Configure AWS User Tags on Day 2 (Hosted Control Planes only)

Feature Overview (aka. Goal Summary)  

To improve automation, governance and security, AWS customers extensively use AWS Tags to track resources. Customers wants the ability to change user tags on day 2 without having to recreate a new cluster to have 1 or more tags added/modified.

Goals (aka. expected user outcomes)

The observable functionality that the user now has as a result of receiving this feature. Complete during New status.

• Cluster administrator can add one or more tags to an existing cluster. 
• Cluster administrator can remove one or more tags from an existing cluster.
• Cluster administrator can add one or more tags just to machine-pool / node-pool in the ROSA with HCP cluster.
• All ROSA client interfaces (ROSA CLI, API, UI) can utilise the day2 tagging feature on ROSA with HCP clusters
• All OSD client interfaces (API, UI, CLI) can utilize the day2 tagging feature on ROSA with HCP clusters
• This feature does not affect the Red Hat owned day1 tags built into OCP/ROSA (there are 10 reserved spaces for tags, of the 50 available, leaving 40 spaces for customer provided tags)

Requirements (aka. Acceptance Criteria):

A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

• Following capabilities are available for AWS on standalone and HCP clusters.
• OCP automatically tags the cloud resources with the Cluster's External ID. 
• Tags added by default on Day 1 are not affected.
• All existing active AWS resources in the OCP clusters have the tagging changes propagated.
• All new AWS resources created by OCP reflect the changes to tagging.
• Hive to support additional list of key=value strings on MachinePools
  • These are AWS user-defined / custom tags, not to be confused with node labels
  • ROSA CLI can accept a list of key=value strings with additional tag values
    • it currently can do this during cluster-install
  • The default tag(s) is/are still applied
  • NOTE: AWS limit of 50 tags per object (2 used automatically by OCP; with a third to be added soon; 10 reserved for Red Hat overall, as at least 2-3 are used by Managed Services) - customer's can only specify 40 tags max!
    • Source: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions
  • Must be able to modify tags after creation 
• Support for OpenShift 4.15 onwards.

Out-of-scope

This feature will only apply to ROSA with Hosted Control Planes, and ROSA Classic / standalone is excluded.

Why is this important?

• Customers want to use custom tagging for
  • access controls
  • chargeback/showback
  • cloud IAM conditional permissions

Scenarios

1. ...

Acceptance Criteria

• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• ...

Dependencies (internal and external)

1. ...

Previous Work (Optional):

1. …

Open questions::

1. …

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>