- Epic
- Resolution: Won't Do
- Critical
- None
- None
- Apply User Tags in AWS
- 2
- False
- False
- Not Selected
- To Do
- OCPSTRAT-787 - Configure AWS User Tags on Day 2 (Hosted Control Planes only)
- Undefined
Apply user defined tags in AWS - CCO - minted users
See CCO-77 and OCPPLAN-6006
Only need to apply for new IAM users.
Tags need to be applied at create time, not separately afterwards. Check whether this can be done at create time on roles and users.
However, because we already have code that reconciles, we may as well keep it.
After further discussions (hat tip dhellman@redhat.com), we're going to go the route of constant reconciliation of tags. It will be implemented in a way that allows users to add their own tags outside of the cluster without CCO stomping over those externally set tags.
To be clear, this means if tagA=valueA was applied, then the user externally set tagA=valueB, CCO will revert back to tagA=valueA. But the user is free to set tagZ=valueZ, and CCO will leave tagZ alone.
For posterity, the proposed flow will look something like this:
Extend the CredentialsRequest status to hold desiredTags and lastAppliedTags.
    if desiredTags != lastAppliedTags {
        applyErr := applyTags()
        if applyErr == nil {
            // Tags are on the resource; record them in status.
            updateErr := updateLastAppliedTags()
            if updateErr != nil {
                return updateErr
            }
        }
        return applyErr // always return here so we can re-reconcile after a successful lastAppliedTags update
    }
    if clusterWideTags != desiredTags {
        err := updateDesiredTags()
        return err
    }
This flow should keep CCO from leaking tags in the following case: tags are applied, but CCO fails to save the lastAppliedTags status; then, on re-reconcile (because of the failed status update), the clusterWideTag list changes, and CCO potentially leaks a tag.
It is possible that the cluster will not allow changes to the clusterwideTagList, but by implementing things this way, if the clusterwideTagList becomes or is editable, CCO can accommodate that change in behavior without any code changes.
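The tag ownership rule described above (revert managed keys, leave externally set keys alone, do not leak keys that were applied earlier), as an added example that is not CCO code. `planTags` and its parameters are hypothetical names, and removing a previously applied key once it is no longer desired is an assumption about how a leak would be cleaned up.

```go
package main

import (
	"fmt"
	"sort"
)

// planTags is a hypothetical helper, not part of CCO. For one IAM user it
// returns the tags to write and the tag keys to remove.
//   desired     - tags CCO wants on the resource (status desiredTags)
//   lastApplied - tags CCO recorded as applied (status lastAppliedTags)
//   actual      - tags currently on the resource, as read back from AWS
func planTags(desired, lastApplied, actual map[string]string) (set map[string]string, remove []string) {
	set = map[string]string{}
	// Managed keys: enforce the desired value, reverting any external edit.
	for k, v := range desired {
		if cur, ok := actual[k]; !ok || cur != v {
			set[k] = v
		}
	}
	// Keys CCO applied earlier that are no longer desired would leak if left
	// behind. Only keys recorded in lastApplied are candidates, so a key set
	// externally (never recorded) is not touched.
	for k := range lastApplied {
		if _, stillDesired := desired[k]; stillDesired {
			continue
		}
		if _, present := actual[k]; present {
			remove = append(remove, k)
		}
	}
	sort.Strings(remove) // deterministic order for logging and comparison
	return set, remove
}

func main() {
	// Constructed sample state: tagA was edited externally, tagOld was
	// dropped from the cluster-wide list, tagZ was added by the user.
	desired := map[string]string{"tagA": "valueA"}
	lastApplied := map[string]string{"tagA": "valueA", "tagOld": "x"}
	actual := map[string]string{"tagA": "valueB", "tagOld": "x", "tagZ": "valueZ"}

	set, remove := planTags(desired, lastApplied, actual)
	fmt.Println("set:", set, "remove:", remove)
}
```

If the lastAppliedTags status write is lost after a successful apply, `tagOld` would be missing from `lastApplied` and would never be removed, which is the leak the proposed flow guards against.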
- depends on
  - OCPPLAN-6006 Apply user defined tags to all AWS resources created by OpenShift (Closed)
- is related to
  - HIVE-2290 Configure AWS User Tags on MachinePools (Closed)
  - CFE-69 User defined tags for AWS Resources GA (Closed)
  - CFE-73 Make user defined resource tags on Cloud Credential Operator resources updatable (Closed)
  - OCPSTRAT-787 Configure AWS User Tags on Day 2 (Hosted Control Planes only) (In Progress)