Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check Role Definition for MIWI #3876

Merged
merged 18 commits into from
Oct 24, 2024
Merged

Check Role Definition for MIWI #3876

merged 18 commits into from
Oct 24, 2024

Conversation

bitoku
Copy link
Collaborator

@bitoku bitoku commented Oct 1, 2024

Which issue this PR addresses:

Fixes https://issues.redhat.com/browse/ARO-10153

What this PR does / why we need it:

This PR adds a new hack script that checks the current role definitions align with the credentials requests in the release image of certain version.

The general overview of the hack script:

  1. It takes an OCP version as an argument.
    It uses the version as a standard version and assumes the credreqs are covered by the current role definitions.
  2. It fetches the latest version of each Y version later than the given version.
    Those versions are something we should validate.
  3. It compares between the credreqs of the given version and ones of the later versions first.
    This check is required because some credreqs are not supposed to be the same as the role definition because those use wildcards and the role definitions are not allowed to have them.
    Thus if the new credreq is the same as the one of the given version, we can assume that the new one is also fulfilled by the current role definitions.
  4. If there's a difference between the old and the new credreq, it fetches the corresponding roledefinition and compares them.
  5. Once we fixed the roledefinitions, we'll update the standard version to avoid redundant checks.

After it gets merged, I'll ask someone to create a pipeline in ADO according to validate-roledef.yml, and have it run periodically (weekly or monthly).

Test plan for issue:

I already checks in the pipeline.
https://msazure.visualstudio.com/AzureRedHatOpenShift/_build/results?buildId=104604435&view=logs&j=011e1ec8-6569-5e69-4f06-baf193d1351e&t=2c2a3fcd-a26b-5bdf-f2af-a3624a4b9e28

Also you can run locally OCP_VERSION=4.14.37 make validate-roledef.

Is there any documentation that needs to be updated for this PR?

Please let me know if there is.

How do you know this will function as expected in production?

It doesn't affect production.

cadenmarchese
cadenmarchese reviewed Oct 2, 2024
View reviewed changes
Copy link
Collaborator

@cadenmarchese cadenmarchese left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you! I have just a few questions about the automation.

.pipelines/validate-roledef.yml Outdated Show resolved Hide resolved
.pipelines/validate-roledef.yml Outdated Show resolved Hide resolved
hack/role/role.go Outdated Show resolved Hide resolved
hack/role/role.go Outdated Show resolved Hide resolved
@bitoku bitoku requested a review from cadenmarchese October 3, 2024 14:24
@bitoku
Copy link
Collaborator Author

bitoku commented Oct 15, 2024

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

cadenmarchese
cadenmarchese reviewed Oct 15, 2024
View reviewed changes
Copy link
Collaborator

@cadenmarchese cadenmarchese left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested it locally and it worked for me! I'm still concerned about the lack of checks on engineering builds or release candidate builds that aren't available in upgrade channels yet (such as 4.18.0-ec.2-x86_64) - I left a comment.

hack/role/role.go Outdated Show resolved Hide resolved
hack/role/role.go Outdated Show resolved Hide resolved
hack/role/role.go Outdated

var vers []string
for ; ; v.V[1]++ {
res, err := http.Get(fmt.Sprintf("https://api.openshift.com/api/upgrades_info/v1/graph?channel=candidate-%s", v.MinorVersion()))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to find a way to handle engineering builds as well (for example, the 4.18 builds currently in https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags). Otherwise, we end up in a tough spot with role updates. If we can't rely on the automation to tell us when a permissions change is upcoming in the upgradeable channels and instead only checks what's available for upgrade from a given version, I'm not sure how it will be used.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One potential idea - rather than looking at the upgrade graph, can the automation just compare the latest OCP build (right now, it's 4.18.0-ec.2-x86_64) with the verified-version provided to the command? We will always want to make sure our roles match the permissions extracted from the latest build.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually candidate channel has the rc/ec versions, but I decided to chang to use quay.io API (see the commit for details).
The only concern about rc/ec was that it's impossible to tell which is newer just based on the version.
By using quay.io, we can use last_modified date time to determine which is the latest.
Although it doesn't represent the exact release date, it's safe to assume that last modified one should be the latest version because they're pushed by CI.

This is the local output.

