OCM-5397 | add aws, account roles and oidc config common

openshift-online · Jan 5, 2024 · b763036 · b763036
1 parent 50125cc
commit b763036
Show file tree

Hide file tree

Showing 11 changed files with 367 additions and 490 deletions.
diff --git a/go.mod b/go.mod
@@ -8,44 +8,31 @@ require (
 	github.com/hashicorp/go-version v1.6.0
 	github.com/onsi/ginkgo/v2 v2.11.0
 	github.com/onsi/gomega v1.27.8
+	github.com/openshift-online/ocm-sdk-go v0.1.391
+	go.uber.org/mock v0.3.0
+	gopkg.in/square/go-jose.v2 v2.6.0
 )
 
 require (
-	github.com/aws/smithy-go v1.16.0 // indirect
+	github.com/aws/smithy-go v1.16.0
 	github.com/kr/pretty v0.1.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 )
 
 require (
-	github.com/aymerick/douceur v0.2.0 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
 	github.com/golang/glog v1.0.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/gorilla/css v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/microcosm-cc/bluemonday v1.0.18 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/openshift-online/ocm-sdk-go v0.1.388 // indirect
-	github.com/prometheus/client_golang v1.12.1 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/stretchr/testify v1.7.0 // indirect
-	go.uber.org/mock v0.3.0 // indirect
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/sys v0.9.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/tools v0.9.3 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/pkg/aws/utils/utils.go b/pkg/aws/utils/utils.go
@@ -0,0 +1,22 @@
+package utils
+
+import (
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+)
+
+func GetPathFromArn(arnStr string) (string, error) {
+	parse, err := arn.Parse(arnStr)
+	if err != nil {
+		return "", err
+	}
+	resource := parse.Resource
+	firstIndex := strings.Index(resource, "/")
+	lastIndex := strings.LastIndex(resource, "/")
+	if firstIndex == lastIndex {
+		return "", nil
+	}
+	path := resource[firstIndex : lastIndex+1]
+	return path, nil
+}
diff --git a/pkg/aws/validations/iam_helpers.go b/pkg/aws/validations/iam_helpers.go
@@ -3,28 +3,31 @@ package validations
 import (
 	"fmt"
 
-	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	"github.com/aws/aws-sdk-go-v2/aws"
+	iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"
 	semver "github.com/hashicorp/go-version"
-	"github.com/openshift-online/ocm-common/pkg"
+)
+
+const (
+	maxByteSize = 64
 )
 
 func GetRoleName(prefix string, role string) string {
 	name := fmt.Sprintf("%s-%s-Role", prefix, role)
-	if len(name) > pkg.MaxByteSize {
-		name = name[0:pkg.MaxByteSize]
+	if len(name) > maxByteSize {
+		name = name[0:maxByteSize]
 	}
 	return name
 }
 
 func IsManagedRole(roleTags []iamtypes.Tag) bool {
-    for _, tag := range roleTags {
-        if aws.ToString(tag.Key) == ManagedPolicies && aws.ToString(tag.Value) == "true" {
-            return true
-        }
-    }
+	for _, tag := range roleTags {
+		if aws.ToString(tag.Key) == ManagedPolicies && aws.ToString(tag.Value) == "true" {
+			return true
+		}
+	}
 
-    return false
+	return false
 }
 
 func HasCompatibleVersionTags(iamTags []iamtypes.Tag, version string) (bool, error) {
@@ -36,13 +39,13 @@ func HasCompatibleVersionTags(iamTags []iamtypes.Tag, version string) (bool, err
 	if err != nil {
 		return false, err
 	}
-	
+
 	for _, tag := range iamTags {
 		if aws.ToString(tag.Key) == OpenShiftVersion {
 			if version == aws.ToString(tag.Value) {
 				return true, nil
 			}
-			
+
 			currentVersion, err := semver.NewVersion(aws.ToString(tag.Value))
 			if err != nil {
 				return false, err

diff --git a/pkg/consts.go b/pkg/consts.go
diff --git a/pkg/ocm/consts/custom_properties.go b/pkg/ocm/consts/custom_properties.go
@@ -0,0 +1,6 @@
+package consts
+
+const (
+	rosa_prefix = "rosa_"
+	CreatorArn  = rosa_prefix + "creator_arn"
+)
diff --git a/pkg/ocm/consts/version.go b/pkg/ocm/consts/version.go
@@ -0,0 +1,5 @@
+package consts
+
+const (
+	DefaultChannelGroup = "stable"
+)
diff --git a/pkg/ocm/utils/versions.go b/pkg/ocm/utils/versions.go
@@ -0,0 +1,15 @@
+package utils
+
+import (
+	"fmt"
+
+	"github.com/openshift-online/ocm-common/pkg/ocm/consts"
+)
+
+func CreateVersionId(version string, channelGroup string) string {
+	versionId := fmt.Sprintf("openshift-v%s", version)
+	if channelGroup != consts.DefaultChannelGroup {
+		versionId = fmt.Sprintf("%s-%s", versionId, channelGroup)
+	}
+	return versionId
+}
diff --git a/pkg/rosa/accountroles/accountroles.go b/pkg/rosa/accountroles/accountroles.go
@@ -0,0 +1,42 @@
+package accountroles
+
+import (
+	awsUtils "github.com/openshift-online/ocm-common/pkg/aws/utils"
+	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
+)
+
+const (
+	InstallerAccountRole    = "installer"
+	ControlPlaneAccountRole = "instance_controlplane"
+	WorkerAccountRole       = "instance_worker"
+	SupportAccountRole      = "support"
+)
+
+type AccountRole struct {
+	Name string
+	Flag string
+}
+
+var AccountRoles = map[string]AccountRole{
+	InstallerAccountRole:    {Name: "Installer", Flag: "role-arn"},
+	ControlPlaneAccountRole: {Name: "ControlPlane", Flag: "controlplane-iam-role"},
+	WorkerAccountRole:       {Name: "Worker", Flag: "worker-iam-role"},
+	SupportAccountRole:      {Name: "Support", Flag: "support-role-arn"},
+}
+
+func GetPathFromAccountRole(cluster *cmv1.Cluster, roleNameSuffix string) (string, error) {
+	accRoles := GetAccountRolesArnsMap(cluster)
+	if accRoles[roleNameSuffix] == "" {
+		return "", nil
+	}
+	return awsUtils.GetPathFromArn(accRoles[roleNameSuffix])
+}
+
+func GetAccountRolesArnsMap(cluster *cmv1.Cluster) map[string]string {
+	return map[string]string{
+		AccountRoles[InstallerAccountRole].Name:    cluster.AWS().STS().RoleARN(),
+		AccountRoles[SupportAccountRole].Name:      cluster.AWS().STS().SupportRoleARN(),
+		AccountRoles[ControlPlaneAccountRole].Name: cluster.AWS().STS().InstanceIAMRoles().MasterRoleARN(),
+		AccountRoles[WorkerAccountRole].Name:       cluster.AWS().STS().InstanceIAMRoles().WorkerRoleARN(),
+	}
+}