1. Proposed title of this feature request
Disable GCP Role Generation for ccoctl binary
2. What is the nature and description of the request?
ccoctl in 4.15 now generates roles against a GCP project. The customer does not allow this and wants to use predefined roles that they have custom-defined in their GCP tenant.
Desired Behavior:
1. Create Custom Roles for the Google Service Accounts.
2. Pass those Roles into CCOCTL
Example patching (rewriting the predefinedRoles of every CredentialsRequest in the directory):
for CRED in "${WIF_CRED_REQ_DIR}"/*; do
  yq -i 'del(.spec.providerSpec.predefinedRoles[] | select(. == "roles/iam.serviceAccountUser"))' "${CRED}"
  yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/storage.admin")) |= "organizations/X/roles/custom.cloud.storage.provisioner")' "${CRED}"
  yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.admin")) |= "organizations/X/roles/custom.vm.provisioner")' "${CRED}"
  yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.instanceAdmin.v1")) |= "organizations/X/roles/custom.openshift.instance.v1.provisioner")' "${CRED}"
  yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.instanceAdmin")) |= "organizations/X/roles/custom.openshift.instance.provisioner")' "${CRED}"
  yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.loadBalancerAdmin")) |= "organizations/X/roles/custom.openshift.loadBalancer.provisioner")' "${CRED}"
  yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/compute.storageAdmin")) |= "organizations/X/roles/custom.openshift.storage.provisioner")' "${CRED}"
  yq -i '((.spec.providerSpec.predefinedRoles[] | select(. == "roles/dns.admin")) |= "organizations/X/roles/custom.cloud.dns.provisioner")' "${CRED}"
done
Example Credential Request:
---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    capability.openshift.io/name: Storage+CloudCredential
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: openshift-gcp-pd-csi-driver-operator
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    permissions:
    - compute.instances.get
    - compute.instances.attachDisk
    - compute.instances.detachDisk
    predefinedRoles:
    - roles/compute.storageAdmin
    - roles/iam.serviceAccountUser
    skipServiceCheck: true
  secretRef:
    name: gcp-pd-cloud-credentials
    namespace: openshift-cluster-csi-drivers
  serviceAccountNames:
  - gcp-pd-csi-driver-operator
  - gcp-pd-csi-driver-controller-sa
Also, roles/iam.serviceAccountUser should not be assigned project-wide.
We are patching that as well, binding it only on the appropriate service accounts:
gcloud iam service-accounts add-iam-policy-binding "${CONTROL_PLANE_SERVICE_ACCOUNT}" \
  --member="serviceAccount:${MACHINE_API_SA_EMAIL}" \
  --project="${CLUSTER_PROJECT_ID}" \
  --role=roles/iam.serviceAccountUser \
  --condition=None
gcloud iam service-accounts add-iam-policy-binding "${WORKER_SA_EMAIL}" \
  --member="serviceAccount:${MACHINE_API_SA_EMAIL}" \
  --project="${CLUSTER_PROJECT_ID}" \
  --role=roles/iam.serviceAccountUser \
  --condition=None
gcloud iam service-accounts add-iam-policy-binding "${WORKER_SA_EMAIL}" \
  --member="serviceAccount:${CSI_API_SA_EMAIL}" \
  --project="${CLUSTER_PROJECT_ID}" \
  --role=roles/iam.serviceAccountUser \
  --condition=None
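The same role substitution as an added, reviewable example (not part of this request or of ccoctl): it applies the mapping from the yq loop above to a parsed CredentialsRequest, fails closed on any Google-managed role that has no custom replacement, and reports anything still pointing at a roles/... role before the manifests are handed to ccoctl. The organization id "X" is the placeholder from the request, and the sample manifest is the gcp-pd-csi-driver-operator request above, already parsed.

```python
import copy

# Same substitution the yq loop above applies; "X" is the placeholder organization id from the request.
ROLE_MAP = {
    "roles/storage.admin": "organizations/X/roles/custom.cloud.storage.provisioner",
    "roles/compute.admin": "organizations/X/roles/custom.vm.provisioner",
    "roles/compute.instanceAdmin.v1": "organizations/X/roles/custom.openshift.instance.v1.provisioner",
    "roles/compute.instanceAdmin": "organizations/X/roles/custom.openshift.instance.provisioner",
    "roles/compute.loadBalancerAdmin": "organizations/X/roles/custom.openshift.loadBalancer.provisioner",
    "roles/compute.storageAdmin": "organizations/X/roles/custom.openshift.storage.provisioner",
    "roles/dns.admin": "organizations/X/roles/custom.cloud.dns.provisioner",
}
# Must not be granted project-wide; it is bound on the individual service accounts instead.
DROP_ROLES = {"roles/iam.serviceAccountUser"}

def rewrite_predefined_roles(manifest, role_map=ROLE_MAP, drop=DROP_ROLES):
    """Copy of a parsed CredentialsRequest with each predefinedRole dropped (in `drop`) or
    replaced by its custom role (in `role_map`); any other Google-managed role raises."""
    out = copy.deepcopy(manifest)
    spec = out["spec"]["providerSpec"]
    rewritten = []
    for role in spec.get("predefinedRoles", []):
        if role in drop:
            continue
        if role not in role_map:  # fail closed: nothing unmapped reaches ccoctl
            raise ValueError(f"unmapped predefined role: {role}")
        if role_map[role] not in rewritten:  # collapse duplicates, keep order
            rewritten.append(role_map[role])
    spec["predefinedRoles"] = rewritten
    return out

def google_managed_roles(manifest):
    """predefinedRoles that still name a Google-managed role (roles/...)."""
    roles = manifest["spec"]["providerSpec"].get("predefinedRoles", [])
    return [r for r in roles if r.startswith("roles/")]

# Constructed sample: the gcp-pd-csi-driver-operator CredentialsRequest from above, already parsed.
SAMPLE = {
    "kind": "CredentialsRequest",
    "metadata": {"name": "openshift-gcp-pd-csi-driver-operator", "namespace": "openshift-cloud-credential-operator"},
    "spec": {
        "providerSpec": {
            "kind": "GCPProviderSpec",
            "permissions": ["compute.instances.get", "compute.instances.attachDisk", "compute.instances.detachDisk"],
            "predefinedRoles": ["roles/compute.storageAdmin", "roles/iam.serviceAccountUser"],
            "skipServiceCheck": True,
        },
        "secretRef": {"name": "gcp-pd-cloud-credentials", "namespace": "openshift-cluster-csi-drivers"},
    },
}
```

Running google_managed_roles over every rewritten manifest and refusing to continue if the list is non-empty gives the same guarantee as the yq loop, plus an explicit error for roles the loop would have silently left in place.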
3. Why does the customer need this? (List the business requirements here)
In 4.14 the customer is doing custom patching of the ccoctl output to achieve this, but at this point the customer needs this to be natively supported.
4. List any affected packages or components.
ccoctl