CCO-366 Add ability to detect AWS STS and behave accordingly

[bentito]

Adds capability to detect AWS STS enabled clusters and behave a bit like Mint mode when detected.

There is now a small unit test suite. And a single e2e test that uses an STS workflow.

Notes:

• Will need changes to allow for move of the TAT data to AWSProviderSpec;
• Is the e2e really working? Lack of "STS detection" related logging and lack of created Secret in the must-gather make me unsure:

$  yq '.items[].metadata.name' /tmp/artifacts/registry*/namespaces/default/core/secrets.yaml
builder-dockercfg-l6mps
builder-token-6skc2
default-dockercfg-28hgj
default-token-pr62d
deployer-dockercfg-p248v
deployer-token-djlzm

Ah, it seems to be working, see inline comment with log lines showing Secret creation/deletion on CredentialsRequest
addition in the e2e test.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[codecov]

Codecov Report

Merging #542 (a3b71ca) into master (ee67cc6) will decrease coverage by 0.23%.
The diff coverage is 44.72%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #542      +/-   ##
==========================================
- Coverage   48.06%   47.84%   -0.23%     
==========================================
  Files          93       93              
  Lines       11305    11488     +183     
==========================================
+ Hits         5434     5496      +62     
- Misses       5251     5359     +108     
- Partials      620      633      +13     

Impacted Files	Coverage Δ
pkg/assets/bootstrap/bindata.go	23.85% <ø> (ø)
pkg/kubevirt/actuator.go	67.60% <0.00%> (-0.97%)	⬇️
pkg/openstack/actuator.go	0.00% <0.00%> (ø)
...awspodidentity/awspodidentitywebhook_controller.go	32.21% <0.00%> (-0.22%)	⬇️
pkg/operator/cleanup/cleanup_controller.go	52.32% <0.00%> (ø)
...g/operator/credentialsrequest/actuator/actuator.go	39.13% <0.00%> (-3.73%)	⬇️
pkg/operator/loglevel/controller.go	49.15% <0.00%> (ø)
pkg/operator/platform/platform.go	11.11% <0.00%> (-19.66%)	⬇️
pkg/operator/secretannotator/aws/reconciler.go	45.29% <0.00%> (ø)
pkg/operator/secretannotator/azure/reconciler.go	35.52% <0.00%> (ø)
... and 12 more

[bentito]

After this change e2e started working. I am kind of unsure about it though.

[bentito]

Okay, here is logging from a Clusterbot cluster launched with workflow-launch openshift-e2e-aws-manual-oidc-sts https://github.com/openshift/cloud-credential-operator/pull/542 and then having run make test-e2e-sts manually:

time="2023-06-12T13:40:45Z" level=info msg="reconciling clusteroperator status"
time="2023-06-12T13:40:45Z" level=info msg="operator set to disabled / manual mode" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:40:45Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:40:45Z" level=info msg="adding finalizer: cloudcredential.openshift.io/deprovision" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req secret=default/test-sts-secret
time="2023-06-12T13:40:45Z" level=info msg="operator set to disabled / manual mode" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:40:45Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:40:45Z" level=info msg="timed token access cluster detected: true, so not trying to provision with root secret" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req secret=default/test-sts-secret
time="2023-06-12T13:40:45Z" level=info msg="actuator detected STS enabled cluster making secret" actuator=aws cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:40:45Z" level=info msg="creating secret" actuator=aws cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:40:45Z" level=info msg="clusteroperator status updated" controller=status
time="2023-06-12T13:40:45Z" level=info msg="reconciling clusteroperator status"
time="2023-06-12T13:40:45Z" level=info msg="secret created successfully" actuator=aws cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:40:56Z" level=info msg="calculating metrics for all CredentialsRequests" controller=metrics
time="2023-06-12T13:40:56Z" level=info msg="reconcile complete" controller=metrics elapsed=4.220597ms
time="2023-06-12T13:41:56Z" level=info msg="reconciling clusteroperator status"
time="2023-06-12T13:42:56Z" level=info msg="calculating metrics for all CredentialsRequests" controller=metrics
time="2023-06-12T13:42:56Z" level=info msg="reconcile complete" controller=metrics elapsed=4.133929ms
time="2023-06-12T13:44:45Z" level=info msg="reconciling clusteroperator status"
time="2023-06-12T13:44:45Z" level=info msg="operator set to disabled / manual mode" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:44:45Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:44:45Z" level=warning msg="no user name set on credentials being deleted, most likely were never provisioned or using passthrough creds" actuator=aws cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:44:45Z" level=info msg="target secret deleted successfully" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req secret=default/test-sts-secret targetSecret=default/test-sts-secret
time="2023-06-12T13:44:45Z" level=info msg="actuator deletion complete, removing finalizer" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req secret=default/test-sts-secret
time="2023-06-12T13:44:45Z" level=info msg="reconciling clusteroperator status"
time="2023-06-12T13:44:45Z" level=info msg="operator set to disabled / manual mode" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:44:45Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/test-sts-creds-req
time="2023-06-12T13:44:45Z" level=info msg="clusteroperator status updated" controller=status
time="2023-06-12T13:44:56Z" level=info msg="calculating metrics for all CredentialsRequests" controller=metrics
time="2023-06-12T13:44:56Z" level=info msg="reconcile complete" controller=metrics elapsed=3.554297ms
time="2023-06-12T13:46:56Z" level=info msg="calculating metrics for all CredentialsRequests" controller=metrics
time="2023-06-12T13:46:56Z" level=info msg="reconcile complete" controller=metrics elapsed=4.054413ms
time="2023-06-12T13:46:56Z" level=info msg="reconciling clusteroperator status"

So I feel more confident the test is really passing.

