managed-cluster-config

feat(OSD-24893): add 4.17 wif config

Open typeid opened this issue 6 months ago • 4 comments

What type of PR is this?

feature

What this PR does / why we need it?

This PR adds the GCP WIF template for 4.17.

  1. Credential request diffs:

    ./dist/osdctl_linux_amd64_v1/osdctl iampermissions diff -c gcp -b 4.16.0 -t 4.17.0-rc.0
    Downloading Credential Requests for 4.16.0
    Downloading Credential Requests for 4.17.0-rc.0
    Only in /tmp/osdctl-crs-3601789188: 0000_30_cluster-api_00_credentials-request.yaml
    Only in /tmp/osdctl-crs-1398950497: 0000_30_cluster-api_01_credentials-request.yaml
    diff /tmp/osdctl-crs-3601789188/0000_50_cluster-image-registry-operator_01-registry-credentials-request-gcs.yaml /tmp/osdctl-crs-1398950497/0000_50_cluster-image-registry-operator_01-registry-credentials-request-gcs.yaml
    29a30,32
    >     - resourcemanager.tagValueBindings.create
    >     - resourcemanager.tagValues.get
    >     - resourcemanager.tagValues.list
    diff /tmp/osdctl-crs-3601789188/0000_50_cluster-storage-operator_03_credentials_request_gcp.yaml /tmp/osdctl-crs-1398950497/0000_50_cluster-storage-operator_03_credentials_request_gcp.yaml
    21a22
    >     - roles/resourcemanager.tagUser
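Review bot: The two "Only in" lines at the top of this output show the cluster-api credentials request under different filenames in the two download directories (0000_30_cluster-api_00_credentials-request.yaml and 0000_30_cluster-api_01_credentials-request.yaml), so the tool reported each as unique and never compared their contents. Diff those two files directly and include the result here, since any permission change in that request is invisible in this output. The target is also 4.17.0-rc.0, so the comparison should be rerun once the final 4.17 credential requests are available.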
    
  2. 4.17 hive permissions

    In addition to these new permissions, hive needs the permissions documented in https://issues.redhat.com/browse/OSD-24893 for GCP PSC; this manifests in the following 3 additions:

    compute.serviceAttachments.create
    compute.serviceAttachments.delete
    compute.serviceAttachments.get
    
  3. Additional permissions found to be missing by the OCM team

    9d8
    < - compute.backendServices.list
    24,25d22
    < - compute.globalAddresses.list
    < - compute.globalForwardingRules.list
    68d64
    < - compute.regionHealthChecks.list
    91d89
    < - compute.targetTcpProxies.list
    115d112
    < - iam.serviceAccounts.signBlob
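Review bot: The "<" markers in this listing (9d8 through 115d112) read as removals, while the heading above it and the total diff against 4.16 present the same six permissions as additions. State which two files were compared and in which order, or regenerate the listing with the 4.17 template on the right-hand side so it reads as additions like the other diffs in this description.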
    

Total diffs to 4.16:

diff resources/wif/4.16/vanilla.yaml resources/wif/4.17/vanilla.yaml 
1c1
< id: v4.16
---
> id: v4.17
18a19
>           - compute.backendServices.list
32a34,35
>           - compute.globalAddresses.list
>           - compute.globalForwardingRules.list
68a72
>           - compute.regionHealthChecks.list
83a88,90
>           - compute.serviceAttachments.create
>           - compute.serviceAttachments.delete
>           - compute.serviceAttachments.get
96a104
>           - compute.targetTcpProxies.list
119a128
>           - iam.serviceAccounts.signBlob
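Review bot: iam.serviceAccounts.signBlob at 119a128 is added without a stated consumer; the description only says it was found to be missing by the OCM team. This permission lets its holder sign arbitrary data as a service account, so it deserves more scrutiny than the .list additions in the neighbouring hunks. Name the component and operation that need it in the PR description, and confirm the grant is limited to the service account that has to do the signing.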
269a279,281
>       - id: resourcemanager.tagUser
>         kind: Role
>         predefined: true
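Review bot: The resourcemanager.tagUser entry at 269a279,281 is a predefined role, so the permissions it carries are defined outside this template and do not appear in this diff, unlike the three explicit resourcemanager.tag* permissions added at 300a313,315. It mirrors the roles/resourcemanager.tagUser line in the upstream storage operator credentials request, which is fine, but a short comment in the template pointing to that request would let a later reviewer see why a whole role is granted here rather than individual permissions.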
300a313,315
>           - resourcemanager.tagValueBindings.create
>           - resourcemanager.tagValues.get
>           - resourcemanager.tagValues.list

Which Jira/Github issue(s) this PR fixes?

Fixes https://issues.redhat.com/browse/OSD-24893

Special notes for your reviewer:

Pre-checks (if applicable):

  • [ ] Tested latest changes against a cluster

  • [ ] Included documentation changes with PR

  • [ ] If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
    - key: api.openshift.com/fedramp
      operator: NotIn
      values: ["true"]
    

typeid, Aug 22 '24 14:08