Details 

❯ OCP_VERSION=4.14.37 make validate-roledef
go run ./hack/role -verified-version "4.14.37" -oc-bin=oc
Extracting 4.14.37
Checking 4.14.38
Extracting 4.14.38
Validating permissions
Checking 4.15.36
Extracting 4.15.36
Validating permissions
        MachineApiOperator: missing actions:
                Microsoft.Network/virtualNetworks/join/action
        ImageRegistryOperator: missing actions:
                Microsoft.Network/privateEndpoints/write
                Microsoft.Network/privateEndpoints/read
                Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
                Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
                Microsoft.Network/privateDnsZones/read
                Microsoft.Network/privateDnsZones/write
                Microsoft.Network/privateDnsZones/join/action
                Microsoft.Network/privateDnsZones/A/write
                Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
                Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
                Microsoft.Network/networkInterfaces/read
                Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action
                Microsoft.Network/virtualNetworks/subnets/read
                Microsoft.Network/virtualNetworks/subnets/join/action
                Microsoft.Network/virtualNetworks/join/action
Checking 4.16.17
Extracting 4.16.17
Validating permissions
        MachineApiOperator: missing actions:
                Microsoft.Network/virtualNetworks/join/action
        ImageRegistryOperator: missing actions:
                Microsoft.Network/privateEndpoints/write
                Microsoft.Network/privateEndpoints/read
                Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
                Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
                Microsoft.Network/privateDnsZones/read
                Microsoft.Network/privateDnsZones/write
                Microsoft.Network/privateDnsZones/join/action
                Microsoft.Network/privateDnsZones/A/write
                Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
                Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
                Microsoft.Network/networkInterfaces/read
                Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action
                Microsoft.Network/virtualNetworks/subnets/read
                Microsoft.Network/virtualNetworks/subnets/join/action
                Microsoft.Network/virtualNetworks/join/action
        ClusterIngressOperator: missing actions:
                Microsoft.Network/virtualNetworks/subnets/read
                Microsoft.Network/virtualNetworks/subnets/join/action
Checking 4.17.1
Extracting 4.17.1
Validating permissions
        MachineApiOperator: missing actions:
                Microsoft.Network/virtualNetworks/join/action
        ImageRegistryOperator: missing actions:
                Microsoft.Storage/storageAccounts/blobServices/containers/delete
                Microsoft.Network/privateEndpoints/write
                Microsoft.Network/privateEndpoints/read
                Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
                Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
                Microsoft.Network/privateDnsZones/read
                Microsoft.Network/privateDnsZones/write
                Microsoft.Network/privateDnsZones/join/action
                Microsoft.Network/privateDnsZones/A/write
                Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
                Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
                Microsoft.Network/networkInterfaces/read
                Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action
                Microsoft.Network/virtualNetworks/subnets/read
                Microsoft.Network/virtualNetworks/subnets/join/action
                Microsoft.Network/virtualNetworks/join/action
        ClusterIngressOperator: missing actions:
                Microsoft.Network/virtualNetworks/subnets/read
                Microsoft.Network/virtualNetworks/subnets/join/action
        AzureFilesStorageOperator: missing actions:
                Microsoft.Network/routeTables/join/action
Checking 4.18.0-ec.2
Extracting 4.18.0-ec.2
Validating permissions
        MachineApiOperator: missing actions:
                Microsoft.Network/virtualNetworks/join/action
        ImageRegistryOperator: missing actions:
                Microsoft.Storage/storageAccounts/blobServices/containers/delete
                Microsoft.Network/privateEndpoints/write
                Microsoft.Network/privateEndpoints/read
                Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
                Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
                Microsoft.Network/privateDnsZones/read
                Microsoft.Network/privateDnsZones/write
                Microsoft.Network/privateDnsZones/join/action
                Microsoft.Network/privateDnsZones/A/write
                Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
                Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
                Microsoft.Network/networkInterfaces/read
                Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action
                Microsoft.Network/virtualNetworks/subnets/read
                Microsoft.Network/virtualNetworks/subnets/join/action
                Microsoft.Network/virtualNetworks/join/action
        ClusterIngressOperator: missing actions:
                Microsoft.Network/virtualNetworks/subnets/read
                Microsoft.Network/virtualNetworks/subnets/join/action
        AzureFilesStorageOperator: missing actions:
                Microsoft.Network/routeTables/join/action
Permissions are missing in 4.15.36
Permissions are missing in 4.16.17
Permissions are missing in 4.17.1
Permissions are missing in 4.18.0-ec.2
exit status 1
make: *** [validate-roledef] Error 1

@bitoku bitoku requested a review from cadenmarchese October 16, 2024 15:14
kimorris27
kimorris27 reviewed Oct 16, 2024
View reviewed changes
Copy link
Contributor

@kimorris27 kimorris27 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! I left a question about the pipeline YAML and noted a few spots where I think comments could be added or tweaked so that readers can understand things just a little bit faster.

