You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -62,22 +62,21 @@ list of user-defined tags to the OpenShift Installer, and everything created by
62
62
bootstrapped components will apply those tags to all resources created in AWS, for the life of the cluster, and where supported by AWS.
63
63
- Tags must be applied at creation time, in an atomic operation. It isn't acceptable to create an object and,
64
64
after some period of time, apply the tags post-creation.
65
+
- Tags can be updated day2 on the AWS resources.
65
66
66
67
### Non-Goals
67
68
68
-
- To reduce initial scope, tags are applied only at creation time and not reconciled. If an administrator manually
69
-
changes the tags stored in the infrastructure resource, behavior is undefined. See below.
70
-
- To reduce initial scope, we are not implementing this for clouds other than AWS. We will not take any actions
69
+
- To reduce initial scope, in case of standalone OpenShift, tags are applied only at creation time and not reconciled. If an administrator manually
70
+
changes the tags stored in the infrastructure resource, behavior is undefined.
71
+
- To reduce initial scope, for hosted control plane deployments, we are not implementing this for clouds other than AWS. We will not take any actions
71
72
to prohibit that later.
72
73
73
74
## Proposal
74
75
75
-
### Existing design details
76
-
77
-
New `experimentalPropagateUserTags` field added to `.platform.aws` of install config to indicate that the user tags should be applied to AWS
76
+
New `propagateUserTags` field added to `.platform.aws` of install config to indicate that the user tags should be applied to AWS
78
77
resources created by in-cluster operators.
79
78
80
-
If `experimentalPropagateUserTags` is true, install validation will fail if there is any tag that starts with `kubernetes.io` or `openshift.io`.
79
+
If `propagateUserTags` is true, install validation will fail if there is any tag that starts with `kubernetes.io` or `openshift.io`.
81
80
82
81
Add a new field `resourceTags` to `.status.aws` of the `infrastructure.config.openshift.io` type. Tags included in the
83
82
`resourceTags` field will be applied to new resources created for the cluster. The `resourceTags` field will be populated by the installer only if the `experimentalPropagateUserTags` field is true.
@@ -91,19 +90,20 @@ userTags that are specified in the infrastructure resource will merge with userT
91
90
92
91
The userTags field is intended to be set at install time and is considered immutable. Components that respect this field must only ever add tags that they retrieve from this field to cloud resources, they must never remove tags from the existing underlying cloud resource even if the tags are removed from this field(despite it being immutable).
93
92
94
-
If the userTags field is changed post-install, there is no guarantee about how an in-cluster operator will respond to the change. Some operators may reconcile the change and change tags on the AWS resource. Some operators may ignore the change. However, if tags are removed from userTags, the tag will not be removed from the AWS resource.
95
-
96
-
### Updated design details
93
+
In case of hosted control plane deployments, the userTags field is updated with latest updates requested by user. The merge logic gives higher precedence to userTags when there is duplicate tag found on the AWS resource.
97
94
98
-
A new field `propagateUserTags` is added in GA release version. The `experimentalPropagateUserTags` field will be deprecated. In future release versions, `experimentalPropagateUserTags` will be removed.
99
-
When both fields are set, `experimentalPropagateUserTags` takes precedence.
95
+
If the userTags field is changed post-install, all AWS resources created and managed by in-cluster and RedHat supported operators will be reconciled. Non-redhat supported operators may reconcile the change and change tags on the AWS resource or may ignore the change. However, if tags are removed from userTags, the tag will not be removed from the AWS resource.
100
96
97
+
For the resources created and managed by hosted control plane, cluster api provider for aws reconciles the user tags on AWS resources. The hosted control plane updates the `infrastructure.config.openshift.io` resource to reflect new tags in `resourceTags`. The OpenShift operators, both core and non-core (managed by RedHat), reconcile the respective AWS resources created and managed by them.
98
+
Given that, there is no universal controller to update all resources created by OpenShift, the day2 updates of tags is not supported for standalone OpenShift deployments.
101
99
### User Stories
102
100
103
-
https://issues.redhat.com/browse/SDE-1146 - IAM users and roles can only operate on resources with specific tags
101
+
1.https://issues.redhat.com/browse/SDE-1146 - IAM users and roles can only operate on resources with specific tags
104
102
As a security-conscious ROSA customer, I want to restrict the permissions granted to Red Hat in my AWS account by using
105
103
AWS resource tags.
106
104
105
+
2.https://issues.redhat.com/browse/OCPSTRAT-787 - As a user of ROSA with HCP, I want to add and update tags on all AWS resources created by OpenShift, given that there is security limitation on direct access to update to AWS resources.
description: ExperimentalPropagateUserTags is an experimental
124
-
flag that directs in-cluster operators to include the specified
125
-
user tags in the tags of the AWS resources that the operators
126
-
create. The field is deprecated.
127
-
type: boolean
128
122
propagateUserTags:
129
123
description: PropagateUserTags is a flag that directs in-cluster operators to include the specified
130
124
user tags in the tags of the AWS resources that the operators create.
131
125
type: boolean
132
126
```
127
+
### Implementation constraints
128
+
- The NLB is not reconciled with tag updates from service annotations by cloud-provider-aws controller. The [possible mitigations](https://github.com/openshift/cluster-ingress-operator/pull/1148#issuecomment-2423161470) are in discussions by stakeholders on possible actions.
129
+
- The AWS load balancer controller implementation considers tag information arguments as single source of truth. Hence, removes any differing tag keys set on the load balancer. As a mitigation, it is suggested for user to set the tags on service annotations rather than AWS resource directly.
133
130
134
131
### Risks and Mitigations
135
132
@@ -157,7 +154,6 @@ This enhancement updates `experimentalPropagateUserTags` field.
157
154
On upgrade:
158
155
159
156
- The new status field won't be populated since it is only populated by the installer and that can't have happened if the cluster was installed from a prior version. Components that consume the new field should take no action since they will see no additional tags.
160
-
- The `experimentalPropagateUserTags` field will be deprecated in the GA release version to support updates to existing usages in scripts or configs and will be removed in the version after the GA release version.
161
157
162
158
On downgrade:
163
159
@@ -552,3 +548,5 @@ As AWS considers empty string as a valid tag value, the behaviour becomes ambigu
![openshift-merge-bot[bot]](https://avatars.githubusercontent.com/in/412865?v=4&size=40){kind=avatar}
0 commit comments