Uploaded image for project: 'Container / Cluster Management (XCM) Strategy'
  1. Container / Cluster Management (XCM) Strategy
  2. XCMSTRAT-46

ROSA: Additional Security Group(s) during Cluster Creation (Day-1)

XMLWordPrintable

    • False
    • False
    • Green
    • 0% To Do, 0% In Progress, 100% Done
    • Hide

      Feature is GA. Waiting on BU to close the xcmstrat

       

      Overall summary for 13-Dec{}

      • OCM UI:
        • Day1 was released to Production on Dec-12, feature gate lifted ~4pm ET
        • Day2 was released weeks ago. Pending story is OCMUI-951 - fixed and released
      • oCM
        • OCM CLI
          • Available in v0.1.71
            • UX improvements - available in v0.1.72
        • TF Provider
          • Will be available in v1.5.0 (TDa ~EOD of 25th of Dec)

      Overall summary for 11-Dec{}

      • OCM UI:
        • Day1 was released to Production on Dec-7th, under a feature gate (not visible to users yet)
        • Day2 was released weeks ago. Only missing story is OCMUI-951 which is under  QE Review

      Overall summary for 04-Dec

      • OCM
        • OCM CLI
          • Available in v0.1.71
            • UX improvements will be available in v0.1.72
        • TF Provider
          • Will be available in v1.5.0 (TDB EOD of 8th of Dec)
      • QE
        • OCM CLI testing finished a ticket about description show needs to fix
        • Verifying QE opened issues around preflights
        • Terraform provider testing and automation finished with latest code, one bug OCM-5079  needs to fix
        • Trying on compatibility testing with released version now.
      • OCM UI:
        • Day 1 features will be opened within the week 
        • ROSA (worker + controlPlane + infra): going through QE, and fixing reported bugs. 
        • OSD: MR is open, but will need adjustments related to the bugs mentioned for ROSA.
      • Docs
        • UI docs for create worker machine pools and CLI clarity updates for create cluster or machine pool expected to merge Nov 27
        • UI docs for create cluster and UI and CLI docs for create infra and control plane pools expected Dec 12

      Overall summary for 22-Nov

      • OCM Backend: Done
      • ROSA CLI: Done 
        • release 1.2.28
      • OCM CLI: 
        • Going through QE review
        • Will be available in v0.1.71
      • OCM UI:
        • Will have an MR soon for ROSA classic, which also includes Infra + Control plane nodes.
        • We'll continue with OSD later
      • TF Provider
        • Going through QE review 
        • Will be available in v1.4.1
      • QE:
        • Preflight issue OCM-4631
        • Backend testing passed
        • ROSACLI testing passed
        • OCM CLI ready for testing
        • TF ready for testing
        • UI not ready for testing

      OCM update for 6-Nov

      OSD AWS / ROSA

      • OCM backend: Done
      • ROSA CLI: Done
        • Released v1.2.28
      • OCM CLI
        • Under development - not a blocker
      • TF Provider
        • Under development - current focus

      UI update Nov 2

      • Created a pre-requisite MR that adds the VPC dropdown to the ROSA classic Wizard. In Review process.
      • Currently implementing SGs - Day1 for ROSA classic for applying SGs to machine pools

      *At Risk for exiting timelines It was confirmed this week that SGs need to be applied not only to machine pools (in progress) but also to control plane and infra nodes. The UI create cluster flow for ROSA/OSD does NOT expose the concept of control plane and infra nodes so far, so adding the SG option (many to many mapping and selection) will require a major changes in the UI - assessing impact.
      Also this is NOT the recommended user experience as per the UX team. It is confusing and increases the cognitive load for a UI customer wanting to quickly create a ROSA/OSD cluster. They now have to read / understand / select advanced options like SGs which they can not change later on

      QE update for 16-Oct

      • Closed OCM-3691 for backend and rosacli
      • UI card HAC-4962 not ready for testing
      • DOC OSDOCS-7730 not ready for reviewing

