CCO-366 Add ability to detect AWS STS and behave accordingly

Dockerfile.local

@@ -0,0 +1,18 @@
+FROM golang:1.20 AS builder
+WORKDIR /go/src/github.com/openshift/cloud-credential-operator
+COPY . .
+ENV GO_PACKAGE github.com/openshift/cloud-credential-operator
+RUN go build -ldflags "-X $GO_PACKAGE/pkg/version.versionFromGit=$(git describe --long --tags --abbrev=7 --match 'v[0-9]*')" ./cmd/cloud-credential-operator
+RUN go build -ldflags "-X $GO_PACKAGE/pkg/version.versionFromGit=$(git describe --long --tags --abbrev=7 --match 'v[0-9]*')" ./cmd/ccoctl
+
+FROM registry.access.redhat.com/ubi8/ubi:latest
+COPY --from=builder /go/src/github.com/openshift/cloud-credential-operator/cloud-credential-operator /usr/bin/
+COPY --from=builder /go/src/github.com/openshift/cloud-credential-operator/ccoctl /usr/bin/
+RUN mkdir /manifests
+COPY manifests /manifests
+# Update perms so we can copy updated CA if needed
+RUN chmod -R g+w /etc/pki/ca-trust/extracted/pem/
+LABEL io.openshift.release.operator=true
+# TODO make path explicit here to remove need for ENTRYPOINT
+# https://github.com/openshift/installer/blob/a8ddf6619794416c4600a827c2d9284724d382d8/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L347
+ENTRYPOINT [ "/usr/bin/cloud-credential-operator" ]

Dockerfile.local.debug.dev

@@ -0,0 +1,6 @@
+FROM golang:1.20 AS builder
+WORKDIR /go/src/github.com/openshift/cloud-credential-operator
+COPY . .
+ENV GO_PACKAGE github.com/openshift/cloud-credential-operator
+
+ENTRYPOINT [ "/bin/bash" ]

Makefile

@@ -79,37 +79,13 @@ $(call build-image,ocp-cloud-credential-operator,$(IMAGE_REGISTRY)/$(IMAGE_REPO)
 $(call add-crd-gen,cloudcredential-manifests,./pkg/apis/cloudcredential/v1,./manifests,./manifests)
 $(call add-crd-gen,cloudcredential-bindata,./pkg/apis/cloudcredential/v1,./bindata/bootstrap,./bindata/bootstrap)
 
-update: update-codegen update-bindata generate
+update: update-vendored-crds update-codegen update-bindata generate
 .PHONY: update
 
 generate:
 	go generate ${GO_TEST_PACKAGES}
 .PHONY: generate
 
-# TODO: consider migrating to the openshift/api codegen tool
-# https://github.com/openshift/api/tree/master/tools/codegen
-#
-# update-codegen-crds-cloudcredential-manifests and
-# update-codegen-crds-cloudcredential-bindata make targets override
-# "update-codegen-crds-*" targets created by the above invocations of
-# "add-crd-gen".
-#
-# We copy the cloud credential operator config CRD from the
-# openshift/api repository (via the vendor dir) and since
-# openshift/api now utilizes a different codegen utility than
-# build-machinery-go, running the schemapatch code generator against
-# the copied manifest results in a different formatting. This results
-# in a diff which causes our verify target to fail so we ensure the
-# copied manifests remain unchanged by copying the CRDs once more
-# after generating CRDs as a workaround.
-update-codegen-crds-cloudcredential-manifests: ensure-controller-gen ensure-yq ensure-yaml-patch
-	$(run-crd-gen,./pkg/apis/cloudcredential/v1,./manifests)
-	$(MAKE) update-vendored-crds
-
-update-codegen-crds-cloudcredential-bindata: ensure-controller-gen ensure-yq ensure-yaml-patch
-	$(run-crd-gen,./pkg/apis/cloudcredential/v1,./bindata/bootstrap)
-	$(MAKE) update-vendored-crds
-
 update-vendored-crds:
 	# copy config CRD from openshift/api
 	cp vendor/github.com/openshift/api/operator/v1/0000_40_cloud-credential-operator_00_config.crd.yaml ./manifests/00-config-custresdef.yaml
@@ -123,6 +99,9 @@ update-codegen: update-codegen-crds
 
