CFE-387: Added support for sts clusters #51
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
added
the
approved
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
| @@ -50,6 +51,8 @@ const ( | |||
| controllerWebhookPort = 9443 | |||
| // common prefix for all resource of an operand | |||
| controllerResourcePrefix = "aws-load-balancer-controller" | |||
| // controllerReEnqueueDuration is the delay to re-enqueue. | |||
| controllerReEnqueueDuration = time.Second * 30 | |||
There was a problem hiding this comment.
To be precise this value is used when the secret is missing, for some other retry condition it could be something else. So a better name would be secretMissingReEnqueueDuration.
| @@ -135,6 +138,20 @@ func (r *AWSLoadBalancerControllerReconciler) Reconcile(ctx context.Context, req | |||
| return ctrl.Result{}, fmt.Errorf("failed to ensure CredentialsRequest for AWSLoadBalancerController %q: %w", req.Name, err) | |||
| } | |||
|
|
|||
| secretProvisioned, err := r.ensureCredentialsRequestSecret(ctx, credentialsRequest) | |||
There was a problem hiding this comment.
So we are not ensuring the credentials secret here. We are just checking if it is available. So something like provisioned, err := r.credentialsSecretProvisioned() would be a better fit. Also if you get a IsNotFound error then just return false. It keeps the outer calling function cleaner.
There was a problem hiding this comment.
Also if you get a IsNotFound error then just return false. It keeps the outer calling function cleaner.
It doesn't help much, since we still need to handle other types of errors (unless we suppress those errors)
if err == nil && !secretProvisioned {
// update status and re-enqueue
} else if err != nil {
// return non-NotFound errors
}There was a problem hiding this comment.
All other errors we simply return an error even if secretProvisioned is true(because we never expect secretProvisioned to be true and for there to be an error).
provisioned, err := r.credentialsSecretProvisioned()
if err!=nil {
// this is only possible when there is some error other than not found
// and we want to immediately retry because it's probably transient
return err
}
r.updateStatus(..provisioned)
| // retrying after delay to ensure secret provisioning. | ||
| return ctrl.Result{RequeueAfter: controllerReEnqueueDuration}, nil | ||
| } else if err != nil { | ||
| return ctrl.Result{}, fmt.Errorf("failed to ensure AWSLoadBalancerController %q service account: %w", req.Name, err) |
There was a problem hiding this comment.
This error message is wrong.
| Name: boundSATokenVolumeName, | ||
| VolumeSource: corev1.VolumeSource{ | ||
| Projected: &corev1.ProjectedVolumeSource{ | ||
| DefaultMode: aws.Int32(420), |
There was a problem hiding this comment.
Make this a constant. Also you shouldn't be using the aws pointer helper function. Kubernetes has it's own pointer helper called pointer.Int32().
| Sources: []corev1.VolumeProjection{{ | ||
| ServiceAccountToken: &corev1.ServiceAccountTokenProjection{ | ||
| Audience: "openshift", | ||
| ExpirationSeconds: aws.Int64(3600), |
| Sources: []corev1.VolumeProjection{{ | ||
| ServiceAccountToken: &corev1.ServiceAccountTokenProjection{ | ||
| Audience: "openshift", | ||
| ExpirationSeconds: aws.Int64(3600), |
There was a problem hiding this comment.
Change this please. Also do we have tests covering any change we make to the bound service account token?
| @@ -63,6 +64,7 @@ func desiredAWSLoadBalancerServiceAccount(namespace string, controller *albo.AWS | |||
| Namespace: namespace, | |||
| Name: fmt.Sprintf("%s-%s", controllerResourcePrefix, controller.Name), | |||
| }, | |||
| AutomountServiceAccountToken: aws.Bool(true), | |||
There was a problem hiding this comment.
Now that we are using a non default value we have to update the functions which verifies if the service account needs an update.
There was a problem hiding this comment.
Yeah, my bad, I forgot this. Added.
| CredentialsRequestAvailableCondition = "CredentialsRequestAvailable" | ||
| DeploymentAvailableCondition = "DeploymentAvailable" | ||
| DeploymentUpgradingCondition = "DeploymentUpgrading" | ||
| CredentialsRequestAvailable = "CredentialsRequestAvailable" |
There was a problem hiding this comment.
This constant should still be called CredentialsRequestAvailableCondition.
| @@ -34,42 +39,25 @@ func (r *AWSLoadBalancerControllerReconciler) updateControllerStatus(ctx context | |||
| return nil | |||
| } | |||
|
|
|||
| func credentialRequestsConditions(cr *cco.CredentialsRequest, generation int64) []metav1.Condition { | |||
| func credentialRequestsConditions(cr *cco.CredentialsRequest, secretProvisioned bool, generation int64) []metav1.Condition { | |||
| var conditions []metav1.Condition | |||
There was a problem hiding this comment.
I don't see the credentials request being used anywhere. Do we still have to pass it to this function.
There was a problem hiding this comment.
Also the condition name now doesn't make sense. We should call it something like CredentialsSecretAvailable.
