
[OSD-22253] refactor sts command to support wif as well#583

Merged
openshift-merge-bot[bot] merged 5 commits intoopenshift:masterfrom
mrWinston:osd-22253-gap-analysis-for-gcpwif
Jun 26, 2024

Conversation

@mrWinston
Member

@mrWinston mrWinston commented Jun 17, 2024

Description

This PR is part of the ongoing effort to support gcp WIF the same way we do for aws sts.

It rewrites the osdctl sts subcommand to support both aws sts policies as well as gcp wif templates. To reflect the change, the command was renamed to osdctl managedpolicies and its subcommands were renamed to get and diff respectively:

  • osdctl sts policy 4.15.0 --> osdctl iampermissions get -c aws -r 4.15.0
  • osdctl sts policy-diff 4.14.0 4.15.0 --> osdctl iampermissions diff -c aws -b 4.15.0 -t 4.15.0

Furthermore, a new command is added to convert the credentialsrequests for a given cloud and version to a format that can be consumed directly by managed-cluster-config. osdctl managedpolicies save creates a json or yaml file (json for aws, yaml for gcp) for each credentialsrequest in a given folder. These contain the necessary permissions for the service accounts.

Examples

  • Download CredentialsRequests:
# download aws credentialsrequests for 4.15.0 
./osdctl -S iampermissions get -c aws -r 4.15.0

OCP managed policy files for aws have been saved in /tmp/osdctl-crs-2292554493 directory

# same for gcp
./osdctl -S iampermissions get -c gcp -r 4.15.0

OCP managed policy files for gcp have been saved in /tmp/osdctl-crs-2900638342 directory
  • Diff between versions
./osdctl -S iampermissions diff -c aws -b 4.15.0 -t 4.16.0-rc.0
Downloading Credential Requests for 4.15.0
Downloading Credential Requests for 4.16.0-rc.0
diff /tmp/osdctl-crs-1845971928/0000_50_cluster-image-registry-operator_01-registry-credentials-request.yaml /tmp/osdctl-crs-2115331329/0000_50_cluster-image-registry-operator_01-registry-credentials-request.yaml
6a7
>     include.release.openshift.io/hypershift: "true"
diff /tmp/osdctl-crs-1845971928/0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml /tmp/osdctl-crs-2115331329/0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml
6c6
<     capability.openshift.io/name: CloudCredential
---
>     capability.openshift.io/name: CloudCredential+Ingress
  • Extract managedpolicies from the credentialsrequests and save them to a local folder:
$ ./osdctl -S iampermissions save -d ./aws1 -c aws -r 4.16.0-rc.0
Writing aws1/openshift-ingress.json
Writing aws1/openshift-cloud-network-config-controller-aws.json
Writing aws1/aws-ebs-csi-driver-operator.json
Writing aws1/openshift-cluster-api-aws.json
Writing aws1/openshift-machine-api-aws.json
Writing aws1/cloud-credential-operator-iam-ro.json
Writing aws1/openshift-image-registry.json

# same for gcp

$ ./osdctl -S iampermissions save -d ./gcp -c gcp -r 4.16.0-rc.0
Writing gcp/openshift-image-registry-gcs.yaml
Writing gcp/openshift-ingress-gcp.yaml
Writing gcp/openshift-cloud-network-config-controller-gcp.yaml
Writing gcp/openshift-gcp-pd-csi-driver-operator.yaml
Writing gcp/openshift-gcp-ccm.yaml
Writing gcp/openshift-cluster-api-gcp.yaml
Writing gcp/openshift-machine-api-gcp.yaml
Writing gcp/cloud-credential-operator-gcp-ro-creds.yaml
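
The diff subcommand above compares whole manifest files; what a reviewer of the permission gap between two releases usually wants is the set of IAM actions that were added or dropped. This is an added Go example, not osdctl's code: it models only the AWSProviderSpec statementEntries fields of a CredentialsRequest and runs on constructed JSON samples (the YAML manifests in JSON form), so the assumed inputs are illustrative rather than real release content.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Minimal view of a CredentialsRequest; only the AWSProviderSpec fields read here are modelled.
type CredentialsRequest struct {
	Spec struct {
		ProviderSpec struct {
			StatementEntries []struct {
				Effect string   `json:"effect"`
				Action []string `json:"action"`
			} `json:"statementEntries"`
		} `json:"providerSpec"`
	} `json:"spec"`
}

// AllowedActions returns the IAM actions a request grants; Deny statements are skipped.
func AllowedActions(raw []byte) (map[string]bool, error) {
	var cr CredentialsRequest
	if err := json.Unmarshal(raw, &cr); err != nil {
		return nil, err
	}
	actions := map[string]bool{}
	for _, s := range cr.Spec.ProviderSpec.StatementEntries {
		if s.Effect == "Allow" {
			for _, a := range s.Action {
				actions[a] = true
			}
		}
	}
	return actions, nil
}
// only returns the sorted keys of a that are absent from b.
func only(a, b map[string]bool) []string {
	var out []string
	for k := range a {
		if !b[k] {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}
// PermissionDiff reports actions granted only in newer (added) or only in older (removed).
func PermissionDiff(older, newer map[string]bool) (added, removed []string) {
	return only(newer, older), only(older, newer)
}
// Constructed sample requests (JSON form of the YAML manifests), not real release content.
var oldCR = []byte(`{"spec":{"providerSpec":{"kind":"AWSProviderSpec","statementEntries":[{"effect":"Allow","action":["ec2:DescribeInstances","ec2:DescribeSubnets"],"resource":"*"}]}}}`)
var newCR = []byte(`{"spec":{"providerSpec":{"kind":"AWSProviderSpec","statementEntries":[{"effect":"Allow","action":["ec2:DescribeInstances","ec2:CreateTags"],"resource":"*"},{"effect":"Deny","action":["ec2:TerminateInstances"],"resource":"*"}]}}}`)
```

For the sample inputs, PermissionDiff reports ec2:CreateTags as added and ec2:DescribeSubnets as removed, while the Deny entry never shows up as a grant.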

@openshift-ci openshift-ci bot requested review from mjlshen and sam-nguyen7 June 17, 2024 13:50
@fahlmant
Contributor

@mrWinston Why was this renamed to managed policies? That has a specific meaning in ROSA, so it may be confusing to change this command to that name when it doesn't directly relate to the ROSA meaning.

@mrWinston
Member Author

@mrWinston Why was this renamed to managed policies? That has a specific meaning in ROSA, so it may be confusing to change this command to that name when it doesn't directly relate to the ROSA meaning.

In general, the name sts for the command would be confusing when it also supported gcp wif. managedpolicies was the first thing that came to my mind when thinking about a new name. But naming is hard and I wasn't aware that it's also a thing in rosa. Let's rename it to something else.

Do you already have an idea for a better name?

@fahlmant
Contributor

Maybe something like cloud-permissions or iam-permissions since both AWS and GCP use the IAM terminology?

@mrWinston
Member Author

Renamed the command to iampermissions to avoid confusion.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 19, 2024
@mrWinston mrWinston force-pushed the osd-22253-gap-analysis-for-gcpwif branch from fb3bf2a to 60ed068 Compare June 25, 2024 08:34
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 25, 2024
@openshift-ci
Contributor

openshift-ci bot commented Jun 25, 2024

@mrWinston: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@AlexVulaj
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2024
@openshift-ci
Contributor

openshift-ci bot commented Jun 26, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AlexVulaj, mrWinston

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 26, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit bcd870d into openshift:master Jun 26, 2024