OCPBUGS-44698: Create AWS clients on every reconcile instead of at initialization

[csrwng]

What this PR does / why we need it:
Moves client creation for the private link endpoint controller into the reconcile loop instead of when the reconciler is initially registered. This allows the controller to recover from initial issues assuming a shared vpc role.

Adds additional error logging when AWS cloud API calls fail.

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #OCPBUGS-44698

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [csrwng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@csrwng: This pull request references Jira Issue OCPBUGS-44698, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.0) matches configured target version for branch (4.18.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

What this PR does / why we need it:
Moves client creation for the private link endpoint controller into the reconcile loop instead of when the reconciler is initially registered. This allows the controller to recover from initial issues assuming a shared vpc role.

Adds additional error logging when AWS cloud API calls fail.

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #OCPBUGS-44698

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@csrwng: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	2890402	link	false	/test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[enxebre]

typo sect?
Why are we unconditionally logging here then right below we are logging again via

			if supportawsutil.AWSErrorCode(err) != "InvalidPermission.Duplicate" {
				return fmt.Errorf("failed to set security group ingress rules, code: %s", supportawsutil.AWSErrorCode(err))
			}
			log.Info("WARNING: got duplicate permissions error when setting security group ingress permissions", "sgID", sgID)

[csrwng]

typo sect?
yes

Will also fix the unconditional logging

[enxebre]

why are we logging in addition to the returned error and with different message?

[enxebre]

Should this be:

func isAWSPrivate() bool {
	return os.Getenv("AWS_REGION") != "" && hcp.Spec.Platform.Type == hyperv1.AWSPlatform
}

[csrwng]

We are no longer retrieving the hcp on startup, but we're always setting AWS_REGION on the CPO when platform.Type == AWS:

hypershift/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

Lines 2739 to 2770 in a3791d6

	switch hc.Spec.Platform.Type {
	case hyperv1.AWSPlatform:
	deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes,
	corev1.Volume{
	Name: "cloud-token",
	VolumeSource: corev1.VolumeSource{
	EmptyDir: &corev1.EmptyDirVolumeSource{
	Medium: corev1.StorageMediumMemory,
	},
	},
	},
	corev1.Volume{
	Name: "provider-creds",
	VolumeSource: corev1.VolumeSource{
	Secret: &corev1.SecretVolumeSource{
	SecretName: platformaws.ControlPlaneOperatorCredsSecret("").Name,
	},
	},
	})
	deployment.Spec.Template.Spec.Containers[0].Env = append(deployment.Spec.Template.Spec.Containers[0].Env,
	corev1.EnvVar{
	Name: "AWS_SHARED_CREDENTIALS_FILE",
	Value: "/etc/provider/credentials",
	},
	corev1.EnvVar{
	Name: "AWS_REGION",
	Value: hc.Spec.Platform.AWS.Region,
	},
	corev1.EnvVar{
	Name: "AWS_SDK_LOAD_CONFIG",
	Value: "true",
	})

So just retrieving the hcp on startup for the same check seemed unnecessary

[enxebre]

ah I see. Where I was actually trying to get is that I guess we should only run this if we are in aws private, i.e. should we check hcp.spec.EndpointAccess?

[enxebre]

nit:

// When sharedVPC we need assume these additional roles

?

[enxebre]

assumeSharedVPCEndpointRoleARN
assumeSharedVPCRoute53RoleARN
?

[enxebre]

would it make any difference if this func is just

b.warnOnDifferentValues(log, hcp)
b.setFromHCP(hcp)
b.initialized = true

without the conditional?

[csrwng]

we'd warn unnecessarily when initially setting the values