Merge pull request #4844 from muraee/rosacontrolplane-new-fields

✨Add new fields to ROSAControlPlane - additionalTags, etcdEncryption, endpointAccess

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -47,6 +47,12 @@ spec:
           spec:
             description: RosaControlPlaneSpec defines the desired state of ROSAControlPlane.
             properties:
+              additionalTags:
+                additionalProperties:
+                  type: string
+                description: AdditionalTags are user-defined tags to be added on the
+                  AWS resources associated with the control plane.
+                type: object
               autoscaling:
                 description: Autoscaling specifies auto scaling behaviour for the
                   MachinePools.
@@ -102,6 +108,19 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
+              endpointAccess:
+                default: Public
+                description: EndpointAccess specifies the publishing scope of cluster
+                  endpoints. The default is Public.
+                enum:
+                - Public
+                - Private
+                type: string
+              etcdEncryptionKMSArn:
+                description: EtcdEncryptionKMSArn is the ARN of the KMS key used to
+                  encrypt etcd. The key itself needs to be created out-of-band by
+                  the user and tagged with `red-hat:true`.
+                type: string
               identityRef:
                 description: IdentityRef is a reference to an identity to be used
                   when reconciling the managed control plane. If no identity is specified,
@@ -361,7 +380,7 @@ spec:
             description: RosaControlPlaneStatus defines the observed state of ROSAControlPlane.
             properties:
               conditions:
-                description: Conditions specifies the cpnditions for the managed control
+                description: Conditions specifies the conditions for the managed control
                   plane
                 items:
                   description: Condition defines an observation of a Cluster API resource
@@ -433,7 +452,7 @@ spec:
                 type: boolean
               oidcEndpointURL:
                 description: OIDCEndpointURL is the endpoint url for the managed OIDC
-                  porvider.
+                  provider.
                 type: string
               ready:
                 default: false

controlplane/rosa/api/v1beta2/doc.go

@@ -0,0 +1,21 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group
+// +gencrdrefdocs:force
+// +groupName=controlplane.cluster.x-k8s.io
+// +k8s:defaulter-gen=TypeMeta
+package v1beta2

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -25,6 +25,19 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
+// RosaEndpointAccessType specifies the publishing scope of cluster endpoints.
+type RosaEndpointAccessType string
+
+const (
+	// Public endpoint access allows public API server access and
+	// private node communication with the control plane.
+	Public RosaEndpointAccessType = "Public"
+
+	// Private endpoint access allows only private API server access and private
+	// node communication with the control plane.
+	Private RosaEndpointAccessType = "Private"
+)
+
 // RosaControlPlaneSpec defines the desired state of ROSAControlPlane.
 type RosaControlPlaneSpec struct { //nolint: maligned
 	// Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric
@@ -90,6 +103,14 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	Network *NetworkSpec `json:"network,omitempty"`
 
+	// EndpointAccess specifies the publishing scope of cluster endpoints. The
+	// default is Public.
+	//
+	// +kubebuilder:validation:Enum=Public;Private
+	// +kubebuilder:default=Public
+	// +optional
+	EndpointAccess RosaEndpointAccessType `json:"endpointAccess,omitempty"`
+
 	// The instance type to use, for example `r5.xlarge`. Instance type ref; https://aws.amazon.com/ec2/instance-types/
 	// +optional
 	InstanceType string `json:"instanceType,omitempty"`
@@ -98,6 +119,15 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	Autoscaling *expinfrav1.RosaMachinePoolAutoScaling `json:"autoscaling,omitempty"`
 
+	// AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane.
+	// +optional
+	AdditionalTags infrav1.Tags `json:"additionalTags,omitempty"`
+
+	// EtcdEncryptionKMSArn is the ARN of the KMS key used to encrypt etcd. The key itself needs to be
+	// created out-of-band by the user and tagged with `red-hat:true`.
+	// +optional
+	EtcdEncryptionKMSArn string `json:"etcdEncryptionKMSArn,omitempty"`
+
 	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
 	// +optional
 	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`
@@ -534,14 +564,14 @@ type RosaControlPlaneStatus struct {
 	//
 	// +optional
 	FailureMessage *string `json:"failureMessage,omitempty"`
-	// Conditions specifies the cpnditions for the managed control plane
+	// Conditions specifies the conditions for the managed control plane
 	Conditions clusterv1.Conditions `json:"conditions,omitempty"`
 
