✨ Rosa Config implementaiton

[PanSpagetka]

Based on proposal #5451
Adding RosaRoleConfig API with implementation. that should create Account/Operator roles and OIDC config/provider necessary to create ROSA cluster.

We need to move RosaMachinePoolAutoScaling definition to controlplane, because otherwise there would be circular dependency.

What type of PR is this?
/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emoji in title
• adds unit tests
• adds or updates e2e tests

Release note:

[k8s-ci-robot]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign neolit123 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @PanSpagetka. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[serngawy]

why are we adding this ? what is the rosa file

[serngawy]

no need for this line

[serngawy]

can you just add the RosaRoleConfig item without changing the order of other items

[serngawy]

why do we need this file ?

[serngawy]

I believe you need to uncomment this line

[serngawy]

I believe you should check/set the RosaRoleConfig condition first , then get the oidc using OCM client if it is not exist then create it.
Same applied for account-roles and operator-roles

[serngawy]

Do we need to delete the operator roles before the oidc-provider ?

[PanSpagetka]

Nope, a changed it so it matches reverse creation order.

[serngawy]

I guess the order here is not correct, deleting the operatrRoles first then oidc-provider then odic-config ?

[serngawy]

please move this to another file , better to be under pkg/.../rosa

[PanSpagetka]

/test pull-cluster-api-provider-aws-e2e-blocking

[PanSpagetka]

/test pull-cluster-api-provider-aws-e2e-blocking

[serngawy]

Suggested change

	// OIDCID is the ID of the OIDC config that will be used to create the operator roles.
	// OIDCID is the ID of the OIDC config that will be used to create the operator roles. A managed OIDC-provider will be created if the OIDCID not specified

[serngawy]

as we discussed no need for region

[serngawy]

We don't delete the oidc-provider if the user set it under the spec.operatorRole.OIDCConfig

[PanSpagetka]

/retest-required

[PanSpagetka]

/test pull-cluster-api-provider-aws-test

[PanSpagetka]

/test pull-cluster-api-provider-aws-test

[PanSpagetka]

/test pull-cluster-api-provider-aws-apidiff-main

[serngawy]

The OIDC is immutable , so validation should be applied (could be in the webhook update ) that RosaRoleConfigRef cannot be change if the cluster is provisioned

[serngawy]

I guess the order here is not correct, deleting the operatrRoles first then oidc-provider then odic-config ?

[serngawy]

why strings.contain not exact string equal by name ?

[serngawy]

The logic here is not correct , what if one Role is missing not all of them ? we create 8 operator Roles, we should check every single one

[PanSpagetka]

No, if there is one role missing we don't create 8 roles because you can't have 2 roles with same name. And in rosa cli we handle roles creation as a batch operation, so we are consistent with that.

[serngawy]

that is not correct , rosa lib will re-create the missing operator roles if there are any. You can reproduce this scenario with rosa-cli

[serngawy]

Suggested change

	if strings.Contains(role.RoleName, fmt.Sprintf("%s-openshift-image-registry-installer-cloud-credentials", config.Prefix)) {
	else if strings.Contains(role.RoleName, fmt.Sprintf("%s-openshift-image-registry-installer-cloud-credentials", config.Prefix)) {

better to set else if with the following if(s) check

[serngawy]

better to have the RoleNames in list/map so easier for you to check the roles count and existence

[PanSpagetka]

No having roles names in list doesn't help, every role has its own field so every condition needs to be spelled out.

[PanSpagetka]

/retest-required

[PanSpagetka]

/retest-required

[serngawy]

Thanks @PanSpagetka, sounds good in general we can add more test in future PRs

[serngawy]

Please add release note , mention adding Rosa RoleConfig API

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[nrb]

Some questions and style suggestions.

[nrb]

Why are these fields being updated with omitempty?

[nrb]

True, but you don't know which field is missing without checking all of them.

I can see why this information is being moved into a RoleConfig, because checking all these fields individually is tricky.

[nrb]

For the sake of clarity, perhaps we could use a r.Spec.RolesRef == nil check to demonstrate that there is no RolesRef at all, without checking every field within it.

We can look at the specific RolesRef fields themselves further down in the function, since up here we're just looking for a high level conflict.

[nrb]

Probably also want to make sure that r.Spec.RolesRef isn't nil at some point, possibly up above where my previous comment is.

Another suggestion would be to say if you reach this point in the code, you know all the previous fields aren't "", because the function would have returned.

Knowing that, we could say that at this point if r.Spec.RolesRef is not nil, then the user has specified all the direct fields and a RolesRef, triggering the mutual exclusion.

In terms of clarity, I think it would also be worth having a couple helper functions for checking the direct fields and the RolesRef fields; it keeps the conditionals grouped into smaller chunks.

[nrb]

Suggested change

	// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
	// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.

[nrb]

Could import these directly without an alias now that there's no reference to the older SDK.

[nrb]

Suggested change

	context.TODO(),
	context.Background(),

[nrb]

Why have this wrapper function?

[nrb]

These functions just swallow the input? Are you trying to hide the output?

[nrb]

Leave this at 1.23.0.