OCM-9152 | test: automate id:74556,74408,74433 create/edit cluster wi…

…th additional allowed principals
openshift · Jul 15, 2024 · 68b4066 · 68b4066
1 parent 7c8f8d7
commit 68b4066
Show file tree

Hide file tree

Showing 14 changed files with 254 additions and 23 deletions.
diff --git a/go.mod b/go.mod
@@ -32,7 +32,7 @@ require (
 	github.com/nathan-fiscaletti/consolesize-go v0.0.0-20210105204122-a87d9f614b9d
 	github.com/onsi/ginkgo/v2 v2.17.1
 	github.com/onsi/gomega v1.30.0
-	github.com/openshift-online/ocm-common v0.0.6
+	github.com/openshift-online/ocm-common v0.0.7
 	github.com/openshift-online/ocm-sdk-go v0.1.428
 	github.com/pkg/errors v0.9.1
 	github.com/robfig/cron/v3 v3.0.1

diff --git a/go.sum b/go.sum
@@ -275,8 +275,8 @@ github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8
 github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
 github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
-github.com/openshift-online/ocm-common v0.0.6 h1:Il9vZ58fHdPu79K8a04rrq0DFhpjWGNQZjNHID5DyMI=
-github.com/openshift-online/ocm-common v0.0.6/go.mod h1:gsBWQYLZB0w0ZRR+NLASuTr29uFo5nekEODasFKxESc=
+github.com/openshift-online/ocm-common v0.0.7 h1:2/3G7W4gIyAZ1RyqbC+IUOHlf52Rd1Sf+MqmbQ2FYGk=
+github.com/openshift-online/ocm-common v0.0.7/go.mod h1:gsBWQYLZB0w0ZRR+NLASuTr29uFo5nekEODasFKxESc=
 github.com/openshift-online/ocm-sdk-go v0.1.428 h1:HIgQ9FkkgNEMyLsP75JU17nZjYV1Q9M9FrpO/Df2SSg=
 github.com/openshift-online/ocm-sdk-go v0.1.428/go.mod h1:CiAu2jwl3ITKOxkeV0Qnhzv4gs35AmpIzVABQLtcI2Y=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

diff --git a/tests/ci/data/profiles/rosa-hcp.yaml b/tests/ci/data/profiles/rosa-hcp.yaml
@@ -10,6 +10,7 @@ profiles:
     sts: true
     byo_vpc: true
     private_link: false
+    additional_principals: false
     private: false
     etcd_encryption: true
     autoscale: true
@@ -41,6 +42,7 @@ profiles:
     sts: true
     byo_vpc: true
     private: true
+    additional_principals: true
     etcd_encryption: false
     autoscale: false
     kms_key: false
@@ -64,6 +66,7 @@ profiles:
     sts: true
     byo_vpc: true
     private: false
+    additional_principals: false
     etcd_encryption: true
     autoscale: false
     kms_key: true
@@ -97,6 +100,7 @@ profiles:
     sts: true
     byo_vpc: true
     private_link: false
+    additional_principals: false
     private: false
     etcd_encryption: true
     autoscale: false
@@ -126,6 +130,7 @@ profiles:
     byo_vpc: true
     private_link: false
     private: false
+    additional_principals: false
     etcd_encryption: true
     autoscale: false
     kms_key: true

diff --git a/tests/e2e/hcp_cluster_test.go b/tests/e2e/hcp_cluster_test.go
@@ -1,12 +1,16 @@
 package e2e
 
 import (
+	"fmt"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
+	ciConfig "github.com/openshift/rosa/tests/ci/config"
 	"github.com/openshift/rosa/tests/ci/labels"
 	"github.com/openshift/rosa/tests/utils/config"
 	"github.com/openshift/rosa/tests/utils/exec/rosacli"
+	"github.com/openshift/rosa/tests/utils/profilehandler"
 )
 
 var _ = Describe("HCP cluster testing",
@@ -19,6 +23,7 @@ var _ = Describe("HCP cluster testing",
 			rosaClient     *rosacli.Client
 			clusterService rosacli.ClusterService
 			clusterConfig  *config.ClusterConfig
+			profile        *profilehandler.Profile
 		)
 
