New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-16181: Write manifests when AWS IAM roles already exist. #514
Conversation
Holding for testing & to check if manifest generation for other clouds will have the same issue. |
@@ -227,6 +227,11 @@ func createRole(awsClient aws.Client, name string, credReq *credreqv1.Credential | |||
} else { | |||
role = outRole.Role | |||
log.Printf("Existing role %s found", *role.Arn) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC we get here if there's a role of the expected name. How confident can we be that it has the right settings? Should we validate them? What would be the right behavior if they don't match?
- Delete the role and recreate it? If this is right, then we could simplify by simply doing that regardless.
- Modify the role to have the right attributes? For some deltas -- like tags -- this might make sense; but for others, it could be Bad™ -- like if it would change the actual security-ness of the role.
- ...so probably the only right answer is to error. Which may be why the code was the way it was in the first place.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like we apply policy derived from the provided CredentialsRequests
on roles after this even if the role already existed so we may already be stomping the existing role policy to be what we expect based on the invocation.
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #514 +/- ##
==========================================
+ Coverage 48.19% 50.46% +2.27%
==========================================
Files 96 96
Lines 11635 12853 +1218
==========================================
+ Hits 5607 6486 +879
- Misses 5415 5696 +281
- Partials 613 671 +58
|
Okay, I was getting confused about what we were writing here. It's the secret in the cluster, not the policy in the cloud. This makes sense. Add UT? Like here? |
Yep! This writes the secrets we put into the manifests directory to be read by the installer. There was some more discussion on the card so may need more changes depending on what the UX should be when the user running |
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close |
@openshift-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@abutcher: This pull request references Jira Issue OCPBUGS-16181, which is invalid:
Comment In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@abutcher: This pull request references Jira Issue OCPBUGS-16181, which is invalid:
Comment In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/jira refresh |
@abutcher: This pull request references Jira Issue OCPBUGS-16181, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/jira refresh |
@abutcher: This pull request references Jira Issue OCPBUGS-16181, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/jira refresh |
@abutcher: This pull request references Jira Issue OCPBUGS-16181, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test e2e-aws-ovn |
/jira refresh |
@jstuever: This pull request references Jira Issue OCPBUGS-16181, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/assign |
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abutcher, jstuever The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold cancel |
@abutcher: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@abutcher: Jira Issue OCPBUGS-16181: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-16181 has been moved to the MODIFIED state. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/cherry-pick release-4.15 |
@jstuever: new pull request created: #653 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[ART PR BUILD NOTIFIER] This PR has been included in build ose-cloud-credential-operator-container-v4.16.0-202401141455.p0.g8bca79f.assembly.stream for distgit ose-cloud-credential-operator. |
No description provided.