credentials validation

[joelddiaz]

do a pre-flight check of permissions using cloud-credentials-operator validation to do a check on the creds being used for installation

the initial list of permissions that gathers the AWS actions needed to perform an installation are taken verbatim from the IAM group permissions the hive team has been using to perform installation/uninstallation with (there absolutely could be some excess actions that used to be needed, but may no longer be needed)

note that the permissions checks are done with the assumption of IAM policies consisting of 'Resource: "*"'. so a list of ["ec2:CreateRoute", "ec2:CreateSubnet"] is evaluated as whether we can peform

{
    "Statement": [
        {
            "Action": [
                "ec2:CreateRoute",
                "ec2:CreateSubnet"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

[joelddiaz]

@abhinavdahiya @wking this is the direction i'm heading with this credential validation work. what do you think?
also, that static list of aws actions is probably worth a review with someone familiar with the installer's needs

[wking]

The approach looks good to me. I've left a few minor nits inline.

[wking]

Ugh :p. I think annotating our calls with something like 2658145 would be a more sustainable approach towards maintaining this slice. But hard-coding is fine in the short-term.

[wking]

nit: we generally use errors.Errorf instead of fmt.Errorf.

[wking]

nit: this doesn't need string formatting, so it should use errors.New.

[wking]

nit: client is probably sufficiently unique for validateAWSCreds.

[joelddiaz]

@wking broke out the vendor into its own commit, and addressed the feedback

[staebler]

This will swallow any error from the call to awsconfig.GetSession.

[staebler]

The AWS part of installPermissionsAWS is redundant with the package.

[staebler]

The AWS part of ValidateAWSCreds is redundant with the package.

[staebler]

I think you should pass in the session as a parameter to ValidateAWSCreds. This will (1) fit in better with the long-term plans of getting the session from an asset in the store and (2) consolidate the 2 calls to GetSession in PlatformCredsChecker.Generate into a single call.

[joelddiaz]

@staebler thanks for the review. i've fixed the swallowing of the err and made the other changes as requested

[wking]

This should be errors.Errorf, and once you make that change you can drop the fmt import.

[wking]

Actually, no, you're adding context to an existing error. It should be:

return errors.Wrap(err, "initialize cloud-credentials client")

The "to check credentials" bit should be addressed at the call-site in platformcredscheck.go, with something like:

ssn, err := awsconfig.GetSession()
if err != nil {
  return err
}
err = awsconfig.ValidateCreds(ssn)
if err != nil {
  return errors.Wrap(err, "validate AWS credentials")
}

[wking]

Sorry for my poor earlier advice. When you have an error, you should use errors.Wrap (or Wrapf), not Errorf). See here. This applies to some of your other error-handling blocks as well.

[staebler]

This sets the err variable local to this case and not the err variable that is returned from the Generate function. In other words, errors from awsconfig.ValidateCreds will be ignored.

Personally, I would much rather see each of these cases check err and return when there is an error within the case block rather than fill out a shared err variable that is returned at the end of the function.

[joelddiaz]

@wking now using the errors.Wrap() where appropriate (tricky behavior when err is actually nil!!)

@staebler fixed the silly error assignment issue with the most recent push

[staebler]

Wrap this error, too.

[staebler]

Wrap this error, too, while we're here.

[joelddiaz]

/retest

[openshift-ci-robot]

@joelddiaz: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-libvirt	170d41db9c2de36da1dd6a96b6b4680c935df1fd	link	/test e2e-libvirt
ci/prow/e2e-openstack	170d41db9c2de36da1dd6a96b6b4680c935df1fd	link	/test e2e-openstack
ci/prow/launch-aws	170d41db9c2de36da1dd6a96b6b4680c935df1fd	link	/test launch-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[joelddiaz]

/test e2e-aws

[joelddiaz]

@wking @staebler what's the next step for this PR (besides un-WIP)?

[staebler]

@wking @staebler what's the next step for this PR (besides un-WIP)?

The works looks good to me. Does this need a feature exception?

[joelddiaz]

/hold

[joelddiaz]

@staebler @wking we've got the exception request +1d now

[staebler]

/hold cancel
/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joelddiaz, staebler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [staebler]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment