OTA-1010: release extract: --include works for a minor level update

Author: hongkailiu

credentials-requests/0000_30_machine-api-operator_00_credentials-request.yaml

@@ -0,0 +1,63 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: openshift-machine-api-aws
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - ec2:CreateTags
+      - ec2:DescribeAvailabilityZones
+      - ec2:DescribeDhcpOptions
+      - ec2:DescribeImages
+      - ec2:DescribeInstances
+      - ec2:DescribeInstanceTypes
+      - ec2:DescribeInternetGateways
+      - ec2:DescribeSecurityGroups
+      - ec2:DescribeRegions
+      - ec2:DescribeSubnets
+      - ec2:DescribeVpcs
+      - ec2:RunInstances
+      - ec2:TerminateInstances
+      - elasticloadbalancing:DescribeLoadBalancers
+      - elasticloadbalancing:DescribeTargetGroups
+      - elasticloadbalancing:DescribeTargetHealth
+      - elasticloadbalancing:RegisterInstancesWithLoadBalancer
+      - elasticloadbalancing:RegisterTargets
+      - elasticloadbalancing:DeregisterTargets
+      - iam:PassRole
+      - iam:CreateServiceLinkedRole
+      effect: Allow
+      resource: '*'
+    - action:
+      - kms:Decrypt
+      - kms:Encrypt
+      - kms:GenerateDataKey
+      - kms:GenerateDataKeyWithoutPlainText
+      - kms:DescribeKey
+      effect: Allow
+      resource: '*'
+    - action:
+      - kms:RevokeGrant
+      - kms:CreateGrant
+      - kms:ListGrants
+      effect: Allow
+      policyCondition:
+        Bool:
+          kms:GrantIsForAWSResource: true
+      resource: '*'
+  secretRef:
+    name: aws-cloud-credentials
+    namespace: openshift-machine-api
+  serviceAccountNames:
+  - machine-api-controllers

credentials-requests/0000_50_cloud-credential-operator_05-iam-ro-credentialsrequest.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+  name: cloud-credential-operator-iam-ro
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - iam:GetUser
+      - iam:GetUserPolicy
+      - iam:ListAccessKeys
+      effect: Allow
+      resource: '*'
+  secretRef:
+    name: cloud-credential-operator-iam-ro-creds
+    namespace: openshift-cloud-credential-operator
+  serviceAccountNames:
+  - cloud-credential-operator

credentials-requests/0000_50_cluster-image-registry-operator_01-registry-credentials-request.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    capability.openshift.io/name: ImageRegistry
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: openshift-image-registry
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - s3:CreateBucket
+      - s3:DeleteBucket
+      - s3:PutBucketTagging
+      - s3:GetBucketTagging
+      - s3:PutBucketPublicAccessBlock
+      - s3:GetBucketPublicAccessBlock
+      - s3:PutEncryptionConfiguration
+      - s3:GetEncryptionConfiguration
+      - s3:PutLifecycleConfiguration
+      - s3:GetLifecycleConfiguration
+      - s3:GetBucketLocation
+      - s3:ListBucket
+      - s3:GetObject
+      - s3:PutObject
+      - s3:DeleteObject
+      - s3:ListBucketMultipartUploads
+      - s3:AbortMultipartUpload
+      - s3:ListMultipartUploadParts
+      effect: Allow
+      resource: '*'
+  secretRef:
+    name: installer-cloud-credentials
+    namespace: openshift-image-registry
+  serviceAccountNames:
+  - cluster-image-registry-operator
+  - registry

credentials-requests/0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: openshift-ingress
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - elasticloadbalancing:DescribeLoadBalancers
+      - route53:ListHostedZones
+      - route53:ListTagsForResources
+      - route53:ChangeResourceRecordSets
+      - tag:GetResources
+      - sts:AssumeRole
+      effect: Allow
+      resource: '*'
+  secretRef:
+    name: cloud-credentials
+    namespace: openshift-ingress-operator
+  serviceAccountNames:
+  - ingress-operator

credentials-requests/0000_50_cluster-network-operator_02-cncc-credentials.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: openshift-cloud-network-config-controller-aws
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - ec2:DescribeInstances
+      - ec2:DescribeInstanceStatus
+      - ec2:DescribeInstanceTypes
+      - ec2:UnassignPrivateIpAddresses
+      - ec2:AssignPrivateIpAddresses
+      - ec2:UnassignIpv6Addresses
+      - ec2:AssignIpv6Addresses
+      - ec2:DescribeSubnets
+      - ec2:DescribeNetworkInterfaces
+      effect: Allow
+      resource: '*'
+  secretRef:
+    name: cloud-credentials
+    namespace: openshift-cloud-network-config-controller
+  serviceAccountNames:
+  - cloud-network-config-controller

credentials-requests/0000_50_cluster-storage-operator_03_credentials_request_aws.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    capability.openshift.io/name: Storage
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: aws-ebs-csi-driver-operator
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - ec2:AttachVolume
+      - ec2:CreateSnapshot
+      - ec2:CreateTags
+      - ec2:CreateVolume
+      - ec2:DeleteSnapshot
+      - ec2:DeleteTags
+      - ec2:DeleteVolume
+      - ec2:DescribeInstances
+      - ec2:DescribeSnapshots
+      - ec2:DescribeTags
+      - ec2:DescribeVolumes
+      - ec2:DescribeVolumesModifications
+      - ec2:DetachVolume
+      - ec2:ModifyVolume
+      - ec2:DescribeAvailabilityZones
+      - ec2:EnableFastSnapshotRestores
+      effect: Allow
+      resource: '*'
+    - action:
+      - kms:ReEncrypt*
+      - kms:Decrypt
+      - kms:Encrypt
+      - kms:GenerateDataKey
+      - kms:GenerateDataKeyWithoutPlainText
+      - kms:DescribeKey
+      effect: Allow
+      resource: '*'
+    - action:
+      - kms:RevokeGrant
+      - kms:CreateGrant
+      - kms:ListGrants
+      effect: Allow
+      policyCondition:
+        Bool:
+          kms:GrantIsForAWSResource: true
+      resource: '*'
+  secretRef:
+    name: ebs-cloud-credentials
+    namespace: openshift-cluster-csi-drivers
+  serviceAccountNames:
+  - aws-ebs-csi-driver-operator
+  - aws-ebs-csi-driver-controller-sa

pkg/cli/admin/release/extract.go

@@ -32,6 +32,7 @@ import (
 	"github.com/openshift/oc/pkg/cli/image/imagesource"
 	imagemanifest "github.com/openshift/oc/pkg/cli/image/manifest"
 	"github.com/openshift/oc/pkg/cli/image/workqueue"
+	"github.com/openshift/oc/pkg/version"
 	"github.com/pkg/errors"
 )
 
@@ -94,7 +95,8 @@ func NewExtract(f kcmdutil.Factory, streams genericiooptions.IOStreams) *cobra.C
 			If --install-config is set, it will be used to determine the expected cluster configuration,
 			otherwise the command will interrogate your current cluster to determine its configuration.
 			This command is most accurate when the version of the extracting client matches the version
-			of the cluster under consideration.
+			of the cluster under consideration. Otherwise, for example, newly introduced capabilities in
+            the version of the extracting client might be considered enabled.
 
 			Instead of extracting the manifests, you can specify --git=DIR to perform a Git
 			checkout of the source code that comprises the release. A warning will be printed
@@ -359,10 +361,19 @@ func (o *ExtractOptions) Run(ctx context.Context) error {
 		if o.Included {
 			context := "connected cluster"
 			inclusionConfig := manifestInclusionConfiguration{}
+
+			clientVersion, reportedVersion, VersionErr := version.ExtractVersion()
+			if VersionErr != nil {
+				return VersionErr
+			}
+			if reportedVersion == "" {
+				reportedVersion = clientVersion.String()
+			}
+
 			if o.InstallConfig == "" {
-				inclusionConfig, err = findClusterIncludeConfig(ctx, o.RESTConfig)
+				inclusionConfig, err = findClusterIncludeConfig(ctx, o.RESTConfig, reportedVersion)
 			} else {
-				inclusionConfig, err = findClusterIncludeConfigFromInstallConfig(ctx, o.InstallConfig)
+				inclusionConfig, err = findClusterIncludeConfigFromInstallConfig(ctx, o.InstallConfig, reportedVersion)
 				context = o.InstallConfig
 			}
 			if err != nil {