CORS-2645: AWS Cross-Account Private Hosted Zone: Add Further Validations#7253
Conversation
Adds validation to require that either manual or passthrough credentials mode is used when specifying hosted zone role. In order to perform the AssumeRole operation on the provided role, a policy must be in place to establish a trust reltionship between the role and the IAM credential (for the installer and ingress operator). Because mint mode will create new credentials with non-deterministic unique identifiers in the cluster, it is impossible to generate the policy in advance.
When users bring their own hosted zone, the installer no longer requires permissions to create or destroy zones.
patrickdillon
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@patrickdillon: This pull request references CORS-2645 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@yunjiang29 PTAL |
Small refactoring of destroy code for increasing readibility for cross-account private hosted zones.
Improves wording of hostedZoneRole comment/godoc.
patrickdillon
force-pushed
the
aws-shared-phz-2
branch
from
0cb1c3b to
8a7779c
Compare
|
@patrickdillon while doing AssumeRole validation tests, is the below message expected? It looks like it's a real "No Permission" error instead of a "current credentials insufficient for performing cluster installation" [2] [2] compare to missing |
|
/test okd-images |
I think this should now be fixed in bfd54274464407ca988cde3624d88a4e2d54043a. I would expect a But we are not testing the provided role for permissions, so if the role is missing route53 or tagging permissions, we will get an actual error and that is expected. I hope that makes sense! LMK if it is unclear. |
|
I don't think the |
@patrickdillon it looks like the issue is still there: |
patrickdillon
force-pushed
the
aws-shared-phz-2
branch
from
7d77d76 to
7b02db3
Compare
🤦 In any case, I have removed the commit changing the resource dependency so this doesn't need to be updated anymore. |
On further examination, it appears that there are no permissions that need to be checked in Account B to perform this assume role option: all of the permissions reside within Account A. We could potentially check the permissions for the role in Account A, but that would require expanding the permissions needed by the role in Account A (such as the IAM simulate policy role). Considering that in this case a user-friendly permissions error will appear before any resources have been created (or when attempting to destroy DNS records), it does not seem like a good idea to pursue further permissions checking. Therefore I have removed the check for sts:AssumeRole (because it does nothing), and we should expect errors like the one Yunfei posted #7253 (comment) in the case of an incorrect configuration. |
|
@patrickdillon: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: r4f4 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
@patrickdillon thanks for the detailed explanation, the pre-merge test gets passed. |
|
/lgtm |
7 participants
Adds/refines validations for the cross-account private hosted zone use case:
Also includes some refactoring that did not make it into the previous PR.
ccing previous reviewers:
/cc @barbacbd @r4f4 @mtulio @sadasu