      SRE update for 3-Oct

      • Hive was supported from start for day1 operations

      Docs update for 6 Nov

      • CLI-based create cluster and machinepool changes are live on docs.openshift.com, will be on access.redhat.com by EOD Nov 7
      • beginning work on UI-based docs
      Show
      Feature is GA. Waiting on BU to close the xcmstrat   Overall summary for 13-Dec { } OCM UI: Day1 was released to Production on Dec-12, feature gate lifted ~4pm ET Day2 was released weeks ago. Pending story is OCMUI-951 - fixed and released oCM OCM CLI Available in v0.1.71 UX improvements - available in v0.1.72 TF Provider Will be available in v1.5.0 (TDa ~EOD of 25th of Dec) Overall summary for 11-Dec { } OCM UI: Day1 was released to Production on Dec-7th, under a feature gate (not visible to users yet) Day2 was released weeks ago. Only missing story is OCMUI-951 which is under  QE Review Overall summary for 04-Dec OCM OCM CLI Available in v0.1.71 UX improvements will be available in v0.1.72 TF Provider Will be available in v1.5.0 (TDB EOD of 8th of Dec) QE OCM CLI testing finished a ticket about description show needs to fix Verifying QE opened issues around preflights Terraform provider testing and automation finished with latest code, one bug OCM-5079  needs to fix Trying on compatibility testing with released version now. OCM UI: Day 1 features will be opened within the week  ROSA (worker + controlPlane + infra): going through QE, and fixing reported bugs.  OSD: MR is open, but will need adjustments related to the bugs mentioned for ROSA. Docs UI docs for create worker machine pools and CLI clarity updates for create cluster or machine pool expected to merge Nov 27 UI docs for create cluster and UI and CLI docs for create infra and control plane pools expected Dec 12 Overall summary for 22-Nov OCM Backend: Done ROSA CLI: Done  release 1.2.28 OCM CLI:  Going through QE review Will be available in v0.1.71 OCM UI: Will have an MR soon for ROSA classic, which also includes Infra + Control plane nodes. We'll continue with OSD later TF Provider Going through QE review  Will be available in v1.4.1 QE: Preflight issue OCM-4631 Backend testing passed ROSACLI testing passed OCM CLI ready for testing TF ready for testing UI not ready for testing OCM update for 6-Nov OSD AWS / ROSA OCM backend: Done ROSA CLI: Done Released v1.2.28 OCM CLI Under development - not a blocker TF Provider Under development - current focus UI update Nov 2 Created a pre-requisite MR that adds the VPC dropdown to the ROSA classic Wizard. In Review process. Currently implementing SGs - Day1 for ROSA classic for applying SGs to machine pools * At Risk for exiting timelines It was confirmed this week that SGs need to be applied not only to machine pools (in progress) but also to control plane and infra nodes. The UI create cluster flow for ROSA/OSD does NOT expose the concept of control plane and infra nodes so far, so adding the SG option (many to many mapping and selection) will require a major changes in the UI - assessing impact. Also this is NOT the recommended user experience as per the UX team. It is confusing and increases the cognitive load for a UI customer wanting to quickly create a ROSA/OSD cluster. They now have to read / understand / select advanced options like SGs which they can not change later on QE update for 16-Oct Closed OCM-3691 for backend and rosacli UI card HAC-4962 not ready for testing DOC OSDOCS-7730 not ready for reviewing SRE update for 3-Oct Hive was supported from start for day1 operations Docs update for 6 Nov CLI-based create cluster and machinepool changes are live on docs.openshift.com, will be on access.redhat.com by EOD Nov 7 beginning work on UI-based docs
    • Yes
    • 0

      Feature Overview (aka. Goal Summary)  

      This feature strengthens both security and AWS integration themes of ROSA service. Developers deploying workloads in ROSA service often need to connect their workloads running inside OCP to other AWS Services or applications running in other VPCs. This feature will allow cluster administrators to assign optional additional Security Groups to control plane nodes, infra nodes, and all the worker nodes of machine pools (at machine pool granularity). Following will be parts of this feature that will be delivered separately (not necessarily in the phased/ordered way) :

      1. XCMSTRAT-46 (This): Support for creating additional Security Group IDs on day-one machine pool + Control Plane nodes + Infra nodes during ROSA Classic /OSD cluster creation
        1. Note: XCMSTRAT-374 is split from XCMSTRAT-46 to cover control Plane and Infra nodes
      2. XCMSTRAT-41: Support for creating additional Security Group IDs on day-two machine pools after ROSA Classic/OSD cluster creation
      3. XCMSTRAT-319: Support for changing machine pools to add/remove additional Security Group IDs on ROSA Classic/OSD cluster creation
      4. XCMSTRAT-320: Support for Additional Security Group IDs on ROSA HCP clusters

