Merge pull request #4767 from stevekuznetsov/skuznets/rosa-aws-session

✨ rosa: load identity dynamically
kubernetes-sigs · Feb 12, 2024 · 121d0ff · 121d0ff
2 parents 6193d17 + 1e11e57
commit 121d0ff
Show file tree

Hide file tree

Showing 21 changed files with 211 additions and 53 deletions.
diff --git a/Makefile b/Makefile
@@ -190,6 +190,7 @@ defaulters: $(DEFAULTER_GEN) ## Generate all Go types
 	$(DEFAULTER_GEN) \
 		--input-dirs=./api/v1beta2 \
 		--input-dirs=./$(EXP_DIR)/api/v1beta2 \
+		--input-dirs=./controlplane/rosa/api/v1beta2 \
 		--input-dirs=./cmd/clusterawsadm/api/bootstrap/v1beta1 \
 		--input-dirs=./cmd/clusterawsadm/api/bootstrap/v1alpha1 \
 		--extra-peer-dirs=sigs.k8s.io/cluster-api/api/v1beta1 \

diff --git a/api/v1beta1/awscluster_types.go b/api/v1beta1/awscluster_types.go
@@ -87,8 +87,10 @@ type AWSClusterSpec struct {
 	// +optional
 	Bastion Bastion `json:"bastion"`
 
-	// IdentityRef is a reference to a identity to be used when reconciling this cluster
 	// +optional
+
+	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+	// If no identity is specified, the default identity for this controller will be used.
 	IdentityRef *AWSIdentityReference `json:"identityRef,omitempty"`
 
 	// S3Bucket contains options to configure a supporting S3 bucket for this

diff --git a/api/v1beta2/awscluster_types.go b/api/v1beta2/awscluster_types.go
@@ -99,8 +99,10 @@ type AWSClusterSpec struct {
 	// +optional
 	Bastion Bastion `json:"bastion"`
 
-	// IdentityRef is a reference to a identity to be used when reconciling this cluster
 	// +optional
+
+	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+	// If no identity is specified, the default identity for this controller will be used.
 	IdentityRef *AWSIdentityReference `json:"identityRef,omitempty"`
 
 	// S3Bucket contains options to configure a supporting S3 bucket for this

diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -258,8 +258,9 @@ spec:
                     type: array
                 type: object
               identityRef:
-                description: IdentityRef is a reference to a identity to be used when
-                  reconciling the managed control plane.
+                description: IdentityRef is a reference to an identity to be used
+                  when reconciling the managed control plane. If no identity is specified,
+                  the default identity for this controller will be used.
                 properties:
                   kind:
                     description: Kind of the identity.
@@ -2096,8 +2097,9 @@ spec:
                     type: array
                 type: object
               identityRef:
-                description: IdentityRef is a reference to a identity to be used when
-                  reconciling the managed control plane.
+                description: IdentityRef is a reference to an identity to be used
+                  when reconciling the managed control plane. If no identity is specified,
+                  the default identity for this controller will be used.
                 properties:
                   kind:
                     description: Kind of the identity.

diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
@@ -45,10 +45,6 @@ spec:
             type: object
           spec:
             properties:
-              accountID:
-                description: 'TODO: these are to satisfy ocm sdk. Explore how to drop
-                  them.'
-                type: string
               availabilityZones:
                 description: AWS AvailabilityZones of the worker nodes should match
                   the AvailabilityZones of the Subnets.
@@ -70,8 +66,6 @@ spec:
                 - host
                 - port
                 type: object
-              creatorARN:
-                type: string
               credentialsSecretRef:
                 description: 'CredentialsSecretRef references a secret with necessary
                   credentials to connect to the OCM API. The secret should contain
@@ -84,7 +78,29 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
+              identityRef:
+                description: IdentityRef is a reference to an identity to be used
+                  when reconciling the managed control plane. If no identity is specified,
+                  the default identity for this controller will be used.
+                properties:
+                  kind:
+                    description: Kind of the identity.
+                    enum:
+                    - AWSClusterControllerIdentity
+                    - AWSClusterRoleIdentity
+                    - AWSClusterStaticIdentity
+                    type: string
+                  name:
+                    description: Name of the identity.
+                    minLength: 1
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
               installerRoleARN:
+                description: 'TODO: these are to satisfy ocm sdk. Explore how to drop
+                  them.'
                 type: string
               machineCIDR:
                 description: Block of IP addresses used by OpenShift while installing
@@ -276,9 +292,7 @@ spec:
               workerRoleARN:
                 type: string
             required:
-            - accountID
             - availabilityZones
-            - creatorARN
             - installerRoleARN
             - machineCIDR
             - oidcID

