CCO-249: Replace GCP role with explicit permissions

[Miciah]

Instead of using a predefined role in the cloud credentials request for GCP, enumerate permissions explicitly.

The Google Cloud DNS API permissions are documented here: https://cloud.google.com/dns/docs/access-control

Each method in the Cloud DNS API has a corresponding permission. The operator's DNS provider implementation for GCP only calls two methods:

• dns.changes.create
• dns.resourcerecordsets.list

These methods require the following permissions:

• dns.changes.create
• dns.resourceRecordSets.create
• dns.resourceRecordSets.update
• dns.resourceRecordSets.delete
• dns.resourceRecordSets.list

This PR replaces the dns.admin role with these permissions in the credentials request.

• manifests/00-ingress-credentials-request.yaml: Replace the roles/dns.admin predefined role with an explicit list of permissions.

[Miciah]

/test e2e-gcp-operator

[Miciah]

/test e2e-gcp-operator

[Miciah]

/test e2e-gcp-operator

[Miciah]

e2e-gcp-operator failed because of a nil-pointer dereference in TestRouterCompressionOperation, which should be fixed by #843.

[Miciah]

e2e-aws-operator failed because of an installer issue, which should be fixed by openshift/installer#6489.

[davemulford]

@Miciah it looks like dns.changes.create is listed twice?

[Miciah]

@Miciah it looks like dns.changes.create is listed twice?

Indeed. Thanks for pointing that out! I'll fix that in the next push.

[huangmingxia]

@Miciah I tested with case OCP-55034 , PTAL, thank you.

[candita]

/assign @gcs278 @suleymanakbas91

[gcs278]

nit your PR description is a little off, probably just want to make it match your latest commit message.
Otherwise, reviewed permissions and code using permissions. Makes sense. CI will be the real test here to see if we miss something.
/lgtm

[Miciah]

nit your PR description is a little off, probably just want to make it match your latest commit message.

Thanks! I think I've corrected the discrepancies.

[Miciah]

/test e2e-gcp-operator
This should pass now that #843 has merged.

[Miciah]

e2e-gcp-operator failed because kube-apiserver reported NodeInstallerProgressing.
/test e2e-gcp-operator

[gcs278]

All look like cluster install failures and etcd issues.
/retest

[gcs278]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gcs278

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [gcs278]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gcs278]

disruption and deprovisioning issues
/retest

[gcs278]

disruption issues, DNS e2e failure, and deprovision issues.
/retest

[gcs278]

e2e-gcp-ovn-serial is a little suspicious with a GCP Service unavailable, but seems transient.
e2e-aws-operator deprovisioning issue
/retest

[abutcher]

Holding due to custom role leak in CI https://issues.redhat.com/browse/CCO-243.
/hold

[Miciah]

/remove-lifecycle rotten

/hold cancel
now that openshift/cloud-credential-operator#611 merged.

[openshift-ci-robot]

@Miciah: This pull request references CCO-249 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

In response to this:

Instead of using a predefined role in the cloud credentials request for GCP, enumerate permissions explicitly.

The Google Cloud DNS API permissions are documented here: https://cloud.google.com/dns/docs/access-control

Each method in the Cloud DNS API has a corresponding permission. The operator's DNS provider implementation for GCP only calls two methods:

• dns.changes.create
• dns.resourcerecordsets.list

These methods require the following permissions:

• dns.changes.create
• dns.resourceRecordSets.create
• dns.resourceRecordSets.update
• dns.resourceRecordSets.delete
• dns.resourceRecordSets.list

This PR replaces the dns.admin role with these permissions in the credentials request.

• manifests/00-ingress-credentials-request.yaml: Replace the roles/dns.admin predefined role with an explicit list of permissions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[frobware]

/lgtm

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 23ee5be and 2 for PR HEAD a236822 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9e77590 and 1 for PR HEAD a236822 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9e77590 and 2 for PR HEAD a236822 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 30833ad and 1 for PR HEAD a236822 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD bd29f8a and 0 for PR HEAD a236822 in total

[openshift-ci]

@Miciah: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-ovn-serial	677106a	link	true	/test e2e-gcp-ovn-serial

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

/hold

Revision a236822 was retested 3 times: holding

[Miciah]

e2e-gcp-operator failed because TestUnmanagedDNSToManagedDNSInternalIngressController failed; this failure is a known issue (OCPBUGS-24044), so we can override the CI job.
/override ci/prow/e2e-gcp-operator

[openshift-ci]

@Miciah: Overrode contexts on behalf of Miciah: ci/prow/e2e-gcp-operator

In response to this:

e2e-gcp-operator failed because TestUnmanagedDNSToManagedDNSInternalIngressController failed; this failure is a known issue (OCPBUGS-24044), so we can override the CI job.
/override ci/prow/e2e-gcp-operator

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ShudiLi]

