Use md5 hash as role session name when assuming into customer's support role

[AlexVulaj]

What type of PR is this?

feature

What this PR does / Why we need it?

backplane-cli passes the SRE's email address as a role session name when assuming a customer's support role. We should not pass any SRE usernames to a customer when assuming into their account.

Which Jira/Github issue(s) does this PR fix?

https://issues.redhat.com/browse/OSD-19901

Special notes for your reviewer

Pre-checks (if applicable)

• Ran unit tests locally
• Validated the changes in a cluster
• Included documentation changes with PR

[codecov-commenter]

Codecov Report

Attention: 14 lines in your changes are missing coverage. Please review.

Comparison is base (52a842d) 46.83% compared to head (5d3d480) 45.87%.
Report is 32 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #283      +/-   ##
==========================================
- Coverage   46.83%   45.87%   -0.97%     
==========================================
  Files          53       53              
  Lines        3540     3758     +218     
==========================================
+ Hits         1658     1724      +66     
- Misses       1621     1759     +138     
- Partials      261      275      +14     

Files	Coverage Δ
pkg/awsutil/sts.go	53.38% <50.00%> (ø)
cmd/ocm-backplane/cloud/common.go	16.35% <0.00%> (-0.54%)	⬇️

... and 5 files with indirect coverage changes

[samanthajayasinghe]

Not a blocker, I feel that bp-cli may use ISV's for connecting to the cluster in the near future. In that case, this logic may not be accurate.
Ideally, we should move some of the assumed role logic to bp-api endpoint where API decide how to determine the session-name based on some other factors.

[AlexVulaj]

We've updated the API to determine the role session name that should be used, but the actual AssumeRole logic needs to be done client side since we use individual SRE credentials for the isolated backplane flow.

https://gitlab.cee.redhat.com/service/backplane-api/-/merge_requests/329

[jharrington22]

Is it possible to get this from the backplane API? My concern is that an update to this in the CLI or API may mean they diverge in the future, it would be good to keep this consistent.

[AlexVulaj]

It's definitely possible - it comes down to how quickly we want this out the door.

To go this route, we would add a new API endpoint that takes a string and returns an md5 hash, using the same existing functions that are used in the API today for performing that conversion. Then the bp cli would call that endpoint instead.

I'm happy to go that route, and then we can keep this PR in a "hold" until that API change gets released. Thoughts?

[AlexVulaj]

Actually another thought - since this is only for the new flow, we could update the response object of the existing API call to include a new property for the role session name to be used for the customer's support role. That would be substantially less overhead and allow us quicker turnover.

[AlexVulaj]

/hold

See this comment: https://issues.redhat.com/browse/OSD-19901?focusedId=23636518&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-23636518

[AlexVulaj]

/unhold

API changes have been promoted to production https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/92517

[bmeng]

    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxx:RH-SRE-bmeng_sre.openshift",
        "arn": "arn:aws:sts::xxxxx:assumed-role/ManagedOpenShift-Support-98sn7d/RH-SRE-bmeng_sre.openshift",
        "accountId": "xxxxx",
        "accessKeyId": "xxxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxxxx",
                "arn": "arn:aws:iam::xxxxx:role/ManagedOpenShift-Support-98sn7d",
                "accountId": "xxxxx",
                "userName": "ManagedOpenShift-Support-98sn7d"
            },

I still can see my user name in the cloudtrail, but it is not in the session part. I assume it is expected for now?

[AlexVulaj]

@bmeng since the ticket specifically calls out the session name, I think we can go forward from here. I've started a thread here for further guidance on the principal being visible in cloudtrail:
https://redhat-internal.slack.com/archives/C058T1YEDPV/p1704395248986019

[bmeng]

As discussed in slack, the scope for this pr should be limit the info from the session, for the rest parts we can cover them separately.
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AlexVulaj, bmeng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [bmeng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@AlexVulaj: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.