 		BeforeEach(func() {
@@ -29,6 +34,7 @@ var _ = Describe("HCP cluster testing",
 			By("Init the client")
 			rosaClient = rosacli.NewClient()
 			clusterService = rosaClient.Cluster
+			profile = profilehandler.LoadProfileYamlFileByENV()
 			var err error
 			clusterConfig, err = config.ParseClusterProfile()
 			Expect(err).ToNot(HaveOccurred())
@@ -182,4 +188,76 @@ var _ = Describe("HCP cluster testing",
 					Should(ContainSubstring(
 						"ERR: Listing identity providers is not supported for clusters with external authentication configured"))
 			})
+
+		It("can edit ROSA HCP cluster with additional allowed principals - [id:74556]",
+			labels.High, labels.Runtime.Day2,
+			func() {
+				By("Check the help message of 'rosa edit cluster -h'")
+				helpOutput, err := clusterService.EditCluster("", "-h")
+				Expect(err).To(BeNil())
+				Expect(helpOutput.String()).To(ContainSubstring("--additional-allowed-principals"))
+
+				By("Check if cluster profile is enabled with additional allowed principals")
+				if !profile.ClusterConfig.AdditionalPrincipals {
+					SkipTestOnFeature("additional allowed principals")
+				}
+
+				output, err := clusterService.DescribeClusterAndReflect(clusterID)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(output.AdditionalPrincipals).To(ContainSubstring(clusterConfig.AdditionalPrincipals))
+
+				By("Get the installer role arn")
+				rosaClient.Runner.JsonFormat()
+				jsonOutput, err := clusterService.DescribeCluster(clusterID)
+				Expect(err).To(BeNil())
+				rosaClient.Runner.UnsetFormat()
+				jsonData := rosaClient.Parser.JsonData.Input(jsonOutput).Parse()
+				installRoleArn := jsonData.DigString("aws", "sts", "role_arn")
+
+				By("Get additional principal credentials")
+				awsSharedCredentialFile := ciConfig.Test.GlobalENV.SVPC_CREDENTIALS_FILE
+
+				By("Create additional account roles")
+				accrolePrefix := "arPrefix74556"
+
+				additionalPrincipalRoleName := fmt.Sprintf("%s-%s", accrolePrefix, "additional-principal-role")
+				additionalPrincipalRoleArn, err := profilehandler.PrepareAdditionalPrincipalsRole(
+					additionalPrincipalRoleName,
+					installRoleArn,
+					profile.Region, awsSharedCredentialFile)
+				Expect(err).To(BeNil())
+				defer func() {
+					By("Delete the additional principal account-roles")
+					err = profilehandler.DeleteAdditionalPrincipalsRole(additionalPrincipalRoleName,
+						true, profile.Region, awsSharedCredentialFile)
+					Expect(err).To(BeNil())
+				}()
+
+				additionalPrincipalsFlag := fmt.Sprintf(
+					"%s,%s", clusterConfig.AdditionalPrincipals, additionalPrincipalRoleArn)
+
+				By("Edit the cluster with additional allowed principals")
+				out, err := clusterService.EditCluster(clusterID,
+					"--additional-allowed-principals",