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -167,8 +167,9 @@ spec:
                     type: array
                 type: object
               identityRef:
-                description: IdentityRef is a reference to a identity to be used when
-                  reconciling this cluster
+                description: IdentityRef is a reference to an identity to be used
+                  when reconciling the managed control plane. If no identity is specified,
+                  the default identity for this controller will be used.
                 properties:
                   kind:
                     description: Kind of the identity.
@@ -1142,8 +1143,9 @@ spec:
                     type: array
                 type: object
               identityRef:
-                description: IdentityRef is a reference to a identity to be used when
-                  reconciling this cluster
+                description: IdentityRef is a reference to an identity to be used
+                  when reconciling the managed control plane. If no identity is specified,
+                  the default identity for this controller will be used.
                 properties:
                   kind:
                     description: Kind of the identity.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
@@ -183,8 +183,10 @@ spec:
                             type: array
                         type: object
                       identityRef:
-                        description: IdentityRef is a reference to a identity to be
-                          used when reconciling this cluster
+                        description: IdentityRef is a reference to an identity to
+                          be used when reconciling the managed control plane. If no
+                          identity is specified, the default identity for this controller
+                          will be used.
                         properties:
                           kind:
                             description: Kind of the identity.
@@ -742,8 +744,10 @@ spec:
                             type: array
                         type: object
                       identityRef:
-                        description: IdentityRef is a reference to a identity to be
-                          used when reconciling this cluster
+                        description: IdentityRef is a reference to an identity to
+                          be used when reconciling the managed control plane. If no
+                          identity is specified, the default identity for this controller
+                          will be used.
                         properties:
                           kind:
                             description: Kind of the identity.

diff --git a/controllers/rosacluster_controller.go b/controllers/rosacluster_controller.go
@@ -35,6 +35,7 @@ import (
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	rosacontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/rosa/api/v1beta2"
 	expinfrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2"
+	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/scope"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/logger"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/util"
@@ -48,6 +49,7 @@ type ROSAClusterReconciler struct {
 	client.Client
 	Recorder         record.EventRecorder
 	WatchFilterValue string
+	Endpoints        []scope.ServiceEndpoint
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=rosaclusters,verbs=get;list;watch;update;patch;delete

diff --git a/controlplane/eks/api/v1beta1/awsmanagedcontrolplane_types.go b/controlplane/eks/api/v1beta1/awsmanagedcontrolplane_types.go
@@ -40,8 +40,10 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	EKSClusterName string `json:"eksClusterName,omitempty"`
 
-	// IdentityRef is a reference to a identity to be used when reconciling the managed control plane.
 	// +optional
+
+	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+	// If no identity is specified, the default identity for this controller will be used.
 	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
 
 	// NetworkSpec encapsulates all things related to AWS network.

diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go
@@ -40,8 +40,10 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	EKSClusterName string `json:"eksClusterName,omitempty"`
 
-	// IdentityRef is a reference to a identity to be used when reconciling the managed control plane.
 	// +optional
+
+	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+	// If no identity is specified, the default identity for this controller will be used.
 	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
 
 	// NetworkSpec encapsulates all things related to AWS network.

