Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CORS-2764: AWS Shared VPC Backport [release-4.13] #7362

Merged
merged 16 commits into from
Aug 8, 2023
Merged

CORS-2764: AWS Shared VPC Backport [release-4.13] #7362

merged 16 commits into from
Aug 8, 2023

Conversation

patrickdillon
Copy link
Contributor

4.13 Backport of the AWS Shared VPC with cross-account private hosted zone

@openshift-ci openshift-ci bot requested review from barbacbd and mtulio July 24, 2023 18:46
r4f4
r4f4 reviewed Aug 1, 2023
View reviewed changes
Copy link
Contributor

@r4f4 r4f4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Aug 1, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: r4f4

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 1, 2023
@patrickdillon
Copy link
Contributor Author

patrickdillon commented Aug 3, 2023
edited by openshift-ci bot
Loading

/retitle CORS-2764: AWS Shared VPC Backport [release-4.13]

@openshift-ci openshift-ci bot changed the title [release-4.13] AWS Shared VPC CORS-2764: AWS Shared VPC Backport [release-4.13] Aug 3, 2023
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Aug 3, 2023
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Aug 3, 2023
edited by openshift-ci bot
Loading

@patrickdillon: This pull request references CORS-2764 which is a valid jira issue.

In response to this:

4.13 Backport of the AWS Shared VPC with cross-account private hosted zone

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@patrickdillon
aws: add HostedZoneRole to platform
dd92873 
Adds a hosted zone role field. If provided,
this role will be assumed whenever operations
are performed on the provided hosted zone. This
enables the private hosted zone to belong to a different
account than the rest of the cluster.
@patrickdillon
aws: validate hosted zone role
a50093f 
If a hosted zone role is specified in the install config, users
must also supply a hosted zone.
@patrickdillon
aws: add hostedZoneRole to metadata
923b1b9 
The hostedZoneRole will need to be used when destroying the cluster.
@patrickdillon
aws: update route53 clients to allow assume role
c266b69 
Updates the route53 clients to allow passing config with
assume role credentials. This allows the function caller
to determine whether the service should authenticate with
the default credentials or creds for another account.
@patrickdillon
aws: destroy phzs in other accounts
202d67a 
Add the ability to assume a role in a different account
when destroying records in a private hosted zone. When the
hostedZoneRole is passed in the metadata, that role will be used
when running destroy.
@patrickdillon
aws tfvars: pass hosted zone role
439e970 
Plumb the hosted zone role through to terraform, so that it can
be used to create records when the hosted zone belongs to another
account.
@patrickdillon
aws tf: private hosted zone assume role support
93fb751 
Adds the ability in terraform to assume a role when performing operations
on a private hosted zone which belongs to a different account than
the rest of the cluster.
@patrickdillon
aws: surface error when validating hosted zone
5fd7bfa 
Display to users any errors when retrieving a hosted zone
specified in the install config.
@patrickdillon
aws: write hostedZoneRole to DNS config
3570a6e 
When a hostedZoneRole is specified for an AWS
shared VPC install, write it to the DNS config
so it can be used by the cluster ingress operator.
@patrickdillon
aws: update tests for route53 client update
92dfb8c 
Update tests and mocks due to changes for adding cross-account
private hosted-zone support.
@patrickdillon
aws: validate hostedZoneRole cred mode
83c839e 
Adds validation to require that either manual or
passthrough credentials mode is used when specifying
hosted zone role.

In order to perform the AssumeRole operation on the provided
role, a policy must be in place to establish a trust reltionship
between the role and the IAM credential (for the installer and
ingress operator). Because mint mode will create new credentials
with non-deterministic unique identifiers in the cluster,
it is impossible to generate the policy in advance.
@patrickdillon
aws: adjust permisisons for hostedZone
612a499 
When users bring their own hosted zone, the installer
no longer requires permissions to create or destroy zones.
@patrickdillon
aws: refactor destroy code
311014c 
Small refactoring of destroy code for increasing readibility
for cross-account private hosted zones.
@patrickdillon
aws: clarify hostedZoneRole description
6fd4ba3 
Improves wording of hostedZoneRole comment/godoc.
@patrickdillon
go.mod: pull in AWS Shared VPC changes
92bc5af 
commands:
go get github.com/openshift/[email protected]
go mod edit
-replace=github.com/openshift/api=github.com/openshift/[email protected]
go mod tidy
@patrickdillon
Vendor AWS Shared VPC API Changes
0e97e7e 
go mod vendor
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Aug 3, 2023

@patrickdillon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-agent-ha-dualstack 0e97e7e link false /test e2e-agent-ha-dualstack
ci/prow/e2e-aws-ovn-disruptive 0e97e7e link false /test e2e-aws-ovn-disruptive
ci/prow/okd-scos-e2e-aws-upgrade 0e97e7e link false /test okd-scos-e2e-aws-upgrade
ci/prow/e2e-aws-ovn-single-node 0e97e7e link false /test e2e-aws-ovn-single-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@yunjiang29 yunjiang29 mentioned this pull request Aug 7, 2023
Merged
barbacbd
barbacbd reviewed Aug 7, 2023
View reviewed changes
Copy link
Contributor

@barbacbd barbacbd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 7, 2023
@patrickdillon
Copy link
Contributor Author

/label backport-risk-assessed

QE has verified with pre-merge testing.

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Aug 7, 2023
@mrunalp mrunalp added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Aug 7, 2023
@patrickdillon
Copy link
Contributor Author

/skip

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 9796d30 and 2 for PR HEAD 0e97e7e in total

@openshift-merge-robot openshift-merge-robot merged commit 9e2176e into openshift:release-4.13 Aug 8, 2023
@patrickdillon patrickdillon mentioned this pull request Aug 17, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@barbacbd barbacbd barbacbd left review comments

@r4f4 r4f4 r4f4 left review comments

@mtulio mtulio Awaiting requested review from mtulio

Assignees

@barbacbd barbacbd

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@patrickdillon @openshift-ci-robot @r4f4 @barbacbd @mrunalp @openshift-merge-robot