CORS-2613: AWS: Cross-account Shared VPC Support #7161
CORS-2613: AWS: Cross-account Shared VPC Support #7161patrickdillon wants to merge 18 commits intoopenshift:masterfrom
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@patrickdillon: This pull request references CORS-2613 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
openshift-merge-robot
added
the
needs-rebase
|
@patrickdillon: This pull request references CORS-2613 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
I have some serious doubts about the destroy code in 06c8282cc1159ae0e5fdf8eaae4fb9a22ee2611f, so I might need to pull those into a separate PR. I believe we use the private hosted zone to determine the public records to destroy. That logic probably is not supportable when the zones are cross-account. |
|
@patrickdillon: This pull request references CORS-2613 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
patrickdillon
force-pushed
the
aws-phz-role-ic
branch
from
a1d247a to
d73f198
Compare
openshift-merge-robot
removed
the
needs-rebase
|
@patrickdillon looks like go-genmock needs to be run and some of the installconfig/aws/ tests need to be adjusted:
|
patrickdillon
force-pushed
the
aws-phz-role-ic
branch
from
d73f198 to
649eaf8
Compare
|
@patrickdillon: This pull request references CORS-2613 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
patrickdillon
force-pushed
the
aws-phz-role-ic
branch
2 times, most recently
from
1d834c0 to
1fdcec8
Compare
|
@patrickdillon: This pull request references CORS-2613 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@patrickdillon: This pull request references CORS-2613 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@patrickdillon: This pull request references CORS-2613 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Adds a hosted zone role field. If provided, this role will be assumed whenever operations are performed on the provided hosted zone. This enables the private hosted zone to belong to a different account than the rest of the cluster.
If a hosted zone role is specified in the install config, users must also supply a hosted zone.
The hostedZoneRole will need to be used when destroying the cluster.
Updates the route53 clients to allow passing config with assume role credentials. This allows the function caller to determine whether the service should authenticate with the default credentials or creds for another account.
Add the ability to assume a role in a different account when destroying records in a private hosted zone. When the hostedZoneRole is passed in the metadata, that role will be used when running destroy.
Plumb the hosted zone role through to terraform, so that it can be used to create records when the hosted zone belongs to another account.
Adds the ability in terraform to assume a role when performing operations on a private hosted zone which belongs to a different account than the rest of the cluster.
Display to users any errors when retrieving a hosted zone specified in the install config.
The most recent k8s api bump requires a context is passed to the wait.ExponentialBackoffWithContext function.
When a hostedZoneRole is specified for an AWS shared VPC install, write it to the DNS config so it can be used by the cluster ingress operator.
metal3-io/baremetal-operator@6c1abd0 moved the hardware profile package to the api. This commit points to the new package locations.
Update tests and mocks due to changes for adding cross-account private hosted-zone support.
$ go mod edit \ -replace=github.com/metal3-io/baremetal-operator=github.com/openshift/baremetal-operator@master \ -replace=github.com/metal3-io/baremetal-operator/apis=github.com/openshift/baremetal-operator/apis@master \ -replace=github.com/metal3-io/baremetal-operator/pkg/hardwareutils=github.com/openshift/baremetal-operator/pkg/hardwareutils@master $ go mod edit -require=github.com/openshift/api@master $ go mod edit -replace=sigs.k8s.io/controller-runtime=sigs.k8s.io/controller-runtime@v0.15.0 $ go mod edit -replace k8s.io/client-go=k8s.io/client-go@v0.27.2 (with $ go mod tidy run between each command)
Bumps core Installer to Go v1.20. Terraform and providers will be updated separately.
$ go mod vendor
Update generated CRD for explain after API vendoring.
Fixes deprecation issue: pkg/destroy/vsphere/vsphere.go:243:9: SA1019: wait.PollImmediateInfiniteWithContext is deprecated: This method does not return errors from context, use PollWithContextCancel. Note that the new method will no longer return ErrWaitTimeout and instead return errors defined by the context package. Will be removed in a future release. (staticcheck)
Specifying installconfig.platform.aws.hostedZoneRole and using a cross-account hosted zone in a shared vpc requires a TechPreviewNoUpgrade feature gate.
patrickdillon
force-pushed
the
aws-phz-role-ic
branch
from
a01d3e0 to
4666d72
Compare
|
@patrickdillon: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
mtulio
left a comment
mtulio
left a comment
There was a problem hiding this comment.
@patrickdillon aws changes look good to me. 💯
I am adding some suggestions to improve the UX, feel free to skip it.
I will take a look again tomorrow at the whole change.
| create the hosted zone on your behalf. | ||
| type: string | ||
| hostedZoneRole: | ||
| description: HostedZoneRole is the ARN of a role to be assumed |
There was a problem hiding this comment.
I would be specific of the name of the AWS service
| description: HostedZoneRole is the ARN of a role to be assumed | |
| description: HostedZoneRole is the ARN of an IAM role to be assumed |
| HostedZone is the ID of an existing hosted zone into which to add DNS records for the cluster's internal API. An existing hosted zone can only be used when also using existing subnets. The hosted zone must be associated with the VPC containing the subnets. Leave the hosted zone unset to have the installer create the hosted zone on your behalf. | ||
|
|
||
| hostedZoneRole <string> | ||
| HostedZoneRole is the ARN of a role to be assumed when performing operations on the provided HostedZone. HostedZoneRole can be used in a shared VPC scenario when the private hosted zone belongs to a different account than the rest of the cluster resources. If HostedZoneRole is set, HostedZone must also be set. |
There was a problem hiding this comment.
If tou accept the suggestion above, need to change here too:
| HostedZoneRole is the ARN of a role to be assumed when performing operations on the provided HostedZone. HostedZoneRole can be used in a shared VPC scenario when the private hosted zone belongs to a different account than the rest of the cluster resources. If HostedZoneRole is set, HostedZone must also be set. | |
| HostedZoneRole is the ARN of an IAM role to be assumed when performing operations on the provided HostedZone. HostedZoneRole can be used in a shared VPC scenario when the private hosted zone belongs to a different account than the rest of the cluster resources. If HostedZoneRole is set, HostedZone must also be set. |
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/close |
|
@patrickdillon: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
5 participants
Adds the ability for the installer to perform operations on a pre-existing private hosted zone which belongs to another account by allowing the ARN for a role to be passed in the install config. When the role is provided, the installer will assume that role when performing operations on the hosted zone.
Enhancement: openshift/enhancements#1397
Permissions checks will be moved to a separate PR.