Merge pull request #1604 from thomasmckay/rc2-cherry-picks

OCM-4794 | chore: cherry-picks 1.2.31-rc2
openshift · Nov 14, 2023 · 3255447 · 3255447
2 parents 58af583 + fbbd81e
commit 3255447
Show file tree

Hide file tree

Showing 9 changed files with 53 additions and 29 deletions.
diff --git a/cmd/create/accountroles/creators.go b/cmd/create/accountroles/creators.go
@@ -20,6 +20,11 @@ type creator interface {
 
 func initCreator(r *rosa.Runtime, managedPolicies bool, classic bool, hostedCP bool, isClassicValueSet bool,
 	isHostedCPValueSet bool) (creator, bool) {
+	// Unmanaged should be used for fedramp
+	if r.Creator.IsGovcloud {
+		return &unmanagedPoliciesCreator{}, true
+	}
+
 	// Classic ROSA managed policies
 	if managedPolicies && !hostedCP {
 		return &managedPoliciesCreator{}, true

diff --git a/cmd/create/cluster/cmd.go b/cmd/create/cluster/cmd.go
@@ -758,23 +758,23 @@ func init() {
 
 	flags.StringSliceVar(
 		&args.additionalComputeSecurityGroupIds,
-		securitygroups.SgKindFlagMap["Compute"],
+		securitygroups.ComputeSecurityGroupFlag,
 		nil,
 		"The additional Security Group IDs to be added to the default worker machine pool. "+
 			listInputMessage,
 	)
 
 	flags.StringSliceVar(
 		&args.additionalInfraSecurityGroupIds,
-		securitygroups.SgKindFlagMap["Infra"],
+		securitygroups.InfraSecurityGroupFlag,
 		nil,
 		"The additional Security Group IDs to be added to the default infra machine pool. "+
 			listInputMessage,
 	)
 
 	flags.StringSliceVar(
 		&args.additionalControlPlaneSecurityGroupIds,
-		securitygroups.SgKindFlagMap["Control Plane"],
+		securitygroups.ControlPlaneSecurityGroupFlag,
 		nil,
 		"The additional Security Group IDs to be added to the default control plane machine pool. "+
 			listInputMessage,
@@ -2429,15 +2429,18 @@ func run(cmd *cobra.Command, _ []string) {
 	}
 	additionalComputeSecurityGroupIds := args.additionalComputeSecurityGroupIds
 	getSecurityGroups(r, cmd, isVersionCompatibleComputeSgIds,
-		"Compute", useExistingVPC, isHostedCP, subnets, subnetIDs, &additionalComputeSecurityGroupIds)
+		securitygroups.ComputeKind, useExistingVPC, isHostedCP, subnets,
+		subnetIDs, &additionalComputeSecurityGroupIds)
 
 	additionalInfraSecurityGroupIds := args.additionalInfraSecurityGroupIds
 	getSecurityGroups(r, cmd, isVersionCompatibleComputeSgIds,
-		"Infra", useExistingVPC, isHostedCP, subnets, subnetIDs, &additionalInfraSecurityGroupIds)
+		securitygroups.InfraKind, useExistingVPC, isHostedCP, subnets,
+		subnetIDs, &additionalInfraSecurityGroupIds)
 
 	additionalControlPlaneSecurityGroupIds := args.additionalControlPlaneSecurityGroupIds
 	getSecurityGroups(r, cmd, isVersionCompatibleComputeSgIds,
-		"Control Plane", useExistingVPC, isHostedCP, subnets, subnetIDs, &additionalControlPlaneSecurityGroupIds)
+		securitygroups.ControlPlaneKind, useExistingVPC, isHostedCP, subnets,
+		subnetIDs, &additionalControlPlaneSecurityGroupIds)
 
 	// Validate all remaining flags:
 	expiration, err := validateExpiration()
@@ -3557,17 +3560,20 @@ func buildCommand(spec ocm.Spec, operatorRolesPrefix string,
 
 	if len(spec.AdditionalComputeSecurityGroupIds) > 0 {
 		command += fmt.Sprintf(" --%s %s",
-			securitygroups.SgKindFlagMap["Compute"], strings.Join(spec.AdditionalComputeSecurityGroupIds, ","))
+			securitygroups.ComputeSecurityGroupFlag,
+			strings.Join(spec.AdditionalComputeSecurityGroupIds, ","))
 	}
 
 	if len(spec.AdditionalInfraSecurityGroupIds) > 0 {
 		command += fmt.Sprintf(" --%s %s",
-			securitygroups.SgKindFlagMap["Infra"], strings.Join(spec.AdditionalInfraSecurityGroupIds, ","))
+			securitygroups.InfraSecurityGroupFlag,
+			strings.Join(spec.AdditionalInfraSecurityGroupIds, ","))
 	}
 
 	if len(spec.AdditionalControlPlaneSecurityGroupIds) > 0 {
 		command += fmt.Sprintf(" --%s %s",
-			securitygroups.SgKindFlagMap["Control Plane"], strings.Join(spec.AdditionalControlPlaneSecurityGroupIds, ","))
+			securitygroups.ControlPlaneSecurityGroupFlag,
+			strings.Join(spec.AdditionalControlPlaneSecurityGroupIds, ","))
 	}
 
 	for _, p := range properties {

diff --git a/cmd/create/machinepool/cmd.go b/cmd/create/machinepool/cmd.go
@@ -22,6 +22,7 @@ import (
 
