Merge pull request openshift#722 from tbrisker/sts2

STS for addons - helper methods
rendhalver · Jun 13, 2022 · 561d911 · 561d911
2 parents f79b478 + deac4d7
commit 561d911
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 3 deletions.
diff --git a/cmd/create/cluster/cmd.go b/cmd/create/cluster/cmd.go
@@ -1959,7 +1959,7 @@ func getAccountRolePrefix(roleARN string, role aws.AccountRole) (string, error)
 		return "", err
 	}
 	roleName := strings.SplitN(parsedARN.Resource, "/", 2)[1]
-	rolePrefix := strings.TrimSuffix(roleName, fmt.Sprintf("-%s-Role", role.Name))
+	rolePrefix := aws.TrimRoleSuffix(roleName, fmt.Sprintf("-%s-Role", role.Name))
 	return rolePrefix, nil
 }
 

diff --git a/cmd/create/service/cmd.go b/cmd/create/service/cmd.go
@@ -467,7 +467,7 @@ func getAccountRolePrefix(roleARN string, role aws.AccountRole) (string, error)
 		return "", err
 	}
 	roleName := strings.SplitN(parsedARN.Resource, "/", 2)[1]
-	rolePrefix := strings.TrimSuffix(roleName, fmt.Sprintf("-%s-Role", role.Name))
+	rolePrefix := aws.TrimRoleSuffix(roleName, fmt.Sprintf("-%s-Role", role.Name))
 	return rolePrefix, nil
 }
 

diff --git a/pkg/aws/helpers.go b/pkg/aws/helpers.go
@@ -374,10 +374,27 @@ func GetPrefixFromAccountRole(cluster *cmv1.Cluster) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	rolePrefix := strings.TrimSuffix(roleName, fmt.Sprintf("-%s-Role", role.Name))
+	rolePrefix := TrimRoleSuffix(roleName, fmt.Sprintf("-%s-Role", role.Name))
 	return rolePrefix, nil
 }
 
+func GetPrefixFromOperatorRole(cluster *cmv1.Cluster) string {
+	operator := cluster.AWS().STS().OperatorIAMRoles()[0]
+	roleName := strings.SplitN(operator.RoleARN(), "/", 2)[1]
+	rolePrefix := TrimRoleSuffix(roleName, fmt.Sprintf("-%s-%s", operator.Namespace(), operator.Name()))
+	return rolePrefix
+}
+
+// Role names can be truncated if they are over 64 chars, so we need to make sure we aren't missing a truncated suffix
+func TrimRoleSuffix(orig, sufix string) string {
+	for i := len(sufix); i >= 0; i-- {
+		if strings.HasSuffix(orig, sufix[:i]) {
+			return orig[:len(orig)-i]
+		}
+	}
+	return orig
+}
+
 func GetAccountRoleName(cluster *cmv1.Cluster) (string, error) {
 	parsedARN, err := arn.Parse(cluster.AWS().STS().RoleARN())
 	if err != nil {

diff --git a/pkg/ocm/addons.go b/pkg/ocm/addons.go
@@ -278,3 +278,28 @@ func (c *Client) GetClusterAddOns(cluster *cmv1.Cluster) ([]*ClusterAddOn, error
 
 	return clusterAddOns, nil
 }
+
+func (c *Client) AddClusterOperatorRole(cluster *cmv1.Cluster, role *cmv1.OperatorIAMRole) error {
+	// Make sure the role doesn't exist already, to avoid conflicts
+	operatorRoles := cluster.AWS().STS().OperatorIAMRoles()
+	for _, item := range operatorRoles {
+		if role.Name() == item.Name() &&
+			role.Namespace() == item.Namespace() &&
+			role.RoleARN() == item.RoleARN() {
+			return nil
+		}
+	}
+
+	response, err := c.ocm.ClustersMgmt().V1().
+		Clusters().
+		Cluster(cluster.ID()).
+		STSOperatorRoles().
+		Add().
+		Body(role).
+		Send()
+	if err != nil {
+		return handleErr(response.Error(), err)
+	}
+
+	return nil
+}