Tested it with 4.15.0-0.ci.test-2023-12-11-002730-ci-ln-zm90s6t-latest, created an internal and an external gcp ingress controller, two routes for the ingresscontrollers worked well. Also the dnsrecords were in good status.
`
1.
% oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.15.0-0.ci.test-2023-12-11-002730-ci-ln-zm90s6t-latest True False 67m Cluster version is 4.15.0-0.ci.test-2023-12-11-002730-ci-ln-zm90s6t-latest

% oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
edge1 edg1.shard.ci-ln-zm90s6t-72292.origin-ci-int-gce.dev.rhcloud.com ... 1 more unsec-server3 http edge None
unsec-server3 http1.int11.ci-ln-zm90s6t-72292.origin-ci-int-gce.dev.rhcloud.com unsec-server3 http None

% oc -n openshift-ingress get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
router-default LoadBalancer 172.30.246.63 34.66.75.23 80:30733/TCP,443:31449/TCP 93m
router-int11 LoadBalancer 172.30.169.31 10.0.128.5 80:31203/TCP,443:32639/TCP 49m
router-internal-default ClusterIP 172.30.169.27 80/TCP,443/TCP,1936/TCP 93m
router-internal-int11 ClusterIP 172.30.32.7 80/TCP,443/TCP,1936/TCP 49m
router-internal-shard ClusterIP 172.30.50.0 80/TCP,443/TCP,1936/TCP 49m
router-shard LoadBalancer 172.30.72.171 34.135.238.13 80:30382/TCP,443:30878/TCP 49m

4. curl the routes
   % curl https://edg1.shard.ci-ln-zm90s6t-72292.origin-ci-int-gce.dev.rhcloud.com -k
   this a test!
   %
   sh-4.4# curl http://http1.int11.ci-ln-zm90s6t-72292.origin-ci-int-gce.dev.rhcloud.com
   this a test!
   sh-4.4#

%oc -n openshift-ingress-operator get dnsrecords shard-wildcard -oyaml
...
spec:
dnsManagementPolicy: Managed
dnsName: '*.shard.ci-ln-zm90s6t-72292.origin-ci-int-gce.dev.rhcloud.com.'
recordTTL: 30
recordType: A
targets:

• 34.135.238.13
  status:
  observedGeneration: 1
  zones:

• conditions:

  • lastTransitionTime: "2023-12-11T01:30:08Z"
    message: The DNS provider succeeded in ensuring the record
    reason: ProviderSuccess
    status: "True"
    type: Published
    dnsZone:
    id: ci-ln-zm90s6t-72292-m5rhf-private-zone

• conditions:

  • lastTransitionTime: "2023-12-11T01:30:08Z"
    message: The DNS provider succeeded in ensuring the record
    reason: ProviderSuccess
    status: "True"
    type: Published
    dnsZone:
    id: origin-ci-int-gce

  % oc -n openshift-ingress-operator get dnsrecords int11-wildcard -oyaml
  ...
  spec:
  dnsManagementPolicy: Managed
  dnsName: '*.int11.ci-ln-zm90s6t-72292.origin-ci-int-gce.dev.rhcloud.com.'
  recordTTL: 30
  recordType: A
  targets:

• 10.0.128.5
  status:
  observedGeneration: 1
  zones:

• conditions:

  • lastTransitionTime: "2023-12-11T01:29:29Z"
    message: The DNS provider succeeded in ensuring the record
    reason: ProviderSuccess
    status: "True"
    type: Published
    dnsZone:
    id: ci-ln-zm90s6t-72292-m5rhf-private-zone

• conditions:

  • lastTransitionTime: "2023-12-11T01:29:29Z"
    message: The DNS provider succeeded in ensuring the record
    reason: ProviderSuccess
    status: "True"
    type: Published
    dnsZone:
    id: origin-ci-int-gce

`

[ShudiLi]

@huangmingxia @lihongan worked well from network edge side, please take a look at the above my comment, thanks.

[huangmingxia]

/label qe-approved
Thanks @ShudiLi @lihongan

[huangmingxia]

/label qe-approved

[openshift-ci-robot]

@Miciah: This pull request references CCO-249 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Instead of using a predefined role in the cloud credentials request for GCP, enumerate permissions explicitly.

The Google Cloud DNS API permissions are documented here: https://cloud.google.com/dns/docs/access-control

Each method in the Cloud DNS API has a corresponding permission. The operator's DNS provider implementation for GCP only calls two methods:

• dns.changes.create
• dns.resourcerecordsets.list

These methods require the following permissions:

• dns.changes.create
• dns.resourceRecordSets.create
• dns.resourceRecordSets.update
• dns.resourceRecordSets.delete
• dns.resourceRecordSets.list

This PR replaces the dns.admin role with these permissions in the credentials request.

• manifests/00-ingress-credentials-request.yaml: Replace the roles/dns.admin predefined role with an explicit list of permissions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Miciah]

/hold cancel

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD d09611e and 2 for PR HEAD a236822 in total