diff --git a/cmd/create/accountroles/creators.go b/cmd/create/accountroles/creators.go index b73873e2b..95dfe05c5 100644 --- a/cmd/create/accountroles/creators.go +++ b/cmd/create/accountroles/creators.go @@ -20,6 +20,11 @@ type creator interface { func initCreator(r *rosa.Runtime, managedPolicies bool, classic bool, hostedCP bool, isClassicValueSet bool, isHostedCPValueSet bool) (creator, bool) { + // Unmanaged should be used for fedramp + if r.Creator.IsGovcloud { + return &unmanagedPoliciesCreator{}, true + } + // Classic ROSA managed policies if managedPolicies && !hostedCP { return &managedPoliciesCreator{}, true diff --git a/cmd/create/cluster/cmd.go b/cmd/create/cluster/cmd.go index 990748fec..39dfb1129 100644 --- a/cmd/create/cluster/cmd.go +++ b/cmd/create/cluster/cmd.go @@ -758,7 +758,7 @@ func init() { flags.StringSliceVar( &args.additionalComputeSecurityGroupIds, - securitygroups.SgKindFlagMap["Compute"], + securitygroups.ComputeSecurityGroupFlag, nil, "The additional Security Group IDs to be added to the default worker machine pool. "+ listInputMessage, @@ -766,7 +766,7 @@ func init() { flags.StringSliceVar( &args.additionalInfraSecurityGroupIds, - securitygroups.SgKindFlagMap["Infra"], + securitygroups.InfraSecurityGroupFlag, nil, "The additional Security Group IDs to be added to the default infra machine pool. "+ listInputMessage, @@ -774,7 +774,7 @@ func init() { flags.StringSliceVar( &args.additionalControlPlaneSecurityGroupIds, - securitygroups.SgKindFlagMap["Control Plane"], + securitygroups.ControlPlaneSecurityGroupFlag, nil, "The additional Security Group IDs to be added to the default control plane machine pool. "+ listInputMessage, 
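Review bot: The GovCloud branch added at the top of initCreator returns the unmanaged creator before managedPolicies, hostedCP, isClassicValueSet and isHostedCPValueSet are looked at, so an explicit managed-policies or hosted-CP request is silently overridden on GovCloud with nothing telling the user why. If that override is intended, report it once before the return, e.g. `r.Reporter.Warnf("Using unmanaged policies for GovCloud")`, and make the comment match the predicate it guards: `// GovCloud (FedRAMP) always uses unmanaged policies, regardless of --managed-policies`. The branch also dereferences r.Creator unguarded; if the creator info can still be unset at this call site, a nil check belongs in front of it. initCreator's body continues outside the hunk.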
@@ -2429,15 +2429,18 @@ func run(cmd *cobra.Command, _ []string) { } additionalComputeSecurityGroupIds := args.additionalComputeSecurityGroupIds getSecurityGroups(r, cmd, isVersionCompatibleComputeSgIds, - "Compute", useExistingVPC, isHostedCP, subnets, subnetIDs, &additionalComputeSecurityGroupIds) + securitygroups.ComputeKind, useExistingVPC, isHostedCP, subnets, + subnetIDs, &additionalComputeSecurityGroupIds) additionalInfraSecurityGroupIds := args.additionalInfraSecurityGroupIds getSecurityGroups(r, cmd, isVersionCompatibleComputeSgIds, - "Infra", useExistingVPC, isHostedCP, subnets, subnetIDs, &additionalInfraSecurityGroupIds) + securitygroups.InfraKind, useExistingVPC, isHostedCP, subnets, + subnetIDs, &additionalInfraSecurityGroupIds) additionalControlPlaneSecurityGroupIds := args.additionalControlPlaneSecurityGroupIds getSecurityGroups(r, cmd, isVersionCompatibleComputeSgIds, - "Control Plane", useExistingVPC, isHostedCP, subnets, subnetIDs, &additionalControlPlaneSecurityGroupIds) + securitygroups.ControlPlaneKind, useExistingVPC, isHostedCP, subnets, + subnetIDs, &additionalControlPlaneSecurityGroupIds) // Validate all remaining flags: expiration, err := validateExpiration() 
@@ -3557,17 +3560,20 @@ func buildCommand(spec ocm.Spec, operatorRolesPrefix string, if len(spec.AdditionalComputeSecurityGroupIds) > 0 { command += fmt.Sprintf(" --%s %s", - securitygroups.SgKindFlagMap["Compute"], strings.Join(spec.AdditionalComputeSecurityGroupIds, ",")) + securitygroups.ComputeSecurityGroupFlag, + strings.Join(spec.AdditionalComputeSecurityGroupIds, ",")) } if len(spec.AdditionalInfraSecurityGroupIds) > 0 { command += fmt.Sprintf(" --%s %s", - securitygroups.SgKindFlagMap["Infra"], strings.Join(spec.AdditionalInfraSecurityGroupIds, ",")) + securitygroups.InfraSecurityGroupFlag, + strings.Join(spec.AdditionalInfraSecurityGroupIds, ",")) } if len(spec.AdditionalControlPlaneSecurityGroupIds) > 0 { command += fmt.Sprintf(" --%s %s", - securitygroups.SgKindFlagMap["Control Plane"], strings.Join(spec.AdditionalControlPlaneSecurityGroupIds, ",")) + securitygroups.ControlPlaneSecurityGroupFlag, + strings.Join(spec.AdditionalControlPlaneSecurityGroupIds, ",")) } for _, p := range properties { diff --git a/cmd/create/machinepool/cmd.go b/cmd/create/machinepool/cmd.go index 30d21be47..86000a008 100644 --- a/cmd/create/machinepool/cmd.go +++ b/cmd/create/machinepool/cmd.go @@ -22,6 +22,7 @@ import ( cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" "github.com/openshift/rosa/pkg/aws" + "github.com/openshift/rosa/pkg/interactive/securitygroups" "github.com/openshift/rosa/pkg/output" "github.com/openshift/rosa/pkg/properties" "github.com/openshift/rosa/pkg/rosa" @@ -206,7 +207,7 @@ func init() { ) flags.StringSliceVar(&args.securityGroupIds, - securityGroupIdsFlag, + securitygroups.MachinePoolSecurityGroupFlag, nil, "The additional Security Group IDs to be added to the machine pool. "+ "Format should be a comma-separated list.", diff --git a/cmd/create/machinepool/machinepool.go b/cmd/create/machinepool/machinepool.go index 98c2c326b..abc2f8929 100644 --- a/cmd/create/machinepool/machinepool.go +++ b/cmd/create/machinepool/machinepool.go 
@@ -17,6 +17,7 @@ import ( "github.com/openshift/rosa/pkg/helper/versions" "github.com/openshift/rosa/pkg/interactive" "github.com/openshift/rosa/pkg/interactive/confirm" + "github.com/openshift/rosa/pkg/interactive/securitygroups" interactiveSgs "github.com/openshift/rosa/pkg/interactive/securitygroups" "github.com/openshift/rosa/pkg/ocm" "github.com/openshift/rosa/pkg/output" @@ -24,10 +25,6 @@ import ( "github.com/spf13/cobra" ) -const ( - securityGroupIdsFlag = "additional-security-group-ids" -) - func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster, r *rosa.Runtime) { var err error @@ -51,7 +48,7 @@ func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster os.Exit(1) } - isSecurityGroupIdsSet := cmd.Flags().Changed(securityGroupIdsFlag) + isSecurityGroupIdsSet := cmd.Flags().Changed(securitygroups.MachinePoolSecurityGroupFlag) isVersionCompatibleComputeSgIds, err := versions.IsGreaterThanOrEqual( cluster.Version().RawID(), ocm.MinVersionForAdditionalComputeSecurityGroupIdsDay2) if err != nil { @@ -61,12 +58,13 @@ func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster isHcpCluster := ocm.IsHyperShiftCluster(cluster) if isSecurityGroupIdsSet { if !isByoVpc { - r.Reporter.Errorf("Setting the `%s` flag is only allowed for BYOVPC clusters", securityGroupIdsFlag) + r.Reporter.Errorf("Setting the `%s` flag is only allowed for BYOVPC clusters", + securitygroups.MachinePoolSecurityGroupFlag) os.Exit(1) } if isHcpCluster { r.Reporter.Errorf("Parameter '%s' is not supported for Hosted Control Plane clusters", - securityGroupIdsFlag) + securitygroups.MachinePoolSecurityGroupFlag) os.Exit(1) } if !isVersionCompatibleComputeSgIds { 
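Review bot: The import hunk adds `github.com/openshift/rosa/pkg/interactive/securitygroups` under its default name directly above the existing `interactiveSgs` alias of the very same package, so machinepool.go now imports one package twice (staticcheck ST1019), and the file then mixes the two names: `securitygroups.MachinePoolSecurityGroupFlag` in the flag-check and error-message hunks of addMachinePool, `interactiveSgs.MachinePoolKind` in the later GetSecurityGroupIds hunk. Drop the new unaliased import and use the existing alias throughout, e.g. `isSecurityGroupIdsSet := cmd.Flags().Changed(interactiveSgs.MachinePoolSecurityGroupFlag)`. nodepool.go had no prior alias, so its new import is fine as is. addMachinePool's body continues outside every one of these hunks.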
@@ -76,7 +74,7 @@ func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster os.Exit(1) } r.Reporter.Errorf("Parameter '%s' is not supported prior to version '%s'", - securityGroupIdsFlag, formattedVersion) + securitygroups.MachinePoolSecurityGroupFlag, formattedVersion) os.Exit(1) } } @@ -305,7 +303,7 @@ func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster r.Reporter.Warnf("Unexpected situation a VPC ID should have been selected based on chosen subnets") os.Exit(1) } - securityGroupIds = interactiveSgs.GetSecurityGroupIds(r, cmd, vpcId, securityGroupIdsFlag) + securityGroupIds = interactiveSgs.GetSecurityGroupIds(r, cmd, vpcId, interactiveSgs.MachinePoolKind) } for i, sg := range securityGroupIds { securityGroupIds[i] = strings.TrimSpace(sg) diff --git a/cmd/create/machinepool/nodepool.go b/cmd/create/machinepool/nodepool.go index 447b1d2db..48e032e7b 100644 --- a/cmd/create/machinepool/nodepool.go +++ b/cmd/create/machinepool/nodepool.go @@ -14,6 +14,7 @@ import ( mpHelpers "github.com/openshift/rosa/pkg/helper/machinepools" "github.com/openshift/rosa/pkg/helper/versions" "github.com/openshift/rosa/pkg/interactive" + "github.com/openshift/rosa/pkg/interactive/securitygroups" "github.com/openshift/rosa/pkg/output" "github.com/openshift/rosa/pkg/rosa" ) @@ -29,10 +30,10 @@ func addNodePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster, r os.Exit(1) } - isSecurityGroupIdsSet := cmd.Flags().Changed(securityGroupIdsFlag) + isSecurityGroupIdsSet := cmd.Flags().Changed(securitygroups.MachinePoolSecurityGroupFlag) if isSecurityGroupIdsSet { r.Reporter.Errorf("Parameter '%s' is not supported for Hosted Control Plane clusters", - securityGroupIdsFlag) + securitygroups.MachinePoolSecurityGroupFlag) os.Exit(1) } diff --git a/pkg/interactive/securitygroups/security_groups.go b/pkg/interactive/securitygroups/security_groups.go index 788490881..be7f24c9c 100644 
--- a/pkg/interactive/securitygroups/security_groups.go +++ b/pkg/interactive/securitygroups/security_groups.go @@ -14,13 +14,26 @@ const ( additionalComputeSecurityGroupIdsFlag = "additional-compute-security-group-ids" additionalInfraSecurityGroupIdsFlag = "additional-infra-security-group-ids" additionalControlPlaneSecurityGroupIdsFlag = "additional-control-plane-security-group-ids" + securityGroupIdsFlag = "additional-security-group-ids" + + ComputeKind = "Compute" + InfraKind = "Infra" + ControlPlaneKind = "Control Plane" + MachinePoolKind = "Machine Pool" ) -var SgKindFlagMap = map[string]string{ - "Compute": additionalComputeSecurityGroupIdsFlag, - "Infra": additionalInfraSecurityGroupIdsFlag, - "Control Plane": additionalControlPlaneSecurityGroupIdsFlag, -} +var ( + SgKindFlagMap = map[string]string{ + ComputeKind: additionalComputeSecurityGroupIdsFlag, + InfraKind: additionalInfraSecurityGroupIdsFlag, + ControlPlaneKind: additionalControlPlaneSecurityGroupIdsFlag, + MachinePoolKind: securityGroupIdsFlag, + } + ComputeSecurityGroupFlag = SgKindFlagMap[ComputeKind] + InfraSecurityGroupFlag = SgKindFlagMap[InfraKind] + ControlPlaneSecurityGroupFlag = SgKindFlagMap[ControlPlaneKind] + MachinePoolSecurityGroupFlag = SgKindFlagMap[MachinePoolKind] +) func GetSecurityGroupIds(r *rosa.Runtime, cmd *cobra.Command, targetVpcId string, kind string) []string { diff --git a/pkg/kubeletconfig/config.go b/pkg/kubeletconfig/config.go index 08f73e518..a99978dd9 100644 --- a/pkg/kubeletconfig/config.go +++ b/pkg/kubeletconfig/config.go @@ -34,7 +34,7 @@ func GetInteractiveMaxPidsLimitHelp(maxPidsLimit int) string { func GetInteractiveInput(maxPidsLimit int, kubeletConfig *v1.KubeletConfig) interactive.Input { - var defaultLimit = PodPidsLimitOptionDefaultValue + var defaultLimit = MinPodPidsLimit if kubeletConfig != nil { defaultLimit = kubeletConfig.PodPidsLimit() } 
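Review bot: The four exported `*SecurityGroupFlag` names are package-level vars initialised by a lookup into SgKindFlagMap, so they are mutable from any importing package and only valid after package init, even though their values are the string constants declared a few lines up. Declaring them as constants and building SgKindFlagMap from them keeps them immutable, usable in const contexts, and removes the init-order dependency on the map. Separately, GetSecurityGroupIds's `kind string` parameter accepted a flag name until this commit (see the machinepool.go hunk that now passes MachinePoolKind), which suggests a named `type Kind string` for the `*Kind` constants so the compiler catches that mix-up; that is a larger change and only a suggestion. GetSecurityGroupIds's signature is cut by the hunk edge.
```go
const (
	// … unchanged: the unexported *Flag string constants and the *Kind constants …

	// Exported flag names are compile-time constants; the kind→flag map is derived from them.
	ComputeSecurityGroupFlag      = additionalComputeSecurityGroupIdsFlag
	InfraSecurityGroupFlag        = additionalInfraSecurityGroupIdsFlag
	ControlPlaneSecurityGroupFlag = additionalControlPlaneSecurityGroupIdsFlag
	MachinePoolSecurityGroupFlag  = securityGroupIdsFlag
)

var SgKindFlagMap = map[string]string{
	ComputeKind:      ComputeSecurityGroupFlag,
	InfraKind:        InfraSecurityGroupFlag,
	ControlPlaneKind: ControlPlaneSecurityGroupFlag,
	MachinePoolKind:  MachinePoolSecurityGroupFlag,
}
```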
diff --git a/pkg/kubeletconfig/config_test.go b/pkg/kubeletconfig/config_test.go
index b005523bb..4f0069c78 100644
--- a/pkg/kubeletconfig/config_test.go
+++ b/pkg/kubeletconfig/config_test.go
@@ -65,7 +65,7 @@ var _ = Describe("KubeletConfig Config", func() {
 Expect(input.Question).To(Equal(InteractivePodPidsLimitPrompt))
 Expect(input.Help).To(Equal(GetInteractiveMaxPidsLimitHelp(5000)))
 Expect(len(input.Validators)).To(Equal(2))
- Expect(input.Default).To(Equal(PodPidsLimitOptionDefaultValue))
+ Expect(input.Default).To(Equal(MinPodPidsLimit))
 })
 })
 })
diff --git a/pkg/kubeletconfig/consts.go b/pkg/kubeletconfig/consts.go
index 7e06506fb..2048a7b8f 100644
--- a/pkg/kubeletconfig/consts.go
+++ b/pkg/kubeletconfig/consts.go
@@ -6,7 +6,7 @@ const (
 MaxUnsafePodPidsLimit = 3694303
 PodPidsLimitOption = "pod-pids-limit"
 PodPidsLimitOptionUsage = "Sets the requested pod_pids_limit for your custom KubeletConfig."
- PodPidsLimitOptionDefaultValue = -1
+ PodPidsLimitOptionDefaultValue = 0
 InteractivePodPidsLimitPrompt = "Pod Pids Limit?"
 InteractivePodPidsLimitHelp = "Set the Pod Pids Limit field to a value between 4096 and %d"
 ByPassPidsLimitCapability = "capability.organization.bypass_pids_limits"
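Review bot: PodPidsLimitOptionDefaultValue changes from -1 to 0 without any comment saying what the flag default now means, and in the same commit GetInteractiveInput in config.go stops using it and pre-fills MinPodPidsLimit instead, so the flag default and the interactive default now diverge by design and a reader has to guess why. Document the sentinel on the constant, for example `// PodPidsLimitOptionDefaultValue is the flag default; 0 means no limit was requested (the interactive prompt falls back to MinPodPidsLimit).` If any caller presumably compared the flag value against -1 to detect "not set", that comparison needs the same update; none is visible in this diff. The consts.go hunk cuts the const block at both edges.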