DNM/SPLAT-2587: aws/ccm configuration#7961
Conversation
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
openshift-ci-robot
added
the
jira/valid-reference
|
@mtulio: This pull request references SPLAT-2587 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are limited based on label configuration. 🚫 Excluded labels (none allowed) (1)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository YAML (base), Organization UI (inherited) Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
openshift-ci
bot
added
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
/test e2e-aws-techpreview |
openshift-ci
bot
added
area/cli
mtulio
force-pushed
the
feat-ccm-nlb-sg-exp
branch
from
c57d2c2 to
48f51a0
Compare
|
/test e2e-aws-techpreview |
Test Resultse2e-aws
|
mtulio
force-pushed
the
feat-ccm-nlb-sg-exp
branch
from
48f51a0 to
bff6cb6
Compare
openshift-ci
bot
added
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mtulio The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
This commit updates IAM permissions to support AWS CCM managing security groups for Network Load Balancers, following least-privilege security principles. Changes: - cmd/infra/aws/iam.go: * Added 19 specific ELBv2 permissions required for NLB lifecycle management: - CreateLoadBalancer, DeleteLoadBalancer, DescribeLoadBalancers - ModifyLoadBalancerAttributes - CreateTargetGroup, DeleteTargetGroup, DescribeTargetGroups (critical - was missing) - DescribeTargetGroupAttributes, ModifyTargetGroupAttributes - DescribeTargetHealth, RegisterTargets, DeregisterTargets - CreateListener, DeleteListener, DescribeListeners - SetSecurityGroups (required for managed SG feature) - DescribeTags, AddTags, RemoveTags * Added 10 specific EC2 permissions for security group management: - CreateSecurityGroup, DeleteSecurityGroup, DescribeSecurityGroups - AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress - DescribeSubnets, DescribeVpcs, DescribeInstances - CreateTags * Added comprehensive documentation explaining each permission category and why it's needed for the CCM's NLB management functionality. Root cause: CI job failures showed "AccessDenied" for elasticloadbalancing:CreateTargetGroup. Analysis of CCM controller logs revealed the exact permissions needed for the complete NLB provisioning workflow with managed security groups. This change ensures the CCM has sufficient permissions to manage NLBs with security groups while maintaining security best practices by granting only necessary permissions.
This commit implements feature gate support for AWS CCM NLBSecurityGroupMode configuration, enabling managed security groups for Network Load Balancers. This enables the AWS Cloud Controller Manager to automatically create and manage security groups for NLBs when the feature gate is enabled, reducing manual infrastructure management overhead. Changes: * Modified adaptConfig() to dynamically set the CCM configuration "NLBSecurityGroupMode" to "Managed" value to when the feature is enabled.
This commit adds comprehensive E2E testing for the AWSServiceLBNetworkSecurityGroup feature gate and fixes critical test issues. Changes: * Added featuregates.ConfigureFeatureSet(string(featureSet)) call to synchronize the global feature gate state with the cluster's feature set. Without this, tests checking featuregates.Gate().Enabled() were incorrectly using the default feature set instead of TechPreviewNoUpgrade. * Added test case: "When NLBSecurityGroupMode is enabled it must have config NLBSecurityGroupMode=Managed entry in cloud-config configmap" to validate the CCM configuration contains the required setting when the feature gate is enabled. * Added test case: "When AWSServiceLBNetworkSecurityGroup is enabled it must create a LoadBalancer NLB with managed security group attached" to validate end-to-end NLB creation with managed security groups. * Fixed TestOnCreateAPIUX GCP validation by adding missing CloudController field to ServiceAccountsEmails struct (was causing "Required value" error).
…e evaluation Updates AWS CCM configuration tests to explicitly verify that the config adapter reads feature gates from HCP.Spec.Configuration rather than relying on the global operator feature set. Changes: - Set global feature gate to Default at test start to prove the adapter correctly reads from HCP configuration, not the global gate - Added explanatory comments documenting this proves the fix for the issue where global gate was incorrectly used instead of per-cluster configuration This change is critical for validating the fix to PR openshift#7460 e2e test failures where: - E2E tests create clusters with TechPreviewNoUpgrade feature set - HypershiftOperator runs with Default feature set (HYPERSHIFT_FEATURESET env) - Tests were failing because adapter checked global gate (Default) instead of cluster's configuration (TechPreviewNoUpgrade) - Result: NLBSecurityGroupMode was missing from aws-cloud-config even though cluster's feature set should enable it With this test change, we verify all scenarios work correctly: - Default feature set: NLBSecurityGroupMode NOT added - TechPreviewNoUpgrade: NLBSecurityGroupMode = Managed added - CustomNoUpgrade with explicit enable: NLBSecurityGroupMode = Managed added All tests pass, proving the adapter now correctly evaluates per-cluster feature configuration regardless of the global operator feature set. Signed-off-by: Marco Braga <mrbraga@redhat.com> Assisted-by: Claude Sonnet 4.5 (via Claude Code)
Fixes AWS CCM config adapter to read feature gates from per-cluster HostedControlPlane configuration instead of the global operator feature set. Problem: The AWS CCM configuration adapter was incorrectly using the global feature gate (configured from HYPERSHIFT_FEATURESET environment variable) instead of reading the per-cluster configuration from HCP.Spec.Configuration.FeatureGate. This caused e2e test failures in PR openshift#7460 where: 1. Tests create clusters with TechPreviewNoUpgrade feature set (version >= 4.18) 2. hypershift-operator runs with HYPERSHIFT_FEATURESET=Default (or unset) 3. control-plane-operator inherits Default feature set via env var 4. AWS CCM adapter checked global gate (Default) → AWSServiceLBNetworkSecurityGroup NOT enabled 5. Result: NLBSecurityGroupMode missing from aws-cloud-config even though cluster's feature set enables it Evidence: Test artifacts showed feature-gate.yaml with TechPreviewNoUpgrade (correct), but aws-cloud-config.yaml missing NLBSecurityGroupMode (incorrect). Solution: 1. Added IsFeatureEnabledInFeatureGateSpec() helper in featuregates package to evaluate feature gates based on FeatureGateSpec rather than global gate 2. Modified AWS CCM config adapter to use this helper with HCP.Spec.Configuration.FeatureGate Why a new helper function instead of reusing existing ones: - Existing FeatureGatesForFeatureSet() only handles fixed feature sets by name (Default, TechPreviewNoUpgrade, DevPreviewNoUpgrade) - We need to evaluate complete FeatureGateSpec including CustomNoUpgrade with explicit enabled/disabled feature lists - This matches the pattern used by CVO, KAS, and other components that correctly read from HCP.Spec.Configuration Changes: - control-plane-operator/featuregates/featuregates.go: New helper function - control-plane-operator/.../aws/config.go: Use helper to read per-cluster config Testing: Unit tests pass for all scenarios (Default, TechPreviewNoUpgrade, CustomNoUpgrade) Signed-off-by: Marco Braga <mrbraga@redhat.com> Assisted-by: Claude Sonnet 4.5 (via Claude Code)
mtulio
force-pushed
the
feat-ccm-nlb-sg-exp
branch
from
80ae47e to
4079af6
Compare
openshift-ci
bot
removed
the
needs-rebase
|
/test e2e-aws-techpreview |
|
/test e2e-aws |
|
/test ? |
|
/test e2e-aws |
|
@mtulio: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
3 participants
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes
Special notes for your reviewer:
Checklist: