✨ Rosa Config implementaiton

[PanSpagetka]

Based on proposal #5451
Adding RosaRoleConfig API with implementation. that should create Account/Operator roles and OIDC config/provider necessary to create ROSA cluster.

We need to move RosaMachinePoolAutoScaling definition to controlplane, because otherwise there would be circular dependency.

What type of PR is this?
/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emoji in title
• adds unit tests
• adds or updates e2e tests

Release note:

[k8s-ci-robot]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign neolit123 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @PanSpagetka. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[serngawy]

why are we adding this ? what is the rosa file

[serngawy]

no need for this line

[serngawy]

can you just add the RosaRoleConfig item without changing the order of other items

[serngawy]

why do we need this file ?

[serngawy]

I believe you need to uncomment this line

[serngawy]

I believe you should check/set the RosaRoleConfig condition first , then get the oidc using OCM client if it is not exist then create it.
Same applied for account-roles and operator-roles

[serngawy]

Do we need to delete the operator roles before the oidc-provider ?

[PanSpagetka]

Nope, a changed it so it matches reverse creation order.

[serngawy]

please move this to another file , better to be under pkg/.../rosa

[serngawy]

Not sure if the logic here is valid, hasDirectRoleFields will be true even if one condition is true and others are false. Ex; r.Spec.OIDCID can be true but all others fields can be false that case hasDirectRoleFields will be true.

[PanSpagetka]

This is intended, but we need both && and || of all values to make behavior you described in comment below.

[serngawy]

Lets make the logic as below;
if RosaRoleConfigRef is set, we use the roleConfigRef to get all roles (ignore all other role fields even if set) just log warning.
if RosaRoleConfigRef not set and all other Role fields are set, we use the roles fields
if RosaRoleConfigRef not set and some Roles fields are missing we raise error
if RosaRoleConfigRef not set and all Roles fields are missing we raise error

[serngawy]

This logic is not correct, If the user is already setting those fields value, we are updating those values. I believe we should define internal roleConfig in rosacontrolPlane scope and then check which roles to use based on availability

[serngawy]

Missing description and kbuilder tags.

[serngawy]

as we discussed no need for region

[serngawy]

Missing description and kbuilder tags.

[serngawy]

Prefix must be immutable cause changing the prefix will create new role

[serngawy]

Prefix must be immutable cause changing the prefix will create new roles

[mzazrivec]

This routine is never called from main.go, which is why I'm getting:

$ kubectl apply -f rosa-roleconfig-01.yaml
Error from server (InternalError): error when creating "rosa-roleconfig-01.yaml": Internal error occurred: failed calling webhook "default.rosaroleconfig.infrastructure.cluster.x-k8s.io": failed to call webhook: the server could not find the requested resource

With this change in place the above error goes away:

$ git diff
diff --git a/main.go b/main.go
index c65ff7356..6348fd0de 100644
--- a/main.go
+++ b/main.go
@@ -285,6 +285,11 @@ func main() {
                        setupLog.Error(err, "unable to create webhook", "webhook", "ROSAMachinePool")
                        os.Exit(1)
                }
+
+               if err := (&expinfrav1.ROSARoleConfig{}).SetupWebhookWithManager(mgr); err != nil {
+                       setupLog.Error(err, "unable to create webhook", "webhook", "ROSARoleConfig")
+                       os.Exit(1)
+               }
        }
 
        if err = (&expcontrollers.ROSARoleConfigReconciler{

[mzazrivec]

Although I don't quite understand the point of this webhook, since it's currently not doing anything.

[mzazrivec]

The above line (and all the other returns with non empty result and non-nil error) will produce the following log entry:

I0722 11:52:38.495821      15 controller.go:345] "Warning: Reconciler returned both a non-zero result and a non-nil error. The result will always be ignored if the error is non-nil and the non-nil error causes requeuing with exponential backoff. For more details, see: https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile#Reconciler" controller="rosaroleconfig" 

[serngawy]

Please remove those 2 lines. Currently the secret is having other info to authenticate

[serngawy]

Not sure why you making this check; if the rosaRoleConfig is defined we use it ignore the other roles fields check here

[serngawy]

no need to check with || having 1 field missing should raise error if the rosaRoleConfig not set

[serngawy]

Suggested change

	hasRosaRoleConfigRef := r.Spec.RosaRoleConfigRef != nil
	if r.Spec.RosaRoleConfigRef != nil {
	return nil
	}

[serngawy]

Suggested change

	if !hasRosaRoleConfigRef && !hasAllDirectRoleFields {
	if !hasAllDirectRoleFields {
	// raise error here specifying which fields are missing
	// OR do check for every field once it is missing return field.invalid
	}

[serngawy]

lets make all the prefix fields have limit length 4

[serngawy]

The region is defined above for all accountRole, operatorRole and oidcConfig

[serngawy]

the logic need to change as follow;
First you get the oidcConfig using ocm client;
1- if the oidcConfig exist we set the oidcConfig status info and condition
2- if the oidcConfig not exist, we create the oidcConfig then set the oidcConfig stats info and condition
Same applied to accountRoles, operatorRoles and oidcProvider

[mzazrivec]

I think it would be more suitable to log an info message here and just requeue without returning the error.

[serngawy]

Please follow the proposal definition for the OperatorRoleConfig. OperatorRoleConfig must have the option to assign the oidc-Id AND it should be mutual exclusive with the oidcConfig->createManagedOIDC

[serngawy]

the OidcConfig is missing in the ROSARoleConfig API .

[serngawy]

ExternalAuth need to be defined as well in the ROSARoleConfig and assigned to the cluster spec similar to here

[PanSpagetka]

We have discussed this on meeting and we dont need to include ExternalAuth in RosaRoleConfig.

[PanSpagetka]

/test pull-cluster-api-provider-aws-e2e-blocking

[PanSpagetka]

/test pull-cluster-api-provider-aws-e2e-blocking

[serngawy]

Suggested change

	// OIDCID is the ID of the OIDC config that will be used to create the operator roles.
	// OIDCID is the ID of the OIDC config that will be used to create the operator roles. A managed OIDC-provider will be created if the OIDCID not specified

[serngawy]

as we discussed no need for region

[serngawy]

We don't delete the oidc-provider if the user set it under the spec.operatorRole.OIDCConfig

[PanSpagetka]

/retest-required

[PanSpagetka]

/test pull-cluster-api-provider-aws-test

[PanSpagetka]

/test pull-cluster-api-provider-aws-test

[PanSpagetka]

/test pull-cluster-api-provider-aws-apidiff-main

[k8s-ci-robot]

@PanSpagetka: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-aws-apidiff-main	bc8e7af	link	false	/test pull-cluster-api-provider-aws-apidiff-main

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.