Expose functionality for creating Account/Operator roles and OIDC config/provider

Author: PanSpagetka

cmd/create/accountroles/cmd.go

@@ -511,6 +511,7 @@ func run(cmd *cobra.Command, argv []string) {
 
 	switch mode {
 	case interactive.ModeAuto:
+		// !!!!!!!!!!!!!!!!!!!!!!!!!!! HERE !!!!!!!!!!!
 		err = rolesCreator.createRoles(r, input)
 		if err != nil {
 			r.Reporter.Errorf("There was an error creating the account roles: %s", err)

cmd/create/accountroles/creators.go

@@ -2,6 +2,7 @@ package accountroles
 
 import (
 	"fmt"
+	"os"
 
 	common "github.com/openshift-online/ocm-common/pkg/aws/validations"
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
@@ -86,6 +87,7 @@ func (mp *managedPoliciesCreator) createRoles(r *rosa.Runtime, input *accountRol
 
 	for file, role := range aws.AccountRoles {
 		accRoleName := common.GetRoleName(input.prefix, role.Name)
+
 		assumeRolePolicy := getAssumeRolePolicy(r.Creator.Partition, file, input)
 
 		r.Reporter.Debugf("Creating role '%s'", accRoleName)
@@ -271,6 +273,7 @@ func (db *doubleRolesCreator) getAccountRolesMap() map[string]aws.AccountRole {
 func createRoleUnmanagedPolicy(r *rosa.Runtime, input *accountRolesCreationInput, accRoleName string,
 	assumeRolePolicy string, tagsList map[string]string, filename string) error {
 	r.Reporter.Debugf("Creating role '%s'", accRoleName)
+
 	roleARN, err := r.AWSClient.EnsureRole(r.Reporter, accRoleName, assumeRolePolicy, input.permissionsBoundary,
 		input.defaultPolicyVersion, tagsList, input.path, false)
 	if err != nil {
@@ -307,17 +310,45 @@ func getAssumeRolePolicy(partition string, file string, input *accountRolesCreat
 	})
 }
 
+func CreateHCPRoles(r *rosa.Runtime, prefix string, managedPolicies bool, permissionsBoundary string, env string, policies map[string]*cmv1.AWSSTSPolicy, policyVersion string, path string, isSharedVpc bool) error {
+
+	// rolesCreator, createRoles := initCreator(r, managedPolicies, createClassic, createHostedCP, isClassicValueSet, isHostedCPValueSet)
+	rolesCreator, createRoles := initCreator(r, managedPolicies, false, true, false, true)
+
+	if !createRoles {
+		os.Exit(1)
+	}
+
+	input := buildRolesCreationInput(prefix, permissionsBoundary, r.Creator.AccountID, env, policies, policyVersion, path, isSharedVpc)
+
+	// input := &accountRolesCreationInput{
+	// 	prefix:               prefix,
+	// 	permissionsBoundary:  permissionsBoundary,
+	// 	accountID:            accountID,
+	// 	env:                  env,
+	// 	policies:             policies,
+	// 	defaultPolicyVersion: defaultPolicyVersion,
+	// 	path:                 path,
+	// 	isSharedVpc:          isSharedVpc,
+	// }
+	// hcp := &hcpManagedPoliciesCreator{}
+	err := rolesCreator.createRoles(r, input)
+	return err
+}
+
 type hcpManagedPoliciesCreator struct{}
 
 func (hcp *hcpManagedPoliciesCreator) createRoles(r *rosa.Runtime, input *accountRolesCreationInput) error {
 	r.Reporter.Infof("Creating hosted CP account roles using '%s'", r.Creator.ARN)
 
 	for file, role := range aws.HCPAccountRoles {
 		accRoleName := common.GetRoleName(input.prefix, role.Name)
+
 		assumeRolePolicy := getAssumeRolePolicy(r.Creator.Partition, file, input)
 
 		r.Reporter.Debugf("Creating role '%s'", accRoleName)
 		tagsList := hcp.getRoleTags(file, input)
+
 		roleARN, err := r.AWSClient.EnsureRole(r.Reporter, accRoleName, assumeRolePolicy, input.permissionsBoundary,
 			input.defaultPolicyVersion, tagsList, input.path, true)
 		if err != nil {

