OCM-12363 | feat: HCP sharedVPC functionality to create/operatoroles #2617

Merged
merged 1 commit into from
Nov 13, 2024

hunterkepley (Contributor) commented:
  • rosa create operator-roles [--oidc-config-id xxx] [-c xxx] --cross-account-hosted-zone-role-arn xxx --cross-account-vpc-endpoint-service-role-arn xxx
  • The new parameter in bold is necessary to indicate the change to include permissions to assume role for both the control plane and ingress operator roles

The flag names above in the requirements were renamed to route53-role-arn and vpc-endpoint-role-arn

vpc-endpoint-role-arn deprecates shared-vpc-role-arn which is used currently for classic. This flag is still usable, but will print a deprecation warning when used instead of route53-role-arn

Output of commands surrounding operator roles:

VALIDATION:

> rosa create operator-roles --prefix hktest --route53-role-arn a
? Role creation mode:  [Use arrows to move, type to filter, ? for more help]
> auto
  manual

> rosa create operator-roles --prefix hktest --shared-vpc-role-arn a
Flag --shared-vpc-role-arn has been deprecated, '--shared-vpc-role-arn' will be replaced with route53-role-arn in future versions of ROSA
? Role creation mode:  [Use arrows to move, type to filter, ? for more help]
> auto
  manual

> rosa create operator-roles --prefix hktest --route53-role-arn a --vpc-endpoint-role-arn b
E: Invalid configuration: Can only use 'vpc-endpoint-role-arn' flag for Hosted Control Plane operator roles

> rosa create operator-roles --prefix hktest --route53-role-arn a --hosted-cp              
E: Invalid configuration: Must supply 'vpc-endpoint-role-arn' flag when using the 'route53-role-arn' flag

> rosa create operator-roles --prefix hktest --vpc-endpoint-role-arn b --hosted-cp
E: Invalid configuration: Must supply 'route53-role-arn' flag when using the 'vpc-endpoint-role-arn' flag

> rosa create operator-roles --prefix hktest --route53-role-arn a --vpc-endpoint-role-arn b --hosted-cp
? Role creation mode:  [Use arrows to move, type to filter, ? for more help]
> auto
  manual

> rosa create operator-roles --prefix hktest --shared-vpc-role-arn a --vpc-endpoint-role-arn b --hosted-cp
Flag --shared-vpc-role-arn has been deprecated, '--shared-vpc-role-arn' will be replaced with route53-role-arn in future versions of ROSA
? Role creation mode:  [Use arrows to move, type to filter, ? for more help]
> auto
  manual

CREATION:

> rosa create operatorroles --region us-west-2 --prefix hktest --hosted-cp --route53-role-arn arn:aws:iam::XXX:role/oadler-shared-vpc --vpc-endpoint-role-arn arn:aws:iam:: XXX:role/vpc-endpoint-service --profile shared-vpc
W: Region flag will be removed from this command in future versions
? Role creation mode: auto
? Operator roles prefix: hktest
? OIDC Configuration ID (default = 'XXX | https://XXX/XXX'): XXX | https://XXX.devshift.org/XXX
? Create hosted control plane operator roles: Yes
W: More than one Installer role found
? Installer role ARN (default = 'arn:aws:iam:: XXX:role/hk-HCP-ROSA-Installer-Role'): arn:aws:iam:: XXX:role/hk-HCP-ROSA-Installer-Role
? Permissions boundary ARN (optional): 
I: Reusable OIDC Configuration detected. Validating trusted relationships to operator roles: 
I: Creating roles using 'arn:aws:iam:: XXX:user/hkepley'
I: Attached trust policy to role 'hktest-kube-system-kube-controller-manager(https://console.aws.amazon.com/iam/home?#/roles/hktest-kube-system-kube-controller-manager)': {"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRoleWithWebIdentity"], "Effect": "Allow", "Condition": {"StringEquals": {"XXX.devshift.org/XXX:sub": ["system:serviceaccount:kube-system:kube-controller-manager"]}}, "Principal": {"Federated": "arn:aws:iam:: XXX:oidc-provider/XXX.devshift.org/XXX"}}]}
I: Created role 'hktest-kube-system-kube-controller-manager' with ARN 'arn:aws:iam:: XXX:role/hktest-kube-system-kube-controller-manager'
I: Attached policy 'ROSAKubeControllerPolicy(https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKubeControllerPolicy)' to role 'hktest-kube-system-kube-controller-manager(https://console.aws.amazon.com/iam/home?#/roles/hktest-kube-system-kube-controller-manager)'

I: Attached trust policy to role 'hktest-kube-system-capa-controller-manager(https://console.aws.amazon.com/iam/home?#/roles/hktest-kube-system-capa-controller-manager)': {"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRoleWithWebIdentity"], "Effect": "Allow", "Condition": {"StringEquals": {"XXX.devshift.org/XXX:sub": ["system:serviceaccount:kube-system:capa-controller-manager"]}}, "Principal": {"Federated": "arn:aws:iam:: XXX:oidc-provider/XXX.devshift.org/XXX"}}]}
I: Created role 'hktest-kube-system-capa-controller-manager' with ARN 'arn:aws:iam:: XXX:role/hktest-kube-system-capa-controller-manager'
I: Attached policy 'ROSANodePoolManagementPolicy(https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSANodePoolManagementPolicy)' to role 'hktest-kube-system-capa-controller-manager(https://console.aws.amazon.com/iam/home?#/roles/hktest-kube-system-capa-controller-manager)'

I: Attached trust policy to role 'hktest-kube-system-control-plane-operator(https://console.aws.amazon.com/iam/home?#/roles/hktest-kube-system-control-plane-operator)': {"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRoleWithWebIdentity"], "Effect": "Allow", "Condition": {"StringEquals": {"XXX.devshift.org/XXX:sub": ["system:serviceaccount:kube-system:control-plane-operator"]}}, "Principal": {"Federated": "arn:aws:iam:: XXX:oidc-provider/XXX.devshift.org/XXX"}}]}
I: Created role 'hktest-kube-system-control-plane-operator' with ARN 'arn:aws:iam:: XXX:role/hktest-kube-system-control-plane-operator'
I: Attached policy 'arn:aws:iam:: XXX:policy/rosa-assume-role-hktest-kube-system-control-plane-operator-kube-' to role 'hktest-kube-system-control-plane-operator(https://console.aws.amazon.com/iam/home?#/roles/hktest-kube-system-control-plane-operator)'

I: Attached trust policy to role 'hktest-kube-system-kms-provider(https://console.aws.amazon.com/iam/home?#/roles/hktest-kube-system-kms-provider)': {"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRoleWithWebIdentity"], "Effect": "Allow", "Condition": {"StringEquals": {"XXX.devshift.org/XXX:sub": ["system:serviceaccount:kube-system:kms-provider"]}}, "Principal": {"Federated": "arn:aws:iam:: XXX:oidc-provider/XXX.devshift.org/XXX"}}]}
I: Created role 'hktest-kube-system-kms-provider' with ARN 'arn:aws:iam:: XXX:role/hktest-kube-system-kms-provider'
I: Attached policy 'ROSAKMSProviderPolicy(https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKMSProviderPolicy)' to role 'hktest-kube-system-kms-provider(https://console.aws.amazon.com/iam/home?#/roles/hktest-kube-system-kms-provider)'

I: Attached trust policy to role 'hktest-openshift-image-registry-installer-cloud-credentials(https://console.aws.amazon.com/iam/home?#/roles/hktest-openshift-image-registry-installer-cloud-credentials)': {"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRoleWithWebIdentity"], "Effect": "Allow", "Condition": {"StringEquals": {"XXX.devshift.org/XXX:sub": ["system:serviceaccount:openshift-image-registry:cluster-image-registry-operator" , "system:serviceaccount:openshift-image-registry:registry"]}}, "Principal": {"Federated": "arn:aws:iam:: XXX:oidc-provider/XXX.devshift.org/XXX"}}]}
I: Created role 'hktest-openshift-image-registry-installer-cloud-credentials' with ARN 'arn:aws:iam:: XXX:role/hktest-openshift-image-registry-installer-cloud-credentials'
I: Attached policy 'ROSAImageRegistryOperatorPolicy(https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAImageRegistryOperatorPolicy)' to role 'hktest-openshift-image-registry-installer-cloud-credentials(https://console.aws.amazon.com/iam/home?#/roles/hktest-openshift-image-registry-installer-cloud-credentials)'

I: Attached trust policy to role 'hktest-openshift-ingress-operator-cloud-credentials(https://console.aws.amazon.com/iam/home?#/roles/hktest-openshift-ingress-operator-cloud-credentials)': {"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRoleWithWebIdentity"], "Effect": "Allow", "Condition": {"StringEquals": {"XXX.devshift.org/XXX:sub": ["system:serviceaccount:openshift-ingress-operator:ingress-operator"]}}, "Principal": {"Federated": "arn:aws:iam:: XXX:oidc-provider/XXX.devshift.org/XXX"}}]}
I: Created role 'hktest-openshift-ingress-operator-cloud-credentials' with ARN 'arn:aws:iam:: XXX:role/hktest-openshift-ingress-operator-cloud-credentials'
I: Attached policy 'arn:aws:iam:: XXX:policy/rosa-assume-role-hktest-openshift-ingress-operator-cloud-credent' to role 'hktest-openshift-ingress-operator-cloud-credentials(https://console.aws.amazon.com/iam/home?#/roles/hktest-openshift-ingress-operator-cloud-credentials)'

I: Attached trust policy to role 'hktest-openshift-cluster-csi-drivers-ebs-cloud-credentials(https://console.aws.amazon.com/iam/home?#/roles/hktest-openshift-cluster-csi-drivers-ebs-cloud-credentials)': {"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRoleWithWebIdentity"], "Effect": "Allow", "Condition": {"StringEquals": {"XXX.devshift.org/XXX:sub": ["system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-operator" , "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa"]}}, "Principal": {"Federated": "arn:aws:iam:: XXX:oidc-provider/XXX.devshift.org/XXX"}}]}
I: Created role 'hktest-openshift-cluster-csi-drivers-ebs-cloud-credentials' with ARN 'arn:aws:iam:: XXX:role/hktest-openshift-cluster-csi-drivers-ebs-cloud-credentials'
I: Attached policy 'ROSAAmazonEBSCSIDriverOperatorPolicy(https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAAmazonEBSCSIDriverOperatorPolicy)' to role 'hktest-openshift-cluster-csi-drivers-ebs-cloud-credentials(https://console.aws.amazon.com/iam/home?#/roles/hktest-openshift-cluster-csi-drivers-ebs-cloud-credentials)'

I: Attached trust policy to role 'hktest-openshift-cloud-network-config-controller-cloud-credentia(https://console.aws.amazon.com/iam/home?#/roles/hktest-openshift-cloud-network-config-controller-cloud-credentia)': {"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRoleWithWebIdentity"], "Effect": "Allow", "Condition": {"StringEquals": {"XXX.devshift.org/XXX:sub": ["system:serviceaccount:openshift-cloud-network-config-controller:cloud-network-config-controller"]}}, "Principal": {"Federated": "arn:aws:iam:: XXX:oidc-provider/XXX.devshift.org/XXX"}}]}
I: Created role 'hktest-openshift-cloud-network-config-controller-cloud-credentia' with ARN 'arn:aws:iam:: XXX:role/hktest-openshift-cloud-network-config-controller-cloud-credentia'
I: Attached policy 'ROSACloudNetworkConfigOperatorPolicy(https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSACloudNetworkConfigOperatorPolicy)' to role 'hktest-openshift-cloud-network-config-controller-cloud-credentia(https://console.aws.amazon.com/iam/home?#/roles/hktest-openshift-cloud-network-config-controller-cloud-credentia)'

I: To create a cluster with these roles, run the following command:
	rosa create cluster --sts --oidc-config-id XXX --operator-roles-prefix hktest --hosted-cp

DELETION:

> rosa delete operator-roles --prefix hktest -y --profile shared-vpc 
? Operator roles deletion mode: auto
I: Fetching operator roles for the prefix: hktest
I: Deleting operator role 'hktest-kube-system-capa-controller-manager'
I: Deleting operator role 'hktest-kube-system-control-plane-operator'
I: Deleting operator role 'hktest-kube-system-kms-provider'
I: Deleting operator role 'hktest-kube-system-kube-controller-manager'
I: Deleting operator role 'hktest-openshift-cloud-network-config-controller-cloud-credentia'
I: Deleting operator role 'hktest-openshift-cluster-csi-drivers-ebs-cloud-credentials'
I: Deleting operator role 'hktest-openshift-image-registry-installer-cloud-credentials'
I: Deleting operator role 'hktest-openshift-ingress-operator-cloud-credentials'
I: Successfully deleted the operator roles
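As an added example, not code from the rosa project or this PR, the following Go snippet implements the flag-combination rules that the VALIDATION section above demonstrates: the deprecated --shared-vpc-role-arn alias warns and maps onto --route53-role-arn, --vpc-endpoint-role-arn is rejected without --hosted-cp, and for HCP both cross-account ARNs must be given together. The struct, function and error names are assumptions, as is the precedence when both the alias and --route53-role-arn are supplied, which the page does not show.

```go
package main
import (
	"errors"
	"fmt"
)
// Subset of the 'rosa create operator-roles' flags exercised in the VALIDATION section.
type OperatorRolesArgs struct {
	HostedCP           bool   // --hosted-cp
	Route53RoleArn     string // --route53-role-arn, cross-account hosted-zone role
	SharedVpcRoleArn   string // --shared-vpc-role-arn, deprecated Classic alias of the above
	VpcEndpointRoleArn string // --vpc-endpoint-role-arn, HCP only
}
// The three rejection messages shown in the PR description.
var (
	ErrVpcEndpointClassic = errors.New("Invalid configuration: Can only use 'vpc-endpoint-role-arn' flag for Hosted Control Plane operator roles")
	ErrMissingVpcEndpoint = errors.New("Invalid configuration: Must supply 'vpc-endpoint-role-arn' flag when using the 'route53-role-arn' flag")
	ErrMissingRoute53     = errors.New("Invalid configuration: Must supply 'route53-role-arn' flag when using the 'vpc-endpoint-role-arn' flag")
)
// ValidateSharedVpcFlags folds the deprecated alias into route53RoleArn (assumption: an explicit
// --route53-role-arn wins over the alias), returns the deprecation warning (empty when the alias
// is unused) and rejects the combinations the CLI rejects. For HCP both cross-account ARNs are
// required together because the control-plane and ingress operator roles each get an assume-role policy.
func ValidateSharedVpcFlags(a OperatorRolesArgs) (route53RoleArn, warning string, err error) {
	route53RoleArn = a.Route53RoleArn
	if a.SharedVpcRoleArn != "" {
		warning = "Flag --shared-vpc-role-arn has been deprecated, '--shared-vpc-role-arn' will be replaced with route53-role-arn in future versions of ROSA"
		if route53RoleArn == "" {
			route53RoleArn = a.SharedVpcRoleArn
		}
	}
	hasRoute53, hasVpcEndpoint := route53RoleArn != "", a.VpcEndpointRoleArn != ""
	switch {
	case hasVpcEndpoint && !a.HostedCP:
		err = ErrVpcEndpointClassic
	case a.HostedCP && hasRoute53 && !hasVpcEndpoint:
		err = ErrMissingVpcEndpoint
	case a.HostedCP && hasVpcEndpoint && !hasRoute53:
		err = ErrMissingRoute53
	}
	return route53RoleArn, warning, err
}
func main() { // replays the seven invocations from the VALIDATION section with the same placeholder ARNs
	for _, c := range []OperatorRolesArgs{{Route53RoleArn: "a"}, {SharedVpcRoleArn: "a"}, {Route53RoleArn: "a", VpcEndpointRoleArn: "b"}, {Route53RoleArn: "a", HostedCP: true}, {VpcEndpointRoleArn: "b", HostedCP: true}, {Route53RoleArn: "a", VpcEndpointRoleArn: "b", HostedCP: true}, {SharedVpcRoleArn: "a", VpcEndpointRoleArn: "b", HostedCP: true}} {
		arn, warn, err := ValidateSharedVpcFlags(c)
		fmt.Printf("%+v -> route53=%q warned=%t err=%v\n", c, arn, warn != "", err)
	}
}
```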

den-rgb (Contributor) commented Nov 13, 2024

/lgtm

openshift-ci bot commented Nov 13, 2024
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: den-rgb, hunterkepley

openshift-ci-robot commented

/retest-required

Remaining retests: 0 against base HEAD b1a0b95 and 2 for PR HEAD 4be740e in total

openshift-ci bot commented Nov 13, 2024

@hunterkepley: all tests passed!


codecov bot commented Nov 13, 2024

Codecov Report

Attention: Patch coverage is 49.31507% with 37 lines in your changes missing coverage. Please review.

Project coverage is 29.41%. Comparing base (c042750) to head (4be740e).
Report is 24 commits behind head on master.

Files with missing lines                 Patch %   Lines
cmd/create/operatorroles/by_prefix.go    0.00%     31 Missing
cmd/create/operatorroles/cmd.go          73.91%    6 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2617      +/-   ##
==========================================
- Coverage   30.12%   29.41%   -0.71%     
==========================================
  Files         175      180       +5     
  Lines       24038    24963     +925     
==========================================
+ Hits         7241     7344     +103     
- Misses      16212    17035     +823     
+ Partials      585      584       -1     


@openshift-merge-bot openshift-merge-bot bot merged commit 22d6c73 into openshift:master Nov 13, 2024
11 checks passed