Add credentials secret to AWS provider config in order to support CredentialsRequest

[spangenberg]

/cc bison

[spangenberg]

/hold

[dgoodwin]

If we do this by setting a secret on every MachineSet, and ultimately remove the IAM role that allows the machine API to work today, the default state for anyone who creates a MachineSet would be broken?

Just wondering if this would be best done by default in the machine-api, rather than having it pinned on every MachineSet.

[bison]

If we do this by setting a secret on every MachineSet, and ultimately remove the IAM role that allows the machine API to work today, the default state for anyone who creates a MachineSet would be broken?

Just wondering if this would be best done by default in the machine-api, rather than having it pinned on every MachineSet.

Any defaults would have to go into the controllers in our fork of the cluster-api, and further deviate from upstream. Users already have to choose quite a few things in the providerConfig that we can't provide sensible defaults for. Either that, or they copy an existing MachineSet created by the installer. The latter is probably the more common case right now.

We probably want to start using MachineClass objects for this kind of thing, but I'm not sure where we're at with that.

[dgoodwin]

I understand, thanks!

[spangenberg]

/retest

[bison]

This isn't going to pass until openshift/machine-api-operator#199 is merged.

[spangenberg]

This isn't going to pass until openshift/machine-api-operator#199 is merged.

@bison you sure, because they still have the same thing in their repository:
https://github.com/openshift/cloud-credential-operator/blob/47261953fd5974ba24072148d53ec4c919f6ad8f/manifests/0000_30_cloud-credential-operator_03_cred-openshift-cluster-api.yaml

[bison]

@spangenberg, ah, I forgot about that. That is using the wrong namespace though. We changed it to openshift-machine-api.

[spangenberg]

/test e2e-aws

openshift/machine-api-operator#199 got merged 🎉

[spangenberg]

/retest

[spangenberg]

/retest

[spangenberg]

/hold cancel

[spangenberg]

/retest

[spangenberg]

/retest

[enxebre]

can we then get rid of https://github.com/openshift/installer/blob/master/data/data/aws/master/main.tf#L36 as part of this PR? cc @dgoodwin @abhinavdahiya @spangenberg

[dgoodwin]

Hopefully we'd be at a point where we can try at least, I think that was an end goal of all this.

[spangenberg]

Machine controller is throwing errors:

	status code: 403, request id: 6a61f19a-5257-4a07-bd58-35eb654c7a7d
E0228 16:31:15.172013       1 actuator.go:106] Machine error: error launching instance: error creating EC2 instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: qM5RU2SzLuICZYAmY10kX86MSaRNCbibh7MjtAO6tV0oBYF2oEigg3sv4jVvck9l8_Lq40Jd9nvvweD_XTY6EAZvZ94yNidNVDOQcChaOewOZWXSZWHsVIKRWckGMrDYRu84TxnxsV2EdbHqHQVhL39GFuyBgFUhsx2i0hj2Ep2qYmUk2_JU4tTlHN7_iS-hAY5in0qx5gEHKrZw16dNpiHzsvEg1o6HN4krQDoSqPae8FswngSd-1PaRPlIXCqBFO28D34i5BfrYH7-Sc-6K8C99hcjDullKTH_Wb8EDU5VgPIKdFHDOP5tC1XdmNvCYLAlRHdQYJaTT3GCHymx9RD3sIFK5HLNwcGBAeCZ--9qFGhtnJWx91nGD1pps8DqAONLvmOUXNc6jLqdPUZm_OGSVgX5VpgOpa5onzQa-jAxdRK1iNBZtYWWBvIAwfo-T1fjSWDlK5BpRRs1aZEAOIg63rD37ey3F7eMLMqYMrygyBKpXEo8mTTqMdm47xOFzmoMfq6oD0tP4OKEJtThwS1NfJd6Nt-6qJ9f6wVTo-TdxujlYChx-haxc5L2PMh1Y6D_5itSYy_5GiU3GcJfUUq1AqJXUagyExVJCyf8LWN8b-vSUJOFm3fwbuDLDqJWPvvV5NNFOERZBZ9yiPF_m2zKqmLQn--bNa__SqzqIIGgFE1Ifouw-tKZqaNgM3Nbzc8zOx7O8oNPoqpCYVgeMwtsyyS0iAWPFdtjviBlFOQgaMFoB7B3z_M_UFA
	status code: 403, request id: 6a61f19a-5257-4a07-bd58-35eb654c7a7d
E0228 16:31:15.172025       1 actuator.go:115] error creating machine: error launching instance: error creating EC2 instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: qM5RU2SzLuICZYAmY10kX86MSaRNCbibh7MjtAO6tV0oBYF2oEigg3sv4jVvck9l8_Lq40Jd9nvvweD_XTY6EAZvZ94yNidNVDOQcChaOewOZWXSZWHsVIKRWckGMrDYRu84TxnxsV2EdbHqHQVhL39GFuyBgFUhsx2i0hj2Ep2qYmUk2_JU4tTlHN7_iS-hAY5in0qx5gEHKrZw16dNpiHzsvEg1o6HN4krQDoSqPae8FswngSd-1PaRPlIXCqBFO28D34i5BfrYH7-Sc-6K8C99hcjDullKTH_Wb8EDU5VgPIKdFHDOP5tC1XdmNvCYLAlRHdQYJaTT3GCHymx9RD3sIFK5HLNwcGBAeCZ--9qFGhtnJWx91nGD1pps8DqAONLvmOUXNc6jLqdPUZm_OGSVgX5VpgOpa5onzQa-jAxdRK1iNBZtYWWBvIAwfo-T1fjSWDlK5BpRRs1aZEAOIg63rD37ey3F7eMLMqYMrygyBKpXEo8mTTqMdm47xOFzmoMfq6oD0tP4OKEJtThwS1NfJd6Nt-6qJ9f6wVTo-TdxujlYChx-haxc5L2PMh1Y6D_5itSYy_5GiU3GcJfUUq1AqJXUagyExVJCyf8LWN8b-vSUJOFm3fwbuDLDqJWPvvV5NNFOERZBZ9yiPF_m2zKqmLQn--bNa__SqzqIIGgFE1Ifouw-tKZqaNgM3Nbzc8zOx7O8oNPoqpCYVgeMwtsyyS0iAWPFdtjviBlFOQgaMFoB7B3z_M_UFA
	status code: 403, request id: 6a61f19a-5257-4a07-bd58-35eb654c7a7d

[enxebre]

some perm must me missed, you should be able to use aws sts decode-authorization-message --encoded-message and go from there

[spangenberg]

This should be unblocked by openshift/cloud-credential-operator#37 and additionally openshift/machine-api-operator#241.

[spangenberg]

Depending PRs are all merged now.

/retest

[abhinavdahiya]

We need the iam policy for kubelet to running. also the kube-controller-manager would need access to AWS api too.

[spangenberg]

I removed the change, something like this can happen in another PR if wanted.

[spangenberg]

/retest

[spangenberg]

/cc @wking @abhinavdahiya

[abhinavdahiya]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, spangenberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [abhinavdahiya]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.