Bug 2035315: fix passthrough test cases

[joelddiaz]

AWS passthrough test cases were not asserting that the
CredentialsRequest .spec.secretRef contents matched the root
secret creds.

Fixing this revealed several places in the passthrough path where we
could be doing a better job of bubbling up appropriate errors when the
root credentials are simply not good enough to be passed through to
satisfy the CredentialsRequest.

Lastly, check for and return a potential error that was being ignored.

Add test cases to cover root credentials rotation, and test cases for
when insufficient root creds are found.

[joelddiaz]

/assign @akhil-rane

[codecov]

Codecov Report

Merging #438 (994d336) into master (9906c6a) will increase coverage by 0.18%.
The diff coverage is 39.65%.

@@            Coverage Diff             @@
##           master     #438      +/-   ##
==========================================
+ Coverage   46.17%   46.36%   +0.18%     
==========================================
  Files          91       92       +1     
  Lines        9236     9204      -32     
==========================================
+ Hits         4265     4267       +2     
+ Misses       4455     4417      -38     
- Partials      516      520       +4     

Impacted Files	Coverage Δ
pkg/aws/actuator/actuator.go	62.60% <39.65%> (-2.01%)	⬇️
pkg/cmd/provisioning/ibmcloud/create_service_id.go	44.30% <0.00%> (-7.66%)	⬇️
pkg/aws/mock/client_generated.go	56.59% <0.00%> (ø)
pkg/gcp/mock/client_generated.go	82.15% <0.00%> (ø)
pkg/ibmcloud/mock/client_generated.go	82.35% <0.00%> (ø)
pkg/cmd/provisioning/ibmcloud/refresh-keys.go	38.20% <0.00%> (ø)
pkg/cmd/provisioning/ibmcloud/delete_service_id.go	34.14% <0.00%> (ø)
...rator/secretannotator/azure/mock/adal_generated.go	0.00% <0.00%> (ø)
pkg/cmd/provisioning/utils.go	78.49% <0.00%> (+2.93%)	⬆️
... and 1 more

[openshift-ci]

@joelddiaz: This pull request references Bugzilla bug 2035315, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.10.0) matches configured target release for branch (4.10.0)
• bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @lwan-wanglin

Details

In response to this:

Bug 2035315: fix passthrough test cases

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[akhil-rane]

why do we again need to confirm the mode here if we are already syncing for passthrough?

[joelddiaz]

So there's a difference between the Secret being annotated with "passthrough" and the CloudCredential Operator config saying that the mode is explicitly "Passthrough".
When the operator is explicitly configured with a non-default mode (eg not the empty string ""), then it is a way to tell CCO not to perform permissions validations. We came up with this behavior to address the case where a cluster is installed in an account where SCP policies would keep us from reliably being able to SimulatePolicy(). https://github.com/openshift/enhancements/blob/ce4d303db807622687159eb9d3248285a003fabb/enhancements/installer/aws-permissions-check-bypass.md
So in the mode = "" case (the default), CCO will see if the creds can do Mint, and use that if possible. If that fails, it will check for Passthrough, and use that if possible. But in either case where CCO dynamically determined Mint or Passthrough (ie CCO wasn't explicitly told), CCO will do the SimulatePolicy() calls to check whether the creds really are good enough.

[akhil-rane]

ok that makes sense

[akhil-rane]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: akhil-rane, joelddiaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [akhil-rane,joelddiaz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci]

@joelddiaz: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci]

@joelddiaz: All pull requests linked via external trackers have merged:

• openshift/cloud-credential-operator#438

Bugzilla bug 2035315 has been moved to the MODIFIED state.

Details

In response to this:

Bug 2035315: fix passthrough test cases

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.