SPLAT-2253: CCM-AWS config enforce to provision Service NLB with SG under gate

[mtulio]

Updating the k/cloud-provider-aws to gather the feature of Service type-loadBalancer NLB with managed Security Group through cloud-config under the OpenShift feature set TechPreviewNoUpgrade.

Upstream feature:

• Upstream feature: https://github.com/kubernetes/cloud-provider-aws/pull/1158
• OpenShift feature planning: SPLAT-2353
• QA validation: https://issues.redhat.com/browse/SPLAT-2353?focusedId=28449797&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-28449797

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2253 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Bumping cloud-provider-aws are crashing, focusing in the change for now to be able to validate with cluster-bot.

this PR is created to be used with cluster-bot:

Ref: openshift/cloud-provider-aws#108

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

/test all

[mtulio]

PR rebased with upstream updates, and CCCMO FG support by #400

[mtulio]

Next step: create a CI job to exercise this scenario.

[mtulio]

/test ?

[openshift-ci]

@mtulio: The following commands are available to trigger required jobs:

/test e2e-aws-ovn

/test e2e-aws-ovn-upgrade

/test fmt

/test images

/test lint

/test okd-scos-images

/test security

/test unit

/test vendor

/test verify-deps

/test vet

The following commands are available to trigger optional jobs:

/test e2e-azure-manual-oidc

/test e2e-azure-ovn

/test e2e-azure-ovn-upgrade

/test e2e-gcp-ovn

/test e2e-gcp-ovn-upgrade

/test e2e-ibmcloud-ovn

/test e2e-nutanix-ovn

/test e2e-openstack-ovn

/test e2e-vsphere-ovn

/test level0-clusterinfra-azure-ipi-proxy-tests

/test okd-scos-e2e-aws-ovn

/test regression-clusterinfra-vsphere-ipi-ccm

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-aws-ovn

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-aws-ovn-upgrade

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-azure-ovn

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-azure-ovn-upgrade

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-gcp-ovn

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-gcp-ovn-upgrade

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-openstack-ovn

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-vsphere-ovn

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-fmt

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-images

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-level0-clusterinfra-azure-ipi-proxy-tests

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-lint

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-okd-scos-e2e-aws-ovn

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-okd-scos-images

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-regression-clusterinfra-vsphere-ipi-ccm

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-security

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-unit

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-vendor

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-verify-deps

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-vet

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2253 which is a valid jira issue.

In response to this:

Bumping cloud-provider-aws are crashing, focusing in the change for now to be able to validate with cluster-bot.

this PR is created to be used with cluster-bot:

Ref: openshift/cloud-provider-aws#117

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mtulio: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

In response to this:

Bumping cloud-provider-aws are crashing, focusing in the change for now to be able to validate with cluster-bot.

this PR is created to be used with cluster-bot:

Ref: openshift/cloud-provider-aws#117

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

/payload-job ?

[openshift-ci]

@mtulio: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

[mtulio]

/testwith openshift/cluster-cloud-controller-manager-operator/main/e2e-aws-ovn openshift/origin#30235 openshift/cloud-provider-aws#117

[deepsm007]

/testwith openshift/cluster-cloud-controller-manager-operator/main/e2e-aws-ovn openshift/cloud-provider-aws#117

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2253 which is a valid jira issue.

In response to this:

Updating the cloud-provider-aws and OpenShift clients to gather the NLB+SG feature, enabling the configuration to provision SGs for all NLBs through the sync transformer.

Ref: openshift/cloud-provider-aws#117

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

Upgrading from k8s 1.33 to 1.34 introduced JSON marshaling behavior changed, and looks like when updating openshift clients it is hitting the unit tests resourceapply to fail when calculating the hash of object.

Considering this would be unrelated with changes introduced to this PR, I will open a different thread to discuss the correct approach. As for now my view is this is blocking this PR as it requires to update cloud-provider-aws to 1.34 (which requires o && k 1.34)

> The Problem
The spec-hash annotation is used in production to detect if a resource's spec has changed. Looking at the code:
- Change Detection: The hash is compared to determine if an update is needed
- Backward Compatibility: If the hash calculation changes between library versions, existing resources with old hashes will be incorrectly detected as "changed" and unnecessarily updated

> The Risk
When upgrading from 1.33 to 1.34:
- Existing resources in production will have hashes computed with the old JSON marshaling
- New code will compute different hashes for the same spec due to JSON marshaling changes
- This will cause unnecessary updates to all existing resources on first deployment after upgrade

cc @rvanderp3 @damdo

[mtulio]

This PR is blocked by #428 where there will provide the bump as well fixes found in the unit tests.