.pipelines/validate-roledef.yml Outdated Show resolved Hide resolved
hack/role/role.go Outdated Show resolved Hide resolved
hack/role/role.go Outdated Show resolved Hide resolved
hack/role/role.go Show resolved Hide resolved
hack/role/role.go Show resolved Hide resolved
@bitoku bitoku requested a review from kimorris27 October 18, 2024 08:21
@kimorris27
Copy link
Contributor

/azp run ci

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@bitoku
Copy link
Collaborator Author

bitoku commented Oct 18, 2024
edited
Loading

ci-go failed because of #3908. CI should fail as well. #3908 is merged. thanks!

@bitoku
Copy link
Collaborator Author

bitoku commented Oct 18, 2024

/azp run ci

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@bitoku
Copy link
Collaborator Author

bitoku commented Oct 18, 2024

/azp run ci

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

kimorris27
kimorris27 previously approved these changes Oct 18, 2024
View reviewed changes
@dkeohane
Copy link

@cadenmarchese we got this approved, can we merge?

cadenmarchese
cadenmarchese reviewed Oct 24, 2024
View reviewed changes
hack/role/role.go Outdated Show resolved Hide resolved
@bitoku
Copy link
Collaborator Author

bitoku commented Oct 24, 2024

/azp run ci

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@bitoku bitoku requested a review from cadenmarchese October 24, 2024 14:19
@cadenmarchese cadenmarchese merged commit d89a378 into master Oct 24, 2024
19 checks passed
shubhadapaithankar pushed a commit that referenced this pull request Oct 31, 2024
@bitoku @shubhadapaithankar
Check Role Definition for MIWI (#3876)
c32efae 
* bump cluster-credentials-operator

* add Get to roledefinitions client

* check script

* pipeline

* use parameters

* change target-version help message

* vendor

* fix role.go

* use candidate channel

* use operator names in RP-Config

* modify the output format

* changed to use quay.io API

* add some comments

* remove pipeline resource

* change role definition names
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cadenmarchese cadenmarchese cadenmarchese approved these changes

@kimorris27 kimorris27 kimorris27 left review comments

@jewzaam jewzaam Awaiting requested review from jewzaam jewzaam is a code owner

@bennerv bennerv Awaiting requested review from bennerv bennerv is a code owner

@hawkowl hawkowl Awaiting requested review from hawkowl hawkowl is a code owner

@rogbas rogbas Awaiting requested review from rogbas rogbas is a code owner

@petrkotas petrkotas Awaiting requested review from petrkotas petrkotas is a code owner

@jharrington22 jharrington22 Awaiting requested review from jharrington22 jharrington22 is a code owner

@cblecker cblecker Awaiting requested review from cblecker cblecker is a code owner

@UlrichSchlueter UlrichSchlueter Awaiting requested review from UlrichSchlueter UlrichSchlueter is a code owner

@SudoBrendan SudoBrendan Awaiting requested review from SudoBrendan SudoBrendan is a code owner

@yjst2012 yjst2012 Awaiting requested review from yjst2012 yjst2012 is a code owner

@jaitaiwan jaitaiwan Awaiting requested review from jaitaiwan jaitaiwan is a code owner

@anshulvermapatel anshulvermapatel Awaiting requested review from anshulvermapatel anshulvermapatel is a code owner

@hlipsig hlipsig Awaiting requested review from hlipsig hlipsig is a code owner

@tiguelu tiguelu Awaiting requested review from tiguelu tiguelu is a code owner

@SrinivasAtmakuri SrinivasAtmakuri Awaiting requested review from SrinivasAtmakuri

@mociarain mociarain Awaiting requested review from mociarain mociarain is a code owner

@tsatam tsatam Awaiting requested review from tsatam tsatam is a code owner

@fahlmant fahlmant Awaiting requested review from fahlmant fahlmant is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bitoku @kimorris27 @dkeohane @cadenmarchese