Service Account IAM Role names are too long #10382

Closed
rifelpet opened this issue Dec 8, 2020 · 3 comments
@rifelpet
Member

rifelpet commented Dec 8, 2020

The service account IAM roles created by the PublicJWKS feature flag can exceed the IAM role name length limit. See the failing job logs here.

W1206 04:58:15.902425 1067 executor.go:131] error running task "IAMRole/dns-controller.kube-system.sa.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io" (5m52s remaining to succeed): error getting role: ValidationError: 1 validation error detected: Value 'dns-controller.kube-system.sa.e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io' at 'roleName' failed to satisfy constraint: Member must have length less than or equal to 64

A reasonable solution would be to hash a portion of the name:

return serviceAccount.Name + "." + serviceAccount.Namespace + ".sa." + b.ClusterName(), nil

but I'm wondering if others have opinions about which portion(s) to hash. We still don't tag IAM roles even though they support tagging, so to maintain discoverability to users we could add the service account name and namespace as tags in addition to the usual cloud tags.

@rifelpet rifelpet added the kind/bug Categorizes issue or PR as related to a bug. label Dec 8, 2020
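
One way to do the hashing proposed above, as an added example (not kops code): the readable front of the name is kept and a digest of the full name is appended so that truncated names stay distinct, while tags carry the untruncated service account identity. The choice of which portion to cut, the 8-character digest length, and the tag keys are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const (
	maxRoleNameLength = 64 // limit quoted in the ValidationError above
	hashLength        = 8  // assumed number of hex digits kept from the digest
)

// roleName returns the original name when it fits. Otherwise it keeps the
// readable front (service account, namespace, start of the cluster name) and
// appends a digest of the full name, so distinct long names stay distinct.
// Inputs are assumed to be ASCII DNS-style names, so byte slicing is safe.
func roleName(saName, saNamespace, clusterName string) string {
	full := saName + "." + saNamespace + ".sa." + clusterName
	if len(full) <= maxRoleNameLength {
		return full
	}
	sum := sha256.Sum256([]byte(full))
	suffix := hex.EncodeToString(sum[:])[:hashLength]
	prefix := full[:maxRoleNameLength-hashLength-1]
	// Trim separators left dangling by the cut to avoid names like "public--1a2b".
	return strings.TrimRight(prefix, ".-") + "-" + suffix
}

// roleTags carries the untruncated identity. The tag keys are hypothetical.
func roleTags(saName, saNamespace string) map[string]string {
	return map[string]string{
		"example/service-account-name":      saName,
		"example/service-account-namespace": saNamespace,
	}
}

func main() {
	// Name taken from the failing job log above (80 characters untruncated).
	name := roleName("dns-controller", "kube-system",
		"e2e-kops-scenario-public-jwks.test-cncf-aws.k8s.io")
	fmt.Println(len(name), name)
	fmt.Println(roleTags("dns-controller", "kube-system"))
}
```

Hashing the full name rather than only the removed tail means two clusters whose names share the kept prefix still get different role names, which matters because a name collision would leave two service accounts bound to the same role.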
@justinsb
Member

I implemented a workaround for the failing test in #10437.

I really like the idea of tagging these roles now that they support tagging - it would make cleanup easier, and we could detect collisions (unlikely as they are)

@rifelpet
Member Author

rifelpet commented Jan 7, 2021

confirmed this is no longer an issue
/close

@k8s-ci-robot
Contributor

@rifelpet: Closing this issue.

In response to this:

confirmed this is no longer an issue
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
