Bug 1948628

Summary: ccoctl needs to plan for future (non-AWS) platform support in the CLI
Product: OpenShift Container Platform
Reporter: Akhil Rane <arane>
Component: Cloud Credential Operator
Assignee: Akhil Rane <arane>
Status: CLOSED ERRATA
QA Contact: wang lin <lwan>
Severity: high
Docs Contact:
Priority: urgent
Version: 4.8
CC: lwan
Target Milestone: ---
Flags: lwan: needinfo-
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Refactoring ccoctl to make it more extensible
Reason: To support more cloud providers in future
Result: Completed successfully
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-07-27 22:59:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Akhil Rane 2021-04-12 16:15:48 UTC
Description of problem:
Currently, the ccoctl tool for credentials management only supports the AWS cloud. We need to revamp ccoctl so that it becomes easy to extend it for other cloud platforms in the future.

Version-Release number of selected component (if applicable):
4.8


Comment 1 wang lin 2021-04-13 06:56:46 UTC
Hi Akhil, there is an issue with the roles created by ccoctl: the trust relationships for the components are wrong.

The trust relationship ccoctl created is below (for example, the role for the image registry; the StringEquals values are wrong):
$ aws iam get-role --role-name lwan-tt-1-openshift-image-registry-installer-cloud-credentials | jq -r .Role.AssumeRolePolicyDocument
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXX:oidc-provider/lwan-tt-1-oidc.s3.us-east-1.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "lwan-tt-1-oidc.s3.us-east-1.amazonaws.com:sub": [
            "system:serviceaccount:cluster-image-registry-operator:cluster-image-registry-operator",
            "system:serviceaccount:registry:registry"
          ]
        }
      }
    }
  ]
}

But it should be as below:
$ aws iam get-role --role-name lwan-ccoctl-openshift-image-registry-installer-cloud-credentials | jq -r .Role.AssumeRolePolicyDocument
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXX:oidc-provider/lwan-ccoctl-oidc.s3.us-east-2.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "lwan-ccoctl-oidc.s3.us-east-2.amazonaws.com:sub": [
            "system:serviceaccount:openshift-image-registry:registry",
            "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator"
          ]
        }
      }
    }
  ]
}

All components have the same issue.


And the doc has a small issue in https://github.com/openshift/cloud-credential-operator/blob/master/docs/ccoctl.md#creating-openid-connect-provider
for the creating-openid-connect-provider subcommand: the parameter should be "--public-key-file", rather than "--public-key".
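
One way to check a generated trust policy for exactly the defect shown above, as an added example that is not ccoctl's own code: it parses the AssumeRolePolicyDocument and verifies that the federated principal is the cluster's OIDC provider and that the `:sub` condition lists exactly the expected namespace/service-account pairs. The account id 123456789012 and the expected-subject set are assumptions; the sample policy is the wrong one quoted above.

```python
import copy
import json

# Constructed sample from the first AssumeRolePolicyDocument above: the subjects name
# the wrong namespaces, so the real image-registry pods cannot assume the role.
WRONG_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/lwan-tt-1-oidc.s3.us-east-1.amazonaws.com"},
   "Action": "sts:AssumeRoleWithWebIdentity",
   "Condition": {"StringEquals": {"lwan-tt-1-oidc.s3.us-east-1.amazonaws.com:sub": [
     "system:serviceaccount:cluster-image-registry-operator:cluster-image-registry-operator",
     "system:serviceaccount:registry:registry"]}}}]}
""")

def check_trust_policy(policy, oidc_host, expected_subjects):
    """Return findings for a role trust policy; an empty list means it is as expected.
    oidc_host: hostname of the cluster's OIDC provider as registered in IAM.
    expected_subjects: exact set of 'system:serviceaccount:<ns>:<name>' strings allowed."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = st.get("Principal", {}).get("Federated", "")
        if not federated.endswith(":oidc-provider/" + oidc_host):
            findings.append(f"statement {i}: principal {federated!r} is not provider {oidc_host}")
        subs = st.get("Condition", {}).get("StringEquals", {}).get(oidc_host + ":sub")
        if subs is None:
            # Without a :sub condition, any token issued by the provider could assume the role.
            findings.append(f"statement {i}: no StringEquals condition on {oidc_host}:sub")
            continue
        subs = {subs} if isinstance(subs, str) else set(subs)
        findings += [f"statement {i}: unexpected subject {s}" for s in sorted(subs - expected_subjects)]
        findings += [f"statement {i}: missing subject {s}" for s in sorted(expected_subjects - subs)]
    return findings

def with_subjects(policy, oidc_host, subjects):
    """Return a copy of policy whose first statement trusts exactly the given subjects."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"][0]["Condition"] = {"StringEquals": {oidc_host + ":sub": sorted(subjects)}}
    return fixed

if __name__ == "__main__":
    host = "lwan-tt-1-oidc.s3.us-east-1.amazonaws.com"
    expected = {"system:serviceaccount:openshift-image-registry:registry",
                "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator"}
    for line in check_trust_policy(WRONG_POLICY, host, expected):
        print(line)
```

Feed it the output of `aws iam get-role ... | jq -r .Role.AssumeRolePolicyDocument` for each role; the same function also catches the more serious case of a missing `:sub` condition.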

Comment 2 Akhil Rane 2021-04-13 23:04:02 UTC
Hi Lin,

Thanks for reporting this issue. I have opened a PR to fix it and correct the docs: https://github.com/openshift/cloud-credential-operator/pull/325

Comment 4 wang lin 2021-04-15 05:59:42 UTC
The `ccoctl create-iam-roles` issue is fixed in commit fed3bffc9d.

$ aws iam get-role --role-name lwan-tt-cco-5-openshift-image-registry-installer-cloud-credentia | jq -r .Role.AssumeRolePolicyDocument
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXX:oidc-provider/lwan-tt-cco-5-oidc.s3.us-east-2.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "lwan-tt-cco-5-oidc.s3.us-east-2.amazonaws.com:sub": [
            "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator",
            "system:serviceaccount:openshift-image-registry:registry"
          ]
        }
      }
    }
  ]
}

Comment 7 errata-xmlrpc 2021-07-27 22:59:27 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438