[bentito]

This is because of unsureness about Secret really existing here, despite this being a callback from the watch on the Secret.

[stevekuznetsov]

The obj interface{} passed to this func is the object that was just added - perhaps use that? 2min wait should not be needed here

[bentito]

/assign @abutcher

[abutcher]

Couple small things. Wondering if some of the new Info logs should be moved to Debug based on their potential noise level but those can be moved or followed up on.

[stevekuznetsov]

What if this is not set?

[bentito]

You don't get to use the feature gate? As featuregates.NewFeatureGateAccess likely doesn't do much for nil as the desired version.

[jstuever]

A string cannot be nil in golang, it will instead be an empty string. So, in such a case it will be looking for the cluster version to be an empty string. In such a case, I expect a lot of other things will also be broken. The good news is RELEASE_VERSION is defined in the 03-deployment.yaml and should always be non-empty.

[stevekuznetsov]

super-nit: is manual not a constant somewhere?

[bentito]

yikes! investigating I find that mode referred to as both "manual" and "Manual" in yamls, docs and code. Yes, there is a constant, that has it as "manual" (1b384cc#diff-f6d93feef6d59ca8ced14b54fe0058d41f14de44450baf6b723cc1c2ec280c54R25) but it doesn't seem to be used everywhere now....

So I'm a little leery to start using the constant version here until CCO team can review a bit more. I'd say it can wait until another day to get better?

[jstuever]

GitOperatorConfiguration() returns an operatorv1.CloudCredentialsMode which has a constant CloudCredentialsModeManual = "Manual".

[stevekuznetsov]

The obj interface{} passed to this func is the object that was just added - perhaps use that? 2min wait should not be needed here

[bentito]

Couple small things. Wondering if some of the new Info logs should be moved to Debug based on their potential noise level but those can be moved or followed up on.

Changed all 3 instances to Debug in d6bb916

[abutcher]

This return short circuits continuing through the controller to create the secret for the CredentialsRequest.

[abutcher]

Worth adding a test to the credentials request controller tests to ensure we go through the motions.

[bentito]

It's the end of the day and it's been a long one for me, again, I'm not seeing a good way to create a test on the controller with STS enabled. There might be one, I'm just kind of lost at the moment. Maybe we should add a card to Jira for "Streamline Credentials Request Controller Unit Tests and add STS enabled and feature gate flags"?

[abutcher]

The role ARN validation is causing CRD generation to fail which for some reason fails silently when ran via make update. The silently failing part is possibly related to the openshift/api workaround.

'_output/tools/bin/controller-gen-v0.2.5' schemapatch:manifests="./manifests" paths="./pkg/apis/cloudcredential/v1" 'output:dir="./manifests"'
/home/abutcher/go/src/github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1/types_aws.go:36:2: invalid char escape (at <input>:1:1)
/home/abutcher/go/src/github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1/types_aws.go:36:2: invalid char escape (at <input>:1:1)
/home/abutcher/go/src/github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1/types_aws.go:36:2: unable to parse string: invalid syntax (at <input>:1:1)
/home/abutcher/go/src/github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1/types_aws.go:36:2: invalid char escape (at <input>:1:1)
/home/abutcher/go/src/github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1/types_aws.go:36:2: invalid char escape (at <input>:1:1)
/home/abutcher/go/src/github.com/openshift/cloud-credential-operator/pkg/apis/cloudcredential/v1/types_aws.go:36:2: unable to parse string: invalid syntax (at <input>:1:1)
Error: not all generators ran successfully

[bentito]

In reply to #542 (comment)
There is another constants file floating around this codebase and it's confusing:

pkg/operator/constants/constants.go has it as "manual"

[bentito]

/test e2e-aws-manual-oidc

[jstuever]

Responding to #542 (comment)

I agree, the constants file is confusing. I had to dig in to understand how it is used. It looks like they are used solely for keys (string) in a mapping in the metrics operator. The mapping appears to be more of a status use case than a desired configuration. There also appear to be additional status options compared to CloudCredentialsMode type definition. Why the statuses were selected to be lowercase, I do not know.

[openshift-ci]

@bentito: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[stevekuznetsov]

/lgtm

@abutcher gave his blessing last week, the new e2e are passing, @bentito let's do this!

[2uasimojo]

/approve

proxy for @abutcher

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, bentito, stevekuznetsov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [2uasimojo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stevekuznetsov]

/cherry-pick release-4.13

[openshift-cherrypick-robot]

@stevekuznetsov: #542 failed to apply on top of branch "release-4.13":

Applying: Add & logic - new token CredReq.spec.cred* fields
Applying: Add a timed access token detection capability
Applying: Add test suite and util funcs for detect STS
Applying: Add test - detect STS & new token fields present
Applying: Add e2e AWS STS Secret creation test
Using index info to reconstruct a base tree...
M	Makefile
A	test/e2e/aws/sts/actutator_e2e_test.go
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): test/e2e/aws/sts/actutator_e2e_test.go deleted in HEAD and modified in Add e2e AWS STS Secret creation test. Version Add e2e AWS STS Secret creation test of test/e2e/aws/sts/actutator_e2e_test.go left in tree.
Auto-merging Makefile
CONFLICT (content): Merge conflict in Makefile
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0005 Add e2e AWS STS Secret creation test
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Details

In response to this:

/cherry-pick release-4.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.