cmd/create/cluster/cmd.go

@@ -41,9 +41,9 @@ import (
 
 	"github.com/openshift/rosa/cmd/create/admin"
 	"github.com/openshift/rosa/cmd/create/idp"
-	"github.com/openshift/rosa/cmd/create/oidcprovider"
 	"github.com/openshift/rosa/cmd/create/operatorroles"
 	clusterdescribe "github.com/openshift/rosa/cmd/describe/cluster"
+	"github.com/openshift/rosa/cmd/dlt/oidcprovider"
 	installLogs "github.com/openshift/rosa/cmd/logs/install"
 	"github.com/openshift/rosa/pkg/arguments"
 	"github.com/openshift/rosa/pkg/aws"
@@ -3550,7 +3550,7 @@ func run(cmd *cobra.Command, _ []string) {
 // clusterConfigFor builds the cluster spec for the OCM API from our command-line options.
 // TODO: eventually, this method signature should be func(args) ocm.Spec.
 func clusterConfigFor(
-	reporter *reporter.Object,
+	reporter reporter.Logger,
 	clusterConfig ocm.Spec,
 	awsCreator *aws.Creator,
 	awsCredentialsGetter aws.AccessKeyGetter,

cmd/create/cmd.go

@@ -33,11 +33,11 @@ import (
 	"github.com/openshift/rosa/cmd/create/network"
 	"github.com/openshift/rosa/cmd/create/ocmrole"
 	"github.com/openshift/rosa/cmd/create/oidcconfig"
-	"github.com/openshift/rosa/cmd/create/oidcprovider"
 	"github.com/openshift/rosa/cmd/create/operatorroles"
 	"github.com/openshift/rosa/cmd/create/service"
 	"github.com/openshift/rosa/cmd/create/tuningconfigs"
 	"github.com/openshift/rosa/cmd/create/userrole"
+	"github.com/openshift/rosa/cmd/dlt/oidcprovider"
 	"github.com/openshift/rosa/pkg/arguments"
 	"github.com/openshift/rosa/pkg/interactive/confirm"
 )

cmd/create/machinepool/options.go

@@ -8,7 +8,7 @@ import (
 const instanceType = "m5.xlarge"
 
 type CreateMachinepoolOptions struct {
-	reporter *reporter.Object
+	reporter reporter.Logger
 
 	args *mpOpts.CreateMachinepoolUserOptions
 }

cmd/create/network/options.go

@@ -6,7 +6,7 @@ import (
 )
 
 type Options struct {
-	reporter *reporter.Object
+	reporter reporter.Logger
 
 	args *opts.NetworkUserOptions
 }

cmd/create/oidcconfig/cmd.go

@@ -29,7 +29,7 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/zgalor/weberr"
 
-	"github.com/openshift/rosa/cmd/create/oidcprovider"
+	"github.com/openshift/rosa/cmd/dlt/oidcprovider"
 	"github.com/openshift/rosa/pkg/arguments"
 	"github.com/openshift/rosa/pkg/aws"
 	awscb "github.com/openshift/rosa/pkg/aws/commandbuilder"
@@ -316,6 +316,21 @@ func run(cmd *cobra.Command, _ []string) {
 	}
 }
 
+func CreateOIDCConfig(r *rosa.Runtime, managed bool, userPrefix, region string) (string, error) {
+	// userPrefix, region are used only for unmanaged
+	oidcConfigInput, err := oidcconfigs.BuildOidcConfigInput(userPrefix, region)
+	if err != nil {
+		return "", nil
+	}
+	if managed {
+		strategy := CreateManagedOidcConfigAutoStrategy{oidcConfigInput: &oidcConfigInput}
+		return strategy.executeNoExit(r)
+	}
+
+	strategy := CreateUnmanagedOidcConfigAutoStrategy{oidcConfig: &oidcConfigInput}
+	return strategy.executeNoExit(r)
+}
+
 type CreateOidcConfigStrategy interface {
 	execute(r *rosa.Runtime) string
 }
@@ -364,6 +379,50 @@ const (
 	jwksKey              = "keys.json"
 )
 