diff --git a/controlplane/rosa/api/v1beta2/defaults.go b/controlplane/rosa/api/v1beta2/defaults.go
@@ -0,0 +1,13 @@
+package v1beta2
+
+import "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
+
+// SetDefaults_RosaControlPlaneSpec is used by defaulter-gen.
+func SetDefaults_RosaControlPlaneSpec(s *RosaControlPlaneSpec) { //nolint:golint,stylecheck
+	if s.IdentityRef == nil {
+		s.IdentityRef = &v1beta2.AWSIdentityReference{
+			Kind: v1beta2.ControllerIdentityKind,
+			Name: v1beta2.AWSClusterControllerIdentityName,
+		}
+	}
+}
diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go
@@ -20,6 +20,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
@@ -64,8 +65,6 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	OIDCID *string `json:"oidcID"`
 
 	// TODO: these are to satisfy ocm sdk. Explore how to drop them.
-	AccountID        *string `json:"accountID"`
-	CreatorARN       *string `json:"creatorARN"`
 	InstallerRoleARN *string `json:"installerRoleARN"`
 	SupportRoleARN   *string `json:"supportRoleARN"`
 	WorkerRoleARN    *string `json:"workerRoleARN"`
@@ -76,6 +75,12 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
 	// +optional
 	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`
+
+	// +optional
+
+	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+	// If no identity is specified, the default identity for this controller will be used.
+	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
 }
 
 // AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.
@@ -489,6 +494,7 @@ type RosaControlPlaneStatus struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Cluster",type="string",JSONPath=".metadata.labels.cluster\\.x-k8s\\.io/cluster-name",description="Cluster to which this RosaControl belongs"
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.ready",description="Control plane infrastructure is ready for worker nodes"
+// +k8s:defaulter-gen=true
 
 type ROSAControlPlane struct {
 	metav1.TypeMeta   `json:",inline"`

diff --git a/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go b/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go
diff --git a/controlplane/rosa/api/v1beta2/zz_generated.defaults.go b/controlplane/rosa/api/v1beta2/zz_generated.defaults.go
diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go
@@ -68,6 +68,7 @@ type ROSAControlPlaneReconciler struct {
 	client.Client
 	WatchFilterValue string
 	WaitInfraPeriod  time.Duration
+	Endpoints        []scope.ServiceEndpoint
 }
 
 // SetupWithManager is used to setup the controller.
@@ -148,6 +149,7 @@ func (r *ROSAControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		Cluster:        cluster,
 		ControlPlane:   rosaControlPlane,
 		ControllerName: strings.ToLower(rosaControlPlaneKind),
+		Endpoints:      r.Endpoints,
 		Logger:         log,
 	})
 	if err != nil {
@@ -344,8 +346,8 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 	stsBuilder.AutoMode(true)
 
 	awsBuilder := cmv1.NewAWS().
-		AccountID(*rosaScope.ControlPlane.Spec.AccountID).
-		BillingAccountID(*rosaScope.ControlPlane.Spec.AccountID).
+		AccountID(*rosaScope.Identity.Account).
+		BillingAccountID(*rosaScope.Identity.Account).
 		SubnetIDs(rosaScope.ControlPlane.Spec.Subnets...).
 		STS(stsBuilder)
 	clusterBuilder = clusterBuilder.AWS(awsBuilder)
@@ -355,7 +357,7 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 	clusterBuilder = clusterBuilder.Nodes(clusterNodesBuilder)
 
 	clusterProperties := map[string]string{}
-	clusterProperties[rosaCreatorArnProperty] = *rosaScope.ControlPlane.Spec.CreatorARN
+	clusterProperties[rosaCreatorArnProperty] = *rosaScope.Identity.Arn
 
 	clusterBuilder = clusterBuilder.Properties(clusterProperties)
 	clusterSpec, err := clusterBuilder.Build()

diff --git a/exp/controllers/rosamachinepool_controller.go b/exp/controllers/rosamachinepool_controller.go
@@ -37,6 +37,7 @@ type ROSAMachinePoolReconciler struct {
 	client.Client
 	Recorder         record.EventRecorder
 	WatchFilterValue string
+	Endpoints        []scope.ServiceEndpoint
 }
 
 // SetupWithManager is used to setup the controller.