OCPBUGS-28231: Guard upgrading GCP from 4.14 to 4.15 without RoleAdmin permissions

[jstuever]

After adding granular permissions to the GCP platform in 4.15, new permission are required on the root credential service account. The GCP platform in mint mode now requires the upgradeable annotation to upgrade from 4.14.x to a newer minor version such as 4.15.0.

This PR should only be applied to 4.14.

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-28231, which is invalid:

• bug is open, matching expected state (open)
• bug target version (4.14.z) matches configured target version for branch (4.14.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• bug has dependents
• dependent bug CCO-522 is not in the required OCPBUGS project

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

After adding granular permissions to the GCP platform in 4.15, new permission are required on the root credential service account. The GCP platform in mint mode now requires the upgradeable annotation to upgrade from 4.14 to a newer minor version such as 4.15.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov]

Codecov Report

Attention: 13 lines in your changes are missing coverage. Please review.

Comparison is base (d63895b) 48.41% compared to head (781b0ca) 48.57%.
Report is 2 commits behind head on release-4.14.

Additional details and impacted files

@@               Coverage Diff                @@
##           release-4.14     #670      +/-   ##
================================================
+ Coverage         48.41%   48.57%   +0.16%     
================================================
  Files                96       96              
  Lines             11744    11839      +95     
================================================
+ Hits               5686     5751      +65     
- Misses             5427     5453      +26     
- Partials            631      635       +4     

Files	Coverage Δ
pkg/aws/actuator/actuator.go	63.90% <100.00%> (ø)
pkg/gcp/actuator/actuator.go	57.71% <100.00%> (ø)
pkg/vsphere/actuator/actuator.go	53.60% <100.00%> (ø)
pkg/azure/actuator.go	60.97% <0.00%> (ø)
pkg/kubevirt/actuator.go	77.77% <0.00%> (ø)
pkg/openstack/actuator.go	0.00% <0.00%> (ø)
pkg/ovirt/actuator.go	10.52% <0.00%> (ø)
pkg/operator/utils/utils.go	77.73% <10.00%> (-2.74%)	⬇️

... and 1 file with indirect coverage changes

[jstuever]

/test e2e-gcp

[jstuever]

/payload-job periodic-ci-openshift-release-master-ci-4.15-e2e-gcp-ovn-upgrade-out-of-change

[openshift-ci]

@jstuever: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-ci-4.15-e2e-gcp-ovn-upgrade-out-of-change

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/703b0f70-c213-11ee-9c68-93c96ebcc1b3-0

[jstuever]

/retest

[jstuever]

/retest-required

[jstuever]

/payload-job periodic-ci-openshift-release-master-ci-4.14-e2e-gcp-ovn-upgrade-out-of-change

[jstuever]

/payload-job periodic-ci-openshift-release-master-ci-4.15-e2e-gcp-ovn-upgrade-out-of-change

[openshift-ci]

@jstuever: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[openshift-ci]

@jstuever: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-ci-4.15-e2e-gcp-ovn-upgrade-out-of-change

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/620b17a0-c525-11ee-93e5-a255d268e3c8-0

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-28231, which is invalid:

• bug is open, matching expected state (open)
• bug target version (4.14.z) matches configured target version for branch (4.14.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• bug has dependents
• dependent bug CCO-522 is not in the required OCPBUGS project

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

After adding granular permissions to the GCP platform in 4.15, new permission are required on the root credential service account. The GCP platform in mint mode now requires the upgradeable annotation to upgrade from 4.14.x to a newer minor version such as 4.15.0.

This PR should only be applied to 4.14.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jstuever]

/jira refresh

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-28231, which is invalid:

• bug is open, matching expected state (open)
• bug target version (4.14.z) matches configured target version for branch (4.14.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• dependent bug Jira Issue OCPBUGS-29200 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• bug has dependents
• dependent bug CCO-522 is not in the required OCPBUGS project

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jstuever]

/jira refresh

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-28231, which is invalid:

• expected dependent Jira Issue OCPBUGS-29200 to target a version in 4.15.0, but it targets "4.15.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jstuever]

/label backport-risk-assessed

[jstuever]

/jira refresh

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-28231, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.14.z) matches configured target version for branch (4.14.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• dependent bug Jira Issue OCPBUGS-29200 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-29200 targets the "4.15.0" version, which is one of the valid target versions: 4.15.0
• bug has dependents

Requesting review from QA contact:
/cc @jianping-shu

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jstuever]

/assign @dlom

[dlom]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dlom,jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jianping-shu]

Tested with OCP-71579, it looks good.
Need hold the PR for a while since I'd better to update the QE's upgrade step so the QE's upgrade prow CIs won't be blocked.
@jstuever @dlom maybe you need check if it blocks the Dev's upgrade CI too? The upgrade with --force option won't be impacted.

[jstuever]

It is my understanding that the dev ci jobs use openshift-e2e-test for upgrades, which will use the --force option as per the code here.

[jianping-shu]

QE's upgrade step update done.
/label cherry-pick-approved

[openshift-ci]

@jstuever: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@jstuever: Jira Issue OCPBUGS-28231: All pull requests linked via external trackers have merged:

• openshift/cloud-credential-operator#670

Jira Issue OCPBUGS-28231 has been moved to the MODIFIED state.

In response to this:

After adding granular permissions to the GCP platform in 4.15, new permission are required on the root credential service account. The GCP platform in mint mode now requires the upgradeable annotation to upgrade from 4.14.x to a newer minor version such as 4.15.0.

This PR should only be applied to 4.14.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cloud-credential-operator-container-v4.14.0-202402190838.p0.g007cd00.assembly.stream.el8 for distgit ose-cloud-credential-operator.
All builds following this will include this PR.

[openshift-merge-robot]

Fix included in accepted release 4.14.0-0.nightly-2024-02-19-170131