CORS-4161: Add GCP Service Endpoint overrides

[barbacbd]

pkg/cmd/provisioning:

** Temporarily updated to pass nil for service endpoints. This is a placeholder while ccoctl does not support user supplied service endpoints.

pkg/gcp/actuator:

** Actuator will get the infrastructure object and pass the endpoints during client creation.

pkg/operator/secretannotator/gcp:

** Reconciler will get the infrastructure object and pass the endpoints during client creation.

pkg/gcp/client.go:

** Client will now accept endpoints when creating the service cleints (ex: compute).

[openshift-ci-robot]

@barbacbd: This pull request references CORS-4161 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

pkg/cmd/provisioning:

** Temporarily updated to pass nil for service endpoints. This is a placeholder while ccoctl does not support user supplied service endpoints.

pkg/gcp/actuator:

** Actuator will get the infrastructure object and pass the endpoints during client creation.

pkg/operator/secretannotator/gcp:

** Reconciler will get the infrastructure object and pass the endpoints during client creation.

pkg/gcp/client.go:

** Client will now accept endpoints when creating the service cleints (ex: compute).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[barbacbd]

/jira refresh

[openshift-ci-robot]

@barbacbd: This pull request references CORS-4161 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[barbacbd]

/cc @patrickdillon
/cc @jstuever

[codecov]

Codecov Report

❌ Patch coverage is 2.67857% with 109 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.50%. Comparing base (c8ddc52) to head (e6541be).
⚠️ Report is 10 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/util/featuregate.go	0.00%	44 Missing ⚠️
pkg/gcp/client.go	0.00%	30 Missing ⚠️
pkg/gcp/actuator/actuator.go	15.38%	11 Missing ⚠️
pkg/operator/secretannotator/gcp/reconciler.go	8.33%	11 Missing ⚠️
pkg/operator/utils/gcp/utils.go	0.00%	8 Missing ⚠️
pkg/cmd/provisioning/gcp/create_all.go	0.00%	1 Missing ⚠️
...kg/cmd/provisioning/gcp/create_service_accounts.go	0.00%	1 Missing ⚠️
.../provisioning/gcp/create_workload_identity_pool.go	0.00%	1 Missing ⚠️
...visioning/gcp/create_workload_identity_provider.go	0.00%	1 Missing ⚠️
pkg/cmd/provisioning/gcp/delete.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #896      +/-   ##
==========================================
- Coverage   47.00%   46.50%   -0.50%     
==========================================
  Files          97       98       +1     
  Lines       11917    12053     +136     
==========================================
+ Hits         5601     5605       +4     
- Misses       5698     5830     +132     
  Partials      618      618              

Files with missing lines	Coverage Δ
pkg/cmd/provisioning/gcp/create_all.go	0.00% <0.00%> (ø)
...kg/cmd/provisioning/gcp/create_service_accounts.go	52.50% <0.00%> (ø)
.../provisioning/gcp/create_workload_identity_pool.go	39.72% <0.00%> (ø)
...visioning/gcp/create_workload_identity_provider.go	49.42% <0.00%> (ø)
pkg/cmd/provisioning/gcp/delete.go	0.00% <0.00%> (ø)
pkg/operator/utils/gcp/utils.go	64.35% <0.00%> (-5.54%)	⬇️
pkg/gcp/actuator/actuator.go	49.55% <15.38%> (-1.00%)	⬇️
pkg/operator/secretannotator/gcp/reconciler.go	41.02% <8.33%> (-4.26%)	⬇️
pkg/gcp/client.go	0.00% <0.00%> (ø)
pkg/util/featuregate.go	0.00% <0.00%> (ø)

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[barbacbd]

/retest-required

[jstuever]

In addition to the inline comments, this appears to be missing feature gate.

[barbacbd]

/hold

[jstuever]

/assign

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: barbacbd
Once this PR has been reviewed and has the lgtm label, please ask for approval from jstuever. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jstuever]

Instead, let's have this function GetCurrentFeatureGates and return the currentFeatureGates from line 47. This will change the behavior in pkg/operator/controller.go as mentioned in the correlated comment.

return featureGateAccessor.CurrentFeatureGates()

[jstuever]

In conjunction with the comment in pkg/util/featuregate.go, modify this to get currentFeatureGates, and then check for gcpCustomEndpointsEnabled separately.

	currentFeatureGates, err := util.GetCurrentFeatureGates()
	if err != nil {
		return err
	}

That block should be included in the prior commit so it remains after the featuregate is removed. And then for this specific feature gate, you would add

	gcpCustomEndpointsEnabled := currentFeatureGates.Enabled(features.FeatureGateGCPCustomAPIEndpoints)

[jstuever]

nit: this feels replicated from the case above.

[jstuever]

I don't think CCO properly handles versioning. We might have to set desiredVersion equal to missingVersion here to make this work, which looks like it will then read the version from CVO.

[barbacbd]

Currently this is on hold for multiple reasons:
[1]: There needs to be overrides for STS, IAMCredentials, and OAuth -> find those here openshift/api#2444
[2]: The templates need to be updated for STS and IAMCredentials overrides. These appear to be required for WIF installs. This will also require updates to the CCOCTL where the endpoint overrides can be entered as command line options.
[3]: Oauth2 endpoint needs to be overridden. This may occur in the osServiceAccount file but I am currently unsure about that. There is no explicit call to be able to override this endpoint unless we were to completely change how our credentials are initialized.

[openshift-ci]

@barbacbd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-openstack	91b7741	link	false	/test e2e-openstack
ci/prow/e2e-gcp-manual-oidc	91b7741	link	false	/test e2e-gcp-manual-oidc
ci/prow/e2e-azure-upgrade	91b7741	link	false	/test e2e-azure-upgrade
ci/prow/e2e-gcp	91b7741	link	false	/test e2e-gcp

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.