator/controller/externaldns/pod.go`: Add --aws-assume-role argument with AssumeRole ARN value
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alebedev87 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Cluster installation failed. /test e2e-gcp-operator |
|
cluster install failure |
|
/label px-approved |
openshift-ci
bot
added
the
px-approved
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
Cluster install failed |
|
@gcs278: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/label docs-approved |
openshift-ci
bot
added
the
docs-approved
Adds the ability to specify a RoleARN to create Route 53 DNS records in a different AWS Account. Supports Shared VPC scenario.
The new API is propagated to the existing external-dns argument
--aws-assume-role.Epic Link: https://issues.redhat.com/browse/NE-1299
EP PR: openshift/enhancements#1436