NE-2401: Add support for AWS ISO partitions#284

Open
alebedev87 wants to merge 1 commit into
openshift:mainfrom
alebedev87:iso-regions-support

Conversation

@alebedev87
Contributor

Update IAM policy resource ARNs from arn:aws: to arn:*: to support all AWS partitions. Extend the stsIAMRoleARN CRD validation regex to accept aws-iso, aws-iso-b, aws-iso-e, and aws-iso-f partitions in addition to the existing aws, aws-cn, and aws-us-gov.

The CRD validation serves as the enforcement point for which partitions are supported, while arn:*: in the IAM policy resources ensures permissions work in whichever partition the cluster runs in. Note that the minified IAM policy used in non-STS clusters already collapses all resources to *, so the partition-specific ARNs only matter for the non-minified STS policy.

Update IAM policy resource ARNs from `arn:aws:` to `arn:*:` to support
all AWS partitions. Extend the `stsIAMRoleARN` CRD validation regex to
accept `aws-iso`, `aws-iso-b`, `aws-iso-e`, and `aws-iso-f` partitions
in addition to the existing `aws`, `aws-cn`, and `aws-us-gov`.

The CRD validation serves as the enforcement point for which partitions
are supported, while `arn:*:` in the IAM policy resources ensures
permissions work in whichever partition the cluster runs in. Note that
the minified IAM policy used in non-STS clusters already collapses all
resources to `*`, so the partition-specific ARNs only matter for the
non-minified STS policy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
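The relationship the description draws between the CRD regex and the `arn:*:` policy resources, as an added Go example that is not code from this PR or from the operator itself: `roleARNPattern` is an assumed reconstruction of the `stsIAMRoleARN` validation (the real pattern is not shown on this page), `PolicyResourceCovers` is a hypothetical helper, and all ARNs are constructed samples. It shows why the CRD regex has to be the enforcement point: a policy resource with a wildcard partition covers any partition, including ones the CRD rejects.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed reconstruction of the stsIAMRoleARN CRD validation after this PR.
// Shape: arn:<partition>:iam::<12-digit account>:role/<path and name>
var roleARNPattern = regexp.MustCompile(
	`^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):iam::\d{12}:role/[\w+=,.@/-]+$`)

// ValidateSTSIAMRoleARN returns the partition of an accepted role ARN, or an
// error for unknown partitions, non-IAM services or malformed account IDs.
func ValidateSTSIAMRoleARN(arn string) (string, error) {
	m := roleARNPattern.FindStringSubmatch(arn)
	if m == nil {
		return "", fmt.Errorf("stsIAMRoleARN %q is not an IAM role ARN in a supported partition", arn)
	}
	return m[1], nil
}

// PolicyResourceCovers reports whether an IAM policy Resource entry matches a
// concrete ARN; IAM's `*` wildcard is approximated with `.*`, all else is literal.
func PolicyResourceCovers(resource, arn string) bool {
	parts := strings.Split(resource, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	re := regexp.MustCompile("^" + strings.Join(parts, ".*") + "$")
	return re.MatchString(arn)
}

func main() {
	// Constructed sample values, not taken from the operator's policy files.
	resource := "arn:*:iam::123456789012:role/foo"
	for _, arn := range []string{
		"arn:aws:iam::123456789012:role/foo",
		"arn:aws-iso-b:iam::123456789012:role/foo",
		"arn:aws-xyz:iam::123456789012:role/foo", // partition the CRD does not accept
	} {
		part, err := ValidateSTSIAMRoleARN(arn)
		fmt.Printf("%-42s crd-ok=%-5v partition=%-10s policy-covers=%v\n",
			arn, err == nil, part, PolicyResourceCovers(resource, arn))
	}
}
```

The third sample is covered by the wildcard policy resource but rejected by the CRD, which is exactly the split the description relies on.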
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 22, 2026
@openshift-ci-robot

openshift-ci-robot commented Apr 22, 2026

@alebedev87: This pull request references NE-2401 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Apr 22, 2026

📝 Walkthrough

This pull request expands AWS partition support across multiple components. The validation pattern for the stsIAMRoleARN field is updated to accept aws-iso, aws-iso-b, aws-iso-e, and aws-iso-f partitions in addition to the existing aws, aws-cn, and aws-us-gov partitions. Simultaneously, IAM policy resource ARNs are updated to use wildcard partition matching (arn:*:) instead of hardcoded AWS partition prefixes (arn:aws:). These changes are reflected in Go code files, CRD manifests, policy JSON files, and corresponding test cases that validate AWS ISO partition functionality.

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main objective of the PR: adding support for AWS ISO partitions. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the ARN updates and CRD validation changes to support AWS ISO partitions. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Test names in the PR appear to be static, descriptive strings without dynamic identifiers, timestamps, or random suffixes. |
| Test Structure And Quality | ✅ Passed | Test files follow excellent Go testing framework practices with table-driven patterns, proper setup, meaningful error messages, and consistent conventions. |
| Microshift Test Compatibility | ✅ Passed | Repository does not use Ginkgo framework; no e2e tests detected in PR changes, only unit test updates for IAM policy and partition support. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The PR modifies only unit tests in pkg/operator/credentials_test.go and pkg/utils/resource/update/credentials_request_test.go. These are standard Go unit tests, not Ginkgo e2e tests, and do not assume multi-node or HA cluster topologies. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only IAM policy ARNs and CRD validation patterns without changing deployment manifests or Kubernetes scheduling constructs. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies IAM policy ARNs, CRD validation patterns, and test scenarios with no changes to process-level code (main, init, BeforeSuite, AfterSuite) that could write to stdout. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | The pull request does not add any new Ginkgo e2e tests. Modifications to test files are additions to existing standard Go unit tests using the testing.T interface, not Ginkgo-style tests. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: can't unmarshal config by viper (flags, file): 1 error(s) decoding:

  • 'output.formats' expected a map, got 'slice'
    The command is terminated due to an error: can't load config: can't unmarshal config by viper (flags, file): 1 error(s) decoding:

  • 'output.formats' expected a map, got 'slice'


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from Thealisyed and rfredette April 22, 2026 23:17
@openshift-ci
Contributor

openshift-ci Bot commented Apr 22, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign davidesalerno for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
pkg/operator/credentials_test.go (1)

70-99: Add test coverage for all newly supported ISO partitions.

Great addition for aws-iso. Since support was expanded across four ISO partitions, add table entries for aws-iso-b, aws-iso-e, and aws-iso-f as well to lock in the full contract and prevent regressions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/credentials_test.go` around lines 70 - 99, Add three additional
table-driven test cases alongside the existing "nominal sts iso partition" entry
to cover the other ISO partitions: "aws-iso-b", "aws-iso-e", and "aws-iso-f".
For each new case, mirror the existing test case structure (envVars with ROLEARN
set to "arn:aws-iso-<X>:iam::123456789012:role/foo", scheme set to test.Scheme,
provisionedSecret with Data["credentials"]=[]byte("okiso"), expectedCredReqName
matching the current NamespacedName, compareCredReq function asserting
providerSpec.STSIAMRoleARN equals the partition-specific ARN and
credReq.Spec.CloudTokenPath equals
"/var/run/secrets/openshift/serviceaccount/token", and expectedContents "okiso")
so that the tests exercise the same assertions used by compareCredReq,
provisionedSecret, expectedCredReqName, and expectedContents.
📥 Commits

Reviewing files that changed from the base of the PR and between 1c2aeaf and e38e0cd.

📒 Files selected for processing (12)
  • api/v1/awsloadbalancercontroller_types.go
  • assets/iam-policy.json
  • assets/operator-iam-policy.json
  • bundle/manifests/networking.olm.openshift.io_awsloadbalancercontrollers.yaml
  • config/crd/bases/networking.olm.openshift.io_awsloadbalancercontrollers.yaml
  • hack/controller/controller-credentials-request.yaml
  • hack/operator-credentials-request.yaml
  • hack/operator-permission-policy.json
  • pkg/controllers/awsloadbalancercontroller/iam_policy.go
  • pkg/operator/credentials_test.go
  • pkg/operator/iam_policy.go
  • pkg/utils/resource/update/credentials_request_test.go

@openshift-ci
Contributor

openshift-ci Bot commented Apr 23, 2026

@alebedev87: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-rosa-operator | e38e0cd | link | true | /test e2e-aws-rosa-operator |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
