[OCPCLOUD-1436] Introduce workflow with IMDSv2 enforced for AWS machines during installation #28236
openshift-merge-robot merged 1 commit into openshift:master from lobziik:imdsv2-install
Conversation
Rebased due to conflicts. Previous rehearse job finished successfully. Think it should be ready to go. /cc @JoelSpeed
The only question which I have is about owners... Who might be there?
patrickdillon left a comment:
This LGTM, but I would prefer the job name be shorter. Typically for IPI these follow a pattern of:
e2e-- so in this case I suggested e2e-aws-imdsv2 although there might be a better name
I did shorten the name of the installer job. Updated OWNERS, hope it is fine at this point :)
/approve
I don't have an objection to adding this right now, but I would like to know if there are any future plans to remove it? I would expect that once we have proved this is stable, we could turn this on by default for our CI. This would then catch any other components that aren't compliant before they enter payload (because this test doesn't run everywhere). We may not make this the default in the installer for some time, but that doesn't stop it being the default for our testing IMO
Another way of accomplishing this in the short term could be to create a periodic. That would test the release payload on a regular basis, rather than just indirectly through installer presubmits.
This makes sense. Perhaps create a card to check in after a month or x amount of data? If this is going to happen regularly perhaps it is worth defining a process.
That's a good idea, @lobziik what do you think to adding a release informing job?
Will do
Dunno why, but all steps all around there have 4.5. Just made it the same, since I don't understand the reasons why it's 4.5 all around, and to keep stuff consistent.
Ok, good enough reasoning for me
The proxy setup step was pinned to 4.5 back in #11453 because it was writing Ignition config. If you don't have a reason to pin a specific version for your step, I'd strongly recommend not pinning.
Who knows. Purposes of this file and directory are a bit cryptic for me. This entry was generated by make release-controllers.
All entries here have "disabled": true
/retest
/lgtm
/retest
@deads2k @smarterclayton @wking Hello! Can you please take a look? :) This PR touches quite a lot of things, due to the new workflow and the addition of informing jobs...
I'm not TRT, so not really my business, but... are they really interested in being approvers for this specific step?
nit: inconsistent indentation for these two lines.
Neither the cluster profile nor input files come into this step, do they? It's just AWS_METADATA_SERVICE_AUTH?
The existing ipi-aws-pre chain already contains a bunch of environment knobs. It's unclear to me why you want a new workflow for this knob, vs. adding the knob to the existing chain and then setting the env you want in your job configuration. Using a workload to centralize config between multiple jobs makes sense for flavors that have lots of consuming jobs, but you only have the two consuming jobs...
Hm, I can not clearly explain the reasoning why I did exactly that there. Thought that it should be the right thing. :D Maybe I tried to minimize rehearse load and not touch other jobs, I don't remember exactly.
Would it be better to extend ipi-conf-aws instead and expose extra knob there?
Touching the main workload will indeed create a bunch of rehearsals on this one release PR. But how often do we expect to have to touch this logic in the release repo? I expect it will be rare, and the maintenance overhead of having devs keeping track of more decoupled pieces isn't free either 😉
I'm not all that concerned either way though, so 🤷 whatever makes the most sense to the folks who will be maintaining this code.
https://github.com/lobziik/release/pull/1 - I prepared a patch which adds an env knob to the ipi-conf-aws step. Would like to get a review before I update this PR... Still a bit afraid of massive rehearsals. Can you please check if it looks sane? :)
I extended
@wking can you please take a look? I really want to merge it, rebased it for the 4th time already...
/retest
/approve
Rehearsals didn't pass just yet, but looks good so far
Introduces the AWS_METADATA_SERVICE_AUTH env variable to enable IMDSv2 on AWS at installation time. Adds a job which uses it to the installer presubmits.
I excluded informing jobs from this PR since it violates the process described here: https://docs.ci.openshift.org/docs/architecture/release-gating/#add-a-periodic-informative-job
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: JoelSpeed, lobziik, patrickdillon, vrutkovs
@lobziik: Updated the following 3 configmaps:
This PR introduces a separate workflow which installs OpenShift with an
enforced auth requirement on the metadata service for control-plane and
compute machines. Adds a respective job for the installer repo.
Enhancement document with more details:
https://github.com/openshift/enhancements/blob/master/enhancements/machine-api/aws-imds-v2-support.md
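What the AWS_METADATA_SERVICE_AUTH knob and the PR description above ask for is that every control-plane and compute instance end up with `HttpTokens=required` in its EC2 metadata options, so that the token-less IMDSv1 path no longer answers. The script below is an added example, not code from this PR or from the openshift/release step registry: it audits `aws ec2 describe-instances` output for a cluster and reports instances where IMDSv1 is still allowed or the endpoint is disabled. The sample JSON is constructed for the example, and the Name-tag prefix used to pick out a cluster's machines is an assumption of the example rather than something the page documents.

```python
"""Audit EC2 metadata options for IMDSv2 enforcement.

Added example for this PR page; not part of openshift/release or its step scripts.
Input is the JSON shape produced by `aws ec2 describe-instances --output json`.
The Name-tag prefix filter is an assumption made here to select one cluster's machines.
"""
import json
import sys

# Constructed sample mimicking `aws ec2 describe-instances` output.
# Only the fields this audit reads are included.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa000000000001",
             "Tags": [{"Key": "Name", "Value": "mycluster-abc12-master-0"}],
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0aaa000000000002",
             "Tags": [{"Key": "Name", "Value": "mycluster-abc12-worker-0"}],
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0aaa000000000003",
             "Tags": [{"Key": "Name", "Value": "mycluster-abc12-worker-1"}],
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0aaa000000000004",
             "Tags": [{"Key": "Name", "Value": "othercluster-bastion"}],
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
})


def instance_name(inst):
    """Return the value of the Name tag, or an empty string if the instance has none."""
    for tag in inst.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def audit_imds(describe_json, name_prefix):
    """Return (instance_id, name, finding) for each instance under name_prefix
    that does not have the metadata endpoint enabled with tokens required.

    Findings:
      imdsv1-allowed         HttpTokens is not "required", so a plain GET to
                             169.254.169.254 (no session token) still returns
                             role credentials; SSRF or a compromised pod can read them.
      imds-endpoint-disabled HttpEndpoint is "disabled": nothing to steal via IMDS,
                             but the node cannot fetch its own IAM role credentials
                             either, so it is reported rather than counted as enforced.
    """
    findings = []
    data = json.loads(describe_json)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            name = instance_name(inst)
            if not name.startswith(name_prefix):
                continue
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                findings.append((inst["InstanceId"], name, "imds-endpoint-disabled"))
            elif opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], name, "imdsv1-allowed"))
    return findings


def imdsv2_enforced(describe_json, name_prefix):
    """True when every instance under name_prefix has the endpoint enabled and tokens required."""
    return not audit_imds(describe_json, name_prefix)


if __name__ == "__main__":
    # Usage: aws ec2 describe-instances --output json | python3 audit_imds.py <name-prefix>
    # With no stdin data (a terminal), the constructed sample is audited instead.
    prefix = sys.argv[1] if len(sys.argv) > 1 else "mycluster-abc12"
    raw = SAMPLE_DESCRIBE_INSTANCES if sys.stdin.isatty() else sys.stdin.read()
    for instance_id, name, finding in audit_imds(raw, prefix):
        print(f"{instance_id}\t{name}\t{finding}")
    sys.exit(0 if imdsv2_enforced(raw, prefix) else 1)
```

One caveat worth keeping in mind when reading the output: `HttpPutResponseHopLimit` is reported alongside `HttpTokens` because IMDSv2's token PUT response is limited to that many network hops. With the AWS default of 1, a pod in its own network namespace (one hop behind the node) cannot obtain a session token at all, so a cluster that sets `HttpTokens=required` also has to decide which hop limit its workloads need; the example only reports the field and does not assume what value OpenShift chooses.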