+					additionalPrincipalsFlag)
+				Expect(err).ToNot(HaveOccurred())
+				textData := rosaClient.Parser.TextData.Input(out).Parse().Tip()
+				Expect(textData).To(ContainSubstring("Updated cluster '%s'", clusterID))
+
+				By("Confirm additional principals is edited successfully")
+				output, err = clusterService.DescribeClusterAndReflect(clusterID)
+				Expect(err).To(BeNil())
+				Expect(output.AdditionalPrincipals).
+					To(
+						ContainSubstring(
+							"%s,%s", clusterConfig.AdditionalPrincipals, additionalPrincipalRoleArn))
+
+				By("Edit the cluster with additional allowed principals")
+				out, err = clusterService.EditCluster(clusterID,
+					"--additional-allowed-principals",
+					clusterConfig.AdditionalPrincipals)
+				Expect(err).ToNot(HaveOccurred())
+				textData = rosaClient.Parser.TextData.Input(out).Parse().Tip()
+				Expect(textData).To(ContainSubstring("Updated cluster '%s'", clusterID))
+			})
 	})
diff --git a/tests/e2e/test_rosacli_cluster.go b/tests/e2e/test_rosacli_cluster.go
@@ -1190,6 +1190,39 @@ var _ = Describe("HCP cluster creation negative testing",
 						ContainSubstring(
 							"ERR: 'ec2-metadata-http-tokens' is not available for Hosted Control Plane clusters"))
 			})
+
+		It("expose additional allowed principals for HCP negative - [id:74433]",
+			labels.Medium, labels.Runtime.Day1Negative,
+			func() {
+				By("Create hcp cluster using --additional-allowed-principals and invalid formatted arn")
+				clusterName := "ocp-74408"
+				replacingFlags := map[string]string{
+					"-c":              clusterName,
+					"--cluster-name":  clusterName,
+					"--domain-prefix": clusterName,
+				}
+
+				By("Create cluster with invalid additional allowed principals")
+				rosalCommand.ReplaceFlagValue(replacingFlags)
+				if rosalCommand.CheckFlagExist("--additional-allowed-principals") {
+					rosalCommand.DeleteFlag("--additional-allowed-principals", true)
+				}
+				rosalCommand.AddFlags("--dry-run", "--additional-allowed-principals", "zzzz", "-y")
+				out, err := rosaClient.Runner.RunCMD(strings.Split(rosalCommand.GetFullCommand(), " "))
+				Expect(err).To(HaveOccurred())
+				Expect(out.String()).
+					To(
+						ContainSubstring(
+							"ERR: Expected valid ARNs for additional allowed principals list: Invalid ARN: arn: invalid prefix"))
+
+				By("Create classic cluster with additional allowed principals")
+				output, err := clusterService.CreateDryRun(clusterName, "--additional-allowed-principals", "zzzz", "-y")
+				Expect(err).To(HaveOccurred())
+				Expect(rosaClient.Parser.TextData.Input(output).Parse().Tip()).
+					To(
+						ContainSubstring(
+							"ERR: Additional Allowed Principals is supported only for Hosted Control Planes"))
+			})
 	})
 
