  1. OpenShift Cloud Credential Operator
  2. CCO-78

Apply user defined tags in AWS - CCO - minted users


    • Epic
    • Resolution: Won't Do
    • Critical
    • Apply User Tags in AWS
    • To Do
    • OCPSTRAT-787 - Configure AWS User Tags on Day 2 (Hosted Control Planes only)

      See CCO-77 and OCPPLAN-6006

      Only need to apply for new IAM users.

      Needs to be applied at create time, and not separately afterwards. Check whether this can be done at create time on roles and users.

      However, because we already have code that reconciles, we may as well keep it.

      After further discussions (hat tip dhellman@redhat.com), we're going to go the route of constant reconciliation of tags. But it will be implemented in a way that allows users to add their own tags outside of the cluster without CCO stomping over those externally set tags.

      To be clear, this means if tagA=valueA was applied, then the user externally set tagA=valueB, CCO will revert back to tagA=valueA. But the user is free to set tagZ=valueZ, and CCO will leave tagZ alone.

      For posterity, the proposed flow will look something like this:

      Extend the CredentialsRequest status to hold desiredTags and lastAppliedTags.

      if desiredTags != lastAppliedTags {
          applyErr := applyTags()
          if applyErr == nil {
              // the tags are on the resource now, so record them in the status
              updateErr := updateLastAppliedTags()
              if updateErr != nil {
                  return updateErr
              }
          }
          return applyErr // always return here so we can re-reconcile after a successful lastAppliedTags update
      }

      // only reached once desiredTags == lastAppliedTags
      if clusterWideTags != desiredTags {
          err := updateDesiredTags()
          return err
      }

      This flow should keep CCO from leaking tags in the following case: tags are applied, but CCO fails to save the lastAppliedTags status; then, on re-reconcile (because of the failed status update), the clusterWideTag list has changed, and CCO potentially leaks a tag.

      It is possible that the cluster will not allow changes to the clusterwideTagList, but by implementing things this way, if the clusterwideTagList becomes/is editable, CCO can accommodate that change in behavior without any code changes.
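
The reconciliation rules above as an in-memory Go model, added here as an example and not taken from CCO's code. `Tags`, `Status`, `Reconcile` and the `save` callback are hypothetical names; it assumes tags are re-applied on every pass and that a tag in lastAppliedTags but no longer in desiredTags is removed.

```go
package main

import (
	"fmt"
	"maps"
)

type Tags map[string]string

// Status holds the two fields the ticket proposes for the CredentialsRequest status.
type Status struct{ Desired, LastApplied Tags }

// Reconcile runs one pass (hypothetical helper, not CCO code). user stands in for the
// tags on the IAM user; save models the status update and may fail, in which case the
// stored status is left as it was and the next pass repeats the same step.
func Reconcile(st *Status, clusterWide, user Tags, save func() error) error {
	for k := range st.LastApplied { // remove tags CCO applied that are no longer desired
		if _, keep := st.Desired[k]; !keep {
			delete(user, k)
		}
	}
	for k, v := range st.Desired { // set, or revert an external edit of, a managed tag
		user[k] = v
	}
	next := *st
	switch {
	case !maps.Equal(st.Desired, st.LastApplied):
		next.LastApplied = maps.Clone(st.Desired) // record what is now on the user
	case !maps.Equal(clusterWide, st.Desired):
		next.Desired = maps.Clone(clusterWide) // only once the last apply is recorded
	default:
		return nil
	}
	if err := save(); err != nil {
		return err
	}
	*st = next
	return nil
}

func main() {
	st, user := &Status{}, Tags{"tagZ": "valueZ"} // constructed: tagZ was set outside the cluster
	ok := func() error { return nil }
	for i := 0; i < 3; i++ { // pass 1 sets desired, pass 2 applies and records, pass 3 is steady
		fmt.Println(Reconcile(st, Tags{"tagA": "valueA"}, user, ok), user, *st)
	}
}
```

Because desiredTags only changes once it equals lastAppliedTags, a failed status save followed by a change to the cluster-wide list still ends with the old tag removed rather than left behind.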

            jdiaz@redhat.com Joel Diaz (Inactive)
            rhn-engineering-gshereme Greg Sheremeta
            Ju Lim Ju Lim