diff --git a/cmd/create/accountroles/creators.go b/cmd/create/accountroles/creators.go index e8302fe956..b73873e2b9 100644 --- a/cmd/create/accountroles/creators.go +++ b/cmd/create/accountroles/creators.go @@ -8,6 +8,8 @@ import ( awscb "github.com/openshift/rosa/pkg/aws/commandbuilder" "github.com/openshift/rosa/pkg/aws/tags" "github.com/openshift/rosa/pkg/rosa" + + common "github.com/openshift-online/ocm-common/pkg/aws/validations" ) type creator interface { @@ -73,7 +75,7 @@ func (mp *managedPoliciesCreator) createRoles(r *rosa.Runtime, input *accountRol r.Reporter.Infof("Creating classic account roles using '%s'", r.Creator.ARN) for file, role := range aws.AccountRoles { - accRoleName := aws.GetRoleName(input.prefix, role.Name) + accRoleName := common.GetRoleName(input.prefix, role.Name) assumeRolePolicy := getAssumeRolePolicy(file, input) r.Reporter.Debugf("Creating role '%s'", accRoleName) @@ -117,7 +119,7 @@ func attachManagedPolicies(r *rosa.Runtime, input *accountRolesCreationInput, ro func (mp *managedPoliciesCreator) printCommands(r *rosa.Runtime, input *accountRolesCreationInput) error { commands := []string{} for file, role := range aws.AccountRoles { - accRoleName := aws.GetRoleName(input.prefix, role.Name) + accRoleName := common.GetRoleName(input.prefix, role.Name) iamTags := mp.getRoleTags(file, input) createRole := buildCreateRoleCommand(accRoleName, file, iamTags, input) @@ -143,7 +145,7 @@ func (mp *managedPoliciesCreator) printCommands(r *rosa.Runtime, input *accountR func (mp *managedPoliciesCreator) getRoleTags(roleType string, input *accountRolesCreationInput) map[string]string { tagsList := getBaseRoleTags(roleType, input) - tagsList[tags.ManagedPolicies] = tags.True + tagsList[common.ManagedPolicies] = tags.True return tagsList } 
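Review bot: In getRoleTags (last hunk) the IAM tag keys are now split across two packages — `common.ManagedPolicies` and `common.OpenShiftVersion` come from ocm-common while `tags.RolePrefix`, `tags.RoleType`, `tags.RedHatManaged` and `tags.True` stay local — and no hunk in this diff removes the old `ManagedPolicies`/`OpenShiftVersion` constants from `pkg/aws/tags`, so if they still exist callers can keep writing them. Since `common.IsManagedRole` and `ValidateAccountRoleVersionCompatibility` decide how much to trust a role from exactly these keys, any future drift between the two string values would silently classify roles as unmanaged or untagged. I'd either delete the duplicates from `pkg/aws/tags` in this commit or pin them, `const ManagedPolicies = common.ManagedPolicies`, so there is one definition. Minor style point: this file (and cmd/upgrade/accountroles) puts the new import in its own group after the project imports, whereas the other files place it in the third-party group.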
@@ -154,7 +156,7 @@ func (up *unmanagedPoliciesCreator) createRoles(r *rosa.Runtime, input *accountR r.Reporter.Infof("Creating classic account roles using '%s'", r.Creator.ARN) for file, role := range aws.AccountRoles { - accRoleName := aws.GetRoleName(input.prefix, role.Name) + accRoleName := common.GetRoleName(input.prefix, role.Name) assumeRolePolicy := getAssumeRolePolicy(file, input) tagsList := up.getRoleTags(file, input) filename := fmt.Sprintf("sts_%s_permission_policy", file) @@ -171,7 +173,7 @@ func (up *unmanagedPoliciesCreator) createRoles(r *rosa.Runtime, input *accountR func (up *unmanagedPoliciesCreator) printCommands(r *rosa.Runtime, input *accountRolesCreationInput) error { commands := []string{} for file, role := range aws.AccountRoles { - accRoleName := aws.GetRoleName(input.prefix, role.Name) + accRoleName := common.GetRoleName(input.prefix, role.Name) iamTags := up.getRoleTags(file, input) createRole := buildCreateRoleCommand(accRoleName, file, iamTags, input) @@ -277,7 +279,7 @@ func (hcp *hcpManagedPoliciesCreator) createRoles(r *rosa.Runtime, input *accoun r.Reporter.Infof("Creating hosted CP account roles using '%s'", r.Creator.ARN) for file, role := range aws.HCPAccountRoles { - accRoleName := aws.GetRoleName(input.prefix, role.Name) + accRoleName := common.GetRoleName(input.prefix, role.Name) assumeRolePolicy := getAssumeRolePolicy(file, input) r.Reporter.Debugf("Creating role '%s'", accRoleName) @@ -308,7 +310,7 @@ func (hcp *hcpManagedPoliciesCreator) createRoles(r *rosa.Runtime, input *accoun func (hcp *hcpManagedPoliciesCreator) printCommands(r *rosa.Runtime, input *accountRolesCreationInput) error { commands := []string{} for file, role := range aws.HCPAccountRoles { - accRoleName := aws.GetRoleName(input.prefix, role.Name) + accRoleName := common.GetRoleName(input.prefix, role.Name) iamTags := hcp.getRoleTags(file, input) createRole := buildCreateRoleCommand(accRoleName, file, iamTags, input) 
@@ -331,7 +333,7 @@ func (hcp *hcpManagedPoliciesCreator) printCommands(r *rosa.Runtime, input *acco func (hcp *hcpManagedPoliciesCreator) getRoleTags(roleType string, input *accountRolesCreationInput) map[string]string { tagsList := getBaseRoleTags(roleType, input) - tagsList[tags.ManagedPolicies] = tags.True + tagsList[common.ManagedPolicies] = tags.True tagsList[tags.HypershiftPolicies] = tags.True return tagsList @@ -339,10 +341,10 @@ func (hcp *hcpManagedPoliciesCreator) getRoleTags(roleType string, input *accoun func getBaseRoleTags(roleType string, input *accountRolesCreationInput) map[string]string { return map[string]string{ - tags.OpenShiftVersion: input.defaultPolicyVersion, - tags.RolePrefix: input.prefix, - tags.RoleType: roleType, - tags.RedHatManaged: tags.True, + common.OpenShiftVersion: input.defaultPolicyVersion, + tags.RolePrefix: input.prefix, + tags.RoleType: roleType, + tags.RedHatManaged: tags.True, } } diff --git a/cmd/create/machinepool/machinepool.go b/cmd/create/machinepool/machinepool.go index 2fe1b370e6..98ba0e3075 100644 --- a/cmd/create/machinepool/machinepool.go +++ b/cmd/create/machinepool/machinepool.go @@ -9,6 +9,7 @@ import ( awssdk "github.com/aws/aws-sdk-go/aws" "github.com/briandowns/spinner" + "github.com/openshift-online/ocm-common/pkg" diskValidator "github.com/openshift-online/ocm-common/pkg/machinepool/validations" cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" "github.com/openshift/rosa/pkg/helper" @@ -429,7 +430,7 @@ func addMachinePool(cmd *cobra.Command, clusterKey string, cluster *cmv1.Cluster os.Exit(1) } if spotMaxPrice != "on-demand" { - price, _ := strconv.ParseFloat(spotMaxPrice, 64) + price, _ := strconv.ParseFloat(spotMaxPrice, pkg.MaxByteSize) maxPrice = &price } 
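Review bot: `strconv.ParseFloat(spotMaxPrice, pkg.MaxByteSize)` in addMachinePool reuses a constant that everywhere else in this diff is the 64-character IAM name limit; ParseFloat's second argument is the float precision (32 or 64), so the two are unrelated and a later change to the naming constant would silently alter number parsing. Keep the literal, `price, _ := strconv.ParseFloat(spotMaxPrice, 64)`, or introduce a constant that actually names a bit size. The error is still discarded on that line, which is only safe if spotMaxPriceValidator is guaranteed to have run on the flag path as well as the interactive one — I can't confirm that from this hunk, and addMachinePool starts outside it.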
@@ -609,7 +610,7 @@ func spotMaxPriceValidator(val interface{}) error { if spotMaxPrice == "on-demand" { return nil } - price, err := strconv.ParseFloat(spotMaxPrice, 64) + price, err := strconv.ParseFloat(spotMaxPrice, pkg.MaxByteSize) if err != nil { return fmt.Errorf("Expected a numeric value for spot max price") } diff --git a/cmd/create/ocmrole/cmd.go b/cmd/create/ocmrole/cmd.go index d2c38d99cb..59b039c63c 100644 --- a/cmd/create/ocmrole/cmd.go +++ b/cmd/create/ocmrole/cmd.go @@ -32,6 +32,7 @@ import ( "github.com/openshift/rosa/pkg/ocm" "github.com/openshift/rosa/pkg/rosa" + common "github.com/openshift-online/ocm-common/pkg/aws/validations" cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" ) @@ -343,7 +344,7 @@ func buildCommands(prefix string, roleName string, rolePath string, permissionsB tags.RedHatManaged: tags.True, } if managedPolicies { - iamTags[tags.ManagedPolicies] = tags.True + iamTags[common.ManagedPolicies] = tags.True } adminTags := map[string]string{ @@ -478,7 +479,7 @@ func createRoles(r *rosa.Runtime, prefix string, roleName string, rolePath strin tags.RedHatManaged: tags.True, } if managedPolicies { - iamTags[tags.ManagedPolicies] = tags.True + iamTags[common.ManagedPolicies] = tags.True } if !exists { diff --git a/cmd/create/operatorroles/by_clusterkey.go b/cmd/create/operatorroles/by_clusterkey.go index 8f1ccdd91a..657a0da32e 100644 --- a/cmd/create/operatorroles/by_clusterkey.go +++ b/cmd/create/operatorroles/by_clusterkey.go @@ -5,6 +5,7 @@ import ( "os" "strings" + common "github.com/openshift-online/ocm-common/pkg/aws/validations" cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" "github.com/openshift/rosa/pkg/aws" awscb "github.com/openshift/rosa/pkg/aws/commandbuilder" 
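Review bot: Same concern in spotMaxPriceValidator: `pkg.MaxByteSize` names an AWS name-length limit, not a float bit size, and `strconv.ParseFloat(spotMaxPrice, 64)` is the clearer call. If a named value is wanted, a local `const float64BitSize = 64` reads correctly; tying the validator's parsing precision to an unrelated IAM limit does not, and only works because both happen to be 64 today.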
@@ -197,11 +198,11 @@ func createRoles(r *rosa.Runtime, } operatorPolicyTags := map[string]string{ - tags.OpenShiftVersion: accountRoleVersion, - tags.RolePrefix: prefix, - tags.RedHatManaged: helper.True, - tags.OperatorNamespace: operator.Namespace(), - tags.OperatorName: operator.Name(), + common.OpenShiftVersion: accountRoleVersion, + tags.RolePrefix: prefix, + tags.RedHatManaged: helper.True, + tags.OperatorNamespace: operator.Namespace(), + tags.OperatorName: operator.Name(), } if args.forcePolicyCreation || (isSharedVpc && credrequest == aws.IngressOperatorCloudCredentialsRoleType) { @@ -235,7 +236,7 @@ func createRoles(r *rosa.Runtime, tagsList[tags.ClusterID] = cluster.ID() } if managedPolicies { - tagsList[tags.ManagedPolicies] = helper.True + tagsList[common.ManagedPolicies] = helper.True } if hostedCPPolicies { tagsList[tags.HypershiftPolicies] = helper.True @@ -305,11 +306,11 @@ func buildCommands(r *rosa.Runtime, env string, policyARN = computePolicyARN(r.Creator.AccountID, prefix, operator.Namespace(), operator.Name(), path) name := aws.GetOperatorPolicyName(prefix, operator.Namespace(), operator.Name()) iamTags := map[string]string{ - tags.OpenShiftVersion: defaultPolicyVersion, - tags.RolePrefix: prefix, - tags.OperatorNamespace: operator.Namespace(), - tags.OperatorName: operator.Name(), - tags.RedHatManaged: helper.True, + common.OpenShiftVersion: defaultPolicyVersion, + tags.RolePrefix: prefix, + tags.OperatorNamespace: operator.Namespace(), + tags.OperatorName: operator.Name(), + tags.RedHatManaged: helper.True, } operatorPolicyKey := aws.GetOperatorPolicyKey(credrequest, hostedCPPolicies, isSharedVpc) fileName := fmt.Sprintf("file://%s.json", operatorPolicyKey) 
@@ -361,7 +362,7 @@ func buildCommands(r *rosa.Runtime, env string, iamTags[tags.ClusterID] = cluster.ID() } if managedPolicies { - iamTags[tags.ManagedPolicies] = helper.True + iamTags[common.ManagedPolicies] = helper.True } if hostedCPPolicies { iamTags[tags.HypershiftPolicies] = helper.True diff --git a/cmd/create/operatorroles/by_prefix.go b/cmd/create/operatorroles/by_prefix.go index 5e5c50debc..58adf55b80 100644 --- a/cmd/create/operatorroles/by_prefix.go +++ b/cmd/create/operatorroles/by_prefix.go @@ -11,6 +11,7 @@ import ( cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" "github.com/spf13/cobra" + common "github.com/openshift-online/ocm-common/pkg/aws/validations" "github.com/openshift/rosa/pkg/aws" awscb "github.com/openshift/rosa/pkg/aws/commandbuilder" "github.com/openshift/rosa/pkg/aws/tags" @@ -312,11 +313,11 @@ func createRolesByPrefix(r *rosa.Runtime, prefix string, permissionsBoundary str } operatorPolicyTags := map[string]string{ - tags.OpenShiftVersion: defaultPolicyVersion, - tags.RolePrefix: prefix, - tags.RedHatManaged: helper.True, - tags.OperatorNamespace: operator.Namespace(), - tags.OperatorName: operator.Name(), + common.OpenShiftVersion: defaultPolicyVersion, + tags.RolePrefix: prefix, + tags.RedHatManaged: helper.True, + tags.OperatorNamespace: operator.Namespace(), + tags.OperatorName: operator.Name(), } if args.forcePolicyCreation || (isSharedVpc && credrequest == aws.IngressOperatorCloudCredentialsRoleType) { @@ -348,7 +349,7 @@ func createRolesByPrefix(r *rosa.Runtime, prefix string, permissionsBoundary str tags.RedHatManaged: helper.True, } if managedPolicies { - tagsList[tags.ManagedPolicies] = helper.True + tagsList[common.ManagedPolicies] = helper.True } if hostedCPPolicies { tagsList[tags.HypershiftPolicies] = helper.True 
@@ -407,11 +408,11 @@ func buildCommandsFromPrefix(r *rosa.Runtime, env string, policyARN = computePolicyARN(r.Creator.AccountID, prefix, operator.Namespace(), operator.Name(), path) name := aws.GetOperatorPolicyName(prefix, operator.Namespace(), operator.Name()) iamTags := map[string]string{ - tags.OpenShiftVersion: defaultPolicyVersion, - tags.RolePrefix: prefix, - tags.OperatorNamespace: operator.Namespace(), - tags.OperatorName: operator.Name(), - tags.RedHatManaged: helper.True, + common.OpenShiftVersion: defaultPolicyVersion, + tags.RolePrefix: prefix, + tags.OperatorNamespace: operator.Namespace(), + tags.OperatorName: operator.Name(), + tags.RedHatManaged: helper.True, } operatorPolicyKey := aws.GetOperatorPolicyKey(credrequest, hostedCPPolicies, isSharedVpc) fileName := fmt.Sprintf("file://%s.json", operatorPolicyKey) @@ -461,7 +462,7 @@ func buildCommandsFromPrefix(r *rosa.Runtime, env string, tags.RedHatManaged: helper.True, } if managedPolicies { - iamTags[tags.ManagedPolicies] = helper.True + iamTags[common.ManagedPolicies] = helper.True } if hostedCPPolicies { iamTags[tags.HypershiftPolicies] = helper.True diff --git a/cmd/create/operatorroles/common_utils.go b/cmd/create/operatorroles/common_utils.go index 7dd8a3a2ce..881c09cbe6 100644 --- a/cmd/create/operatorroles/common_utils.go +++ b/cmd/create/operatorroles/common_utils.go @@ -3,6 +3,7 @@ package operatorroles import ( "fmt" + "github.com/openshift-online/ocm-common/pkg" "github.com/openshift/rosa/pkg/aws" "github.com/openshift/rosa/pkg/rosa" errors "github.com/zgalor/weberr" @@ -15,8 +16,8 @@ func computePolicyARN(accountID string, prefix string, namespace string, name st prefix = aws.DefaultPrefix } policy := fmt.Sprintf("%s-%s-%s", prefix, namespace, name) - if len(policy) > 64 { - policy = policy[0:64] + if len(policy) > pkg.MaxByteSize { + policy = policy[0:pkg.MaxByteSize] } if path != "" { return fmt.Sprintf("arn:%s:iam::%s:policy%s%s", aws.GetPartition(), accountID, path, policy) 
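Review bot: computePolicyARN rebuilds the policy name inline with `fmt.Sprintf("%s-%s-%s", prefix, namespace, name)` plus the 64-byte truncation, which is byte-for-byte what `aws.GetOperatorPolicyName` in pkg/aws/helpers.go does, and by_clusterkey.go calls the two side by side to produce the ARN and the name. Two copies of one derivation are a drift risk: if either changes, the ARN attached to the role stops pointing at the policy that was created. Replace the five lines with `policy := aws.GetOperatorPolicyName(prefix, namespace, name)` (`aws` is already imported here); the prefix defaulting above it, whose function signature starts outside the hunk, stays as is.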
diff --git a/cmd/edit/autoscaler/cmd.go b/cmd/edit/autoscaler/cmd.go index d03a642877..cd857970b9 100644 --- a/cmd/edit/autoscaler/cmd.go +++ b/cmd/edit/autoscaler/cmd.go @@ -23,6 +23,7 @@ import ( cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" "github.com/spf13/cobra" + "github.com/openshift-online/ocm-common/pkg" "github.com/openshift/rosa/pkg/clusterautoscaler" "github.com/openshift/rosa/pkg/interactive" "github.com/openshift/rosa/pkg/ocm" @@ -126,7 +127,7 @@ func run(cmd *cobra.Command, _ []string) { autoscalerArgs.ScaleDown.DelayAfterDelete = autoscaler.ScaleDown().DelayAfterDelete() autoscalerArgs.ScaleDown.DelayAfterFailure = autoscaler.ScaleDown().DelayAfterFailure() - utilizationThreshold, err := strconv.ParseFloat(autoscaler.ScaleDown().UtilizationThreshold(), 64) + utilizationThreshold, err := strconv.ParseFloat(autoscaler.ScaleDown().UtilizationThreshold(), pkg.MaxByteSize) if err != nil { r.Reporter.Errorf("Failed updating autoscaler configuration for cluster '%s': %s", cluster.ID(), err) diff --git a/cmd/install/addon/cmd.go b/cmd/install/addon/cmd.go index 251e790236..c512594145 100644 --- a/cmd/install/addon/cmd.go +++ b/cmd/install/addon/cmd.go @@ -29,6 +29,7 @@ import ( "github.com/spf13/cobra" errors "github.com/zgalor/weberr" + "github.com/openshift-online/ocm-common/pkg" "github.com/openshift/rosa/pkg/arguments" "github.com/openshift/rosa/pkg/aws" "github.com/openshift/rosa/pkg/aws/tags" @@ -358,8 +359,8 @@ func buildCommand( func generateRoleName(cr *cmv1.CredentialRequest, prefix string) string { roleName := fmt.Sprintf("%s-%s-%s", prefix, cr.Namespace(), cr.Name()) - if len(roleName) > 64 { - roleName = roleName[0:64] + if len(roleName) > pkg.MaxByteSize { + roleName = roleName[0:pkg.MaxByteSize] } return roleName } diff --git a/cmd/upgrade/accountroles/cmd.go b/cmd/upgrade/accountroles/cmd.go index 68e1547116..b0892b9483 100644 --- a/cmd/upgrade/accountroles/cmd.go +++ b/cmd/upgrade/accountroles/cmd.go 
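Review bot: `strconv.ParseFloat(autoscaler.ScaleDown().UtilizationThreshold(), pkg.MaxByteSize)` passes the IAM name-length constant as ParseFloat's bitSize, which is the float precision and semantically unrelated; it only parses correctly because the constant happens to equal 64. Restore `..., 64)` (or a constant whose name says "bit size"). The value comes back from the cluster API, so the `err` branch below is the right place to fail, but that path shouldn't depend on an AWS naming limit.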
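Review bot: generateRoleName in cmd/install/addon is another copy of the `prefix-namespace-name` / cut-at-64 derivation that also lives in aws.GetOperatorPolicyName, computePolicyARN and aws.ComputeOperatorRoleArn; this commit makes them share a constant but still not a helper. If the add-on role name must stay identical to what GetOperatorPolicyName produces, `return aws.GetOperatorPolicyName(prefix, cr.Namespace(), cr.Name())` (`aws` is already imported in this file) removes the copy; if it intentionally may differ, a comment saying so is warranted. Truncation also means two credential requests sharing a long prefix can map to one role name — if prefix length is not bounded elsewhere (not visible here), that collision should be checked before the role is created.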
@@ -36,6 +36,8 @@ import ( "github.com/openshift/rosa/pkg/ocm" rprtr "github.com/openshift/rosa/pkg/reporter" "github.com/openshift/rosa/pkg/rosa" + + common "github.com/openshift-online/ocm-common/pkg/aws/validations" ) var args struct { @@ -285,7 +287,7 @@ func LogError(key string, ocmClient *ocm.Client, defaultPolicyVersion string, er func upgradeAccountRolePolicies(reporter *rprtr.Object, awsClient aws.Client, prefix string, accountID string, policies map[string]*cmv1.AWSSTSPolicy, policyVersion string, policyPath string, isVersionChosen bool) error { for file, role := range aws.AccountRoles { - roleName := aws.GetRoleName(prefix, role.Name) + roleName := common.GetRoleName(prefix, role.Name) promptString := fmt.Sprintf("Upgrade the '%s' role policy latest version ?", roleName) if isVersionChosen { promptString = fmt.Sprintf("Upgrade the '%s' role policy to version '%s' ?", roleName, policyVersion) @@ -299,10 +301,10 @@ func upgradeAccountRolePolicies(reporter *rprtr.Object, awsClient aws.Client, pr policyDetails := aws.GetPolicyDetails(policies, filename) policyARN, err := awsClient.EnsurePolicy(policyARN, policyDetails, policyVersion, map[string]string{ - tags.OpenShiftVersion: policyVersion, - tags.RolePrefix: prefix, - tags.RoleType: file, - tags.RedHatManaged: "true", + common.OpenShiftVersion: policyVersion, + tags.RolePrefix: prefix, + tags.RoleType: file, + tags.RedHatManaged: "true", }, policyPath) if err != nil { return err @@ -335,7 +337,7 @@ func buildCommands(prefix string, accountID string, isUpgradeNeedForAccountRoleP commands := []string{} if isUpgradeNeedForAccountRolePolicies { for file, role := range aws.AccountRoles { - accRoleName := aws.GetRoleName(prefix, role.Name) + accRoleName := common.GetRoleName(prefix, role.Name) policyARN := aws.GetPolicyARN(accountID, accRoleName, policyPath) _, err := awsClient.IsPolicyExists(policyARN) hasPolicy := err == nil 
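Review bot: The rewritten tag map passed to EnsurePolicy in upgradeAccountRolePolicies spells the value as the literal `"true"` while the rest of this diff uses `tags.True`; `common.IsManagedRole` and `common.IamResourceHasTag` compare tag values as plain strings, so one shared constant keeps writers and readers in lock-step. Change it to `tags.RedHatManaged: tags.True`. The function containing this call starts outside the hunk.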
@@ -363,7 +365,7 @@ func buildCommands(prefix string, accountID string, isUpgradeNeedForAccountRoleP func getAccountPolicyPath(awsClient aws.Client, prefix string) (string, error) { for _, accountRole := range aws.AccountRoles { - accRoleName := aws.GetRoleName(prefix, accountRole.Name) + accRoleName := common.GetRoleName(prefix, accountRole.Name) rolePolicies, err := awsClient.GetAttachedPolicy(&accRoleName) if err != nil { return "", err diff --git a/cmd/upgrade/cluster/cmd.go b/cmd/upgrade/cluster/cmd.go index d5b72983f2..6838026303 100644 --- a/cmd/upgrade/cluster/cmd.go +++ b/cmd/upgrade/cluster/cmd.go @@ -22,6 +22,7 @@ import ( "strconv" "strings" + "github.com/openshift-online/ocm-common/pkg" cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" "github.com/openshift/rosa/cmd/upgrade/roles" "github.com/openshift/rosa/pkg/aws" @@ -548,7 +549,7 @@ func buildNodeDrainGracePeriod(r *rosa.Runtime, cmd *cobra.Command, cluster *cmv os.Exit(1) } nodeDrainParsed := strings.Split(nodeDrainGracePeriod, " ") - nodeDrainValue, err := strconv.ParseFloat(nodeDrainParsed[0], 64) + nodeDrainValue, err := strconv.ParseFloat(nodeDrainParsed[0], pkg.MaxByteSize) if err != nil { r.Reporter.Errorf("Expected a valid node drain grace period: %s", err) os.Exit(1) diff --git a/cmd/upgrade/roles/cmd.go b/cmd/upgrade/roles/cmd.go index 188175df5a..c5f2fd4678 100644 --- a/cmd/upgrade/roles/cmd.go +++ b/cmd/upgrade/roles/cmd.go @@ -27,6 +27,7 @@ import ( "github.com/spf13/cobra" "github.com/zgalor/weberr" + common "github.com/openshift-online/ocm-common/pkg/aws/validations" v1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" "github.com/openshift/rosa/pkg/aws" awscb "github.com/openshift/rosa/pkg/aws/commandbuilder" 
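Review bot: `strconv.ParseFloat(nodeDrainParsed[0], pkg.MaxByteSize)` in buildNodeDrainGracePeriod is the fourth place this diff feeds an IAM name-length constant into ParseFloat's bitSize; the literal `64` was correct and self-describing, and importing a package literally named `pkg` for it adds a dependency without improving clarity. Restore `strconv.ParseFloat(nodeDrainParsed[0], 64)`. `nodeDrainParsed[0]` is safe (`strings.Split` always yields at least one element), but the unit in `nodeDrainParsed[1]` is validated outside this hunk, if at all — worth a glance while touching the line.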
@@ -588,10 +589,10 @@ func upgradeAccountRolePoliciesFromCluster( policyDetails := aws.GetPolicyDetails(policies, filename) policyARN, err = awsClient.EnsurePolicy(policyARN, policyDetails, policyVersion, map[string]string{ - tags.OpenShiftVersion: policyVersion, - tags.RolePrefix: prefix, - tags.RoleType: file, - tags.RedHatManaged: "true", + common.OpenShiftVersion: policyVersion, + tags.RolePrefix: prefix, + tags.RoleType: file, + tags.RedHatManaged: "true", }, accountPolicyPath) if err != nil { return err @@ -835,10 +836,10 @@ func upgradeOperatorRolePoliciesFromCluster( } policyARN, err = awsClient.EnsurePolicy(policyARN, policyDetails, defaultPolicyVersion, map[string]string{ - tags.OpenShiftVersion: defaultPolicyVersion, - tags.RolePrefix: operatorRolePolicyPrefix, - tags.OperatorNamespace: operator.Namespace(), - tags.OperatorName: operator.Name(), + common.OpenShiftVersion: defaultPolicyVersion, + tags.RolePrefix: operatorRolePolicyPrefix, + tags.OperatorNamespace: operator.Namespace(), + tags.OperatorName: operator.Name(), }, operatorPolicyPath) if err != nil { return err diff --git a/pkg/aws/client.go b/pkg/aws/client.go index 1f9b1854f1..bfe940a90e 100644 --- a/pkg/aws/client.go +++ b/pkg/aws/client.go @@ -127,7 +127,6 @@ type Client interface { ListOperatorRoles(version string, clusterID string) (map[string][]OperatorRoleDetail, error) ListOidcProviders(targetClusterId string) ([]OidcProviderOutput, error) GetRoleByARN(roleARN string) (*iam.Role, error) - HasCompatibleVersionTags(iamTags []*iam.Tag, version string) (bool, error) DeleteOperatorRole(roles string, managedPolicies bool) error GetOperatorRolesFromAccountByClusterID(clusterID string, credRequests map[string]*cmv1.STSOperator) ([]string, error) GetOperatorRolesFromAccountByPrefix(prefix string, credRequest map[string]*cmv1.STSOperator) ([]string, error) diff --git a/pkg/aws/client_test.go b/pkg/aws/client_test.go index 1b5a939eb3..08b7fbaacb 100644 --- a/pkg/aws/client_test.go 
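Review bot: Dropping `HasCompatibleVersionTags` from the Client interface changes the mock in pkg/aws/mocks (client_test.go imports it), yet no regenerated mock appears in this diff; if that mock is produced by mockgen it should be regenerated in the same commit, otherwise the stale method is harmless but misleading. Also confirm no caller outside pkg/aws reached the method through the interface — the replacement `common.HasCompatibleVersionTags` is a free function, so such callers need the ocm-common import rather than the client.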
+++ b/pkg/aws/client_test.go @@ -15,6 +15,7 @@ import ( . "github.com/onsi/gomega" "github.com/sirupsen/logrus" + common "github.com/openshift-online/ocm-common/pkg/aws/validations" "github.com/openshift/rosa/pkg/aws" "github.com/openshift/rosa/pkg/aws/mocks" rosaTags "github.com/openshift/rosa/pkg/aws/tags" @@ -207,7 +208,7 @@ var _ = Describe("Client", func() { var testArn = "arn:aws:iam::765374464689:role/test-Installer-Role" var testName = "test-Installer-Role" var tags = []*iam.Tag{ - {Key: awsSdk.String(rosaTags.ManagedPolicies), Value: awsSdk.String(rosaTags.True)}, + {Key: awsSdk.String(common.ManagedPolicies), Value: awsSdk.String(rosaTags.True)}, {Key: awsSdk.String(rosaTags.RoleType), Value: awsSdk.String(aws.InstallerAccountRole)}, } diff --git a/pkg/aws/commandbuilder/helper/roles/roles.go b/pkg/aws/commandbuilder/helper/roles/roles.go index a68681a1c6..90c3ede951 100644 --- a/pkg/aws/commandbuilder/helper/roles/roles.go +++ b/pkg/aws/commandbuilder/helper/roles/roles.go @@ -3,6 +3,7 @@ package roles import ( "fmt" + common "github.com/openshift-online/ocm-common/pkg/aws/validations" cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" awscb "github.com/openshift/rosa/pkg/aws/commandbuilder" "github.com/openshift/rosa/pkg/aws/tags" @@ -29,7 +30,7 @@ func ManualCommandsForMissingOperatorRole(input ManualCommandsForMissingOperator tags.RedHatManaged: "true", } if input.ManagedPolicies { - iamTags[tags.ManagedPolicies] = "true" + iamTags[common.ManagedPolicies] = "true" } createRole := awscb.NewIAMCommandBuilder(). 
@@ -66,11 +67,11 @@ func ManualCommandsForUpgradeOperatorRolePolicy(input ManualCommandsForUpgradeOp commands := make([]string, 0) if !input.HasPolicy { iamTags := map[string]string{ - tags.OpenShiftVersion: input.DefaultPolicyVersion, - tags.RolePrefix: input.OperatorRolePolicyPrefix, - tags.OperatorNamespace: input.Operator.Namespace(), - tags.OperatorName: input.Operator.Name(), - tags.RedHatManaged: "true", + common.OpenShiftVersion: input.DefaultPolicyVersion, + tags.RolePrefix: input.OperatorRolePolicyPrefix, + tags.OperatorNamespace: input.Operator.Namespace(), + tags.OperatorName: input.Operator.Name(), + tags.RedHatManaged: "true", } createPolicy := awscb.NewIAMCommandBuilder(). SetCommand(awscb.CreatePolicy). @@ -90,7 +91,7 @@ func ManualCommandsForUpgradeOperatorRolePolicy(input ManualCommandsForUpgradeOp commands = append(commands, attachRolePolicy) } policyTags := map[string]string{ - tags.OpenShiftVersion: input.DefaultPolicyVersion, + common.OpenShiftVersion: input.DefaultPolicyVersion, } createPolicyVersion := awscb.NewIAMCommandBuilder(). @@ -126,7 +127,7 @@ type ManualCommandsForUpgradeAccountRolePolicyInput struct { func ManualCommandsForUpgradeAccountRolePolicy(input ManualCommandsForUpgradeAccountRolePolicyInput) []string { commands := make([]string, 0) iamRoleTags := map[string]string{ - tags.OpenShiftVersion: input.DefaultPolicyVersion, + common.OpenShiftVersion: input.DefaultPolicyVersion, } tagRole := awscb.NewIAMCommandBuilder(). 
@@ -142,10 +143,10 @@ func ManualCommandsForUpgradeAccountRolePolicy(input ManualCommandsForUpgradeAcc Build() if !input.HasPolicy { iamTags := map[string]string{ - tags.OpenShiftVersion: input.DefaultPolicyVersion, - tags.RolePrefix: input.Prefix, - tags.RoleType: input.File, - tags.RedHatManaged: "true", + common.OpenShiftVersion: input.DefaultPolicyVersion, + tags.RolePrefix: input.Prefix, + tags.RoleType: input.File, + tags.RedHatManaged: "true", } createPolicy := awscb.NewIAMCommandBuilder(). SetCommand(awscb.CreatePolicy). diff --git a/pkg/aws/helpers.go b/pkg/aws/helpers.go index d86bbd9475..7c94011d1c 100644 --- a/pkg/aws/helpers.go +++ b/pkg/aws/helpers.go @@ -21,6 +21,8 @@ import ( cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" awscb "github.com/openshift/rosa/pkg/aws/commandbuilder" + "github.com/openshift-online/ocm-common/pkg" + common "github.com/openshift-online/ocm-common/pkg/aws/validations" "github.com/openshift/rosa/pkg/arguments" "github.com/openshift/rosa/pkg/aws/tags" "github.com/openshift/rosa/pkg/constants" 
@@ -406,41 +408,33 @@ func GetTagValues(tagsValue []*iam.Tag) (roleType string, version string) { switch aws.StringValue(tag.Key) { case tags.RoleType: roleType = aws.StringValue(tag.Value) - case tags.OpenShiftVersion: + case common.OpenShiftVersion: version = aws.StringValue(tag.Value) } } return } -func GetRoleName(prefix string, role string) string { - name := fmt.Sprintf("%s-%s-Role", prefix, role) - if len(name) > 64 { - name = name[0:64] - } - return name -} - func GetOCMRoleName(prefix string, role string, postfix string) string { name := fmt.Sprintf("%s-%s-Role-%s", prefix, role, postfix) - if len(name) > 64 { - name = name[0:64] + if len(name) > pkg.MaxByteSize { + name = name[0:pkg.MaxByteSize] } return name } func GetUserRoleName(prefix string, role string, userName string) string { name := fmt.Sprintf("%s-%s-%s-Role", prefix, role, userName) - if len(name) > 64 { - name = name[0:64] + if len(name) > pkg.MaxByteSize { + name = name[0:pkg.MaxByteSize] } return name } func GetOperatorPolicyName(prefix string, namespace string, name string) string { policy := fmt.Sprintf("%s-%s-%s", prefix, namespace, name) - if len(policy) > 64 { - policy = policy[0:64] + if len(policy) > pkg.MaxByteSize { + policy = policy[0:pkg.MaxByteSize] } return policy } @@ -545,7 +539,7 @@ func GetPrefixFromInstallerAccountRole(cluster *cmv1.Cluster) (string, error) { return GetPrefixFromAccountRole(cluster, AccountRoles[InstallerAccountRole].Name) } -// Role names can be truncated if they are over 64 chars, so we need to make sure we aren't missing a truncated suffix +// Role names can be truncated if they are over pkg.MaxByteSize chars, so we need to make sure we aren't missing a truncated suffix func TrimRoleSuffix(orig, sufix string) string { for i := len(sufix); i >= 0; i-- { if strings.HasSuffix(orig, sufix[:i]) { 
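Review bot: Removing the local GetRoleName makes every account-role lookup (`GetAccountRoleARN`, `checkIfAccountRole`, the upgrade paths) depend on `common.GetRoleName` reproducing exactly `fmt.Sprintf("%s-%s-Role", prefix, role)` truncated to 64 bytes; nothing in this diff pins that, and a different separator or truncation rule would mean existing roles are no longer found and new ones get created beside them. Add a regression test in pkg/aws, e.g. `Expect(common.GetRoleName("p", "Installer")).To(Equal("p-Installer-Role"))` plus a >64-character input asserting the 64-byte cut. The updated TrimRoleSuffix comment in the following hunk should also state the actual limit rather than only an identifier, e.g. `// Role names are truncated at 64 chars (pkg.MaxByteSize), so we need to make sure we aren't missing a truncated suffix`.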
@@ -724,11 +718,11 @@ func BuildOperatorRolePolicies(prefix string, accountID string, awsClient Client if err != nil { name := GetOperatorPolicyName(prefix, operator.Namespace(), operator.Name()) iamTags := map[string]string{ - tags.OpenShiftVersion: defaultPolicyVersion, - tags.RolePrefix: prefix, - tags.OperatorNamespace: operator.Namespace(), - tags.OperatorName: operator.Name(), - tags.RedHatManaged: "true", + common.OpenShiftVersion: defaultPolicyVersion, + tags.RolePrefix: prefix, + tags.OperatorNamespace: operator.Namespace(), + tags.OperatorName: operator.Name(), + tags.RedHatManaged: "true", } createPolicy := awscb.NewIAMCommandBuilder(). SetCommand(awscb.CreatePolicy). @@ -739,7 +733,7 @@ func BuildOperatorRolePolicies(prefix string, accountID string, awsClient Client commands = append(commands, createPolicy) } else { policyTags := map[string]string{ - tags.OpenShiftVersion: defaultPolicyVersion, + common.OpenShiftVersion: defaultPolicyVersion, } createPolicy := awscb.NewIAMCommandBuilder(). @@ -802,10 +796,10 @@ func UpgradeOperatorRolePolicies( } policyARN, err := awsClient.EnsurePolicy(policyARN, policyDetails, defaultPolicyVersion, map[string]string{ - tags.OpenShiftVersion: defaultPolicyVersion, - tags.RolePrefix: prefix, - tags.OperatorNamespace: operator.Namespace(), - tags.OperatorName: operator.Name(), + common.OpenShiftVersion: defaultPolicyVersion, + tags.RolePrefix: prefix, + tags.OperatorNamespace: operator.Namespace(), + tags.OperatorName: operator.Name(), }, path) if err != nil { return err 
@@ -982,8 +976,8 @@ func GetAccountRolePolicyKeys(roleType string) []string { func ComputeOperatorRoleArn(prefix string, operator *cmv1.STSOperator, creator *Creator, path string) string { role := fmt.Sprintf("%s-%s-%s", prefix, operator.Namespace(), operator.Name()) - if len(role) > 64 { - role = role[0:64] + if len(role) > pkg.MaxByteSize { + role = role[0:pkg.MaxByteSize] } str := fmt.Sprintf("arn:%s:iam::%s:role", GetPartition(), creator.AccountID) if path != "" { diff --git a/pkg/aws/policies.go b/pkg/aws/policies.go index b78cb480b8..51c346a3b5 100644 --- a/pkg/aws/policies.go +++ b/pkg/aws/policies.go @@ -29,6 +29,7 @@ import ( cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1" errors "github.com/zgalor/weberr" + common "github.com/openshift-online/ocm-common/pkg/aws/validations" "github.com/openshift/rosa/pkg/aws/tags" "github.com/openshift/rosa/pkg/helper" ) @@ -157,7 +158,7 @@ func (c *awsClient) EnsureRole(name string, policy string, permissionsBoundary s } } - if managedPolicies && !c.isManagedRole(output.Role.Tags) { + if managedPolicies && !common.IsManagedRole(output.Role.Tags) { return "", fmt.Errorf("Role '%s' with unmanaged policies already exists", *output.Role.Arn) } @@ -270,16 +271,6 @@ func (c *awsClient) createRole(name string, policy string, permissionsBoundary s return aws.StringValue(output.Role.Arn), nil } -func (c *awsClient) isManagedRole(roleTags []*iam.Tag) bool { - for _, tag := range roleTags { - if aws.StringValue(tag.Key) == tags.ManagedPolicies && aws.StringValue(tag.Value) == "true" { - return true - } - } - - return false -} - func (c *awsClient) isRoleCompatible(name string, version string) (bool, error) { // Ignore if there is no version if version == "" { 
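Review bot: ComputeOperatorRoleArn still derives the role name by slicing `role[0:pkg.MaxByteSize]`, and the same `prefix-namespace-name` truncation now appears in GetOperatorPolicyName, computePolicyARN and generateRoleName. With a long prefix, two operators whose names share the first 64 bytes collapse to one role name, so the second operator's role is looked up on — and presumably its trust policy applied to — the first's; if the prefix is length-validated elsewhere that cannot happen, but the bound isn't visible here and a comment recording it would help: `// prefix length is bounded by the operator-role prefix validator, so this truncation cannot merge two operators`. Routing all four sites through one helper would also keep the role name and the policy name from drifting apart.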
@@ -427,30 +418,7 @@ func (c *awsClient) IsPolicyCompatible(policyArn string, version string) (bool, return false, err } - return c.HasCompatibleVersionTags(output.Tags, version) -} - -func (c *awsClient) HasCompatibleVersionTags(iamTags []*iam.Tag, version string) (bool, error) { - if len(iamTags) == 0 { - return false, nil - } - for _, tag := range iamTags { - if aws.StringValue(tag.Key) == tags.OpenShiftVersion { - if version == aws.StringValue(tag.Value) { - return true, nil - } - wantedVersion, err := semver.NewVersion(version) - if err != nil { - return false, err - } - currentVersion, err := semver.NewVersion(aws.StringValue(tag.Value)) - if err != nil { - return false, err - } - return currentVersion.GreaterThanOrEqual(wantedVersion), nil - } - } - return false, nil + return common.HasCompatibleVersionTags(output.Tags, version) } func (c *awsClient) hasCompatibleMajorMinorVersionTags(iamTags []*iam.Tag, version string) (bool, error) { @@ -458,7 +426,7 @@ func (c *awsClient) hasCompatibleMajorMinorVersionTags(iamTags []*iam.Tag, versi return false, nil } for _, tag := range iamTags { - if aws.StringValue(tag.Key) == tags.OpenShiftVersion { + if aws.StringValue(tag.Key) == common.OpenShiftVersion { if version == aws.StringValue(tag.Value) { return true, nil } @@ -538,10 +506,10 @@ func (c *awsClient) ValidateAccountRoleVersionCompatibility( skip = true break } - case tags.OpenShiftVersion: + case common.OpenShiftVersion: isTagged = true - if tags.IamResourceHasTag(listRoleTagsOutput.Tags, tags.ManagedPolicies, tags.True) { + if common.IamResourceHasTag(listRoleTagsOutput.Tags, common.ManagedPolicies, tags.True) { // Managed policies will be up-to-date no need to check version tags break } @@ -615,7 +583,7 @@ func (c *awsClient) FindPolicyARN(operator Operator, version string) (string, er skip = true break } - case tags.OpenShiftVersion: + case common.OpenShiftVersion: isTagged = true if tagValue != version { skip = true 
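Review bot: IsPolicyCompatible now returns whatever `common.HasCompatibleVersionTags` decides, while the deleted local version had three explicit behaviours: an empty tag list is incompatible, an exact tag match is compatible, otherwise semver `current >= wanted` with parse errors surfaced to the caller. None of that is pinned by a test in this diff, and if the shared implementation differs (say, treats an untagged policy as compatible or swallows the parse error), `rosa upgrade roles` would skip policies that need upgrading. I'd add a unit test on IsPolicyCompatible covering those three cases, and confirm `semver` is still used by hasCompatibleMajorMinorVersionTags so the import doesn't become dead.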
@@ -655,7 +623,7 @@ func (c *awsClient) IsUserRole(roleName *string) (bool, error) { return false, err } - return tags.IamResourceHasTag(roleTags.Tags, tags.RoleType, OCMUserRole), nil + return common.IamResourceHasTag(roleTags.Tags, tags.RoleType, OCMUserRole), nil } return false, nil @@ -705,12 +673,12 @@ func (c *awsClient) ListOCMRoles() ([]Role, error) { if err != nil { return nil, err } - if tags.IamResourceHasTag(roleTags.Tags, tags.AdminRole, tags.True) { + if common.IamResourceHasTag(roleTags.Tags, tags.AdminRole, tags.True) { ocmRole.Admin = "Yes" } else { ocmRole.Admin = "No" } - if tags.IamResourceHasTag(roleTags.Tags, tags.ManagedPolicies, tags.True) { + if common.IamResourceHasTag(roleTags.Tags, common.ManagedPolicies, tags.True) { ocmRole.ManagedPolicy = true } @@ -787,14 +755,14 @@ func (c *awsClient) mapToAccountRole(version string, role *iam.Role) (*Role, err case tags.RoleType: isTagged = true accountRole.RoleType = roleTypeMap[aws.StringValue(tag.Value)] - case tags.OpenShiftVersion: + case common.OpenShiftVersion: tagValue := aws.StringValue(tag.Value) if version != "" && tagValue != version { return nil, nil } isTagged = true accountRole.Version = tagValue - case tags.ManagedPolicies: + case common.ManagedPolicies: if aws.StringValue(tag.Value) == tags.True { accountRole.ManagedPolicy = true } @@ -868,7 +836,7 @@ func (c *awsClient) ListOperatorRoles(version string, targetClusterId string) (m skip := false for _, tag := range listRoleTagsOutput.Tags { switch aws.StringValue(tag.Key) { - case tags.ManagedPolicies: + case common.ManagedPolicies: if aws.StringValue(tag.Value) == tags.True { operatorRole.ManagedPolicy = true } 
@@ -922,7 +890,7 @@ func (c *awsClient) ListOperatorRoles(version string, targetClusterId string) (m
 skip := false
 for _, tag := range listPolicyTagsOutput.Tags {
 switch aws.StringValue(tag.Key) {
- case tags.OpenShiftVersion:
+ case common.OpenShiftVersion:
 tagValue := aws.StringValue(tag.Value)
 if version != "" && tagValue != version {
 skip = true
@@ -956,7 +924,7 @@ func (c *awsClient) ListOperatorRoles(version string, targetClusterId string) (m
 // Check if it is one of the ROSA account roles
 func checkIfAccountRole(roleName *string) bool {
 for _, prefix := range AccountRoles {
- if strings.Contains(aws.StringValue(roleName), GetRoleName("", prefix.Name)) {
+ if strings.Contains(aws.StringValue(roleName), common.GetRoleName("", prefix.Name)) {
 return true
 }
 }
@@ -1668,7 +1636,7 @@ func (c *awsClient) HasHostedCPPolicies(roleARN string) (bool, error) {
 return false, err
 }
- return tags.IamResourceHasTag(role.Tags, tags.HypershiftPolicies, tags.True), nil
+ return common.IamResourceHasTag(role.Tags, tags.HypershiftPolicies, tags.True), nil
 }
 func (c *awsClient) HasManagedPolicies(roleARN string) (bool, error) {
@@ -1681,7 +1649,7 @@ func (c *awsClient) HasManagedPolicies(roleARN string) (bool, error) {
 return false, err
 }
- return c.isManagedRole(role.Tags), nil
+ return common.IsManagedRole(role.Tags), nil
 }
 func (c *awsClient) IsUpgradedNeededForAccountRolePoliciesUsingCluster(
@@ -1707,7 +1675,7 @@ func (c *awsClient) IsUpgradedNeededForAccountRolePoliciesUsingCluster(
 }
 func (c *awsClient) UpdateTag(roleName string, defaultPolicyVersion string) error {
- return c.AddRoleTag(roleName, tags.OpenShiftVersion, defaultPolicyVersion)
+ return c.AddRoleTag(roleName, common.OpenShiftVersion, defaultPolicyVersion)
 }
 func (c *awsClient) AddRoleTag(roleName string, key string, value string) error {
@@ -1883,7 +1851,7 @@ func (c *awsClient) IsAdminRole(roleName string) (bool, error) {
 func (c *awsClient) GetAccountRoleARN(prefix string, roleType string) (string, error) {
 output, err := c.iamClient.GetRole(&iam.GetRoleInput{
- RoleName: aws.String(GetRoleName(prefix, roleType)),
+ RoleName: aws.String(common.GetRoleName(prefix, roleType)),
 })
 if err != nil {
 if awsErr, ok := err.(awserr.Error); ok {
@@ -1919,7 +1887,7 @@ func (c *awsClient) ValidateOperatorRolesManagedPolicies(cluster *cmv1.Cluster,
 func (c *awsClient) ValidateAccountRolesManagedPolicies(prefix string, policies map[string]*cmv1.AWSSTSPolicy) error {
 for roleType, accountRole := range AccountRoles {
- roleName := GetRoleName(prefix, accountRole.Name)
+ roleName := common.GetRoleName(prefix, accountRole.Name)
 policyKeys := GetAccountRolePolicyKeys(roleType)
 for _, policyKey := range policyKeys {
@@ -1936,7 +1904,7 @@ func (c *awsClient) ValidateAccountRolesManagedPolicies(prefix string, policies
 func (c *awsClient) ValidateHCPAccountRolesManagedPolicies(prefix string, policies map[string]*cmv1.AWSSTSPolicy) error {
 for roleType, accountRole := range HCPAccountRoles {
- roleName := GetRoleName(prefix, accountRole.Name)
+ roleName := common.GetRoleName(prefix, accountRole.Name)
 policyKey := fmt.Sprintf("sts_hcp_%s_permission_policy", roleType)
 err := c.validateManagedPolicy(policies, policyKey, roleName)
diff --git a/pkg/aws/sts.go b/pkg/aws/sts.go
index b84decd59b..e906f4b73a 100644
--- a/pkg/aws/sts.go
+++ b/pkg/aws/sts.go
@@ -24,6 +24,7 @@ import (
 "github.com/aws/aws-sdk-go/aws/arn"
 "github.com/aws/aws-sdk-go/aws/awserr"
 "github.com/aws/aws-sdk-go/service/iam"
+ common "github.com/openshift-online/ocm-common/pkg/aws/validations"
 cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 awscbRoles "github.com/openshift/rosa/pkg/aws/commandbuilder/helper/roles"
 "github.com/openshift/rosa/pkg/aws/tags"
@@ -155,11 +156,11 @@ func UpgradeOperatorPolicies(reporter *rprtr.Object, awsClient Client, accountID
 policy := policies[filename]
 policyARN, err := awsClient.EnsurePolicy(policyARN, policy, defaultPolicyVersion, map[string]string{
- tags.OpenShiftVersion: defaultPolicyVersion,
- tags.RolePrefix: prefix,
- tags.RedHatManaged: "true",
- tags.OperatorNamespace: operator.Namespace(),
- tags.OperatorName: operator.Name(),
+ common.OpenShiftVersion: defaultPolicyVersion,
+ tags.RolePrefix: prefix,
+ tags.RedHatManaged: "true",
+ tags.OperatorNamespace: operator.Namespace(),
+ tags.OperatorName: operator.Name(),
 }, "")
 if err != nil {
 return err
diff --git a/pkg/aws/tags/tags.go b/pkg/aws/tags/tags.go
index 39229b4d5a..fe204755cd 100644
--- a/pkg/aws/tags/tags.go
+++ b/pkg/aws/tags/tags.go
@@ -31,10 +31,6 @@ const ClusterID = prefix + "cluster_id"
 // ClusterID is the name of the tag that will contain the identifier of the cluster.
 const ClusterRegion = prefix + "region"
-// OpenShiftVersion is the name of the tag that will contain
-// the version of OpenShift that the resources are used for
-const OpenShiftVersion = prefix + "openshift_version"
-
 // RoleType is the name of the tag that will contain the purpose of the role (installer, support, etc.)
 const RoleType = prefix + "role_type"
@@ -50,8 +46,6 @@ const AdminRole = prefix + "admin_role"
 // RedHatManaged tags the role as red_hat_managed
 const RedHatManaged = "red-hat-managed"
-const ManagedPolicies = prefix + "managed_policies"
-
 const HypershiftPolicies = prefix + "hcp_policies"
 const OperatorNamespace = "operator_namespace"
diff --git a/pkg/aws/tags/utils.go b/pkg/aws/tags/utils.go
index 2dcabcbb3d..71364b3dd0 100644
--- a/pkg/aws/tags/utils.go
+++ b/pkg/aws/tags/utils.go
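Review bot: The version tag written onto every operator policy by `EnsurePolicy` now uses `common.OpenShiftVersion`, while the local definition `prefix + "openshift_version"` is deleted in the tags.go hunk below, and nothing in the change asserts that the two strings are equal. Every reader of that tag (`IsPolicyCompatible`, `ValidateAccountRoleVersionCompatibility`, `FindPolicyARN`, `mapToAccountRole`) is switched to the new constant in the same commit, so policies and roles tagged by earlier releases would be treated as untagged, and fail or skip version validation, if the value in ocm-common differs by so much as the prefix. A small test pinning both constants, e.g. `Expect(common.OpenShiftVersion).To(Equal("<OLD_VALUE_PLACEHOLDER>"))` and likewise for `common.ManagedPolicies`, would make that a build-time check; the old values are only visible here as `prefix + "openshift_version"` and `prefix + "managed_policies"`, with `prefix` defined outside the hunk. `UpgradeOperatorPolicies` starts and ends outside the hunk.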
@@ -3,19 +3,8 @@ package tags
 import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/service/ec2"
- "github.com/aws/aws-sdk-go/service/iam"
 )
-func IamResourceHasTag(iamTags []*iam.Tag, tagKey string, tagValue string) bool {
- for _, tag := range iamTags {
- if aws.StringValue(tag.Key) == tagKey && aws.StringValue(tag.Value) == tagValue {
- return true
- }
- }
-
- return false
-}
-
 func Ec2ResourceHasTag(ec2Tags []*ec2.Tag, tagKey string, tagValue string) bool {
 for _, tag := range ec2Tags {
 if aws.StringValue(tag.Key) == tagKey && aws.StringValue(tag.Value) == tagValue {
diff --git a/pkg/helper/roles/helpers.go b/pkg/helper/roles/helpers.go
index 2d819fb120..ffb1fa47db 100644
--- a/pkg/helper/roles/helpers.go
+++ b/pkg/helper/roles/helpers.go
@@ -5,6 +5,8 @@ import (
 "os"
 "time"
+ "github.com/openshift-online/ocm-common/pkg"
+ common "github.com/openshift-online/ocm-common/pkg/aws/validations"
 cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 "github.com/openshift/rosa/pkg/aws"
 awscb "github.com/openshift/rosa/pkg/aws/commandbuilder"
@@ -23,8 +25,8 @@ const (
 func GetOperatorRoleName(cluster *cmv1.Cluster, missingOperator *cmv1.STSOperator) string {
 rolePrefix := cluster.AWS().STS().OperatorRolePrefix()
 role := fmt.Sprintf("%s-%s-%s", rolePrefix, missingOperator.Namespace(), missingOperator.Name())
- if len(role) > 64 {
- role = role[0:64]
+ if len(role) > pkg.MaxByteSize {
+ role = role[0:pkg.MaxByteSize]
 }
 return role
 }
@@ -114,7 +116,7 @@ func ValidateUnmanagedAccountRoles(roleARNs []string, awsClient aws.Client, vers
 return fmt.Errorf("Could not get Role '%s' : %v", ARN, err)
 }
- validVersion, err := awsClient.HasCompatibleVersionTags(role.Tags, ocm.GetVersionMinor(version))
+ validVersion, err := common.HasCompatibleVersionTags(role.Tags, ocm.GetVersionMinor(version))
 if err != nil {
 return fmt.Errorf("Could not validate Role '%s' : %v", ARN, err)
 }
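Review bot: In `GetOperatorRoleName` the literal `64` that `pkg.MaxByteSize` replaces is the IAM role-name length cap, but the same constant is then reused for unrelated numbers: in `parseFloat` (next line) and `PercentageValidator` (two lines down) `64` is the `bitSize` argument of `strconv.ParseFloat` selecting float64 parsing, and in the `ValidateBalancingIgnoredLabels` test it means "one more than the 63-character label limit". These values only coincide, so a future change to the role-name limit would redefine `bitSize` for both float parsers and break the label test without any compile error. Keep `strconv.ParseFloat(str, 64)` and `strconv.ParseFloat(fmt.Sprintf("%v", val), 64)` in the two parsers and `strings.Repeat("a", 64)` in the test, and document the one legitimate use here with `// pkg.MaxByteSize: AWS IAM role-name length limit; slicing is by byte, as before`. The constant's name also hides that `role[0:pkg.MaxByteSize]` truncates bytes rather than characters, which the old literal did too.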
@@ -236,7 +238,7 @@ func upgradeMissingOperatorRole(missingRoles map[string]*cmv1.STSOperator, clust
 tags.RedHatManaged: "true",
 }
 if managedPolicies {
- tagsList[tags.ManagedPolicies] = "true"
+ tagsList[common.ManagedPolicies] = "true"
 }
 r.Reporter.Debugf("Creating role '%s'", roleName)
 roleARN, err := r.AWSClient.EnsureRole(roleName, policy, "", "",
diff --git a/pkg/interactive/interactive.go b/pkg/interactive/interactive.go
index f6f1fe8030..d3dd431158 100644
--- a/pkg/interactive/interactive.go
+++ b/pkg/interactive/interactive.go
@@ -26,6 +26,7 @@ import (
 "github.com/AlecAivazis/survey/v2/core"
 "github.com/AlecAivazis/survey/v2/terminal"
+ "github.com/openshift-online/ocm-common/pkg"
 "github.com/openshift/rosa/pkg/color"
 "github.com/openshift/rosa/pkg/helper"
 "github.com/openshift/rosa/pkg/interactive/consts"
@@ -140,7 +141,7 @@ func GetFloat(input Input) (a float64, err error) {
 }
 func parseFloat(str string) (num float64, err error) {
- return strconv.ParseFloat(str, 64)
+ return strconv.ParseFloat(str, pkg.MaxByteSize)
 }
 // Asks for multiple options selection
diff --git a/pkg/ocm/helpers.go b/pkg/ocm/helpers.go
index 03a712ccd4..b6c7d7ba62 100644
--- a/pkg/ocm/helpers.go
+++ b/pkg/ocm/helpers.go
@@ -43,6 +43,8 @@ import (
 ocmerrors "github.com/openshift-online/ocm-sdk-go/errors"
 "github.com/openshift/rosa/pkg/helper"
+
+ common "github.com/openshift-online/ocm-common/pkg/ocm/validations"
 )
@@ -841,7 +843,7 @@ func ValidateOperatorRolesMatchOidcProvider(reporter *reporter.Object, awsClient
 return errors.Errorf("Computed Operator Role '%s' does not match role ARN found in AWS '%s', "+
 "please check if the correct parameters have been supplied.", operatorIAMRole.RoleARN, roleARN)
 }
- err = validateIssuerUrlMatchesAssumePolicyDocument(
+ err = common.ValidateIssuerUrlMatchesAssumePolicyDocument(
 roleARN, parsedUrl, *roleObject.AssumeRolePolicyDocument)
 if err != nil {
 return err
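Review bot: The trust-policy check that `ValidateOperatorRolesMatchOidcProvider` relies on is now `common.ValidateIssuerUrlMatchesAssumePolicyDocument`, whose implementation is not in this repository; the version deleted on the next line accepted a role whenever the URL-decoded assume-role document merely contained the issuer host plus path as a substring (`strings.Contains`). Because this is the check that ties an operator role to the cluster's OIDC provider, it is worth confirming that the ocm-common version is at least as strict as the removed one, and the helpers_test.go cases further down remain the only coverage of that behaviour visible here. A one-line comment at the call site, `// Issuer/trust-policy check lives in ocm-common; helpers_test.go pins the accepted and rejected cases`, would point the next reader at the contract. The enclosing function starts and ends outside the hunk.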
@@ -898,23 +900,6 @@ func ValidateHttpTokensValue(val interface{}) error {
 return fmt.Errorf("can only validate strings, got %v", val)
 }
-func validateIssuerUrlMatchesAssumePolicyDocument(
- roleArn string, parsedUrl *url.URL, assumePolicyDocument string) error {
- issuerUrl := parsedUrl.Host
- if parsedUrl.Path != "" {
- issuerUrl += parsedUrl.Path
- }
- decodedAssumePolicyDocument, err := url.QueryUnescape(assumePolicyDocument)
- if err != nil {
- return err
- }
- if !strings.Contains(decodedAssumePolicyDocument, issuerUrl) {
- return errors.Errorf("Operator role '%s' does not have trusted relationship to '%s' issuer URL",
- roleArn, issuerUrl)
- }
- return nil
-}
-
 func ParseDiskSizeToGigibyte(size string) (int, error) {
 // Empty string is valid, a default will be set later
 if size == "" {
diff --git a/pkg/ocm/helpers_test.go b/pkg/ocm/helpers_test.go
index 10d7a62545..9580b6e265 100644
--- a/pkg/ocm/helpers_test.go
+++ b/pkg/ocm/helpers_test.go
@@ -23,6 +23,8 @@ import (
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
+ "github.com/openshift-online/ocm-common/pkg"
+ common "github.com/openshift-online/ocm-common/pkg/ocm/validations"
 cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 )
@@ -57,7 +59,7 @@ var _ = Describe("Validate Issuer Url Matches Assume Policy Document", func() {
 //nolint
 fakeAssumePolicyDocument := `%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Federated%22%3A%22arn%3Aaws%3Aiam%3A%3A765374464689%3Aoidc-provider%2Ffake-oidc.s3.us-east-1.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRoleWithWebIdentity%22%2C%22Condition%22%3A%7B%22StringEquals%22%3A%7B%22fake.s3.us-east-1.amazonaws.com%3Asub%22%3A%5B%22system%3Aserviceaccount%3Aopenshift-image-registry%3Acluster-image-registry-operator%22%2C%22system%3Aserviceaccount%3Aopenshift-image-registry%3Aregistry%22%5D%7D%7D%7D%5D%7D`
 parsedUrl, _ := url.Parse("https://fake-oidc.s3.us-east-1.amazonaws.com")
- err := validateIssuerUrlMatchesAssumePolicyDocument(
+ err := common.ValidateIssuerUrlMatchesAssumePolicyDocument(
 fakeOperatorRoleArn, parsedUrl, fakeAssumePolicyDocument)
 Expect(err).NotTo(HaveOccurred())
 })
@@ -65,7 +67,7 @@ var _ = Describe("Validate Issuer Url Matches Assume Policy Document", func() {
 //nolint
 fakeAssumePolicyDocument := `%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Federated%22%3A%22arn%3Aaws%3Aiam%3A%3A765374464689%3Aoidc-provider%2Ffake-oidc.s3.us-east-1.amazonaws.com%2F23g84jr4cdfpej0ghlr4teqiog8747gt%22%7D%2C%22Action%22%3A%22sts%3AAssumeRoleWithWebIdentity%22%2C%22Condition%22%3A%7B%22StringEquals%22%3A%7B%22fake.s3.us-east-1.amazonaws.com%2F23g84jr4cdfpej0ghlr4teqiog8747gt%3Asub%22%3A%5B%22system%3Aserviceaccount%3Aopenshift-image-registry%3Acluster-image-registry-operator%22%2C%22system%3Aserviceaccount%3Aopenshift-image-registry%3Aregistry%22%5D%7D%7D%7D%5D%7D`
 parsedUrl, _ := url.Parse("https://fake-oidc.s3.us-east-1.amazonaws.com/23g84jr4cdfpej0ghlr4teqiog8747gt")
- err := validateIssuerUrlMatchesAssumePolicyDocument(
+ err := common.ValidateIssuerUrlMatchesAssumePolicyDocument(
 fakeOperatorRoleArn, parsedUrl, fakeAssumePolicyDocument)
 Expect(err).NotTo(HaveOccurred())
 })
@@ -74,7 +76,7 @@ var _ = Describe("Validate Issuer Url Matches Assume Policy Document", func() {
 fakeAssumePolicyDocument := `%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Federated%22%3A%22arn%3Aaws%3Aiam%3A%3A765374464689%3Aoidc-provider%2Ffake-oidc.s3.us-east-1.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRoleWithWebIdentity%22%2C%22Condition%22%3A%7B%22StringEquals%22%3A%7B%22fake.s3.us-east-1.amazonaws.com%3Asub%22%3A%5B%22system%3Aserviceaccount%3Aopenshift-image-registry%3Acluster-image-registry-operator%22%2C%22system%3Aserviceaccount%3Aopenshift-image-registry%3Aregistry%22%5D%7D%7D%7D%5D%7D`
 fakeIssuerUrl := "https://fake-oidc-2.s3.us-east-1.amazonaws.com"
 parsedUrl, _ := url.Parse(fakeIssuerUrl)
- err := validateIssuerUrlMatchesAssumePolicyDocument(
+ err := common.ValidateIssuerUrlMatchesAssumePolicyDocument(
 fakeOperatorRoleArn, parsedUrl, fakeAssumePolicyDocument)
 Expect(err).To(HaveOccurred())
 //nolint
@@ -85,7 +87,7 @@ var _ = Describe("Validate Issuer Url Matches Assume Policy Document", func() {
 fakeAssumePolicyDocument := `%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Federated%22%3A%22arn%3Aaws%3Aiam%3A%3A765374464689%3Aoidc-provider%2Ffake-oidc.s3.us-east-1.amazonaws.com%2F23g84jr4cdfpej0ghlr4teqiog8747gt%22%7D%2C%22Action%22%3A%22sts%3AAssumeRoleWithWebIdentity%22%2C%22Condition%22%3A%7B%22StringEquals%22%3A%7B%22fake.s3.us-east-1.amazonaws.com%2F23g84jr4cdfpej0ghlr4teqiog8747gt%3Asub%22%3A%5B%22system%3Aserviceaccount%3Aopenshift-image-registry%3Acluster-image-registry-operator%22%2C%22system%3Aserviceaccount%3Aopenshift-image-registry%3Aregistry%22%5D%7D%7D%7D%5D%7D`
 fakeIssuerUrl := "https://fake-oidc-2.s3.us-east-1.amazonaws.com/23g84jr4cdfpej0ghlr4teqiog8747g"
 parsedUrl, _ := url.Parse(fakeIssuerUrl)
- err := validateIssuerUrlMatchesAssumePolicyDocument(
+ err := common.ValidateIssuerUrlMatchesAssumePolicyDocument(
 fakeOperatorRoleArn, parsedUrl, fakeAssumePolicyDocument)
 Expect(err).To(HaveOccurred())
 //nolint
@@ -272,7 +274,7 @@ var _ = Describe("ValidateBalancingIgnoredLabels", func() {
 })
 It("returns an error for a label that exceeds 63 characters", func() {
- var val interface{} = strings.Repeat("a", 64)
+ var val interface{} = strings.Repeat("a", pkg.MaxByteSize)
 err := ValidateBalancingIgnoredLabels(val)
 Expect(err).To(HaveOccurred())
 })
diff --git a/pkg/ocm/validators.go b/pkg/ocm/validators.go
index 6dd3e6a4ad..c69fca8c0e 100644
--- a/pkg/ocm/validators.go
+++ b/pkg/ocm/validators.go
@@ -2,6 +2,7 @@ package ocm
 import (
 "fmt"
+ "github.com/openshift-online/ocm-common/pkg"
 "strconv"
 "time"
 )
@@ -58,7 +59,7 @@ func PercentageValidator(val interface{}) error {
 return nil
 }
- number, err := strconv.ParseFloat(fmt.Sprintf("%v", val), 64)
+ number, err := strconv.ParseFloat(fmt.Sprintf("%v", val), pkg.MaxByteSize)
 if err != nil {
 return fmt.Errorf("Failed parsing '%v' into a floating-point number.", val)
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0546f9de79..bf3d6d7413 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -455,4 +455,4 @@ k8s.io/apimachinery/pkg/util/validation/field
 ## explicit; go 1.18
 k8s.io/utils/internal/third_party/forked/golang/net
 k8s.io/utils/net
-# github.com/golang/glog => github.com/kubermatic/glog-logrus v0.0.0-20180829085450-3fa5b9870d1d
+# github.com/golang/glog => github.com/kubermatic/glog-logrus v0.0.0-20180829085450-3fa5b9870d1d
\ No newline at end of file