diff --git a/pkg/aws/helpers.go b/pkg/aws/helpers.go
index 7c94011d1c..8cddf1a45b 100644
--- a/pkg/aws/helpers.go
+++ b/pkg/aws/helpers.go
@@ -539,7 +539,7 @@ func GetPrefixFromInstallerAccountRole(cluster *cmv1.Cluster) (string, error) {
 return GetPrefixFromAccountRole(cluster, AccountRoles[InstallerAccountRole].Name)
 }
 
-// Role names can be truncated if they are over pkg.MaxByteSize chars, so we need to make sure we aren't missing a truncated suffix
+// Role names can be truncated if they are over 64 chars, so we need to make sure we aren't missing a truncated suffix
 func TrimRoleSuffix(orig, sufix string) string {
 for i := len(sufix); i >= 0; i-- {
 if strings.HasSuffix(orig, sufix[:i]) {
diff --git a/vendor/github.com/openshift-online/ocm-common/pkg/aws/validations/iam_helpers.go b/vendor/github.com/openshift-online/ocm-common/pkg/aws/validations/iam_helpers.go
new file mode 100644
index 0000000000..24621ce394
--- /dev/null
+++ b/vendor/github.com/openshift-online/ocm-common/pkg/aws/validations/iam_helpers.go
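Review bot: The rewritten comment on TrimRoleSuffix states the limit as "64 chars", but the value it describes is the vendored `pkg.MaxByteSize` constant added in this same change, and the vendored `GetRoleName` in `iam_helpers.go` truncates on `len(name)`, i.e. bytes, not characters. Spelling the number out as a literal means the comment silently drifts the next time the constant changes and mislabels the unit. I would keep the constant discoverable from the comment: `// Role names are truncated to pkg.MaxByteSize (64) bytes by ocm-common's GetRoleName, so we need to make sure we aren't missing a truncated suffix`. TrimRoleSuffix's body continues outside the hunk, so I cannot confirm from here how the zero-length `sufix[:0]` case at the end of the loop is handled.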
@@ -0,0 +1,63 @@
+package validations
+
+import (
+ "fmt"
+ "github.com/aws/aws-sdk-go/service/iam"
+ "github.com/aws/aws-sdk-go/aws"
+ semver "github.com/hashicorp/go-version"
+ "github.com/openshift-online/ocm-common/pkg"
+)
+
+func GetRoleName(prefix string, role string) string {
+ name := fmt.Sprintf("%s-%s-Role", prefix, role)
+ if len(name) > pkg.MaxByteSize {
+ name = name[0:pkg.MaxByteSize]
+ }
+ return name
+}
+
+func IsManagedRole(roleTags []*iam.Tag) bool {
+ for _, tag := range roleTags {
+ if aws.StringValue(tag.Key) == ManagedPolicies && aws.StringValue(tag.Value) == "true" {
+ return true
+ }
+ }
+
+ return false
+}
+
+func HasCompatibleVersionTags(iamTags []*iam.Tag, version string) (bool, error) {
+ if len(iamTags) == 0 {
+ return false, nil
+ }
+
+ wantedVersion, err := semver.NewVersion(version)
+ if err != nil {
+ return false, err
+ }
+
+ for _, tag := range iamTags {
+ if aws.StringValue(tag.Key) == OpenShiftVersion {
+ if version == aws.StringValue(tag.Value) {
+ return true, nil
+ }
+
+ currentVersion, err := semver.NewVersion(aws.StringValue(tag.Value))
+ if err != nil {
+ return false, err
+ }
+ return currentVersion.GreaterThanOrEqual(wantedVersion), nil
+ }
+ }
+ return false, nil
+}
+
+func IamResourceHasTag(iamTags []*iam.Tag, tagKey string, tagValue string) bool {
+ for _, tag := range iamTags {
+ if aws.StringValue(tag.Key) == tagKey && aws.StringValue(tag.Value) == tagValue {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/vendor/github.com/openshift-online/ocm-common/pkg/aws/validations/tags.go b/vendor/github.com/openshift-online/ocm-common/pkg/aws/validations/tags.go
new file mode 100644
index 0000000000..a307708731
--- /dev/null
+++ b/vendor/github.com/openshift-online/ocm-common/pkg/aws/validations/tags.go
@@ -0,0 +1,9 @@
+package validations
+
+const prefix = "rosa_"
+
+const ManagedPolicies = prefix + "managed_policies"
+
+// OpenShiftVersion is the name of the tag that will contain
+// the version of OpenShift that the resources are used for
+const OpenShiftVersion = prefix + "openshift_version"
diff --git a/vendor/github.com/openshift-online/ocm-common/pkg/consts.go b/vendor/github.com/openshift-online/ocm-common/pkg/consts.go
new file mode 100644
index 0000000000..58feee9530
--- /dev/null
+++ b/vendor/github.com/openshift-online/ocm-common/pkg/consts.go
@@ -0,0 +1,3 @@
+package pkg
+
+const MaxByteSize = 64
diff --git a/vendor/github.com/openshift-online/ocm-common/pkg/ocm/validations/helpers.go b/vendor/github.com/openshift-online/ocm-common/pkg/ocm/validations/helpers.go
new file mode 100644
index 0000000000..0f7b33cc9a
--- /dev/null
+++ b/vendor/github.com/openshift-online/ocm-common/pkg/ocm/validations/helpers.go
@@ -0,0 +1,24 @@
+package validations
+
+import (
+ "fmt"
+ "net/url"
+ "strings"
+)
+
+func ValidateIssuerUrlMatchesAssumePolicyDocument(
+ roleArn string, parsedUrl *url.URL, assumePolicyDocument string) error {
+ issuerUrl := parsedUrl.Host
+ if parsedUrl.Path != "" {
+ issuerUrl += parsedUrl.Path
+ }
+ decodedAssumePolicyDocument, err := url.QueryUnescape(assumePolicyDocument)
+ if err != nil {
+ return err
+ }
+ if !strings.Contains(decodedAssumePolicyDocument, issuerUrl) {
+ return fmt.Errorf("Operator role '%s' does not have trusted relationship to '%s' issuer URL",
+ roleArn, issuerUrl)
+ }
+ return nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index bf3d6d7413..2cc7d3565d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -266,9 +266,12 @@ github.com/onsi/gomega/matchers/support/goraph/util
 github.com/onsi/gomega/types
 # github.com/openshift-online/ocm-common v0.0.0-20231018131954-d0be7f2dc287
 ## explicit; go 1.19
+github.com/openshift-online/ocm-common/pkg
+github.com/openshift-online/ocm-common/pkg/aws/validations
 github.com/openshift-online/ocm-common/pkg/cluster/validations
 github.com/openshift-online/ocm-common/pkg/idp/validations
 github.com/openshift-online/ocm-common/pkg/machinepool/validations
+github.com/openshift-online/ocm-common/pkg/ocm/validations
 # github.com/openshift-online/ocm-sdk-go v0.1.370
 ## explicit; go 1.16
 github.com/openshift-online/ocm-sdk-go
@@ -455,4 +458,4 @@ k8s.io/apimachinery/pkg/util/validation/field
 ## explicit; go 1.18
 k8s.io/utils/internal/third_party/forked/golang/net
 k8s.io/utils/net
-# github.com/golang/glog => github.com/kubermatic/glog-logrus v0.0.0-20180829085450-3fa5b9870d1d
\ No newline at end of file
+# github.com/golang/glog => github.com/kubermatic/glog-logrus v0.0.0-20180829085450-3fa5b9870d1d