Draft: aws efs cross account workflow

Author: Phaow

ci-operator/config/openshift/csi-operator/openshift-csi-operator-main.yaml

@@ -224,13 +224,14 @@ tests:
     workflow: openshift-e2e-aws-csi-extended
 - as: aws-efs-operator-e2e
   steps:
-    cluster_profile: aws-2
+    cluster_profile: aws-qe
     dependencies:
       OO_INDEX: ci-index-aws-efs-csi-driver-operator-bundle
     env:
       OO_CHANNEL: stable
       TEST_SUITE: openshift/csi
-    workflow: openshift-e2e-aws-csi-efs
+    workflow: openshift-e2e-aws-csi-efs-cross-account
+  timeout: 8h0m0s
 - as: aws-efs-operator-e2e-extended
   optional: true
   run_if_changed: ^(Dockerfile\.aws-efs|assets\/overlays\/aws-efs\/.*|pkg\/driver\/aws-efs\/.*|pkg\/operator\/.*)

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml

@@ -208,16 +208,17 @@ tests:
     test:
     - chain: openshift-e2e-test-qe-destructive
     workflow: cucushift-installer-rehearse-aws-ipi-disconnected-private-cco-manual-security-token-service-private-s3-with-ep-sts-ec2-elb
-- as: aws-ipi-efa-pg-mini-perm-f7
+- as: aws-ipi-efs-cross-account-f7
   cron: 36 16 2,9,16,23 * *
   steps:
     cluster_profile: aws-1-qe
+    dependency_overrides:
+      OO_INDEX: quay.io/openshift-qe-optional-operators/aosqe-index:v4.19
     env:
-      AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
       BASE_DOMAIN: qe.devcluster.openshift.com
     test:
     - chain: openshift-e2e-test-qe
-    workflow: cucushift-installer-rehearse-aws-ipi-efa-pg
+    workflow: openshift-e2e-aws-csi-efs-cross-account
 - as: aws-ipi-efa-pg-mini-perm-f28-destructive
   cron: 28 13 27 * *
   steps:

ci-operator/jobs/openshift/csi-operator/openshift-csi-operator-main-presubmits.yaml

@@ -8,9 +8,11 @@ presubmits:
     cluster: build03
     context: ci/prow/aws-efs-operator-e2e
     decorate: true
+    decoration_config:
+      timeout: 8h0m0s
     labels:
       ci-operator.openshift.io/cloud: aws
-      ci-operator.openshift.io/cloud-cluster-profile: aws-2
+      ci-operator.openshift.io/cloud-cluster-profile: aws-qe
       ci.openshift.io/generator: prowgen
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
     name: pull-ci-openshift-csi-operator-main-aws-efs-operator-e2e

ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml

@@ -17741,7 +17741,7 @@ periodics:
     ci.openshift.io/generator: prowgen
     job-release: "4.19"
     pj-rehearse.openshift.io/can-be-rehearsed: "true"
-  name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-aws-ipi-efa-pg-mini-perm-f7
+  name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-aws-ipi-efs-cross-account-f7
   spec:
     containers:
     - args:
@@ -17751,7 +17751,7 @@ periodics:
       - --oauth-token-path=/usr/local/github-credentials/oauth
       - --report-credentials-file=/etc/report/credentials
       - --secret-dir=/secrets/ci-pull-credentials
-      - --target=aws-ipi-efa-pg-mini-perm-f7
+      - --target=aws-ipi-efs-cross-account-f7
       - --variant=amd64-nightly
       command:
       - ci-operator

ci-operator/step-registry/openshift/e2e/aws/csi/efs/cross-account/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/openshift/e2e/aws/csi/efs/cross-account/openshift-e2e-aws-csi-efs-cross-account-workflow.metadata.json

@@ -0,0 +1,11 @@
+{
+	"path": "openshift/e2e/aws/csi/efs/cross-account/openshift-e2e-aws-csi-efs-cross-account-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"storage-approvers"
+		],
+		"reviewers": [
+			"storage-reviewers"
+		]
+	}
+}

ci-operator/step-registry/openshift/e2e/aws/csi/efs/cross-account/openshift-e2e-aws-csi-efs-cross-account-workflow.yaml

@@ -0,0 +1,32 @@
+workflow:
+  as: openshift-e2e-aws-csi-efs-cross-account
+  steps:
+    pre:
+    - chain: ipi-aws-pre
+    - ref: aws-provision-vpc-shared
+    - ref: storage-create-csi-shared-aws-efs
+    - ref: optional-operators-subscribe
+    - ref: storage-conf-wait-for-csi-driver
+    - ref: storage-conf-storageclass-set-default-storageclass
+    test:
+    - ref: openshift-e2e-test
+    post:
+    - chain: ipi-aws-post
+    - ref: storage-destroy-csi-aws-efs
+    - ref: aws-deprovision-stacks
+    env:
+     ENABLE_SHARED_VPC: yes
+     TEST_SUITE: openshift/csi
+     TEST_CSI_DRIVER_MANIFEST: manifest-aws-efs.yaml
+     TEST_OCP_CSI_DRIVER_MANIFEST: ocp-manifest-aws-efs.yaml
+     VPC_CIDR: 172.20.0.0/16
+     REQUIRED_DEFAULT_STORAGECLASS: efs-sc
+     CLUSTERCSIDRIVER: efs.csi.aws.com
+     OO_PACKAGE: aws-efs-csi-driver-operator
+     OO_CHANNEL: stable
+     OO_INSTALL_NAMESPACE: openshift-cluster-csi-drivers
+     OO_TARGET_NAMESPACES: '!all'
+     TRUECONDITIONS: AWSEFSDriverControllerServiceControllerAvailable AWSEFSDriverNodeServiceControllerAvailable
+
+  documentation: |-
+    The Openshift E2E AWS `csi` workflow executes the `openshift/csi` end-to-end test suite on AWS EFS CSI driver that was installed during cluster setup.

ci-operator/step-registry/storage/create/csi-shared-aws-efs/OWNERS

@@ -0,0 +1 @@
+../../OWNERS

ci-operator/step-registry/storage/create/csi-shared-aws-efs/storage-create-csi-shared-aws-efs-commands.sh

