Replumb AssumeRole (AWS)

[2uasimojo]

Simplify the AssumeRole flow: Rather than doing it via credential_process as a callback from within the creds file used by the provision pod, flatten this out so the AssumeRole is done implicitly by the AWS SDK.

This flow remains unchanged:

The clusterdeployment controller:

• Copies the service provider secret into the CD namespace
• Creates an AWS credentials secret
• Creates the provision pod

The provision pod:

• Loads the credentials secret
• Projects the AWS config therein onto the file system
• Invokes the installer

The installer:

• Creates an AWS client using that config file
• Proceeds with installation

Before this commit:
The AWS config contained a credential_process which invoked hiveutil install-manager aws-credentials which...

• Loaded the service provider secret
• Created an AWS client
• Used the client to AssumeRole and generate credentials with a 15m expiration
• Printed the credentials to stdout in the format expected by AWS.

Per AWS docs[1], the SDK will automatically rerun the credential_process before the expiration time to refresh the creds.

With this commit:
The clusterdeployment controller loads the service provider secret and folds it into the AWS config as a separate profile, referenced from the default via source_profile:

[default]
source_profile = source
role_arn = arn:aws:iam::123456789012:role/assume-role-customer

[profile source]
aws_access_key_id: ABCDEFGHIJKLMNOPQRST
aws_secret_access_key: 1234567890abcdefghijklmnopqrstuvwxyz0123
role_arn = arn:aws:iam::210987654321:role/assume-role-provider

Per AWS docs[2], the SDK will use the source creds to AssumeRole to generate temporary creds, which it will automatically refresh as they expire -- i.e. natively performing the same function as hiveutil install-manager aws-credentials.

As a security measure, we will now check AWS config/credential files for credential_process, and explode if found. However, since existing clusters in the field may still be configured with the old mechanism in the relevant Secrets, we will convert such Secrets to use the new mechanism.

[1] https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-sourcing-external.html
[2] https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

HIVE-2485
HIVE-2529

[cebarks]

This issue has been assigned CVE-2024-25133 by Red Hat Product Security.

[2uasimojo]

/cc @abutcher @jharrington22
/assign @suhanime

[2uasimojo]

/retest

[codecov]

Codecov Report

Attention: Patch coverage is 6.50407% with 115 lines in your changes missing coverage. Please review.

Project coverage is 58.54%. Comparing base (1fce770) to head (13ea4f4).
Report is 6 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2306      +/-   ##
==========================================
+ Coverage   58.51%   58.54%   +0.02%     
==========================================
  Files         182      181       -1     
  Lines       25884    25863      -21     
==========================================
- Hits        15147    15141       -6     
+ Misses       9460     9447      -13     
+ Partials     1277     1275       -2     

Files	Coverage Δ
...roller/awsprivatelink/awsprivatelink_controller.go	67.81% <100.00%> (ø)
contrib/pkg/utils/azure/azure.go	0.00% <0.00%> (ø)
contrib/pkg/utils/gcp/gcp.go	0.00% <0.00%> (ø)
pkg/controller/clusterdeprovision/awsactuator.go	34.48% <0.00%> (ø)
pkg/controller/dnszone/dnszone_controller.go	28.79% <0.00%> (ø)
pkg/controller/hibernation/aws_actuator.go	64.36% <0.00%> (ø)
...g/controller/machinepool/machinepool_controller.go	53.48% <0.00%> (ø)
contrib/pkg/utils/openstack/openstack.go	0.00% <0.00%> (ø)
contrib/pkg/utils/ovirt/ovirt.go	0.00% <0.00%> (ø)
contrib/pkg/utils/vsphere/vsphere.go	0.00% <0.00%> (ø)
... and 8 more

[2uasimojo]

/override ci/prow/security

Addressed via #2308

[openshift-ci]

@2uasimojo: Overrode contexts on behalf of 2uasimojo: ci/prow/security

In response to this:

/override ci/prow/security

Addressed via #2308

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[2uasimojo]

/hold for testing

[jharrington22]

Is this the same path for deporovisions or do we need to generate credentials there too?

[2uasimojo]

Deprovision path is below...

[2uasimojo]

...here

[jharrington22]

Overall LGTM @2uasimojo

[jstuever]

/cc

[2uasimojo]

/assign @jstuever

[jstuever]

/assign

[jstuever]

/hold for pre-merge testing

[jstuever]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [2uasimojo,jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[2uasimojo]

MachinePool scaling, hopefully a flake

/test e2e-gcp

[2uasimojo]

@jharrington22 agrees to merge.

/override "Red Hat Konflux / hive-on-pull-request"

/hold cancel

[openshift-ci]

@2uasimojo: Overrode contexts on behalf of 2uasimojo: Red Hat Konflux / hive-on-pull-request

In response to this:

@jharrington22 agrees to merge.

/override "Red Hat Konflux / hive-on-pull-request"

/hold cancel

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c5571a9 and 2 for PR HEAD 13ea4f4 in total

[openshift-ci]

@2uasimojo: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.