OCPBUGS-26544: Replace GCP role with explicit permissions

[Miciah]

This is a manual cherry-pick of #844, which merged as a feature and therefore cannot be automatically cherry-picked.

--

Instead of using a predefined role in the cloud credentials request for GCP, enumerate permissions explicitly.

The Google Cloud DNS API permissions are documented here: https://cloud.google.com/dns/docs/access-control

Each method in the Cloud DNS API has a corresponding permission. The operator's DNS provider implementation for GCP only calls two methods:

• dns.changes.create
• dns.resourcerecordsets.list

These methods require the following permissions:

• dns.changes.create
• dns.resourceRecordSets.create
• dns.resourceRecordSets.update
• dns.resourceRecordSets.delete
• dns.resourceRecordSets.list

This PR replaces the dns.admin role with these permissions in the credentials request.

• manifests/00-ingress-credentials-request.yaml: Replace the roles/dns.admin predefined role with an explicit list of permissions.

[openshift-ci-robot]

@Miciah: This pull request references Jira Issue OCPBUGS-26544, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.15.0) matches configured target version for branch (4.15.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• dependent bug Jira Issue OCPBUGS-26543 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
• dependent Jira Issue OCPBUGS-26543 targets the "4.16.0" version, which is one of the valid target versions: 4.16.0
• bug has dependents

Requesting review from QA contact:
/cc @lihongan

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This is a manual cherry-pick of #844, which merged as a feature and therefore cannot be automatically cherry-picked.

--

Instead of using a predefined role in the cloud credentials request for GCP, enumerate permissions explicitly.

The Google Cloud DNS API permissions are documented here: https://cloud.google.com/dns/docs/access-control

Each method in the Cloud DNS API has a corresponding permission. The operator's DNS provider implementation for GCP only calls two methods:

• dns.changes.create
• dns.resourcerecordsets.list

These methods require the following permissions:

• dns.changes.create
• dns.resourceRecordSets.create
• dns.resourceRecordSets.update
• dns.resourceRecordSets.delete
• dns.resourceRecordSets.list

This PR replaces the dns.admin role with these permissions in the credentials request.

• manifests/00-ingress-credentials-request.yaml: Replace the roles/dns.admin predefined role with an explicit list of permissions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[candita]

/assign

[candita]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: candita

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [candita]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@Miciah: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[candita]

/label backport-risk-assessed

[lihongan]

verified with pre-merge testing

$ oc -n openshift-cloud-credential-operator get credentialsrequests openshift-ingress-gcp -oyaml | yq .spec
providerSpec:
  apiVersion: cloudcredential.openshift.io/v1
  kind: GCPProviderSpec
  permissions:
    - dns.changes.create
    - dns.resourceRecordSets.create
    - dns.resourceRecordSets.update
    - dns.resourceRecordSets.delete
    - dns.resourceRecordSets.list
secretRef:
  name: cloud-credentials
  namespace: openshift-ingress-operator
serviceAccountNames:
  - ingress-operator

[lihongan]

/label qe-approved
/label cherry-pick-approved

[openshift-ci-robot]

@Miciah: This pull request references Jira Issue OCPBUGS-26544, which is valid.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.15.0) matches configured target version for branch (4.15.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• dependent bug Jira Issue OCPBUGS-26543 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
• dependent Jira Issue OCPBUGS-26543 targets the "4.16.0" version, which is one of the valid target versions: 4.16.0
• bug has dependents

Requesting review from QA contact:
/cc @lihongan

Details

In response to this:

This is a manual cherry-pick of #844, which merged as a feature and therefore cannot be automatically cherry-picked.

--

Instead of using a predefined role in the cloud credentials request for GCP, enumerate permissions explicitly.

The Google Cloud DNS API permissions are documented here: https://cloud.google.com/dns/docs/access-control

Each method in the Cloud DNS API has a corresponding permission. The operator's DNS provider implementation for GCP only calls two methods:

• dns.changes.create
• dns.resourcerecordsets.list

These methods require the following permissions:

• dns.changes.create
• dns.resourceRecordSets.create
• dns.resourceRecordSets.update
• dns.resourceRecordSets.delete
• dns.resourceRecordSets.list

This PR replaces the dns.admin role with these permissions in the credentials request.

• manifests/00-ingress-credentials-request.yaml: Replace the roles/dns.admin predefined role with an explicit list of permissions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@Miciah: Jira Issue OCPBUGS-26544: All pull requests linked via external trackers have merged:

• openshift/cluster-ingress-operator#1015

Jira Issue OCPBUGS-26544 has been moved to the MODIFIED state.

Details

In response to this:

This is a manual cherry-pick of #844, which merged as a feature and therefore cannot be automatically cherry-picked.

--

Instead of using a predefined role in the cloud credentials request for GCP, enumerate permissions explicitly.

The Google Cloud DNS API permissions are documented here: https://cloud.google.com/dns/docs/access-control

Each method in the Cloud DNS API has a corresponding permission. The operator's DNS provider implementation for GCP only calls two methods:

• dns.changes.create
• dns.resourcerecordsets.list

These methods require the following permissions:

• dns.changes.create
• dns.resourceRecordSets.create
• dns.resourceRecordSets.update
• dns.resourceRecordSets.delete
• dns.resourceRecordSets.list

This PR replaces the dns.admin role with these permissions in the credentials request.

• manifests/00-ingress-credentials-request.yaml: Replace the roles/dns.admin predefined role with an explicit list of permissions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cluster-ingress-operator-container-v4.15.0-202401100831.p0.g611011b.assembly.stream for distgit ose-cluster-ingress-operator.
All builds following this will include this PR.

[openshift-merge-robot]

Fix included in accepted release 4.15.0-0.nightly-2024-01-13-050900