docs: add readme about controller's credentials requests

openshift · Dec 5, 2023 · cf2dcd7 · cf2dcd7
1 parent d791013
commit cf2dcd7
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -134,11 +134,11 @@ vet: ## Run go vet against code.
 .PHONY: iamctl-gen
 iamctl-gen: iamctl-build iam-gen
 	# generate controller's IAM policy without minify.
-	@# This policy is for STS clusters as it's turned into a role policy which is limited to 10240 by AWS.
+	@# This policy is for STS clusters as it's turned into a role inline policy which is limited to 10240 by AWS.
 	$(IAMCTL_BINARY) -i $(IAMCTL_ASSETS_DIR)/iam-policy.json -o $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE) -p $(IAMCTL_GO_PACKAGE) -c $(IAMCTL_OUTPUT_CR_FILE) -n -s
 
 	# generate controller's IAM policy with minify.
-	@# This policy is for non STS clusters as it's turned into an inline policy which is limited to 2048 by AWS.
+	@# This policy is for non STS clusters as it's turned into a user inline policy which is limited to 2048 by AWS.
 	$(IAMCTL_BINARY) -i $(IAMCTL_ASSETS_DIR)/iam-policy.json -o $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_MINIFY_FILE) -p $(IAMCTL_GO_PACKAGE) -f GetIAMPolicyMinify  -c $(IAMCTL_OUTPUT_MINIFY_CR_FILE)
 
 	go fmt -mod=vendor $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_FILE) $(IAMCTL_OUTPUT_DIR)/$(IAMCTL_OUTPUT_MINIFY_FILE)

diff --git a/hack/controller/README.md b/hack/controller/README.md
@@ -0,0 +1,23 @@
+## Overview
+This directory contains `CredentialsRequest`s for the aws-load-balancer-controller, all generated from the same [source IAM policy](../../assets/iam-policy.json). The difference lays in the size of the policies they define. 
+
+## Limits
+The Cloud Credential Operator and `ccoclt` generate two different inline policies:
+- The Cloud Credential Operator generates a **user** inline policy whose limit is **2048** characters.
+- `ccoctl` generates a **role** inline policy which has a limit of **10240** characters.
+
+Link: [IAM and STS character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length).
+
+## controller-credentials-request.yaml
+
+This `CrendetialsRequest` is semantically equivalent to the source IAM policy.
+The Cloud Credential Operator cannot create a policy defined in this `CredentialsRequest` because it exceeds the limit of the user inline policy.      
+The recommended way to use this `CrendetialsRequest` is to submit it to `ccoctl` as described in [the post installation instructions](../../docs/install.md#option-1-using-ccoctl).
+
+## controller-credentials-request-minify.yaml
+
+This `CrendetialsRequest` is a compact ("minified") version of the source IAM policy. Its goal is to fit within the user inline policy's size limit.
+This allows it can be created by both the Cloud Credential Operator and `ccoctl`.   
+Currently, this `CrendetialsRequest` is only used by [the aws-load-balancer pre-install CI step](https://github.com/openshift/release/blob/master/ci-operator/step-registry/aws-load-balancer/pre-install/aws-load-balancer-pre-install-commands.sh#L14) to create a secret for [some e2e test cases](https://github.com/openshift/aws-load-balancer-operator/blob/main/test/e2e/operator_test.go#L324).
+
+**Note**: this `CredentialsRequest` has broader permissions than the source IAM policy!