+func (s *CreateUnmanagedOidcConfigAutoStrategy) executeNoExit(r *rosa.Runtime) (string, error) {
+	bucketUrl := s.oidcConfig.IssuerUrl
+	bucketName := s.oidcConfig.BucketName
+	discoveryDocument := s.oidcConfig.DiscoveryDocument
+	jwks := s.oidcConfig.Jwks
+	privateKey := s.oidcConfig.PrivateKey
+	privateKeySecretName := s.oidcConfig.PrivateKeySecretName
+	installerRoleArn := args.installerRoleArn
+	err := r.AWSClient.CreateS3Bucket(bucketName, args.region)
+	if err != nil {
+		return "", fmt.Errorf("There was a problem creating S3 bucket '%s': %s", bucketName, err)
+	}
+	err = r.AWSClient.PutPublicReadObjectInS3Bucket(bucketName, strings.NewReader(discoveryDocument), discoveryDocumentKey)
+	if err != nil {
+		return "", fmt.Errorf("There was a problem populating discovery "+
+			"document to S3 bucket '%s': %s", bucketName, err)
+	}
+	err = r.AWSClient.PutPublicReadObjectInS3Bucket(bucketName, bytes.NewReader(jwks), jwksKey)
+	if err != nil {
+		return "", fmt.Errorf("There was a problem populating JWKS "+
+			"to S3 bucket '%s': %s", bucketName, err)
+	}
+	secretARN, err := r.AWSClient.CreateSecretInSecretsManager(privateKeySecretName, string(privateKey[:]))
+	if err != nil {
+		r.Reporter.Errorf("There was a problem saving private key to secrets manager: %s", err)
+	}
+	oidcConfig, err := v1.NewOidcConfig().
+		Managed(false).
+		SecretArn(secretARN).
+		IssuerUrl(bucketUrl).
+		InstallerRoleArn(installerRoleArn).
+		Build()
+	if err == nil {
+		oidcConfig, err = r.OCMClient.CreateOidcConfig(oidcConfig)
+	}
+	if err != nil {
+		return "", fmt.Errorf("There was a problem building your unmanaged OIDC Configuration %v.\n"+
+			"Please refer to documentation and try again through:\n"+
+			"\trosa register oidc-config --issuer-url %s --secret-arn %s --role-arn %s",
+			err, bucketUrl, secretARN, installerRoleArn)
+	}
+	return oidcConfig.ID(), nil
+}
+
 func (s *CreateUnmanagedOidcConfigAutoStrategy) execute(r *rosa.Runtime) string {
 	bucketUrl := s.oidcConfig.IssuerUrl
 	bucketName := s.oidcConfig.BucketName
@@ -598,6 +657,19 @@ func (s *CreateManagedOidcConfigAutoStrategy) execute(r *rosa.Runtime) string {
 	return oidcConfig.ID()
 }
 
+func (s *CreateManagedOidcConfigAutoStrategy) executeNoExit(r *rosa.Runtime) (string, error) {
+	oidcConfig, err := v1.NewOidcConfig().Managed(true).Build()
+	if err != nil {
+		return "", fmt.Errorf("There was a problem building the managed OIDC Configuration: %v", err)
+	}
+	oidcConfig, err = r.OCMClient.CreateOidcConfig(oidcConfig)
+	if err != nil {
+		return "", fmt.Errorf("There was a problem building the managed OIDC Configuration: %v", err)
+	}
+	s.oidcConfigInput.IssuerUrl = oidcConfig.IssuerUrl()
+	return oidcConfig.ID(), nil
+}
+
 func getOidcConfigStrategy(mode string, input *oidcconfigs.OidcConfigInput) (CreateOidcConfigStrategy, error) {
 	if args.rawFiles {
 		return &CreateUnmanagedOidcConfigRawStrategy{oidcConfig: input}, nil

cmd/create/oidcprovider/cmd.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package oidcprovider
+package oidcprovideru
 
 import (
 	"fmt"
@@ -228,6 +228,18 @@ func run(cmd *cobra.Command, argv []string) {
 	}
 }
 
+func CreateOIDCProvider(r *rosa.Runtime, oidcConfigId string, clusterId string, isProgrammaticallyCalled bool) error {
+	fmt.Println("CreateOIDCProvider")
+	args.oidcConfigId = oidcConfigId
+	oidcConfig, err := r.OCMClient.GetOidcConfig(oidcConfigId)
+	if err != nil {
+		r.Reporter.Errorf("There was a problem retrieving OIDC Config '%s': %v", oidcConfigId, err)
+		return err
+	}
+	oidcEndpointURL := oidcConfig.IssuerUrl()
+	return createProvider(r, oidcEndpointURL, clusterId, isProgrammaticallyCalled)
+}
+
 func createProvider(r *rosa.Runtime, oidcEndpointUrl string, clusterId string, isProgrammaticallyCalled bool) error {
 	inputBuilder := cmv1.NewOidcThumbprintInput()
 	if (isProgrammaticallyCalled || clusterId == "") && args.oidcConfigId != "" {

cmd/create/operatorroles/by_prefix.go

@@ -76,7 +76,22 @@ func handleOperatorRolesPrefixOptions(r *rosa.Runtime, cmd *cobra.Command) {
 	}
 }
 
-func handleOperatorRoleCreationByPrefix(r *rosa.Runtime, env string,
+func Knedlik(r *rosa.Runtime, env string, permissionsBoundary string, mode string, policies map[string]*cmv1.AWSSTSPolicy, defaultPolicyVersion string, isSharedVpc bool,
+	prefix string, hostedCp bool, installerRoleArn string, forcePolicyCreation bool, oidcConfigId string, sharedVpcRoleArn string, channelGroup string, vpcEndpointRoleArn string) error {
+	args.prefix = prefix
+	args.hostedCp = hostedCp
+	args.installerRoleArn = installerRoleArn
+	args.permissionsBoundary = permissionsBoundary
+	args.forcePolicyCreation = forcePolicyCreation
+	args.oidcConfigId = oidcConfigId
+	args.sharedVpcRoleArn = sharedVpcRoleArn
+	args.channelGroup = channelGroup
+	args.vpcEndpointRoleArn = vpcEndpointRoleArn
+
+	return HandleOperatorRoleCreationByPrefix(r, env, permissionsBoundary, mode, policies, defaultPolicyVersion, isSharedVpc)
+}
+
+func HandleOperatorRoleCreationByPrefix(r *rosa.Runtime, env string,
 	permissionsBoundary string, mode string,
 	policies map[string]*cmv1.AWSSTSPolicy,
 	defaultPolicyVersion string, isSharedVpc bool) error {
@@ -99,6 +114,7 @@ func handleOperatorRoleCreationByPrefix(r *rosa.Runtime, env string,
 		r.Reporter.Errorf("%s", err)
 		os.Exit(1)
 	}
+
 	path, err := aws.GetPathFromARN(installerRoleArn)
 	if err != nil {
 		r.Reporter.Errorf("Expected a valid path for '%s': %v", installerRoleArn, err)
@@ -117,16 +133,19 @@ func handleOperatorRoleCreationByPrefix(r *rosa.Runtime, env string,
 		os.Exit(1)
 	}
 	operatorRolePolicyPrefix := installerRolePrefix
+
 	credRequests, err := r.OCMClient.GetCredRequests(includeHostedCpSet)
 	if err != nil {
 		r.Reporter.Errorf("Error getting operator credential request from OCM %s", err)
 		os.Exit(1)
 	}
+
 	managedPolicies, err := r.AWSClient.HasManagedPolicies(installerRoleArn)
 	if err != nil {
 		r.Reporter.Errorf("Failed to determine if cluster has managed policies: %v", err)
 		os.Exit(1)
 	}
+
 	awsCreator, err := r.AWSClient.GetCreator()
 	if err != nil {
 		r.Reporter.Errorf("Unable to get IAM credentials: %v", err)
@@ -161,6 +180,7 @@ func handleOperatorRoleCreationByPrefix(r *rosa.Runtime, env string,
 		r.Reporter.Errorf("%v", err)
 		os.Exit(1)
 	}
+
 	err = ocm.ValidateOperatorRolesMatchOidcProvider(r.Reporter, r.AWSClient,
 		operatorRolesList, oidcConfig.IssuerUrl(), "4.0", path, managedPolicies, true)
 	if err != nil && !awserr.IsNoSuchEntityException(err) {
@@ -259,6 +279,7 @@ func convertCredRequestsOperatorRolesIntoV1OperatorIAMRole(credRequests map[stri
 
 func validateArgumentsOperatorRolesCreationByPrefix(r *rosa.Runtime, operatorRolesPrefix string,
 	oidcEndpointUrl string, installerRoleArn string) {
+	fmt.Println("validateArgumentsOperatorRolesCreationByPrefix")
 	if len(operatorRolesPrefix) == 0 {
 		r.Reporter.Errorf("Expected a prefix for the operator IAM roles")
 		os.Exit(1)
@@ -296,6 +317,7 @@ func createRolesByPrefix(r *rosa.Runtime, prefix string, permissionsBoundary str
 
 	isSharedVpc := sharedVpcRoleArn != ""
 
+	fmt.Println("createRolesByPrefix IN")
 	for credrequest, operator := range credRequests {
 		roleArn := aws.FindOperatorRoleBySTSOperator(operatorIAMRoleList, operator)
 		roleName, err := aws.GetResourceIdFromARN(roleArn)

cmd/create/operatorroles/cmd.go

@@ -371,7 +371,7 @@ func run(cmd *cobra.Command, argv []string) {
 			r.Reporter.Errorf("Error getting latest version: %s", err)
 			os.Exit(1)
 		}
-		err = handleOperatorRoleCreationByPrefix(r, env, permissionsBoundary,
+		err = HandleOperatorRoleCreationByPrefix(r, env, permissionsBoundary,
 			mode, policies, latestPolicyVersion, isHcpSharedVpc)
 		if err != nil {
 			r.Reporter.Errorf("Error creating operator roles: %s", err)

cmd/create/userrole/cmd.go

@@ -32,7 +32,7 @@ import (
 	"github.com/openshift/rosa/pkg/interactive"
 	"github.com/openshift/rosa/pkg/interactive/confirm"
 	"github.com/openshift/rosa/pkg/ocm"
-	rprtr "github.com/openshift/rosa/pkg/reporter"
+	"github.com/openshift/rosa/pkg/reporter"
 	"github.com/openshift/rosa/pkg/rosa"
 )
 
@@ -312,7 +312,7 @@ func createRoles(r *rosa.Runtime,
 	return roleARN, nil
 }
 
-func generateUserRolePolicyFiles(reporter *rprtr.Object, env string, partition string, accountID string,
+func generateUserRolePolicyFiles(reporter reporter.Logger, env string, partition string, accountID string,
 	policies map[string]*cmv1.AWSSTSPolicy) error {
 	filename := fmt.Sprintf("sts_%s_trust_policy", aws.OCMUserRolePolicyFile)
 	policyDetail := aws.GetPolicyDetails(policies, filename)

cmd/describe/ingress/options.go

@@ -11,7 +11,7 @@ type DescribeIngressUserOptions struct {
 }
 
 type DescribeIngressOptions struct {
-	reporter *reporter.Object
+	reporter reporter.Logger
 	args     DescribeIngressUserOptions
 }
 

cmd/describe/machinepool/options.go

@@ -11,7 +11,7 @@ type DescribeMachinepoolUserOptions struct {
 }
 
 type DescribeMachinepoolOptions struct {
-	reporter *reporter.Object
+	reporter reporter.Logger
 
 	args *DescribeMachinepoolUserOptions
 }

cmd/dlt/machinepool/options.go

@@ -12,7 +12,7 @@ type DeleteMachinepoolUserOptions struct {
 }
 
 type DeleteMachinepoolOptions struct {
-	reporter *reporter.Object
+	reporter reporter.Logger
 
 	args *DeleteMachinepoolUserOptions
 }

cmd/edit/machinepool/options.go

@@ -24,7 +24,7 @@ type EditMachinepoolUserOptions struct {
 }
 
 type EditMachinepoolOptions struct {
-	reporter *reporter.Object
+	reporter reporter.Logger
 
 	args *EditMachinepoolUserOptions
 }