✨ Rosa Config implementaiton

[PanSpagetka]

Based on proposal #5451
Adding RosaRoleConfig API with implementation. that should create Account/Operator roles and OIDC config/provider necessary to create ROSA cluster.

We need to move RosaMachinePoolAutoScaling definition to controlplane, because otherwise there would be circular dependency.

What type of PR is this?
/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

• [] squashed commits
• includes documentation
• includes emoji in title
• adds unit tests
• adds or updates e2e tests

Release note:

Add Rosa Role Config API and implementation

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign neolit123 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @PanSpagetka. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[serngawy]

why are we adding this ? what is the rosa file

[serngawy]

no need for this line

[serngawy]

can you just add the RosaRoleConfig item without changing the order of other items

[serngawy]

why do we need this file ?

[serngawy]

I believe you need to uncomment this line

[serngawy]

I believe you should check/set the RosaRoleConfig condition first , then get the oidc using OCM client if it is not exist then create it.
Same applied for account-roles and operator-roles

[serngawy]

Do we need to delete the operator roles before the oidc-provider ?

[PanSpagetka]

Nope, a changed it so it matches reverse creation order.

[serngawy]

I guess the order here is not correct, deleting the operatrRoles first then oidc-provider then odic-config ?

[serngawy]

please move this to another file , better to be under pkg/.../rosa

[PanSpagetka]

@nrb Thank you for review! I created new temporary commit with changes, so its easier to review. I will squash it when we agree that code is good enough.

[serngawy]

@PanSpagetka Not sure if I understand your comment , The case we were discussing is We have the 8 Roles ARN are created for first time so all of them exist, then one or more roles get deleted by aws admin using aws console for example (not using our CR) . when reconcile happen some of those 8 roles will not retrieved by awsClient. So we will re-create the missing roles and set the ARN. Why we you need to set it empty ? there is no chance we will have this case.

[serngawy]

@PanSpagetka the logic here not make sense , if there is an error we don't re-create the oidc config we return the error.

[PanSpagetka]

Its because scope.IAMClient().GetRole returns error when role is not found. And if the role is not found, we cant derive the OIDC id from it.

[serngawy]

same here.

[PanSpagetka]

Similarly GetOIDCIDFromOperatorRole returns error when we cant get OIDC id from the role. So we create new one

[PanSpagetka]

/retest-required

[PanSpagetka]

/retest-required

[PanSpagetka]

@nrb @serngawy could you take another look? I think we should be good now

[serngawy]

/hold

[serngawy]

/close
for the favor of this one #5667

[k8s-ci-robot]

@serngawy: Closed this PR.

In response to this:

/close
for the favor of this one #5667

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.