openshift / cloud-credential-operator

Manage cloud provider credentials as Kubernetes CRDs
Apache License 2.0
62 stars 145 forks source link

OCPBUGS-36140: GCP passthrough permissions check to ignore problematic permissions. #712

Closed jstuever closed 3 months ago

jstuever commented 3 months ago

Currently, the GCP passthrough permissions check generates a list of required permissions from the credential requests, queries and caches a list of valid permissions for the project, filters the required list to only include those that are valid, and then ensures the provided service account has the filtered list of permissions on the project. However, for whatever reason, sometimes the check errors stating that the permission is invalid.

This change attempts to discover when this happens and removes the problematic permission from the cached list of valid permissions. This enables the check to function properly for the remaining duration of the cache.

openshift-ci-robot commented 3 months ago

@jstuever: This pull request references Jira Issue OCPBUGS-36140, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug * bug is open, matching expected state (open) * bug target version (4.17.0) matches configured target version for branch (4.17.0) * bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @jianping-shu

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/cloud-credential-operator/pull/712): >Currently, the GCP passthrough permissions check generates a list of required permissions from the credential requests, queries and caches a list of valid permissions for the project, filters the required list to only include those that are valid, and then ensures the provided service account has the filtered list of permissions on the project. However, for whatever reason, sometimes an invalid permission makes it into the filtered list and an error is thrown. > >This change attempts to discover when this happens and removes the invalid permission from the cached list of valid permissions. This enables the check to function properly for the remaining duration of the cache. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcloud-credential-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
codecov[bot] commented 3 months ago

Codecov Report

Attention: Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.

Project coverage is 48.33%. Comparing base (35088a0) to head (a1b62cc).

Additional details and impacted files [![Impacted file tree graph](https://app.codecov.io/gh/openshift/cloud-credential-operator/pull/712/graphs/tree.svg?width=650&height=150&src=pr&token=MSJhsyXrnA&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=openshift)](https://app.codecov.io/gh/openshift/cloud-credential-operator/pull/712?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=openshift) ```diff @@ Coverage Diff @@ ## master #712 +/- ## ========================================== - Coverage 48.35% 48.33% -0.02% ========================================== Files 96 96 Lines 11797 11801 +4 ========================================== Hits 5704 5704 - Misses 5460 5464 +4 Partials 633 633 ``` | [Files](https://app.codecov.io/gh/openshift/cloud-credential-operator/pull/712?dropdown=coverage&src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=openshift) | Coverage Δ | | |---|---|---| | [pkg/operator/utils/gcp/utils.go](https://app.codecov.io/gh/openshift/cloud-credential-operator/pull/712?src=pr&el=tree&filepath=pkg%2Foperator%2Futils%2Fgcp%2Futils.go&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=openshift#diff-cGtnL29wZXJhdG9yL3V0aWxzL2djcC91dGlscy5nbw==) | `69.89% <0.00%> (-3.15%)` | :arrow_down: |
openshift-ci-robot commented 3 months ago

@jstuever: This pull request references Jira Issue OCPBUGS-36140, which is valid.

3 validation(s) were run on this bug * bug is open, matching expected state (open) * bug target version (4.17.0) matches configured target version for branch (4.17.0) * bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @jianping-shu

In response to [this](https://github.com/openshift/cloud-credential-operator/pull/712): >Currently, the GCP passthrough permissions check generates a list of >required permissions from the credential requests, queries and caches a >list of valid permissions for the project, filters the required list to >only include those that are valid, and then ensures the provided service >account has the filtered list of permissions on the project. However, >for whatever reason, sometimes the check errors stating that the >permission is invalid. > >This change attempts to discover when this happens and removes the >problematic permission from the cached list of valid permissions. This >enables the check to function properly for the remaining duration of the >cache. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcloud-credential-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
jstuever commented 3 months ago

/cherry-pick release-4.16 release-4.15 release-4.14

openshift-cherrypick-robot commented 3 months ago

@jstuever: once the present PR merges, I will cherry-pick it on top of release-4.16 in a new PR and assign it to you.

In response to [this](https://github.com/openshift/cloud-credential-operator/pull/712#issuecomment-2215491117): >/cherry-pick release-4.16 release-4.15 release-4.14 Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.
jstuever commented 3 months ago

/assign @dlom /override ci/prow/security

openshift-ci[bot] commented 3 months ago

@jstuever: Overrode contexts on behalf of jstuever: ci/prow/security

In response to [this](https://github.com/openshift/cloud-credential-operator/pull/712#issuecomment-2218490917): >/assign @dlom >/override ci/prow/security Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.
openshift-ci[bot] commented 3 months ago

@jstuever: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
dlom commented 3 months ago

/lgtm

openshift-ci[bot] commented 3 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/cloud-credential-operator/blob/master/OWNERS)~~ [dlom,jstuever] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
openshift-ci-robot commented 3 months ago

@jstuever: Jira Issue OCPBUGS-36140: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-36140 has been moved to the MODIFIED state.

In response to [this](https://github.com/openshift/cloud-credential-operator/pull/712): >Currently, the GCP passthrough permissions check generates a list of >required permissions from the credential requests, queries and caches a >list of valid permissions for the project, filters the required list to >only include those that are valid, and then ensures the provided service >account has the filtered list of permissions on the project. However, >for whatever reason, sometimes the check errors stating that the >permission is invalid. > >This change attempts to discover when this happens and removes the >problematic permission from the cached list of valid permissions. This >enables the check to function properly for the remaining duration of the >cache. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcloud-credential-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-cherrypick-robot commented 3 months ago

@jstuever: new pull request created: #714

In response to [this](https://github.com/openshift/cloud-credential-operator/pull/712#issuecomment-2215491117): >/cherry-pick release-4.16 release-4.15 release-4.14 Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.
openshift-bot commented 3 months ago

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cloud-credential-operator-container-v4.17.0-202407102011.p0.g2fceb62.assembly.stream.el9 for distgit ose-cloud-credential-operator. All builds following this will include this PR.