Bug 1945907

Summary: [aws] support byo iam roles for instances
Product: OpenShift Container Platform Reporter: Matthew Staebler <mstaeble>
Component: InstallerAssignee: Matthew Staebler <mstaeble>
Installer sub component: openshift-installer QA Contact: Pedro Amoedo <pamoedom>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: urgent CC: choag, pamoedom
Version: 4.7   
Target Milestone: ---   
Target Release: 4.7.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1945910 (view as bug list) Environment:
Last Closed: 2021-05-19 15:15:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1945910, 1946119, 1948359    
Bug Blocks:    

Description Matthew Staebler 2021-04-02 16:09:04 UTC 
This is a clone of https://issues.redhat.com/browse/CORS-1653.

1. Proposed title of this feature request
    Permit using existing IAM roles for bootstrap, worker and control plane nodes in installer. Implementation should support AWS, Azure, and GCP.
2. What is the nature and description of the request?
    Enhance the installer to allow the customer to pre-create the IAM roles used by the bootstrap, worker and control plane nodes and supply those roles to the installer in IPI mode.
3. Why does the customer need this? (List the business requirements here)
    It is currently impossible to perform an IPI mode installation of OCP in the public cloud with additional restrictions. For instance, some customers require that all roles match a specific naming scheme and/or include a predefined permissions boundary in the role creation process.
4. List any affected packages or components.
    Installer
Comment 3 Pedro Amoedo 2021-05-04 10:57:34 UTC 
[QA Summary]

[Version]

~~~
$ ./openshift-install version
./openshift-install 4.7.0-0.nightly-2021-05-01-081439
built from commit 3d157f47000c2a9963527ad1dc8c69b77053a4a6
release image registry.ci.openshift.org/ocp/release@sha256:eddc92aceef5e655e74015248e7d5f4b76fafe18bfc61f9e86648a77b1ca922d

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-05-01-081439   True        False         34m     Cluster version is 4.7.0-0.nightly-2021-05-01-081439
~~~

[Parameters]

~~~
apiVersion: v1
baseDomain: qe.devcluster.openshift.com
compute:
- hyperthreading: Enabled
  name: worker
  platform:
    aws:
      type: m5.large
      iamRole: testcluster-982-8z8kf-worker-role
  replicas: 2
controlPlane:
  hyperthreading: Enabled
  name: master
  platform:
    aws:
      type: m5.xlarge
      iamRole: testcluster-982-8z8kf-master-role
  replicas: 3
metadata:
  creationTimestamp: null
  name: pamoedo-bz1945907
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineCIDR: 10.0.0.0/16
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
  aws:
    region: eu-west-3
publish: External
~~~

[Results]

To expedite the testing, and avoid issues with the policies, I've taken some pre-existing iam roles from a previous OCP installation and reuse them for the custom "iamRole" selection for the new cluster, the installation was successful, the new instances are associated with the pre-existing roles as expected and the installer hasn't created new ones:

~~~
$ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-master-profile
INSTANCEPROFILE	arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-master-profile	2021-05-04T09:34:15Z	AIPAUMQAHCJOHGXZ2GD3U	pamoedo-bz1945907-5ldhb-master-profile/
ROLES	arn:aws:iam::301721915996:role/testcluster-982-8z8kf-master-role	2021-05-03T08:41:20Z	/	AROAUMQAHCJOAWK6FRKFX	testcluster-982-8z8kf-master-role
ASSUMEROLEPOLICYDOCUMENT	2012-10-17
STATEMENT	sts:AssumeRole	Allow	
PRINCIPAL	ec2.amazonaws.com

$ aws iam get-instance-profile --instance-profile-name pamoedo-bz1945907-5ldhb-worker-profile
INSTANCEPROFILE	arn:aws:iam::301721915996:instance-profile/pamoedo-bz1945907-5ldhb-worker-profile	2021-05-04T09:34:15Z	AIPAUMQAHCJONYRDZOZQD	pamoedo-bz1945907-5ldhb-worker-profile/
ROLES	arn:aws:iam::301721915996:role/testcluster-982-8z8kf-worker-role	2021-05-03T08:41:20Z	/	AROAUMQAHCJOGNLD23FTU	testcluster-982-8z8kf-worker-role
ASSUMEROLEPOLICYDOCUMENT	2012-10-17
STATEMENT	sts:AssumeRole	Allow	
PRINCIPAL	ec2.amazonaws.com

$ aws iam list-roles | grep pamoedo
(void)
~~~

Best Regards.
Comment 4 Siddharth Sharma 2021-05-10 17:58:19 UTC 
This bug will be shipped as part of next z-stream release 4.7.11 on May 19th, as 4.7.10 was dropped due to a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1958518.
Comment 8 errata-xmlrpc 2021-05-19 15:15:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.11 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1550