OCPCLOUD-2713: [AWS] Handle credentials secret conversion to CAPI

    • Type: Story
    • Resolution: Unresolved
    • Priority: Critical
    • Sprints: CLOUD Sprint 262, CLOUD Sprint 268, CLOUD Sprint 269

      Background

      In MAPA, we provide a way for a user to specify the credentials to use for creating and managing AWS resources. This secret comes from a CredentialsRequest and is created either by CCO, or manually, with the name `aws-cloud-credentials`.

      Any Machine/MachineSet referencing these credentials is effectively using the "default".

      In CAPA, the default is to use the cluster identity ref to work out what to do. When not specified, it will fall back to using the controller's role, which we populate today using a credentials request.

      Therefore, any Machine using the default in MAPA/CAPA has an option to be converted across.

      Where we then have an issue is converting non-standard credentials.

      If any user has created a non-standard credential, we must set a static identity that would then be used for the entire cluster.

      We must work out how to message about this and how to handle it. Initially, we can block the conversion and suggest a KCS that walks the user through setting the AWSCluster IdentityRef; once the identity ref is configured, we can ignore the credentials secret.

      Steps

      • Implement detection and conversion of the default credentials secret as described above
      • Add logic to detect non-default credentials and return an appropriate error message
      • Create a KCS to explain the steps necessary to use a custom credential
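The detection step above, as an added example that is not code from the cluster-capi-operator or MAO: a default (or unset) credentials secret converts to a nil identityRef, anything else is rejected with the remediation the KCS would describe, and a label on the static identity (the key is an assumption, as are the struct names and error text) records which MAPI secret to convert back to.

```go
package main

import "errors"
import "fmt"

// Secret name created by CCO (or manually) from the CredentialsRequest; any
// MAPI Machine referencing it is using the "default" credentials.
const defaultMAPISecret = "aws-cloud-credentials"

// Assumed (hypothetical) label key: a static identity created for custom
// credentials records the MAPI secret it replaced, for reverse conversion.
const mapiSecretLabel = "conversion.example/mapi-credentials-secret"

// Returned for any non-default secret: conversion is blocked and the
// wrapped message tells the user how to proceed.
var ErrCustomCredentials = errors.New("custom credentials secret is not convertible")

// MAPIProviderSpec keeps only the field relevant here (simplified model).
type MAPIProviderSpec struct {
	CredentialsSecretName string // empty means no secret was set
}

// CAPIIdentityRef models AWSCluster.spec.identityRef; nil means "use the
// controller's own role", the CAPA default populated by its CredentialsRequest.
type CAPIIdentityRef struct {
	Kind, Name string
}

// ConvertCredentials maps a MAPI credentials reference onto CAPI: the default
// (or unset) secret becomes a nil identityRef; anything else is rejected.
func ConvertCredentials(spec MAPIProviderSpec) (*CAPIIdentityRef, error) {
	switch spec.CredentialsSecretName {
	case "", defaultMAPISecret:
		return nil, nil
	default:
		return nil, fmt.Errorf("%w: secret %q; create an AWSClusterStaticIdentity for these "+
			"credentials and set AWSCluster.spec.identityRef to it, after which the secret is ignored",
			ErrCustomCredentials, spec.CredentialsSecretName)
	}
}

// MAPISecretForIdentity is the reverse lookup: the secret name recorded on a
// static identity's labels, or the default when there is none.
func MAPISecretForIdentity(labels map[string]string) string {
	if name := labels[mapiSecretLabel]; name != "" {
		return name
	}
	return defaultMAPISecret
}
```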

      Stakeholders

      • Cluster Infra

      Definition of Done

      • Credentials secrets are converted/users are told what to do/how to convert across
      • Docs
      • <Add docs requirements for this card>
      • Testing
      • <Explain testing that will be added>


            Joel Speed added a comment -

            Notes from today's standup:

            • With any custom credential, we must return an error and tell them how to fix it (create a static identity)
            • Could add a label to the static identity that provides the conversion with the name of a secret in the MAPI namespace to convert back to
            • Prefer not to have many custom solutions for non-convertible things, but non-convertibles make it hard to remove MAPI controllers
            • Need to write up a KCS to be able to link that provides the solution of how to manually fix the issue


            Nolan Brubaker added a comment -

            joelspeed thanks. I misinterpreted which controllers were falling back to the controllers role.

            Understood on the custom credential, makes total sense.

            Joel Speed added a comment -

            We have https://github.com/openshift/cluster-capi-operator/blob/c5a5e4ef8e201b016e27c654f84ecf8bc77e9258/manifests/0000_30_cluster-api_01_credentials-request.yaml#L1-L62 on the CAPI side

            The MAO secret generates the credential in the MAPI namespace; this creates a secret in the CAPI namespace. I would expect we probably want to ignore the MAPI credential secret if the default is being used, and move over to using the default CAPI one instead.

            I'm concerned though what would happen if someone is using a custom secret. Do we need to copy this to the CAPI namespaces, and what are the security concerns there?

            Nolan Brubaker added a comment -

            > When not specified, it will fallback to using the controllers role, which we populate today using a credentials request.

            Where is this particular credentials request? I see that there's a service account for AWS in https://github.com/openshift/machine-api-operator/blob/main/install/0000_30_machine-api-operator_00_credentials-request.yaml, but I believe that's the AWS service account associated with the `aws-cloud-credential` default secret.

              Nolan Brubaker (rh-ee-nbrubake)
              Joel Speed (joelspeed)
              Huali Liu