📖 ROSA HCP IAM Roles proposal #5451
Conversation
k8s-ci-robot
added
release-note-none
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
size/L
|
/cc @PanSpagetka |
|
@serngawy: GitHub didn't allow me to assign the following users: PanSpagetka. Note that only kubernetes-sigs members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
serngawy
force-pushed
the
rosa-iam
branch
3 times, most recently
from
ffa2a6d to
52c3652
Compare
| - [Resources](#resources) | ||
|
|
||
| ## Summary | ||
| The ROSA HCP in CAPA (Cluster API Provider AWS) project currently lacks built-in support for managing IAM account roles, IAM operator roles, and OIDC configuration as Custom Resource Definitions (CRDs). This proposal suggests integrating the [ROSA library](https://github.com/openshift/rosa) to extend ROSA-HCP's functionality, enabling declarative IAM and OIDC management. |
There was a problem hiding this comment.
Would it be worth adding a way to declare IAM account roles within CAPA's shared API? Or does it not make sense in self-managed clusters?
EDIT: looks like this is addressed later under the alternatives section. Restating it here - this proposal's primarily aimed about integrating existing code from ROSA's library into a controller. This proposal isn't concerned with any other type of AWS cluster.
There was a problem hiding this comment.
yes, its only about ROSA-HCP clusters. The ROSA lib add by default some tags that are required by OCM (hypershift) to identify/own the roles.
| - Reduce operational overhead for users deploying OpenShift ROSA HCP clusters on AWS via CAPA. | ||
|
|
||
| ### Non-Goals | ||
| - Replacing existing IAM management workflows outside of CAPA. |
There was a problem hiding this comment.
Did you mean to write outside of ROSA here?
There was a problem hiding this comment.
ya , I will fix that.
|
|
||
| ### Implementation Details | ||
| 1. **Define CRDs for ROSA-HCP IAM roles and OIDC resources** | ||
| ROSARoleConfig is a cluster scope CRD defines the required IAM account roles, operator roles and OIDC configurations to create ROSA HCP cluster. Creating the Roles and oidc config should be in order as follow; |
There was a problem hiding this comment.
| ROSARoleConfig is a cluster scope CRD defines the required IAM account roles, operator roles and OIDC configurations to create ROSA HCP cluster. Creating the Roles and oidc config should be in order as follow; | |
| ROSARoleConfig is a cluster scope CRD defines the required IAM account roles, operator roles and OIDC configurations to create ROSA HCP cluster. Creating the Roles and OIDC config should be in order as follows; |
| 1. **Define CRDs for ROSA-HCP IAM roles and OIDC resources** | ||
| ROSARoleConfig is a cluster scope CRD defines the required IAM account roles, operator roles and OIDC configurations to create ROSA HCP cluster. Creating the Roles and oidc config should be in order as follow; | ||
| 1. Create ROSA HCP account roles. | ||
| 1. Create ROSA HCP oidc config & oidc provider. |
There was a problem hiding this comment.
| 1. Create ROSA HCP oidc config & oidc provider. | |
| 1. Create ROSA HCP OIDC config & OIDC provider. |
| spec: | ||
| accountRoleConfig: | ||
| # User-defined prefix for all generated AWS resources (default "ManagedOpenShift") | ||
| # required |
There was a problem hiding this comment.
If this is a required field, would the default prefix ever be used?
There was a problem hiding this comment.
yes you are right I will remove the default value from the description. The default is used with rosa command CLI
| - Ensure proper IAM permissions and security best practices. | ||
| 3. **Validate and test integration** | ||
| - Develop unit tests for ROSA HCP IAM and OIDC CRD reconciliation. |
There was a problem hiding this comment.
We need to re-open discussions about getting some community-owned, ROSA-backed clusters for CI. Right now, I think most of this testing would happen outside of this repo.
There was a problem hiding this comment.
I agree, we need to have CI test AND yes, there are some test done out of the CAPA repo.
Signed-off-by: serngawy <[email protected]>
|
@serngawy: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Checklist:
Release note: