✨ Adding second group for aws auth flow

[jaswalkiranavtar]

Summary

Adding a second group, that will be used when the spoke starts registration with aws auth type. The aws solution uses EKS access entries and an access entry cannot contain a group name with "system:" prefix. More details can be found on this slack thread.

It can’t start with system:, eks:, aws:, amazon:, or iam:.

Related issue(s)

Fixes # #514

[mikeshng]

/lgtm

Expecting test(s) to come later when we are closer to the AWS/EKS integration?

[mikeshng]

/assign @qiujian16

[jaswalkiranavtar]

/lgtm

Expecting test(s) to come later when we are closer to the AWS/EKS integration?

Yes, we will add them later when we implement hub side changes. Hopefully, this addition should not break anything existing.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.32%. Comparing base (ed367fd) to head (14795c2).
Report is 8 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #735      +/-   ##
==========================================
- Coverage   63.51%   63.32%   -0.19%     
==========================================
  Files         185      186       +1     
  Lines       17838    17912      +74     
==========================================
+ Hits        11329    11343      +14     
- Misses       5576     5634      +58     
- Partials      933      935       +2     

Flag	Coverage Δ
unit	63.32% <ø> (-0.19%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jaswalkiranavtar]

Looks like the e2e test failed because of intermittent error. Could you please re-run this build?

[mikeshng]

Looks like the e2e test failed because of intermittent error. Could you please re-run this build?

Re-running as requested.

[qiujian16]

please add some comments on the reasoning and plan for migration.

[jaswalkiranavtar]

We are adding a second group, as for aws flow we are trying to use eks access entries which doesn't allow us to allow access to group with system prefix "system".

Also based on kubernetes docs, "system" prefix is a reserved prefix for kubernetes internal usage.

The reason to add second group is to not update existing group abruptly and cause failure while upgrade existing installation to newer version of OCM. So, the plan is adding second group now to support aws flow and later in the next version, delete old group.

[jaswalkiranavtar]

Also request you to drive the migration of existing group for csr flow on your end.

[qiujian16]

cc @elgnay

[qiujian16]

something to followup:

1. add this group as org in csr.
2. update subject in csr to remove system prefix
3. update addon to remove system prefix ✨ Adding second group for aws auth flow #735

[elgnay]

LGTM

[qiujian16]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jaswalkiranavtar, mikeshng, qiujian16

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/registration/OWNERS [qiujian16]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment