diff --git a/pkg/asset/installconfig/aws/permissions.go b/pkg/asset/installconfig/aws/permissions.go
index 531e11dcc16..42734e1e34c 100644
--- a/pkg/asset/installconfig/aws/permissions.go
+++ b/pkg/asset/installconfig/aws/permissions.go
@@ -499,8 +499,13 @@ func RequiredPermissionGroups(ic *types.InstallConfig) []PermissionGroup {
 		permissionGroups = append(permissionGroups, PermissionKMSEncryptionKeys)
 	}
 
+	isSecretRegion, err := IsSecretRegion(ic.AWS.Region)
+	if err != nil {
+		logrus.Warnf("Unable to determine if AWS region is secret: %v", err)
+		return permissionGroups
+	}
 	// Add delete permissions for non-C2S installs.
-	if !aws.IsSecretRegion(ic.AWS.Region) {
+	if !isSecretRegion {
 		permissionGroups = append(permissionGroups, PermissionDeleteBase)
 		if usingExistingVPC {
 			permissionGroups = append(permissionGroups, PermissionDeleteSharedNetworking)
diff --git a/pkg/asset/installconfig/aws/regions.go b/pkg/asset/installconfig/aws/regions.go
index f1d9b7a7e67..58d2ba023b5 100644
--- a/pkg/asset/installconfig/aws/regions.go
+++ b/pkg/asset/installconfig/aws/regions.go
@@ -4,12 +4,18 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	"k8s.io/apimachinery/pkg/util/sets"
 
 	"github.com/openshift/installer/pkg/rhcos"
 	"github.com/openshift/installer/pkg/types"
 )
 
+const (
+	isoPartition  = "aws-iso"
+	isobPartition = "aws-iso-b"
+)
+
 // knownPublicRegions is the subset of public AWS regions where RHEL CoreOS images are published.
 // This subset does not include supported regions which are found in other partitions, such as us-gov-east-1.
 // Returns: a list of region names.
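Review bot: The early `return permissionGroups` in the new error branch drops every permission group appended after it — PermissionDeleteBase, PermissionDeleteSharedNetworking and whatever the rest of RequiredPermissionGroups adds past this hunk — so a region the resolver cannot handle produces an under-specified permission check instead of a conservative one. The removed `aws.IsSecretRegion` (platform.go hunk) returned false for a region with no known partition, which made the delete permissions required; deleting the `return permissionGroups` line restores that, because `isSecretRegion` is false on error and the `!isSecretRegion` branch still runs. The other two callers in this commit (cloudproviderconfig.go, cloudprovidercabundle.go) fail hard on the same error, so only warning here is also inconsistent; if a hard failure is not possible because this function returns no error, a comment such as `// Resolution failed: treat the region as non-secret so the stricter delete permissions are still required.` should state the choice. RequiredPermissionGroups continues past the hunk.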
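Review bot: The `isoPartition`/`isobPartition` constants are bare strings that must match the partition IDs the SDK's endpoint resolver returns, but nothing documents that coupling; the removed code in platform.go used the v1 SDK's own `endpoints.AwsIsoPartitionID`/`AwsIsoBPartitionID` names. If aws-sdk-go-v2 exports equivalent identifiers, prefer them over literals; otherwise a comment on the const block such as `// Partition IDs as reported by the ec2 endpoint resolver for the ISO (C2S) partitions; keep in sync with the SDK.` makes the dependency explicit.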
@@ -39,3 +45,18 @@ func IsKnownPublicRegion(region string, architecture types.Architecture) (bool,
 	}
 	return sets.New(publicRegions...).Has(region), nil
 }
+
+// IsSecretRegion determines if the region is part of a secret partition.
+func IsSecretRegion(region string) (bool, error) {
+	endpoint, err := ec2.NewDefaultEndpointResolver().ResolveEndpoint(region, ec2.EndpointResolverOptions{})
+	if err != nil {
+		return false, fmt.Errorf("failed to resolve AWS ec2 endpoint: %w", err)
+	}
+
+	switch endpoint.PartitionID {
+	case isoPartition, isobPartition:
+		return true, nil
+	}
+
+	return false, nil
+}
diff --git a/pkg/asset/manifests/cloudproviderconfig.go b/pkg/asset/manifests/cloudproviderconfig.go
index 324f8ba71b9..bd6b7665a62 100644
--- a/pkg/asset/manifests/cloudproviderconfig.go
+++ b/pkg/asset/manifests/cloudproviderconfig.go
@@ -14,6 +14,7 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/installconfig"
+	awsic "github.com/openshift/installer/pkg/asset/installconfig/aws"
 	ibmcloudmachines "github.com/openshift/installer/pkg/asset/machines/ibmcloud"
 	"github.com/openshift/installer/pkg/asset/manifests/azure"
 	"github.com/openshift/installer/pkg/asset/manifests/capiutils"
@@ -101,7 +102,11 @@ func (cpc *CloudProviderConfig) Generate(ctx context.Context, dependencies asset
 	case awstypes.Name:
 		// Store the additional trust bundle in the ca-bundle.pem key if the cluster is being installed on a C2S region.
 		trustBundle := installConfig.Config.AdditionalTrustBundle
-		if trustBundle != "" && awstypes.IsSecretRegion(installConfig.Config.AWS.Region) {
+		isSecretRegion, err := awsic.IsSecretRegion(installConfig.Config.AWS.Region)
+		if err != nil {
+			return fmt.Errorf("failed to determine if AWS region is secret: %w", err)
+		}
+		if trustBundle != "" && isSecretRegion {
 			cm.Data[cloudProviderConfigCABundleDataKey] = trustBundle
 		}
 
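Review bot: `IsSecretRegion` relies on `ResolveEndpoint` to return an error for a region it does not know, whereas the removed v1 implementation checked `PartitionForRegion`'s `ok` and answered false explicitly; if the v2 resolver instead falls back to a default partition for unrecognised region names (worth confirming against the SDK), a mistyped region is silently reported as non-secret, and that answer now decides whether the additional trust bundle is injected and whether delete permissions are required. A unit test that passes an obviously bogus region name would pin down which behaviour the SDK has, and constructing the resolver once at package level rather than on every call (`ec2.NewDefaultEndpointResolver()` is re-created per invocation here) would also let callers reason about it. The doc comment should name the partitions and the error condition, e.g. `// IsSecretRegion reports whether region belongs to the aws-iso or aws-iso-b partition. It returns an error only when the EC2 endpoint for region cannot be resolved.`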
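Review bot: In the cloudproviderconfig.go hunk the endpoint resolution now runs before the `trustBundle != ""` check, so an install with no additional trust bundle fails manifest generation whenever `awsic.IsSecretRegion` errors, where the replaced `&&` expression short-circuited and never consulted the region. Keep the bundle check first — nest the `isSecretRegion, err :=` call and its error return inside `if trustBundle != "" { … }` — so the lookup and its failure mode only apply when there is something to store. `isSecretRegion, err :=` inside the case also declares a new `err`; if Generate already has an `err` in scope (its body starts outside the hunk), this shadows it and linters will flag it.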
diff --git a/pkg/asset/tls/cloudprovidercabundle.go b/pkg/asset/tls/cloudprovidercabundle.go
index bea0e94e10b..8a4e2be4a7c 100644
--- a/pkg/asset/tls/cloudprovidercabundle.go
+++ b/pkg/asset/tls/cloudprovidercabundle.go
@@ -2,9 +2,11 @@ package tls
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/installconfig"
+	awsic "github.com/openshift/installer/pkg/asset/installconfig/aws"
 	awstypes "github.com/openshift/installer/pkg/types/aws"
 )
 
@@ -35,7 +37,12 @@ func (a *CloudProviderCABundle) Generate(_ context.Context, deps asset.Parents)
 	if ic.Config.Platform.Name() != awstypes.Name {
 		return nil
 	}
-	if !awstypes.IsSecretRegion(ic.Config.Platform.AWS.Region) {
+
+	isSecretRegion, err := awsic.IsSecretRegion(ic.Config.Platform.AWS.Region)
+	if err != nil {
+		return fmt.Errorf("failed to determine if AWS region is secret: %w", err)
+	}
+	if !isSecretRegion {
 		return nil
 	}
 
diff --git a/pkg/types/aws/platform.go b/pkg/types/aws/platform.go
index 39f3f070538..4f3a94c82ea 100644
--- a/pkg/types/aws/platform.go
+++ b/pkg/types/aws/platform.go
@@ -3,8 +3,6 @@ package aws
 import (
 	"os"
 
-	"github.com/aws/aws-sdk-go/aws/endpoints"
-
 	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/installer/pkg/types/dns"
 )
@@ -232,19 +230,6 @@ const (
 	ControlPlaneInternalLBSubnetRole SubnetRoleType = "ControlPlaneInternalLB"
 )
 
-// IsSecretRegion returns true if the region is part of either the ISO or ISOB partitions.
-func IsSecretRegion(region string) bool {
-	partition, ok := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), region)
-	if !ok {
-		return false
-	}
-	switch partition.ID() {
-	case endpoints.AwsIsoPartitionID, endpoints.AwsIsoBPartitionID:
-		return true
-	}
-	return false
-}
-
 // IsPublicOnlySubnetsEnabled returns whether the public-only subnets feature has been enabled via env var.
 func IsPublicOnlySubnetsEnabled() bool {
 	// Even though this looks too simple for a function, it's better than having to update the logic everywhere it's