 verify: verify-vendored-crds verify-codegen verify-bindata
 
+verify-codegen-crds: update-codegen-crds update-vendored-crds
+	git diff --exit-code
+
 verify-codegen: verify-codegen-crds
 	./hack/verify-codegen.sh
 .PHONY: verify-codegen

bindata/bootstrap/cloudcredential_v1_credentialsrequest_crd.yaml

@@ -41,6 +41,15 @@ spec:
             required:
             - secretRef
             properties:
+              cloudTokenPath:
+                description: cloudTokenPath is the path where the Kubernetes ServiceAccount
+                  token (JSON Web Token) is mounted on the deployment for the workload
+                  requesting a credentials secret. The presence of this field in combination
+                  with fields such as spec.providerSpec.stsIAMRoleARN indicate that
+                  CCO should broker creation of a credentials secret containing fields
+                  necessary for token based authentication methods such as with the
+                  AWS Secure Token Service (STS).
+                type: string
               providerSpec:
                 description: ProviderSpec contains the cloud provider specific credentials
                   specification.

bindata/bootstrap/cloudcredential_v1_operator_config_custresdef.yaml

@@ -73,7 +73,7 @@ spec:
                     - Trace
                     - TraceAll
                 unsupportedConfigOverrides:
-                  description: 'unsupportedConfigOverrides holds a sparse config that will override any previously set options.  It only needs to be the fields to override it will end up overlaying in the following order: 1. hardcoded defaults 2. observedConfig 3. unsupportedConfigOverrides'
+                  description: unsupportedConfigOverrides overrides the final configuration that was computed by the operator. Red Hat does not support the use of this field. Misuse of this field could lead to unexpected behavior or conflict with other configuration options. Seek guidance from the Red Hat support before using this field. Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster.
                   type: object
                   nullable: true
                   x-kubernetes-preserve-unknown-fields: true

docs/dev_how_to_override_creds_req_mgmt_by_cvo.md

@@ -0,0 +1,46 @@
+### Override the CVO stomping your CredentialsRequest changes temporarily
+
+If you are making changes to the CredentialsRequest, you may need to prevent the CVO from changing it right back:
+
+oc patch clusterversion version --type=merge -p "$(cat hack/cco-override.json)"
+
+check with:
+
+oc get clusterversion version -o jsonpath='{.spec.overrides}'
+
+then this will stay as you set it:
+
+oc replace -f bindata/bootstrap/cloudcredential_v1_credentialsrequest_crd.yaml
+
+---
+
+### If you need to permanently change the CredentialsRequest
+
+Ultimately you will need to affect a change to the release image for the CredentialsRequest CRD:
+
+we need to change this:
+0000_50_cloud-credential-operator_00-crd.yaml
+
+retrieved from here:
+oc adm release extract --to manifests quay.io/openshift-release-dev/ocp-release:4.14.0-ec.0-x86_64
+
+An old commit message has some clues about which files here are being watched for inclusion in the release image:
+
+https://github.com/openshift/cloud-credential-operator/commit/8dfd9c04027a4de097ce0f88b06613bc6d43465c
+
+Removing unneeded bits and paraphrasing:
+
+migrate the CRDs
+
+Process used was to first generate v1 CRD into a temporary location:
+`_output/tools/bin/controller-gen paths=./pkg/apis/...  crd:crdVersions=v1 output:crd:artifacts:config=tmpcrds`
+
+Next copy the CRD to manifests/00-crd.yaml, and compare for any unexpected changes.
+
+Add back the `include.release.openshift.io` annotations.
+
+Finally, copy that CRD to
+`bindata/boostrap/cloudcredential_v1_credentialsrequest_crd.yaml`.
+
+`make update` will now take any new API changes and update the generated
+CRDs appropriately (keeping the v1 CRD).