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 	"github.com/openshift/rosa/pkg/aws"
+	"github.com/openshift/rosa/pkg/interactive/securitygroups"
 	"github.com/openshift/rosa/pkg/output"
 	"github.com/openshift/rosa/pkg/properties"
 	"github.com/openshift/rosa/pkg/rosa"
@@ -206,7 +207,7 @@ func init() {
 	)
 
 	flags.StringSliceVar(&args.securityGroupIds,
-		securityGroupIdsFlag,
+		securitygroups.MachinePoolSecurityGroupFlag,
 		nil,
 		"The additional Security Group IDs to be added to the machine pool. "+
 			"Format should be a comma-separated list.",

diff --git a/cmd/create/machinepool/machinepool.go b/cmd/create/machinepool/machinepool.go
@@ -17,17 +17,14 @@ import (
 	"github.com/openshift/rosa/pkg/helper/versions"
 	"github.com/openshift/rosa/pkg/interactive"
 	"github.com/openshift/rosa/pkg/interactive/confirm"
+	"github.com/openshift/rosa/pkg/interactive/securitygroups"
 	interactiveSgs "github.com/openshift/rosa/pkg/interactive/securitygroups"
 	"github.com/openshift/rosa/pkg/ocm"
 	"github.com/openshift/rosa/pkg/output"
 	"github.com/openshift/rosa/pkg/rosa"
 	"github.com/spf13/cobra"
 )
 
-const (
-	securityGroupIdsFlag = "additional-security-group-ids"
-)
-
 func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster, r *rosa.Runtime) {
 	var err error
 
@@ -51,7 +48,7 @@ func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster
 		os.Exit(1)
 	}
 
-	isSecurityGroupIdsSet := cmd.Flags().Changed(securityGroupIdsFlag)
+	isSecurityGroupIdsSet := cmd.Flags().Changed(securitygroups.MachinePoolSecurityGroupFlag)
 	isVersionCompatibleComputeSgIds, err := versions.IsGreaterThanOrEqual(
 		cluster.Version().RawID(), ocm.MinVersionForAdditionalComputeSecurityGroupIdsDay2)
 	if err != nil {
@@ -61,12 +58,13 @@ func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster
 	isHcpCluster := ocm.IsHyperShiftCluster(cluster)
 	if isSecurityGroupIdsSet {
 		if !isByoVpc {
-			r.Reporter.Errorf("Setting the `%s` flag is only allowed for BYOVPC clusters", securityGroupIdsFlag)
+			r.Reporter.Errorf("Setting the `%s` flag is only allowed for BYOVPC clusters",
+				securitygroups.MachinePoolSecurityGroupFlag)
 			os.Exit(1)
 		}
 		if isHcpCluster {
 			r.Reporter.Errorf("Parameter '%s' is not supported for Hosted Control Plane clusters",
-				securityGroupIdsFlag)
+				securitygroups.MachinePoolSecurityGroupFlag)
 			os.Exit(1)
 		}
 		if !isVersionCompatibleComputeSgIds {
@@ -76,7 +74,7 @@ func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster
 				os.Exit(1)
 			}
 			r.Reporter.Errorf("Parameter '%s' is not supported prior to version '%s'",
-				securityGroupIdsFlag, formattedVersion)
+				securitygroups.MachinePoolSecurityGroupFlag, formattedVersion)
 			os.Exit(1)
 		}
 	}
@@ -305,7 +303,7 @@ func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster
 			r.Reporter.Warnf("Unexpected situation a VPC ID should have been selected based on chosen subnets")
 			os.Exit(1)
 		}
-		securityGroupIds = interactiveSgs.GetSecurityGroupIds(r, cmd, vpcId, securityGroupIdsFlag)
+		securityGroupIds = interactiveSgs.GetSecurityGroupIds(r, cmd, vpcId, interactiveSgs.MachinePoolKind)
 	}
 	for i, sg := range securityGroupIds {
 		securityGroupIds[i] = strings.TrimSpace(sg)

diff --git a/cmd/create/machinepool/nodepool.go b/cmd/create/machinepool/nodepool.go
@@ -14,6 +14,7 @@ import (
 	mpHelpers "github.com/openshift/rosa/pkg/helper/machinepools"
 	"github.com/openshift/rosa/pkg/helper/versions"
 	"github.com/openshift/rosa/pkg/interactive"
+	"github.com/openshift/rosa/pkg/interactive/securitygroups"
 	"github.com/openshift/rosa/pkg/output"
 	"github.com/openshift/rosa/pkg/rosa"
 )
@@ -29,10 +30,10 @@ func addNodePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster, r
 		os.Exit(1)
 	}
 