There was a problem hiding this comment.
I don't see the credentials request being used anywhere. Do we still have to pass it to this function.
Changed argument to be just the secret name.
Also the condition name now doesn't make sense. We should call it something like CredentialsSecretAvailable.
Fixed
thejasn
force-pushed
the
feature/sts-mode-creds
branch
from
d889770
to
18743f0
Compare
docs/sts/sts.md
Outdated
| ### Extract and prepare the `ccoctl` binary | ||
|
|
||
| 1. Obtain the OpenShift Container Platform release image: | ||
|
|
||
| ```bash | ||
| RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}') | ||
| ``` | ||
|
|
||
| 2. Get the CCO container image from the OpenShift Container Platform release image: | ||
|
|
||
| ```bash | ||
| CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE) | ||
| ``` | ||
|
|
||
| 3. Extract the ccoctl binary from the CCO container image within the OpenShift | ||
| Container Platform release image: | ||
|
|
||
| ```bash | ||
| oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret | ||
| ``` | ||
|
|
||
| 4. Change the permissions to make ccoctl executable: | ||
|
|
||
| ```bash | ||
| chmod 775 ccoctl | ||
| ``` | ||
|
|
There was a problem hiding this comment.
Let's just link to the existing documentation where they describe how to get ccoctl.
docs/sts/sts.md
Outdated
| 3. Apply the secrets to your cluster: | ||
|
|
||
| ```bash | ||
| ls <path_to_ccoctl_output_dir>/manifests/*-credentials.yaml | xargs -I{} oc apply -f {} |
There was a problem hiding this comment.
<path_to_ccoctl_output_dir> is not defined anywhere.
| @@ -78,6 +78,19 @@ func (r *AWSLoadBalancerControllerReconciler) ensureCredentialsRequest(ctx conte | |||
| return current, nil | |||
| } | |||
|
|
|||
| func (r *AWSLoadBalancerControllerReconciler) credentialsSecretProvisioned(ctx context.Context, cr *cco.CredentialsRequest) (bool, error) { | |||
There was a problem hiding this comment.
This function should return a false, nil when the error is IsNotFound so that the caller doesn't have to handle it.
| @@ -24,6 +24,9 @@ const ( | |||
| appLabelName = "app.kubernetes.io/name" | |||
| appName = "aws-load-balancer-operator" | |||
| appInstanceName = "app.kubernetes.io/instance" | |||
| // awsSDKLoadConfigName is the name of the environment variable which enables shared configs. | |||
| // Without which certain fields in the config aren't set. Eg: role_arn. | |||
| awsSDKLoadConfigName = "AWS_SDK_LOAD_CONFIG" | |||
There was a problem hiding this comment.
Did you verify that this is actually required?
There was a problem hiding this comment.
Yes, https://github.com/aws/aws-sdk-go/blob/v1.43.42/aws/session/shared_config.go#L332 doesn't bind role_arn without setting exOpts and AWS_SDK_LOAD_CONFIG sets that value.
thejasn
force-pushed
the
feature/sts-mode-creds
branch
from
43dcee0
to
c716a9a
Compare
| @@ -135,6 +138,23 @@ func (r *AWSLoadBalancerControllerReconciler) Reconcile(ctx context.Context, req | |||
| return ctrl.Result{}, fmt.Errorf("failed to ensure CredentialsRequest for AWSLoadBalancerController %q: %w", req.Name, err) | |||
| } | |||
|
|
|||
| secretProvisioned, err := r.credentialsSecretProvisioned(ctx, credentialsRequest) | |||
| if err != nil { | |||
| return ctrl.Result{}, fmt.Errorf("failed to ensure credentialsrequest secret %q for AWSLoadBalancerController %q: %w", credentialsRequest.Spec.SecretRef.Name, req.Name, err) | |||
There was a problem hiding this comment.
The error message should be different. Probably failed to verify if credentials secret %q for AWSLoadBalancerController %q has been provisioned.
| @@ -135,6 +138,23 @@ func (r *AWSLoadBalancerControllerReconciler) Reconcile(ctx context.Context, req | |||
| return ctrl.Result{}, fmt.Errorf("failed to ensure CredentialsRequest for AWSLoadBalancerController %q: %w", req.Name, err) | |||
| } | |||
|
|
|||
| secretProvisioned, err := r.credentialsSecretProvisioned(ctx, credentialsRequest) | |||
| if err != nil { | |||
| return ctrl.Result{}, fmt.Errorf("failed to ensure credentialsrequest secret %q for AWSLoadBalancerController %q: %w", credentialsRequest.Spec.SecretRef.Name, req.Name, err) | |||
There was a problem hiding this comment.
The error message should be different. Probably failed to verify if credentials secret %q for AWSLoadBalancerController %q has been provisioned.
thejasn
force-pushed
the
feature/sts-mode-creds
branch
from
c716a9a
to
c632a75
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: arjunrn, thejasn The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/assign @lihongan |
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
/label docs-approved |
openshift-ci
bot
added
docs-approved
|
@thejasn: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
No description provided.