Bug 1945907
Summary: | [aws] support byo iam roles for instances | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Matthew Staebler <mstaeble> | |
Component: | Installer | Assignee: | Matthew Staebler <mstaeble> | |
Installer sub component: | openshift-installer | QA Contact: | Pedro Amoedo <pamoedom> | |
Status: | CLOSED ERRATA | Docs Contact: | ||
Severity: | high | |||
Priority: | urgent | CC: | choag, pamoedom | |
Version: | 4.7 | |||
Target Milestone: | --- | |||
Target Release: | 4.7.z | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | If docs needed, set a value | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1945910 (view as bug list) | Environment: | ||
Last Closed: | 2021-05-19 15:15:46 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1945910, 1946119, 1948359 | |||
Bug Blocks: |
Description
Matthew Staebler
2021-04-02 16:09:04 UTC
[QA Summary] [Version] ~~~ $ ./openshift-install version ./openshift-install 4.7.0-0.nightly-2021-05-01-081439 built from commit 3d157f47000c2a9963527ad1dc8c69b77053a4a6 release image registry.ci.openshift.org/ocp/release@sha256:eddc92aceef5e655e74015248e7d5f4b76fafe18bfc61f9e86648a77b1ca922d $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.7.0-0.nightly-2021-05-01-081439 True False 34m Cluster version is 4.7.0-0.nightly-2021-05-01-081439 ~~~ [Parameters] ~~~ apiVersion: v1 baseDomain: qe.devcluster.openshift.com compute: - hyperthreading: Enabled name: worker platform: aws: type: m5.large iamRole: testcluster-982-8z8kf-worker-role replicas: 2 controlPlane: hyperthreading: Enabled name: master platform: aws: type: m5.xlarge iamRole: testcluster-982-8z8kf-master-role replicas: 3 metadata: creationTimestamp: null name: pamoedo-bz1945907 networking: clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 machineCIDR: 10.0.0.0/16 networkType: OpenShiftSDN serviceNetwork: - 172.30.0.0/16 platform: aws: region: eu-west-3 publish: External ~~~ [Results] To expedite the testing, and avoid issues with the policies, I've taken some pre-existing iam roles from a previous OCP installation and reuse them for the custom "iamRole" selection for the new cluster, the installation was successful, the new instances are associated with the pre-existing roles as expected and the installer hasn't created new ones: ~~~ $ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-master-profile INSTANCEPROFILE arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-master-profile 2021-05-04T09:34:15Z AIPAUMQAHCJOHGXZ2GD3U pamoedo-bz1945907-5ldhb-master-profile/ ROLES arn:aws:iam::301721915996:role/testcluster-982-8z8kf-master-role 2021-05-03T08:41:20Z / AROAUMQAHCJOAWK6FRKFX testcluster-982-8z8kf-master-role ASSUMEROLEPOLICYDOCUMENT 2012-10-17 STATEMENT sts:AssumeRole Allow PRINCIPAL ec2.amazonaws.com $ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-worker-profile INSTANCEPROFILE arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-worker-profile 2021-05-04T09:34:15Z AIPAUMQAHCJONYRDZOZQD pamoedo-bz1945907-5ldhb-worker-profile/ ROLES arn:aws:iam::301721915996:role/testcluster-982-8z8kf-worker-role 2021-05-03T08:41:20Z / AROAUMQAHCJOGNLD23FTU testcluster-982-8z8kf-worker-role ASSUMEROLEPOLICYDOCUMENT 2012-10-17 STATEMENT sts:AssumeRole Allow PRINCIPAL ec2.amazonaws.com $ aws iam list-roles | grep pamoedo (void) ~~~ Best Regards. This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.7.11 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1550 |