/hold

[mtulio]

/test e2e-aws-ovn-techpreview

[mtulio]

weird, locally is passing.

/test unmit

[openshift-ci]

@mtulio: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test e2e-aws-ovn

/test e2e-aws-ovn-upgrade

/test fmt

/test images

/test lint

/test okd-scos-images

/test unit

/test vendor

/test verify-deps

/test vet

The following commands are available to trigger optional jobs:

/test e2e-aws-ovn-techpreview

/test e2e-azure-manual-oidc

/test e2e-azure-ovn

/test e2e-azure-ovn-upgrade

/test e2e-gcp-ovn

/test e2e-gcp-ovn-upgrade

/test e2e-ibmcloud-ovn

/test e2e-nutanix-ovn

/test e2e-openstack-ovn

/test e2e-vsphere-ovn

/test level0-clusterinfra-azure-ipi-proxy-tests

/test okd-scos-e2e-aws-ovn

/test regression-clusterinfra-vsphere-ipi-ccm

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-aws-ovn

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-e2e-aws-ovn-upgrade

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-fmt

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-images

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-level0-clusterinfra-azure-ipi-proxy-tests

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-lint

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-okd-scos-e2e-aws-ovn

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-okd-scos-images

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-regression-clusterinfra-vsphere-ipi-ccm

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-unit

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-vendor

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-verify-deps

pull-ci-openshift-cluster-cloud-controller-manager-operator-main-vet

In response to this:

weird, locally is passing.

/test unmit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mtulio]

/test unit

[mtulio]

We've found a bug in the unit tests where sections where not ordered correctly making unit to flake. The commit also propose to make sure sections are ordered targeting to address this question:

● Perfect! I've found the root cause!

  Root Cause Analysis

  The test TestCloudConfigTransformer/with_existing_configuration_and_overrides is flaky because of the following:

  1. Map iteration order is non-deterministic in Go: On line 63 of aws_config_transformer.go, there's a loop: for id, override := range 
  cfg.ServiceOverride. The ServiceOverride field is a map[string], and Go explicitly randomizes map iteration order.
  2. Sorting happens but uses string comparison: On line 80, there's a sort: sort.Slice(file.Sections(), func(i, j int) bool { return 
  file.Sections()[i].Name() < file.Sections()[j].Name() }). This sorts section names alphabetically.
  3. The issue: When sorting [ServiceOverride "1"] and [ServiceOverride "2"] alphabetically:
    - Sometimes the sections are added in the order "1", "2"
    - Sometimes they're added in the order "2", "1"
    - When sorted, [ServiceOverride "2"] comes before [ServiceOverride "1"] alphabetically because the string comparison includes the quotes!
    - "2" < "1" is FALSE in string comparison, so the actual sort is correct lexicographically

credits to @jcpowermac :)

[mtulio]

/test e2e-aws-ovn-techpreview

[huali9]

/verified by @huali9

Details are on https://issues.redhat.com/browse/SPLAT-2377

[openshift-ci-robot]

@huali9: This PR has been marked as verified by @huali9.

In response to this:

/verified by @huali9

Details are on https://issues.redhat.com/browse/SPLAT-2377

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-2253 which is a valid jira issue.

In response to this:

Updating the k/cloud-provider-aws to gather the feature of Service type-loadBalancer NLB with managed Security Group through cloud-config under the OpenShift feature set TechPreviewNoUpgrade.

Upstream feature:

• Upstream feature: https://github.com/kubernetes/cloud-provider-aws/pull/1158
• OpenShift feature planning: SPLAT-2353
• QA validation: https://issues.redhat.com/browse/SPLAT-2353?focusedId=28449797&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-28449797

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

/test e2e-azure-ovn

[mtulio]

/assign @damdo @nrb

[damdo]

/assign @theobarberbany

[openshift-ci]

@mtulio: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mtulio]

Removing the hold as this PR is already ready.

/hold cancel