Project: Container / Cluster Management (XCM) Strategy
XCMSTRAT-41

ROSA: Additional Security Group(s) for Optional Machine Pools (Day-2)


Details


      ------------- Status Summary as of 12/04 -------------

      • OCM
        • API
          • Available in prod
        • ROSA CLI
          • Available in v1.2.28
        • OCM CLI
          • Available in v0.1.71
            • UX improvement describing/listing resources - available in v0.1.72
        • TF Provider
          • Will be available in v1.5.0 (TBA ~EOD of 25th of Dec)
      • QE
        • OCM-3724 done
        • OCM-4718 done
        • Only UI card OCMUI needs to be finished
      • UI
        • On Nov 27th, we opened the feature gate for Day2 in Production
        • Only missing story is OCMUI-951, which is under QE Review
      • Docs

      -----------------

      Overall summary for 15-Nov

      • QE:
        • New regression issue OCM-4813, a release blocker
        • Working on control plane and infra security groups; not sure whether any other regression will be caused. Will keep updating with the progress
        • Filed OCM-4878 for tag validation for SGs
      • UI:
        • Finalizing QE review - blocker and major bugs have been fixed.
      • OCM Backend: Done
      • ROSA CLI: Done
        • release 1.2.28
      • OCM CLI:
        • Going through QE review
        • Will be available in v0.1.71
      • OCM UI: In progress
      • TF Provider
        • Code review - will be part of the next TF cycle

       

      Overall summary for 30-Oct

      • Feature available in the CLI for Day 2 (create machine pool with SGs)
      • Docs will be published by 2nd November
      • UI will be published ~16th November

      Note: this covers Day 2, day 1 is covered in XCMSTRAT-46


       

      OCM UI update for 31-Oct

      • Day2 MR covering STS clusters has been merged to Staging.
      • Included elements necessary to speed up the development for Day1.

      ROSA-HCP

      • Support for HCP is covered as part of https://issues.redhat.com/browse/XCMSTRAT-320

      QE update for 16-Oct

      • Only OCM-4192 left to close OCM-3724
      • UI epic is still new

      SRE update for 3-Oct

      • Hive support for day 2 operations has been added via HIVE-2306

      Docs update for 6-Nov

      • CLI-based docs are now live on docs.openshift.com and will be on access.redhat.com within 24h; see OSDOCS-8034 for details

    Description

      Feature Overview (aka. Goal Summary)

      This feature strengthens both the security and AWS integration themes of the ROSA service. Developers deploying workloads in ROSA often need to connect workloads running inside OCP to other AWS services or to applications running in other VPCs. This feature allows cluster administrators to assign optional additional Security Groups to control plane nodes, infra nodes, and all the worker nodes of a machine pool (at machine pool granularity). The following parts of this feature will be delivered separately (not necessarily in this phased order):

      1. XCMSTRAT-41 (This): Support for creating additional Security Group IDs on day-two machine pools after ROSA Classic/OSD cluster creation
      2. XCMSTRAT-46: Support for creating additional Security Group IDs on day-one machine pool + Control Plane nodes + Infra nodes during ROSA Classic/OSD cluster creation (Note: XCMSTRAT-374 is split from XCMSTRAT-46 to cover Control Plane and Infra nodes)
      3. XCMSTRAT-319: Support for changing machine pools to add/remove additional Security Group IDs on ROSA Classic/OSD cluster creation
      4. XCMSTRAT-320: Support for Additional Security Group IDs on ROSA HCP clusters

      Goals (aka. expected user outcomes)

      1. Improve ROSA retention by providing the ability to add machine pools with additional Security Group IDs to existing clusters.
      2. Support for ROSA Classic and OSD on AWS using OCP 4.11 and above.

      Requirements (aka. Acceptance Criteria):

      1. Ability to create a machine pool in an existing cluster with additional Security Groups.
      2. Ability to apply up to 15 Security Group IDs.
      3. Ability to define additional Security Group IDs at the machine pool level and have all worker nodes of the machine pool consistently use the SG-IDs.
      4. Support for clusters created with BYO-VPC.
      5. Support for ROSA and OSD CCS on AWS clusters (support for HCP is covered as part of XCMSTRAT-319).
      6. Support for OCP 4.11 and above.
      7. OCM Create Machine Pool API for CS (api.openshift.com) to support additional SG-IDs.
      8. During pre-flight, each provided SG is validated for existence and against the AWS quota.
      9. During pre-flight, the total number of SG rules is validated against the AWS quota, taking into account the total number of SGs attached.
      10. During pre-flight, the SG tags are validated to ensure the OpenShift- and ROSA-specific tags can be added.
      11. When the cluster is upgraded, all nodes in the machine pool retain the additional SG-IDs.
      12. When the cluster is deleted, the SG-IDs are unaltered/retained.
      13. Consistent UX support across clients: ROSA CLI, OCM UI and Terraform.
      14. OCM API for CS to support displaying/describing a cluster with additional SG-IDs; clusters without additional SG-IDs list 'None'.
      15. ROSA CLI describe command lists additional security groups on control plane nodes and infra nodes.
      16. ROSA CLI for machine pool displays the additional SG-IDs assigned.
      17. Documentation to cover the field on the Cluster Creation page, the ROSA CLI reference and the Defaults for ROSA Cluster creation pages.
      18. Release: CLI, OCM UI and OSDOCS release/publish on the same day; the Terraform release can follow on another day.
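The pre-flight checks in criteria 2, 8, 9 and 10 above, as an added illustration that is not OCM or ROSA code: the SG records stand in for a describe-security-groups response and are constructed, and the rule budget, tag limit and tag count ROSA adds are assumed values. The VPC membership check is not among the criteria but is included because an SG can only be attached to interfaces in its own VPC.

```python
# Added pre-flight validator for additional machine-pool security groups.
# Illustration only, not OCM/ROSA code; SG records and quotas are constructed.
from dataclasses import dataclass, field

MAX_ADDITIONAL_SGS = 15       # acceptance criterion 2
RULES_PER_ENI_BUDGET = 1000   # assumed: combined rule budget across SGs on one ENI
MAX_TAGS_PER_RESOURCE = 50    # assumed AWS tag limit per resource
TAGS_ADDED_BY_ROSA = 2        # assumed number of OpenShift/ROSA tags added per SG


@dataclass
class SecurityGroup:
    sg_id: str
    vpc_id: str
    rule_count: int                           # inbound + outbound rules
    tags: dict = field(default_factory=dict)


# Constructed stand-in for a describe-security-groups response.
SAMPLE_SGS = {
    "sg-0a1b2c3d4e5f60001": SecurityGroup("sg-0a1b2c3d4e5f60001", "vpc-0cluster", 12, {"team": "data"}),
    "sg-0a1b2c3d4e5f60002": SecurityGroup("sg-0a1b2c3d4e5f60002", "vpc-0other", 4),
    "sg-0a1b2c3d4e5f60003": SecurityGroup("sg-0a1b2c3d4e5f60003", "vpc-0cluster", 900),
}


def validate_additional_sgs(requested, existing, cluster_vpc, default_sg_rules):
    """Return validation errors for the requested SG IDs; an empty list passes pre-flight.

    default_sg_rules is the rule count of the worker SG ROSA already attaches, so the
    rule budget is checked across every SG the node ENI will carry (criterion 9).
    """
    errors = []
    if len(requested) > MAX_ADDITIONAL_SGS:
        errors.append(f"{len(requested)} additional SGs requested, limit is {MAX_ADDITIONAL_SGS}")
    if len(set(requested)) != len(requested):
        errors.append("duplicate security group IDs in request")
    total_rules = default_sg_rules
    for sg_id in requested:
        sg = existing.get(sg_id)
        if sg is None:                                   # criterion 8: SG must exist
            errors.append(f"{sg_id} does not exist")
            continue
        if sg.vpc_id != cluster_vpc:                     # SGs are VPC-scoped
            errors.append(f"{sg_id} is in {sg.vpc_id}, not the cluster VPC {cluster_vpc}")
        if len(sg.tags) + TAGS_ADDED_BY_ROSA > MAX_TAGS_PER_RESOURCE:   # criterion 10
            errors.append(f"{sg_id} has no room for {TAGS_ADDED_BY_ROSA} more tags")
        total_rules += sg.rule_count
    if total_rules > RULES_PER_ENI_BUDGET:               # criterion 9
        errors.append(f"{total_rules} rules across attached SGs exceeds budget {RULES_PER_ENI_BUDGET}")
    return errors
```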


              People: Balachandran Chandrasekaran, Aaren de Jong, Manuel Dewald, Guilherme Branco, Xue Li, Laura Bailey, Nir Farkas