OCPBUGS-44698: Create AWS clients on every reconcile instead of at initialization

[csrwng]

What this PR does / why we need it:
Moves client creation for the private link endpoint controller into the reconcile loop instead of when the reconciler is initially registered. This allows the controller to recover from initial issues assuming a shared vpc role.

Adds additional error logging when AWS cloud API calls fail.

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #OCPBUGS-44698

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [csrwng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@csrwng: This pull request references Jira Issue OCPBUGS-44698, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.0) matches configured target version for branch (4.18.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (jiezhao@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

What this PR does / why we need it:
Moves client creation for the private link endpoint controller into the reconcile loop instead of when the reconciler is initially registered. This allows the controller to recover from initial issues assuming a shared vpc role.

Adds additional error logging when AWS cloud API calls fail.

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #OCPBUGS-44698

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[enxebre]

typo sect?
Why are we unconditionally logging here then right below we are logging again via

			if supportawsutil.AWSErrorCode(err) != "InvalidPermission.Duplicate" {
				return fmt.Errorf("failed to set security group ingress rules, code: %s", supportawsutil.AWSErrorCode(err))
			}
			log.Info("WARNING: got duplicate permissions error when setting security group ingress permissions", "sgID", sgID)

[csrwng]

typo sect?
yes

Will also fix the unconditional logging

[enxebre]

why are we logging in addition to the returned error and with different message?

[csrwng]

The difference is that the returned error only contains the error code (it goes in the status of the resource) while the log line includes the full error returned from AWS.

I fixed the different error messages

[enxebre]

So for example here we'll log
"failed to wait for security group to exist", "id", sgID"
and the controller runtime will log
"failed to wait for security group to exist (id: %s), code: %s", sgID, supportawsutil.AWSErrorCode(err)"

Seems unncecesary?

[csrwng]

The difference is that the latter will also go into the status of the AWSEndpointService

[enxebre]

Should this be:

func isAWSPrivate() bool {
	return os.Getenv("AWS_REGION") != "" && hcp.Spec.Platform.Type == hyperv1.AWSPlatform
}

[csrwng]

We are no longer retrieving the hcp on startup, but we're always setting AWS_REGION on the CPO when platform.Type == AWS:

hypershift/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

Lines 2739 to 2770 in a3791d6

	switch hc.Spec.Platform.Type {
	case hyperv1.AWSPlatform:
	deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes,
	corev1.Volume{
	Name: "cloud-token",
	VolumeSource: corev1.VolumeSource{
	EmptyDir: &corev1.EmptyDirVolumeSource{
	Medium: corev1.StorageMediumMemory,
	},
	},
	},
	corev1.Volume{
	Name: "provider-creds",
	VolumeSource: corev1.VolumeSource{
	Secret: &corev1.SecretVolumeSource{
	SecretName: platformaws.ControlPlaneOperatorCredsSecret("").Name,
	},
	},
	})
	deployment.Spec.Template.Spec.Containers[0].Env = append(deployment.Spec.Template.Spec.Containers[0].Env,
	corev1.EnvVar{
	Name: "AWS_SHARED_CREDENTIALS_FILE",
	Value: "/etc/provider/credentials",
	},
	corev1.EnvVar{
	Name: "AWS_REGION",
	Value: hc.Spec.Platform.AWS.Region,
	},
	corev1.EnvVar{
	Name: "AWS_SDK_LOAD_CONFIG",
	Value: "true",
	})

So just retrieving the hcp on startup for the same check seemed unnecessary

[enxebre]

ah I see. Where I was actually trying to get is that I guess we should only run this if we are in aws private, i.e. should we check hcp.spec.EndpointAccess?

[csrwng]

Yup, we can. Since we need the hcp for that, I'll restore the code that fetched it on startup.

[enxebre]

nit:

// When sharedVPC we need assume these additional roles

?

[enxebre]

assumeSharedVPCEndpointRoleARN
assumeSharedVPCRoute53RoleARN
?

[enxebre]

would it make any difference if this func is just

b.warnOnDifferentValues(log, hcp)
b.setFromHCP(hcp)
b.initialized = true

without the conditional?

[csrwng]

we'd warn unnecessarily when initially setting the values

[enxebre]

does this introduce a new scenario that wasn't possible before? we remove the finalizer if say a transient issue fails to get the client?

[csrwng]

The only 2 possible errors are that the session cannot be created because env/cfg is incomplete or that the client builder was not initialized from a hcp. Either case is not recoverable with a retry.

[enxebre]

https://github.com/openshift/hypershift/pull/5179/files#r1856712444
#5179 (comment)
#5179 (comment)
/lgtm
/hold
feel free to cancel

[enxebre]

/retest

[csrwng]

/hold cancel

[enxebre]

/lgtm
/test e2e-aks

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD da24e17 and 2 for PR HEAD fda98ca in total

[openshift-ci]

@csrwng: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD f2d9716 and 2 for PR HEAD fda98ca in total