      Goals (aka. expected user outcomes)

      1. Improve ROSA adoption by providing an ability to optionally set additional Security Group IDs at the time of cluster creation
      2. Support for ROSA Classic and OSD on AWS cluster installations using OCP 4.14 and above

      Requirements (aka. Acceptance Criteria):

      A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

      1. Ability to set different additional security group IDs to control plane nodes, infra nodes, and day-one machine pool nodes. 
      2. Ability to apply up to 15 5 (soft limit) Security Group IDs.
      3. Ability to define additional Security Group IDs at the machine pool level and have all the worker nodes of the machine pool consistently use the SG-IDs.
      4. Support for day-one machine pool created along with the cluster. (Support for day-two machine pools are covered as part of XCMSTRAT-41)
      5. Support for clusters created with BYO-VPC. 
      6. Support for ROSA and OSD CCS on AWS Clusters (Support for HCP is covered part of XCMSTRAT-319)
      7. Support for OCP 4.14 and above.
      8. OCM CREATE API for CS (api.openshift.com) to support additional SG-IDs.
      9. OCM API for CS to support displaying/describing cluster with additional SG-IDs. Clusters that don't have additional SG-IDs to list 'None'. 
      10. During pre-flight, provided SG is validated for existence and AWS Quota.
      11. During pre-flight, number of total SG rules as per AWS quota is validated on top of total number of SGs attached.
      12. During pre-flight, the SG-ID tags are validated to ensure OpenShift and ROSA specific tags can be added.
      13. When the cluster is upgraded, all the nodes part of machine pool to retain the additional SG-IDs added.
      14. When the cluster is deleted, the SG-ID is unaltered/retained. 
      15. Consistent UX Support for clients - ROSA CLI, OCM UI and Terraform.
      16. Documentation to support the field in the Cluster Creation page, ROSA CLI reference and Defaults for ROSA Cluster creation pages.
      17. Release: CLI, OCM UI and OSDOCS to release/publish on the same day. Terraform release can follow on another day. 

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

      1. Connect from ROSA/ OSD applications running on worker machine pools to VPC resources secured by one or more security group. A most common example is to allow a deployment in ROSA service persist data in Amazon Relational Database Service (RDS) databases [1].
      2. Define NodePort services that require opening 30000-32767 port range outside the cluster in case of using external Load balancer
      3. Use Rosa machine pools in AWS Local Zones where ELBV2 (NLB, ALB) or ELB are not supported

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

      1. Does https://issues.redhat.com/browse/OCPBUGS-11524 affect delivery of this feature? This is pending discussion with node + network team
      2.  

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

      1. Creation of SG during the cluster installation 
      2. Support for ROSA/Installer-provided VPC
      3. Validation of rules in the additionalSecurity Group IDs that may or may not reference SGs from peered VPC
      4. Changing or removing default SGs created by Installer [Contains necessary rules for cluster functions, governed by Appendix 4]
      5. Day-2 and support for HCP (that are covered by other XCMSTRAT JIRAs highlighted in the overview section)

      Background

      Provide any additional context is needed to frame the feature.  Initial completion during Refinement status.

       

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

       

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  Initial completion during Refinement status.

       

      Interoperability Considerations

      Which other projects and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

       

      References:

       __  [1] Scenarios for connecting to RDS Database - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html#CHAP_CommonTasks.Connect.ScenariosForAccess 

       [2]Controlling access to RDS instance using Security Groups - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html 

            rh-ee-bchandra Balachandran Chandrasekaran
            rh-ee-adejong Aaren de Jong
            Aaren de Jong, Balachandran Chandrasekaran, Celia Amador Gonzalez, Manuel Dewald
            Guilherme Branco Guilherme Branco
            Xue Li Xue Li
            Laura Bailey Laura Bailey
            Balachandran Chandrasekaran Balachandran Chandrasekaran
            OCM-ROSA
            Nir Farkas Nir Farkas
            Votes:
            0 Vote for this issue
            Watchers:
            15 Start watching this issue

              Created:
              Updated:
              Resolved: