
Commit 9af185c

ROSAENG-60386 | test: Fixing id:84981
1 parent 0c8b7ed commit 9af185c

6 files changed

Lines changed: 451 additions & 11 deletions


Lines changed: 243 additions & 0 deletions
@@ -0,0 +1,243 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Sid": "ReadPermissions",
6+
"Effect": "Allow",
7+
"Action": [
8+
"ec2:DescribeAvailabilityZones",
9+
"ec2:DescribeCapacityReservations",
10+
"ec2:DescribeImages",
11+
"ec2:DescribeInstances",
12+
"ec2:DescribeInstanceTypeOfferings",
13+
"ec2:DescribeInstanceTypes",
14+
"ec2:DescribeLaunchTemplates",
15+
"ec2:DescribeSecurityGroups",
16+
"ec2:DescribeSnapshots",
17+
"ec2:DescribeSpotPriceHistory",
18+
"ec2:DescribeSubnets",
19+
"ec2:DescribeVpcs"
20+
],
21+
"Resource": "*"
22+
},
23+
{
24+
"Sid": "PricingReadActions",
25+
"Effect": "Allow",
26+
"Action": [
27+
"pricing:GetProducts"
28+
],
29+
"Resource": "*"
30+
},
31+
{
32+
"Sid": "KMSPermissions",
33+
"Effect": "Allow",
34+
"Action": [
35+
"kms:DescribeKey",
36+
"kms:Encrypt",
37+
"kms:Decrypt",
38+
"kms:ReEncrypt*",
39+
"kms:GenerateDataKey*"
40+
],
41+
"Resource": "arn:aws:kms:*:*:key/*",
42+
"Condition": {
43+
"StringEquals": {
44+
"aws:ResourceTag/red-hat": "true"
45+
}
46+
}
47+
},
48+
{
49+
"Sid": "KMSGrantPermissions",
50+
"Effect": "Allow",
51+
"Action": [
52+
"kms:CreateGrant",
53+
"kms:ListGrants",
54+
"kms:RevokeGrant"
55+
],
56+
"Resource": "arn:aws:kms:*:*:key/*",
57+
"Condition": {
58+
"Bool": {
59+
"kms:GrantIsForAWSResource": true
60+
},
61+
"StringLike": {
62+
"kms:ViaService": "ec2.*.amazonaws.com"
63+
}
64+
}
65+
},
66+
{
67+
"Sid": "CreateEC2Resources",
68+
"Effect": "Allow",
69+
"Action": [
70+
"ec2:RunInstances",
71+
"ec2:CreateFleet"
72+
],
73+
"Resource": [
74+
"arn:aws:ec2:*:*:security-group/*",
75+
"arn:aws:ec2:*:*:subnet/*",
76+
"arn:aws:ec2:*:*:capacity-reservation/*"
77+
]
78+
},
79+
{
80+
"Sid": "CreateEC2ResourcesWithApprovedAMIs",
81+
"Effect": "Allow",
82+
"Action": [
83+
"ec2:RunInstances",
84+
"ec2:CreateFleet"
85+
],
86+
"Resource": "arn:aws:ec2:*::image/*",
87+
"Condition": {
88+
"StringEquals": {
89+
"ec2:Owner": [
90+
"531415883065",
91+
"251351625822",
92+
"210686502322"
93+
]
94+
}
95+
}
96+
},
97+
{
98+
"Sid": "CreateEC2ResourcesWithTags",
99+
"Effect": "Allow",
100+
"Action": [
101+
"ec2:RunInstances",
102+
"ec2:CreateFleet",
103+
"ec2:CreateLaunchTemplate"
104+
],
105+
"Resource": [
106+
"arn:aws:ec2:*:*:fleet/*",
107+
"arn:aws:ec2:*:*:instance/*",
108+
"arn:aws:ec2:*:*:volume/*",
109+
"arn:aws:ec2:*:*:network-interface/*",
110+
"arn:aws:ec2:*:*:launch-template/*",
111+
"arn:aws:ec2:*:*:spot-instances-request/*"
112+
],
113+
"Condition": {
114+
"StringEquals": {
115+
"aws:RequestTag/red-hat-managed": "true"
116+
}
117+
}
118+
},
119+
{
120+
"Sid": "CreateEC2ResourcesLaunchTemplate",
121+
"Effect": "Allow",
122+
"Action": [
123+
"ec2:RunInstances",
124+
"ec2:CreateFleet"
125+
],
126+
"Resource": "arn:aws:ec2:*:*:launch-template/*",
127+
"Condition": {
128+
"StringEquals": {
129+
"aws:ResourceTag/red-hat-managed": "true"
130+
}
131+
}
132+
},
133+
{
134+
"Sid": "CreateTagsOnResources",
135+
"Effect": "Allow",
136+
"Action": [
137+
"ec2:CreateTags"
138+
],
139+
"Resource": [
140+
"arn:aws:ec2:*:*:fleet/*",
141+
"arn:aws:ec2:*:*:instance/*",
142+
"arn:aws:ec2:*:*:volume/*",
143+
"arn:aws:ec2:*:*:network-interface/*",
144+
"arn:aws:ec2:*:*:launch-template/*",
145+
"arn:aws:ec2:*:*:spot-instances-request/*"
146+
],
147+
"Condition": {
148+
"StringEquals": {
149+
"ec2:CreateAction": [
150+
"RunInstances",
151+
"CreateFleet",
152+
"CreateLaunchTemplate"
153+
],
154+
"aws:RequestTag/red-hat-managed": "true"
155+
}
156+
}
157+
},
158+
{
159+
"Sid": "ManageTagsOnManagedResources",
160+
"Effect": "Allow",
161+
"Action": [
162+
"ec2:CreateTags"
163+
],
164+
"Resource": "arn:aws:ec2:*:*:instance/*",
165+
"Condition": {
166+
"StringEquals": {
167+
"aws:ResourceTag/red-hat-managed": "true"
168+
}
169+
}
170+
},
171+
{
172+
"Sid": "TerminateManagedResources",
173+
"Effect": "Allow",
174+
"Action": [
175+
"ec2:TerminateInstances",
176+
"ec2:DeleteLaunchTemplate"
177+
],
178+
"Resource": [
179+
"arn:aws:ec2:*:*:instance/*",
180+
"arn:aws:ec2:*:*:launch-template/*"
181+
],
182+
"Condition": {
183+
"StringEquals": {
184+
"aws:ResourceTag/red-hat-managed": "true"
185+
}
186+
}
187+
},
188+
{
189+
"Sid": "PassInstanceRole",
190+
"Effect": "Allow",
191+
"Action": [
192+
"iam:PassRole"
193+
],
194+
"Resource": "arn:aws:iam::*:role/*",
195+
"Condition": {
196+
"StringEquals": {
197+
"iam:PassedToService": [
198+
"ec2.amazonaws.com"
199+
]
200+
}
201+
}
202+
},
203+
{
204+
"Sid": "ManageInstanceProfiles",
205+
"Effect": "Allow",
206+
"Action": [
207+
"iam:AddRoleToInstanceProfile",
208+
"iam:RemoveRoleFromInstanceProfile",
209+
"iam:DeleteInstanceProfile"
210+
],
211+
"Resource": [
212+
"arn:aws:iam::*:instance-profile/rosa-service-managed-*",
213+
"arn:aws:iam::*:instance-profile/*-worker"
214+
]
215+
},
216+
{
217+
"Sid": "CreateInstanceProfiles",
218+
"Effect": "Allow",
219+
"Action": [
220+
"iam:CreateInstanceProfile",
221+
"iam:TagInstanceProfile"
222+
],
223+
"Resource": [
224+
"arn:aws:iam::*:instance-profile/rosa-service-managed-*",
225+
"arn:aws:iam::*:instance-profile/*-worker"
226+
],
227+
"Condition": {
228+
"StringEquals": {
229+
"aws:RequestTag/red-hat-managed": "true"
230+
}
231+
}
232+
},
233+
{
234+
"Sid": "ReadInstanceProfiles",
235+
"Effect": "Allow",
236+
"Action": [
237+
"iam:ListInstanceProfiles",
238+
"iam:GetInstanceProfile"
239+
],
240+
"Resource": "*"
241+
}
242+
]
243+
}
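Review bot: The `PassInstanceRole` statement grants `iam:PassRole` on `arn:aws:iam::*:role/*` with only `iam:PassedToService` = `ec2.amazonaws.com` as a condition, and the same policy allows `iam:AddRoleToInstanceProfile` on `instance-profile/*-worker`; together these let the autonode role attach any EC2-trusting role in the account to a `*-worker` profile, launch an instance with it, and read that role's credentials from the instance metadata service — a standard PassRole escalation path. The instance-profile statements already scope to `rosa-service-managed-*` and `*-worker`, so the role resource should be narrowed the same way, e.g. `"Resource": ["arn:aws:iam::*:role/rosa-service-managed-*", "arn:aws:iam::*:role/*-worker"]` (or gated on `aws:ResourceTag/red-hat-managed`), using whatever naming the node roles actually follow. `ManageInstanceProfiles` is also the only mutating statement with no tag condition; `iam:DeleteInstanceProfile` and `iam:RemoveRoleFromInstanceProfile` could presumably take the same `"aws:ResourceTag/red-hat-managed": "true"` condition as the create and terminate statements. Even as an e2e fixture, this is the permission set the test binds to a live cluster's Karpenter, so it is worth matching the least-privilege shape of the rest of the file.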
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Effect": "Allow",
6+
"Principal": {
7+
"Federated": "arn:aws:iam::{AWS_ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER_URL}"
8+
},
9+
"Action": "sts:AssumeRoleWithWebIdentity",
10+
"Condition": {
11+
"StringEquals": {
12+
"{OIDC_PROVIDER_URL}:sub": "system:serviceaccount:kube-system:karpenter"
13+
}
14+
}
15+
}
16+
]
17+
}
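Review bot: The trust policy conditions only on `{OIDC_PROVIDER_URL}:sub`, with no audience check, so any token the cluster's OIDC issuer mints for `system:serviceaccount:kube-system:karpenter` is accepted regardless of the audience it was issued for. AWS guidance for web-identity trust policies is to pin `aud` as well, e.g. add `"{OIDC_PROVIDER_URL}:aud": "openshift"` under the same `StringEquals`, using whichever audience the cluster's existing operator-role trust policies pin. Note also that the condition key must be the issuer host and path without the `https://` scheme; the test reads `aws.sts.oidc_config.issuer_url` and hands it to `config.PrepareAutonodeRoleAndPolicy`, which is not in this diff, so it is worth confirming that helper strips the scheme when substituting `{OIDC_PROVIDER_URL}` and `{AWS_ACCOUNT_ID}`.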

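--- a/tests/e2e/hcp_cluster_test.go
+++ b/tests/e2e/hcp_cluster_test.go
@@ -782,14 +782,35 @@ var _ = Describe("HCP cluster testing",
 It("edit ROSA HCP with autonode configuration via rosa cli - [id:84981]",
 labels.High, labels.Runtime.Day2,
 func() {
-By("Get the installer role arn")
+By("Create the autonode IAM role")
+
 rosaClient.Runner.JsonFormat()
 jsonOutput, err := clusterService.DescribeCluster(clusterID)
-Expect(err).To(BeNil())
 rosaClient.Runner.UnsetFormat()
+Expect(err).To(BeNil())
 jsonData := rosaClient.Parser.JsonData.Input(jsonOutput).Parse()
-installRoleArn := jsonData.DigString("aws", "sts", "role_arn")
-supportRoleArn := jsonData.DigString("aws", "sts", "support_role_arn")
+
+autonodeEnabled := jsonData.DigString("auto_node", "mode")
+if autonodeEnabled == "enabled" {
+Skip("Autonode is already enabled on this cluster (and currently can't be disabled)")
+}
+
+oidcProviderURL := jsonData.DigString("aws", "sts", "oidc_config", "issuer_url")
+autonodePrefix1 := clusterID + "-1"
+autonodePrefix2 := clusterID + "-2"
+autonodeRoleARN, err := config.PrepareAutonodeRoleAndPolicy(autonodePrefix1, oidcProviderURL, profile.Region)
+defer func() {
+err := config.DeleteAutonodeRoleAndPolicy(autonodePrefix1, profile.Region)
+Expect(err).ToNot(HaveOccurred())
+}()
+Expect(err).ToNot(HaveOccurred())
+
+autonodeRoleARN2, err := config.PrepareAutonodeRoleAndPolicy(autonodePrefix2, oidcProviderURL, profile.Region)
+defer func() {
+err := config.DeleteAutonodeRoleAndPolicy(autonodePrefix2, profile.Region)
+Expect(err).ToNot(HaveOccurred())
+}()
+Expect(err).ToNot(HaveOccurred())
 
 By("Edit cluster autonode configuration with invalid flag value")
 out, err := clusterService.EditCluster(
@@ -811,7 +832,7 @@ var _ = Describe("HCP cluster testing",
 By("Edit role arn when autonode configuration is not enabled")
 out, err = clusterService.EditCluster(
 clusterID,
-"--autonode-iam-role-arn", installRoleArn,
+"--autonode-iam-role-arn", autonodeRoleARN,
 )
 Expect(err).To(HaveOccurred())
 Expect(out.String()).To(ContainSubstring("cannot update IAM role ARN when AutoNode is not enabled"))
@@ -820,28 +841,28 @@ var _ = Describe("HCP cluster testing",
 out, err = clusterService.EditCluster(
 clusterID,
 "--autonode=enabled",
-"--autonode-iam-role-arn", installRoleArn,
+"--autonode-iam-role-arn", autonodeRoleARN,
 )
 Expect(err).ToNot(HaveOccurred())
 Expect(out.String()).To(ContainSubstring("Updated cluster"))
 
 jsonData, err = clusterService.GetJSONClusterDescription(clusterID)
 Expect(err).To(BeNil())
 Expect(jsonData.DigString("auto_node", "mode")).To(Equal("enabled"))
-Expect(jsonData.DigString("aws", "auto_node", "role_arn")).To(Equal(installRoleArn))
+Expect(jsonData.DigString("aws", "auto_node", "role_arn")).To(Equal(autonodeRoleARN))
 
 By("Update the autonode configuration on cluster")
 out, err = clusterService.EditCluster(
 clusterID,
-"--autonode-iam-role-arn", supportRoleArn,
+"--autonode-iam-role-arn", autonodeRoleARN2,
 )
 Expect(err).ToNot(HaveOccurred())
 Expect(out.String()).To(ContainSubstring("Updated cluster"))
 
 jsonData, err = clusterService.GetJSONClusterDescription(clusterID)
 Expect(err).To(BeNil())
 Expect(jsonData.DigString("auto_node", "mode")).To(Equal("enabled"))
-Expect(jsonData.DigString("aws", "auto_node", "role_arn")).To(Equal(supportRoleArn))
+Expect(jsonData.DigString("aws", "auto_node", "role_arn")).To(Equal(autonodeRoleARN2))
 })
 })
 var _ = Describe("hosted-cp cluster creation",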