 var _ = Describe("Create cluster with availability zones testing",

diff --git a/tests/e2e/test_rosacli_cluster_post.go b/tests/e2e/test_rosacli_cluster_post.go
@@ -27,6 +27,7 @@ var _ = Describe("Healthy check",
 			clusterService     rosacli.ClusterService
 			machinePoolService rosacli.MachinePoolService
 			clusterConfig      *config.ClusterConfig
+			profile            *profilehandler.Profile
 		)
 
 		BeforeEach(func() {
@@ -40,6 +41,7 @@ var _ = Describe("Healthy check",
 			machinePoolService = rosaClient.MachinePool
 			var err error
 			clusterConfig, err = config.ParseClusterProfile()
+			profile = profilehandler.LoadProfileYamlFileByENV()
 			Expect(err).ToNot(HaveOccurred())
 		})
 
@@ -230,6 +232,27 @@ var _ = Describe("Healthy check",
 				Expect(clusterConfig.Encryption.KmsKeyArn).To(Equal(kmsKey))
 			})
 
+		It("additional allowed principals work on cluster creation - [id:74408]",
+			labels.Critical, labels.Runtime.Day1Post,
+			func() {
+				By("Confirm current cluster profile uses additional allowed principals")
+				if !profile.ClusterConfig.AdditionalPrincipals {
+					SkipTestOnFeature("additional allowed principals")
+				}
+
+				By("Check the help message of 'rosa create cluster -h'")
+				output, err := clusterService.CreateDryRun(clusterID, "-h")
+				Expect(err).To(BeNil())
+				Expect(output.String()).
+					To(
+						ContainSubstring("--additional-allowed-principals"))
+
+				By("Confirm additional principals is present")
+				out, err := clusterService.DescribeClusterAndReflect(clusterID)
+				Expect(err).To(BeNil())
+				Expect(out.AdditionalPrincipals).To(ContainSubstring(clusterConfig.AdditionalPrincipals))
+			})
+
 		It("etcd encryption works on cluster creation - [id:42188]",
 			labels.Critical, labels.Runtime.Day1Post,
 			func() {

diff --git a/tests/utils/config/cluster.go b/tests/utils/config/cluster.go
@@ -119,6 +119,7 @@ type ClusterConfig struct {
 	WorkerDiskSize            string                    `json:"worker_disk_size,omitempty"`
 	DomainPrefix              string                    `json:"domain_prefix,omitempty"`
 	BillingAccount            string                    `json:"billing_account,omitempty"`
+	AdditionalPrincipals      string                    `json:"additional_principals,omitempty"`
 	AdditionalSecurityGroups  *AdditionalSecurityGroups `json:"additional_sgs,omitempty"`
 	Autoscaling               *Autoscaling              `json:"autoscaling,omitempty"`
 	Aws                       *AWS                      `json:"aws,omitempty"`

diff --git a/tests/utils/exec/rosacli/cluster_service.go b/tests/utils/exec/rosacli/cluster_service.go
@@ -58,6 +58,7 @@ type ClusterDescription struct {
 	OpenshiftVersion      string                   `yaml:"OpenShift Version,omitempty"`
 	ChannelGroup          string                   `yaml:"Channel Group,omitempty"`
 	DNS                   string                   `yaml:"DNS,omitempty"`
+	AdditionalPrincipals  string                   `yaml:"Additional Principals,omitempty"`
 	AWSAccount            string                   `yaml:"AWS Account,omitempty"`
 	AWSBillingAccount     string                   `yaml:"AWS Billing Account,omitempty"`
 	APIURL                string                   `yaml:"API URL,omitempty"`

diff --git a/tests/utils/profilehandler/data_cleaner.go b/tests/utils/profilehandler/data_cleaner.go
@@ -45,6 +45,18 @@ func DeleteSharedVPCRole(sharedVPCRoleName string, managedPolicy bool, region st
 	return err
 }
 
+func DeleteAdditionalPrincipalsRole(additionalPrincipalRoleName string,
+	managedPolicy bool, region string,
+	awsSharedCredentialFile string) error {
+	awsClient, err := aws_client.CreateAWSClient("", region, awsSharedCredentialFile)
+	if err != nil {
+		return err
+	}
+
+	err = awsClient.DeleteRoleAndPolicy(additionalPrincipalRoleName, managedPolicy)
+	return err
+}
+
 func DeleteSharedVPCChain(vpcID string, region string, awsSharedCredentialFile string) error {
 	vpcClient, err := vpc_client.GenerateVPCByID(vpcID, region, awsSharedCredentialFile)
 	if err != nil {

diff --git a/tests/utils/profilehandler/data_preparation.go b/tests/utils/profilehandler/data_preparation.go
@@ -468,6 +468,33 @@ func PrepareSharedVPCRole(sharedVPCRolePrefix string, installerRoleArn string, i
 	return roleName, sharedVPCRoleArn, err
 }
 
+func PrepareAdditionalPrincipalsRole(roleName string, installerRoleArn string,
+	region string, awsSharedCredentialFile string) (string, error) {
+	awsClient, err := aws_client.CreateAWSClient("", region, awsSharedCredentialFile)
+	if err != nil {
+		return "", err
+	}
+	policyArn := "arn:aws:iam::aws:policy/service-role/ROSAControlPlaneOperatorPolicy"
+	if installerRoleArn == "" {
+		log.Logger.Errorf("Can not create additional principal role due to no installer role.")
+		return "", err
+	}
+	roleArn, err := awsClient.CreateRoleForAdditionalPrincipals(roleName, installerRoleArn)
+	additionalPrincipalRoleArn := aws.ToString(roleArn.Arn)
+	if err != nil {
+		log.Logger.Errorf("Error happens when prepare additional principal role: %s", err.Error())
+		return additionalPrincipalRoleArn, err
+	}
+	log.Logger.Infof("Create a new role for Additional Principal: %s", additionalPrincipalRoleArn)
+	err = awsClient.AttachIAMPolicy(roleName, policyArn)
+	if err != nil {
+		log.Logger.Errorf(
+			"Error happens when attach control plane operator policy %s to role %s: %s", policyArn,
+			additionalPrincipalRoleArn, err.Error())
+	}
+	return additionalPrincipalRoleArn, err
+}
+
 func PrepareDNSDomain(client *rosacli.Client) (string, error) {
 	var dnsDomain string
 	var output bytes.Buffer

diff --git a/tests/utils/profilehandler/interface.go b/tests/utils/profilehandler/interface.go
@@ -31,6 +31,7 @@ type ClusterConfig struct {
 	NameLegnth                    int    `default:"15" yaml:"name_length,omitempty" json:"name_length,omitempty"`
 	VolumeSize                    int    `yaml:"volume_size,omitempty" json:"volume_size,omitempty"`
 	WorkerPoolReplicas            int    `yaml:"replicas,omitempty" json:"replicas,omitempty"`
+	AdditionalPrincipals          bool   `yaml:"additional_principals,omitempty" json:"additional_principals,omitempty"`
 	AdminEnabled                  bool   `yaml:"admin_enabled,omitempty" json:"admin_enabled,omitempty"`
 	AuditLogForward               bool   `yaml:"auditlog_forward,omitempty" json:"auditlog_forward,omitempty"`
 	Autoscale                     bool   `yaml:"autoscale,omitempty" json:"autoscale,omitempty"`
@@ -60,17 +61,18 @@ type ClusterConfig struct {
 
 // UserData will record the user data prepared for resource clean up
 type UserData struct {
-	AccountRolesPrefix  string `json:"account_roles_prefix,omitempty"`
-	AuditLogArn         string `json:"audit_log,omitempty"`
-	DNSDomain           string `json:"dns_domain,omitempty"`
-	EtcdKMSKey          string `json:"etcd_kms_key,omitempty"`
-	HostedZoneID        string `json:"hosted_zone_id,omitempty"`
-	KMSKey              string `json:"kms_key,omitempty"`
-	OperatorRolesPrefix string `json:"operator_roles_prefix,omitempty"`
-	OIDCConfigID        string `json:"oidc_config_id,omitempty"`
-	ResourceShareArn    string `json:"resource_share,omitempty"`
-	SharedVPCRole       string `json:"shared_vpc_role,omitempty"`
-	VpcID               string `json:"vpc_id,omitempty"`
+	AccountRolesPrefix   string `json:"account_roles_prefix,omitempty"`
+	AdditionalPrincipals string `json:"additional_principals,omitempty"`
+	AuditLogArn          string `json:"audit_log,omitempty"`
+	DNSDomain            string `json:"dns_domain,omitempty"`
+	EtcdKMSKey           string `json:"etcd_kms_key,omitempty"`
+	HostedZoneID         string `json:"hosted_zone_id,omitempty"`
+	KMSKey               string `json:"kms_key,omitempty"`
+	OperatorRolesPrefix  string `json:"operator_roles_prefix,omitempty"`
+	OIDCConfigID         string `json:"oidc_config_id,omitempty"`
+	ResourceShareArn     string `json:"resource_share,omitempty"`
+	SharedVPCRole        string `json:"shared_vpc_role,omitempty"`
+	VpcID                string `json:"vpc_id,omitempty"`
 }
 
 // ClusterDetail will record basic cluster info to support other team's testing