@@ -0,0 +1,208 @@
+#!/bin/bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+set -x
+
+# For disconnected or otherwise unreachable environments, we want to
+# have steps use an HTTP(S) proxy to reach the API server. This proxy
+# configuration file should export HTTP_PROXY, HTTPS_PROXY, and NO_PROXY
+# environment variables, as well as their lowercase equivalents (note
+# that libcurl doesn't recognize the uppercase variables).
+if test -f "${SHARED_DIR}/proxy-conf.sh"
+then
+	# shellcheck disable=SC1091
+	source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
+# logger function prints standard logs
+logger() {
+    local level="$1"
+    local message="$2"
+    local timestamp
+
+    # Generate a timestamp for the log entry
+    timestamp=$(date +"%Y-%m-%d %H:%M:%S")
+
+    # Print the log message with the level and timestamp
+    echo "[$timestamp] [$level] $message"
+}
+
+switch_aws_credentials() {
+  local mode="$1"
+  if [[ "$mode" == "shared" ]]; then
+    export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred_shared_account"
+    logger "INFO" "Using shared AWS account(B)."
+  else
+    export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred"
+    logger "INFO" "Using default AWS account(A)."
+  fi
+}
+
+REGION=${REGION:-$LEASED_RESOURCE}
+switch_aws_credentials default
+AWS_ACCOUNT_A_ARN=$(aws sts get-caller-identity | jq -r '.Arn')
+AWS_ACCOUNT_A_ID=$(echo "$AWS_ACCOUNT_A_ARN" | awk -F ":" '{print $5}') || return 1
+export AWS_ACCOUNT_A_ID
+AWS_ACCOUNT_A_VPC_ID=$(oc get infrastructure cluster -o jsonpath='{.status.platformStatus.aws.vpc.id}')
+AWS_ACCOUNT_A_VPC_CIDR=$(aws ec2 describe-vpcs \
+  --vpc-ids "$AWS_ACCOUNT_A_VPC_ID" \
+  --output json | jq -r '.Vpcs[0].CidrBlock')
+switch_aws_credentials shared
+AWS_ACCOUNT_B_ARN=$(aws sts get-caller-identity | jq -r '.Arn')
+AWS_ACCOUNT_B_ID=$(echo "$AWS_ACCOUNT_B_ARN" | awk -F ":" '{print $5}') || return 1
+export AWS_ACCOUNT_B_ID
+CLUSTER_NAME="$(jq -r .clusterName "${SHARED_DIR}/metadata.json")"
+
+
+# Get the VPC ID from the shared account
+AWS_ACCOUNT_B_VPC_ID=$(cat "${SHARED_DIR}/vpc_id")
+
+# Creating a region-wide EFS filesystem in Account B
+ACROSS_ACCOUNT_FS_ID=$(aws efs create-file-system --creation-token ci-cross-account-token \
+   --region "${AWS_REGION}" \
+   --encrypted | jq -r '.FileSystemId')
+logger "INFO" "Created efs volume FileSystemId:$ACROSS_ACCOUNT_FS_ID"
+
+# Configure a region-wide Mount Target for EFS (this will create a mount point in each subnet of your VPC by default)
+aws efs create-mount-target --file-system-id "$ACROSS_ACCOUNT_FS_ID" \
+   --subnet-id "${AWS_ACCOUNT_B_VPC_ID}" \
+   --security-groups "${SECURITY_GROUP_ID}" \
+   --region "${AWS_REGION}" \
+   --tag-specifications "ResourceType=mount-target,Tags=[{Key=Name,Value=ci-cross-account-mount-target}]" \
+   --client-token ci-cross-account-token
+AWS_ACCOUNT_B_PRIVATE_SUBNET_IDS=$(tr -d "[],'" < "${SHARED_DIR}/private_subnet_ids")
+for SUBNET in $AWS_ACCOUNT_B_PRIVATE_SUBNET_IDS; do \
+    MOUNT_TARGET=$(aws efs create-mount-target --file-system-id "$ACROSS_ACCOUNT_FS_ID" \
+       --subnet-id "$SUBNET" \
+       --region "$AWS_REGION" \
+       | jq -r '.MountTargetId'); \
+    logger "INFO" "Created $MOUNT_TARGET for $SUBNET"; \
+ done
+
+# Prepare the security groups on Account B to allow NFS traffic to EFS
+AWS_ACCOUNT_B_VPC_CIDR=$(aws ec2 describe-vpcs \
+  --vpc-ids "$AWS_ACCOUNT_B_VPC_ID" \
+  --output json | jq -r '.Vpcs[0].CidrBlock')
+SECURITY_GROUP_ID=$(aws ec2 describe-security-groups --filters Name=vpc-id,Values="$AWS_ACCOUNT_B_VPC_ID" | jq -r '.SecurityGroups[].GroupId')
+aws ec2 authorize-security-group-ingress \
+ --group-id "$SECURITY_GROUP_ID" \
+ --protocol tcp \
+ --port 2049 \
+ --cidr "$AWS_ACCOUNT_A_VPC_CIDR" | jq .
+
+# Create VPC peering between the Red Hat OpenShift cluster VPC in AWS account A and the AWS EFS VPC in AWS account B
+PEER_REQUEST_ID=$(aws ec2 create-vpc-peering-connection \
+  --vpc-id "${ACCOUNT_B_VPC_ID}" \
+  --peer-vpc-id "${ACCOUNT_A_VPC_ID}" \
+  --peer-owner-id "${AWS_ACCOUNT_A_ID}" \
+  --output json | jq -r '.VpcPeeringConnection.VpcPeeringConnectionId')
+
+switch_aws_credentials default
+aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id "${PEER_REQUEST_ID}"
+SUBNETS=$(aws ec2 describe-subnets \
+  --filters Name=vpc-id,Values="${AWS_ACCOUNT_A_VPC_ID}" \
+  | jq -r '.Subnets[].SubnetId')
+
+for subnet in $SUBNETS; do
+  # Get route table associated with this subnet (specific or main)
+  RTB=$(aws ec2 describe-route-tables \
+    --filters Name=association.subnet-id,Values="$subnet" \
+    | jq -r '.RouteTables[0].RouteTableId')
+
+  if [ "$RTB" == "null" ]; then
+    # No subnet-specific route table, fall back to main route table
+    RTB=$(aws ec2 describe-route-tables \
+      --filters Name=vpc-id,Values="${AWS_ACCOUNT_A_VPC_ID}" Name=association.main,Values=true \
+      | jq -r '.RouteTables[0].RouteTableId')
+  fi
+
+  # Check if the route table has a route to an Internet Gateway
+  HAS_IGW=$(aws ec2 describe-route-tables --route-table-ids "$RTB" \
+    | jq -e '.RouteTables[0].Routes[] | select(.GatewayId | startswith("igw-"))' > /dev/null && echo "yes" || echo "no")
+
+  # If no IGW, it's private
+  if [ "$HAS_IGW" == "no" ]; then
+    ROUTE_TABLE_ID=$(aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=${SUBNET}" --query 'RouteTables[*].RouteTableId' | jq -r '.[0]')
+    aws ec2 create-route --route-table-id "${ROUTE_TABLE_ID}" --destination-cidr-block "${AWS_ACCOUNT_B_VPC_CIDR}" --vpc-peering-connection-id "${PEER_REQUEST_ID}"
+    logger "INFO" "Created route for $SUBNET to peering-connection in account A"
+  fi
+done
+
+switch_aws_credentials shared
+for SUBNET in $AWS_ACCOUNT_B_PRIVATE_SUBNET_IDS; do 
+  ROUTE_TABLE_ID=$(aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=${SUBNET}" --query 'RouteTables[*].RouteTableId' | jq -r '.[0]')
+  aws ec2 create-route --route-table-id "${ROUTE_TABLE_ID}" --destination-cidr-block "${AWS_ACCOUNT_A_VPC_CIDR}" --vpc-peering-connection-id "${PEER_REQUEST_ID}"
+  logger "INFO" "Created route for $SUBNET to peering-connection in account B"
+done
+
+sleep 6h
+
+cat << EOF > "${SHARED_DIR}"/EfsPolicyInAccountB.json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:DescribeSubnets"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": [
+                "elasticfilesystem:DescribeMountTargets",
+                "elasticfilesystem:DeleteAccessPoint",
+                "elasticfilesystem:ClientMount",
+                "elasticfilesystem:DescribeAccessPoints",
+                "elasticfilesystem:ClientWrite",
+                "elasticfilesystem:ClientRootAccess",
+                "elasticfilesystem:DescribeFileSystems",
+                "elasticfilesystem:CreateAccessPoint"
+            ],
+            "Resource": [
+                "arn:aws:elasticfilesystem:*:${AWS_ACCOUNT_B_ID}:access-point/*",
+                "arn:aws:elasticfilesystem:*:${AWS_ACCOUNT_B_ID}:file-system/*"
+            ]
+        }
+    ]
+}
+EOF
+
+cat <<EOF > "${SHARED_DIR}"/TrustPolicyInAccountB.json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::${AWS_ACCOUNT_A_ID}:root"
+            },
+            "Action": "sts:AssumeRole",
+            "Condition": {}
+        }
+    ]
+}
+EOF
+
+ACCOUNT_B_POLICY=$(aws iam create-policy --policy-name "${CLUSTER_NAME}-efs-csi" \
+   --policy-document file://"${SHARED_DIR}"/efs-policy.json \
+   --query 'Policy.Arn' --output text) || \
+logger "INFO" "Created efs policy $ACCOUNT_B_POLICY in account B"
+
+# Create Role for the EFS CSI Driver Operator
+ACCOUNT_B_ROLE_ARN=$(aws iam create-role \
+  --role-name "${CLUSTER_NAME}-aws-efs-csi-operator" \
+  --assume-role-policy-document file://"${SHARED_DIR}"/TrustPolicy.json \
+  --query "Role.Arn" --output text)
+logger "INFO" "Created efs csi driver role $ACCOUNT_B_ROLE_ARN in account B"
+
+aws iam attach-role-policy \
+   --role-name "${CLUSTER_NAME}-aws-efs-csi-operator" \
+   --policy-arn "${ACCOUNT_B_POLICY}"
+logger "INFO" "Attach the Policies to the Role in account B"

ci-operator/step-registry/storage/create/csi-shared-aws-efs/storage-create-csi-shared-aws-efs-ref.metadata.json

@@ -0,0 +1,11 @@
+{
+	"path": "storage/create/csi-shared-aws-efs/storage-create-csi-shared-aws-efs-ref.yaml",
+	"owners": {
+		"approvers": [
+			"storage-approvers"
+		],
+		"reviewers": [
+			"storage-reviewers"
+		]
+	}
+}