-	isSecurityGroupIdsSet := cmd.Flags().Changed(securityGroupIdsFlag)
+	isSecurityGroupIdsSet := cmd.Flags().Changed(securitygroups.MachinePoolSecurityGroupFlag)
 	if isSecurityGroupIdsSet {
 		r.Reporter.Errorf("Parameter '%s' is not supported for Hosted Control Plane clusters",
-			securityGroupIdsFlag)
+			securitygroups.MachinePoolSecurityGroupFlag)
 		os.Exit(1)
 	}
 

diff --git a/pkg/interactive/securitygroups/security_groups.go b/pkg/interactive/securitygroups/security_groups.go
@@ -14,13 +14,26 @@ const (
 	additionalComputeSecurityGroupIdsFlag      = "additional-compute-security-group-ids"
 	additionalInfraSecurityGroupIdsFlag        = "additional-infra-security-group-ids"
 	additionalControlPlaneSecurityGroupIdsFlag = "additional-control-plane-security-group-ids"
+	securityGroupIdsFlag                       = "additional-security-group-ids"
+
+	ComputeKind      = "Compute"
+	InfraKind        = "Infra"
+	ControlPlaneKind = "Control Plane"
+	MachinePoolKind  = "Machine Pool"
 )
 
-var SgKindFlagMap = map[string]string{
-	"Compute":       additionalComputeSecurityGroupIdsFlag,
-	"Infra":         additionalInfraSecurityGroupIdsFlag,
-	"Control Plane": additionalControlPlaneSecurityGroupIdsFlag,
-}
+var (
+	SgKindFlagMap = map[string]string{
+		ComputeKind:      additionalComputeSecurityGroupIdsFlag,
+		InfraKind:        additionalInfraSecurityGroupIdsFlag,
+		ControlPlaneKind: additionalControlPlaneSecurityGroupIdsFlag,
+		MachinePoolKind:  securityGroupIdsFlag,
+	}
+	ComputeSecurityGroupFlag      = SgKindFlagMap[ComputeKind]
+	InfraSecurityGroupFlag        = SgKindFlagMap[InfraKind]
+	ControlPlaneSecurityGroupFlag = SgKindFlagMap[ControlPlaneKind]
+	MachinePoolSecurityGroupFlag  = SgKindFlagMap[MachinePoolKind]
+)
 
 func GetSecurityGroupIds(r *rosa.Runtime, cmd *cobra.Command,
 	targetVpcId string, kind string) []string {

diff --git a/pkg/kubeletconfig/config.go b/pkg/kubeletconfig/config.go
@@ -34,7 +34,7 @@ func GetInteractiveMaxPidsLimitHelp(maxPidsLimit int) string {
 
 func GetInteractiveInput(maxPidsLimit int, kubeletConfig *v1.KubeletConfig) interactive.Input {
 
-	var defaultLimit = PodPidsLimitOptionDefaultValue
+	var defaultLimit = MinPodPidsLimit
 	if kubeletConfig != nil {
 		defaultLimit = kubeletConfig.PodPidsLimit()
 	}

diff --git a/pkg/kubeletconfig/config_test.go b/pkg/kubeletconfig/config_test.go
@@ -65,7 +65,7 @@ var _ = Describe("KubeletConfig Config", func() {
 			Expect(input.Question).To(Equal(InteractivePodPidsLimitPrompt))
 			Expect(input.Help).To(Equal(GetInteractiveMaxPidsLimitHelp(5000)))
 			Expect(len(input.Validators)).To(Equal(2))
-			Expect(input.Default).To(Equal(PodPidsLimitOptionDefaultValue))
+			Expect(input.Default).To(Equal(MinPodPidsLimit))
 		})
 	})
 })
diff --git a/pkg/kubeletconfig/consts.go b/pkg/kubeletconfig/consts.go
@@ -6,7 +6,7 @@ const (
 	MaxUnsafePodPidsLimit          = 3694303
 	PodPidsLimitOption             = "pod-pids-limit"
 	PodPidsLimitOptionUsage        = "Sets the requested pod_pids_limit for your custom KubeletConfig."
-	PodPidsLimitOptionDefaultValue = -1
+	PodPidsLimitOptionDefaultValue = 0
 	InteractivePodPidsLimitPrompt  = "Pod Pids Limit?"
 	InteractivePodPidsLimitHelp    = "Set the Pod Pids Limit field to a value between 4096 and %d"
 	ByPassPidsLimitCapability      = "capability.organization.bypass_pids_limits"