go.mod

@@ -25,30 +25,30 @@ require (
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/nutanix-cloud-native/prism-go-client v0.2.1-0.20220804130801-c8a253627c64
-	github.com/openshift/api v0.0.0-20230120195050-6ba31fa438f2
+	github.com/openshift/api v0.0.0-20230615102559-2d36f534f273
 	github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533
-	github.com/openshift/library-go v0.0.0-20230130232623-47904dd9ff5a
+	github.com/openshift/library-go v0.0.0-20230620084201-504ca4bd5a83
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.14.0
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.6.0
+	github.com/prometheus/client_golang v1.15.1
+	github.com/sirupsen/logrus v1.9.0
+	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.2
 	go.mongodb.org/mongo-driver v1.8.0 // indirect
-	golang.org/x/mod v0.6.0
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
+	golang.org/x/mod v0.10.0
+	golang.org/x/oauth2 v0.5.0
 	golang.org/x/time v0.3.0
 	google.golang.org/api v0.58.0
 	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21
-	google.golang.org/grpc v1.49.0
-	gopkg.in/square/go-jose.v2 v2.5.1
+	google.golang.org/grpc v1.51.0
+	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.26.1
-	k8s.io/apimachinery v0.26.1
-	k8s.io/client-go v0.26.1
-	k8s.io/code-generator v0.26.1
-	k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
-	sigs.k8s.io/controller-runtime v0.14.2
+	k8s.io/api v0.27.3
+	k8s.io/apimachinery v0.27.3
+	k8s.io/client-go v0.27.3
+	k8s.io/code-generator v0.27.2
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
+	sigs.k8s.io/controller-runtime v0.15.0
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -60,8 +60,12 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1
+	github.com/go-logr/logr v1.2.4
 	github.com/microsoft/kiota-authentication-azure-go v0.6.0
 	github.com/microsoftgraph/msgraph-sdk-go v0.59.0
+	github.com/openshift/client-go v0.0.0-20230503144108-75015d2347cb
+	k8s.io/klog/v2 v2.90.1
+	sigs.k8s.io/e2e-framework v0.2.0
 )
 
 require (
@@ -72,26 +76,25 @@ require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.9.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cjlapao/common-go v0.0.39 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.1 // indirect
 	github.com/go-openapi/strfmt v0.20.1 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -103,52 +106,54 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.16 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/microsoft/kiota-abstractions-go v0.18.0 // indirect
 	github.com/microsoft/kiota-http-go v0.16.0 // indirect
 	github.com/microsoft/kiota-serialization-form-go v0.9.0 // indirect
 	github.com/microsoft/kiota-serialization-json-go v0.9.0 // indirect
 	github.com/microsoft/kiota-serialization-text-go v0.7.0 // indirect
 	github.com/microsoftgraph/msgraph-sdk-go-core v0.34.1 // indirect
+	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/robfig/cron v1.2.0 // indirect
+	github.com/vladimirvivien/gexe v0.2.0 // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
 	go.opentelemetry.io/otel/trace v1.14.0 // indirect
 	golang.org/x/crypto v0.6.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/term v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
-	golang.org/x/tools v0.2.0 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/term v0.8.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/tools v0.9.1 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiextensions-apiserver v0.26.1 // indirect
-	k8s.io/component-base v0.26.1 // indirect
+	k8s.io/apiextensions-apiserver v0.27.2 // indirect
+	k8s.io/apiserver v0.27.2 // indirect
+	k8s.io/component-base v0.27.2 // indirect
 	k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/kube-aggregator v0.26.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	k8s.io/kube-aggregator v0.27.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kube-storage-version-migrator v0.0.4 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )