xfnlib does not support role chaining #3649

Open
mproffitt opened this issue Aug 22, 2024 · 1 comment
team/honeybadger Team Honey Badger

mproffitt commented Aug 22, 2024

xfnlib is a library for use in Crossplane composition functions, built for handling authentication to both cloud providers and the Kubernetes API.

At present it supports both the AWS WebIdentity framework and static credentials; however, when using WebIdentity it does not support role chaining, which I understand to be a requirement for cross-account IRSA operations.

To the best of my understanding, role chaining works by assuming each role in order, and then passing the desired config back to the client.

If this assumption is correct then this would require a change to this block to follow the chain of roles instead of just accepting the first.

```go
// Only the first entry of the chain is used here.
assumeRoleArn = &pcfg.AssumeRoleChain[0].RoleARN
log.Info("Assuming role", "role", *assumeRoleArn)
if cfg, err = config.LoadDefaultConfig(
	ctx,
	config.WithRegion(*region),
	config.WithCredentialsProvider(aws.NewCredentialsCache(
		stscredsv2.NewAssumeRoleProvider(
			stsclient,
			*assumeRoleArn,
		)),
	),
```

https://github.com/giantswarm/xfnlib/blob/01a8491e4ce3cff6f89b33c27cc08af600b46d25/pkg/auth/aws/client.go#L272-L282

Testing would then require this to be embedded into the network-discovery composition function by updating the version in go.mod, recompiling and deploying to golem.

It would then be possible to configure an additional VPC lookup for the discovery claim as such:

```yaml
  - name: CLUSTER-vpc
    providerConfigRef:
      name: PROVIDER-CONFIG-REF
    region: eu-central-1
```

If all works correctly, you should then see CLUSTER-vpc appear in the status of the XR.

```
$ k get discoveries example-8npnx -o yaml
status:
  conditions:
  - lastTransitionTime: "2024-08-22T04:02:06Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2024-08-21T16:04:38Z"
    reason: Available
    status: "True"
    type: Ready
  vpcs:
    CLUSTER-vpc:
        ...
```
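The walk over `AssumeRoleChain` that the issue describes, as an added example that is not xfnlib's code: each hop is assumed with the credentials returned by the previous hop, and only the last hop's credentials go back to the client. The `Credentials`, `AssumeRoler` and `fakeSTS` types are stand-ins assumed here so it runs offline; with the real SDK each hop would be `stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfgWithPreviousCreds), arn)`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Credentials is a minimal stand-in for aws.Credentials (assumption, not the SDK type).
// SourceRole records which principal the credentials belong to; "" is the base WebIdentity identity.
type Credentials struct {
	AccessKeyID string
	SourceRole  string
}

// AssumeRoler is the single STS operation a chain needs (sts.Client.AssumeRole in the SDK).
type AssumeRoler interface {
	AssumeRole(ctx context.Context, caller Credentials, roleARN string) (Credentials, error)
}

// AssumeRoleChain assumes every role in order. Hop i is called with the credentials
// obtained at hop i-1, so a break anywhere in the chain fails the whole lookup.
func AssumeRoleChain(ctx context.Context, sts AssumeRoler, base Credentials, chain []string) (Credentials, error) {
	if len(chain) == 0 {
		return Credentials{}, errors.New("empty role chain")
	}
	creds := base
	for i, arn := range chain {
		next, err := sts.AssumeRole(ctx, creds, arn)
		if err != nil {
			return Credentials{}, fmt.Errorf("hop %d (%s): %w", i, arn, err)
		}
		creds = next
	}
	return creds, nil
}

// fakeSTS records "caller->role" for each hop so the ordering can be checked (constructed for the example).
type fakeSTS struct{ calls []string }

func (f *fakeSTS) AssumeRole(_ context.Context, caller Credentials, roleARN string) (Credentials, error) {
	f.calls = append(f.calls, caller.SourceRole+"->"+roleARN)
	return Credentials{AccessKeyID: "ASIA-" + roleARN, SourceRole: roleARN}, nil
}

func main() {
	sts := &fakeSTS{}
	chain := []string{"arn:aws:iam::111111111111:role/hop-one", "arn:aws:iam::222222222222:role/target"}
	creds, err := AssumeRoleChain(context.Background(), sts, Credentials{SourceRole: "web-identity"}, chain)
	fmt.Println(creds.SourceRole, err, sts.calls)
}
```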
@weatherhog

@mproffitt we will wait for you to come back to speak about this
