✨ ROSA: Support for OCM service account credentials

[mzazrivec]

What type of PR is this?
/kind feature

What this PR does / why we need it:
This pull request implements support for OCM (aka api.openshift.com) authentication using service account credentials.

The previous authentication mechanism (known as offline tokens) will be deprecated in few months, therefore we need to implement the alternative way. The offline token autentication is still being supported with my changes, though a deprecation
warning will be printed in the CAPA manager logs.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emojis
• adds unit tests
• adds or updates e2e tests

Release note:

feat: enable support for service account authentication in ROSA installations

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: mzazrivec / name: Milan Zázrivec (c504cee)

[k8s-ci-robot]

Welcome @mzazrivec!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-aws 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-aws has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @mzazrivec. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign stevekuznetsov for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• docs/book/src/topics/rosa/OWNERS
• pkg/rosa/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[serngawy]

I believe its better to add a section in doc (OR another md file) show old endUsers how to migrate their current ROSA-HCP clusters from using offline token to service-account. If there is any risk of doing this should be mentioned as well in the doc.

[serngawy]

The endUser still should be able to use the os.Getenv to set the token and url for at least 1 releases. The order of getting the cred is 1- ROSAScop-secret 2- rosa-creds-secret 3-os.Getenv
if the endUser still use the os.Env raise warning logs mentioning that OCM_TOKEN & OCM_API_URL will not be used for next release.

[serngawy]

ocmToken still valid to be used, keep it in the doc with deprecation note so old users be aware of the migration to service-account.

[serngawy]

Same as above, add deprecation Note

[serngawy]

few comments and please add unit test

[serngawy]

This may raise error the secret not found which is okay if the user still using the os.env to set the OCM_TOKEN

[serngawy]

no need to set those key values , better to add the doc url

[serngawy]

no need to set those key values , better to add the doc url

[serngawy]

no need to define those clientId & clientSecret if the secret is not used

[serngawy]

please add TODO: note to remove this part of the code next release

[serngawy]

please mention it must be in the same namespace as capa-controller-manager deployment and better secret naming is rosa-creds-secret

[serngawy]

please add section , for old user how to migrate from using the offline token to service account.

[serngawy]

better name rosa-creds-secret

[serngawy]

@faiq @nrb would you add ok-to-test

[nrb]

/ok-to-test

[serngawy]

few comments and please run make lint-fix before you push your code to fix all golang-ci errors

[serngawy]

remove ':' (usually capa-system).

[mzazrivec]

Fixed.

[serngawy]

Suggested change

	Instead of the service account credentials you can use SSO offline token, that you can specify either as a secret or specify the offline token
	The SSO offline token is been deprecated, it is recommended to use the service account as mentioned above. However, for old users you still can visit https://console.redhat.com/openshift/token to retrieve your SSO offline authentication token.

[mzazrivec]

I restructured the text a bit, but I'd rather not call any CAPI users "old". The instructions to go to consoleDot to retrieve the token are part of the text below.

[serngawy]

better to create another function named createFakeClientWithObjects and give it the obj (secrets) as param return a fakeClient then use it to createROSAControlPlaneScope

[mzazrivec]

Nah, that would be just one more function created just for tests. Maybe in the future, if we'll need to call it separately, then we can extract it, but I'd rather leave it as it is right now.

I simplified the createROSAControlPlaneScope() function and made it a varadic fn. That way the function is much shorter.

[serngawy]

why do you create a dummy secrets in createROSAControlPlaneScope that you don't need in the test

[mzazrivec]

Yea, I rewrote createROSAControlPlaneScope() as varadic to make this more simple.

[serngawy]

Almost there, few comments

[serngawy]

No need for this, the CredentialsSecretRef is already set in the createCP function

[mzazrivec]

OK

[serngawy]

No need to create the wlSecret, no use for it as RosaControlPlaneSpec has no ref for it

[mzazrivec]

OK

[serngawy]

No need for lines 115 & 116 already same as 104 & 105

[mzazrivec]

OK

[serngawy]

ROSA-HCP not ROSA

[mzazrivec]

I'm assuming you meant to write that comment one line below.

Not saying I cannot change it, but ...

$ git checkout main
$ git grep ROSA docs/book/src/topics/rosa/creating-a-cluster.md
docs/book/src/topics/rosa/creating-a-cluster.md:# Creating a ROSA cluster
docs/book/src/topics/rosa/creating-a-cluster.md:CAPA controller requires service account credentials to be able to provision ROSA clusters:
docs/book/src/topics/rosa/creating-a-cluster.md:1. Create a new kubernetes secret with the service account credentials to be referenced later by `ROSAControlPlane`
docs/book/src/topics/rosa/creating-a-cluster.md:    Note: to consume the secret without the need to reference it from your `ROSAControlPlane`, name your secret as `rosa-creds-secret` and create it in the CAPA manager namespace (usually `capa-system`)
docs/book/src/topics/rosa/creating-a-cluster.md:1. Create a credentials secret within the target namespace with the token to be referenced later by `ROSAControlePlane`
docs/book/src/topics/rosa/creating-a-cluster.md:Follow the guide [here](https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started-hcp.html) up until [Step 3](https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started-hcp.html#getting-started-hcp-step-3) 
docs/book/src/topics/rosa/creating-a-cluster.md:Once Step 3 is done, you will be ready to proceed with creating a ROSA cluster using cluster-api.
docs/book/src/topics/rosa/creating-a-cluster.md:1. Render the cluster manifest using the ROSA cluster template:
docs/book/src/topics/rosa/creating-a-cluster.md:1. If a credentials secret was created earlier, edit `ROSAControlPlane` to reference it:
docs/book/src/topics/rosa/creating-a-cluster.md:    kind: ROSAControlPlane
docs/book/src/topics/rosa/creating-a-cluster.md:    kind: ROSAControlPlane
docs/book/src/topics/rosa/creating-a-cluster.md:see [ROSAControlPlane CRD Reference](https://cluster-api-aws.sigs.k8s.io/crd/#controlplane.cluster.x-k8s.io/v1beta2.ROSAControlPlane) for all possible configurations.

[serngawy]

most of our doc distinguish between ROSA (classic) and ROSA with HCP like the aws doc here so better to mention it as "ROSA-HCP" or "ROSA with HCP".

[mzazrivec]

Yep. As I said, I can change it. My point was that the .md document in question uses just ROSA. No HCP, no Hypershift.

[serngawy]

Okay then, lets do it in another PR change all docs at once.
Would you create an issue mentioning that we need to change ROSA to ROSA-HCP in docs so we don't forget it.

[mzazrivec]

#5257

[serngawy]

Change the name then, if you want to keep this function as is. ROSAControlPlaneScope doesn't required secrets to be created. Better naming like creaeROSAControlPlanScopWithSecrets

[mzazrivec]

Umm, OK :-)

[serngawy]

most of our doc distinguish between ROSA (classic) and ROSA with HCP like the aws doc here so better to mention it as "ROSA-HCP" or "ROSA with HCP".

[serngawy]

@nrb @faiq would you review & lgtm this PR