 	// ID is the cluster ID given by ROSA.
 	ID string `json:"id,omitempty"`
 	// ConsoleURL is the url for the openshift console.
 	ConsoleURL string `json:"consoleURL,omitempty"`
-	// OIDCEndpointURL is the endpoint url for the managed OIDC porvider.
+	// OIDCEndpointURL is the endpoint url for the managed OIDC provider.
 	OIDCEndpointURL string `json:"oidcEndpointURL,omitempty"`
 }
 

controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go

@@ -4,6 +4,7 @@ import (
 	"net"
 
 	"github.com/blang/semver"
+	kmsArnRegexpValidator "github.com/openshift-online/ocm-common/pkg/resource/validations"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -33,7 +34,12 @@ func (r *ROSAControlPlane) ValidateCreate() (warnings admission.Warnings, err er
 		allErrs = append(allErrs, err)
 	}
 
+	if err := r.validateEtcdEncryptionKMSArn(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	allErrs = append(allErrs, r.validateNetwork()...)
+	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 
 	if len(allErrs) == 0 {
 		return nil, nil
@@ -54,7 +60,12 @@ func (r *ROSAControlPlane) ValidateUpdate(old runtime.Object) (warnings admissio
 		allErrs = append(allErrs, err)
 	}
 
+	if err := r.validateEtcdEncryptionKMSArn(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	allErrs = append(allErrs, r.validateNetwork()...)
+	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 
 	if len(allErrs) == 0 {
 		return nil, nil
@@ -113,6 +124,15 @@ func (r *ROSAControlPlane) validateNetwork() field.ErrorList {
 	return allErrs
 }
 
+func (r *ROSAControlPlane) validateEtcdEncryptionKMSArn() *field.Error {
+	err := kmsArnRegexpValidator.ValidateKMSKeyARN(&r.Spec.EtcdEncryptionKMSArn)
+	if err != nil {
+		return field.Invalid(field.NewPath("spec.EtcdEncryptionKMSArn"), r.Spec.EtcdEncryptionKMSArn, err.Error())
+	}
+
+	return nil
+}
+
 // Default implements admission.Defaulter.
 func (r *ROSAControlPlane) Default() {
 	SetObjectDefaults_ROSAControlPlane(r)

controlplane/rosa/controllers/rosacontrolplane_controller.go

@@ -280,10 +280,12 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		MultiAZ:                   true,
 		Version:                   ocm.CreateVersionID(rosaScope.ControlPlane.Spec.Version, ocm.DefaultChannelGroup),
 		ChannelGroup:              ocm.DefaultChannelGroup,
-		Expiration:                time.Now().Add(1 * time.Hour),
 		DisableWorkloadMonitoring: ptr.To(true),
 		DefaultIngress:            ocm.NewDefaultIngressSpec(), // n.b. this is a no-op when it's set to the default value
 		ComputeMachineType:        rosaScope.ControlPlane.Spec.InstanceType,
+		Tags:                      rosaScope.ControlPlane.Spec.AdditionalTags,
+		EtcdEncryption:            rosaScope.ControlPlane.Spec.EtcdEncryptionKMSArn != "",
+		EtcdEncryptionKMSArn:      rosaScope.ControlPlane.Spec.EtcdEncryptionKMSArn,
 
 		SubnetIds:         rosaScope.ControlPlane.Spec.Subnets,
 		AvailabilityZones: rosaScope.ControlPlane.Spec.AvailabilityZones,
@@ -301,6 +303,11 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		AWSCreator:     creator,
 	}
 
+	if rosaScope.ControlPlane.Spec.EndpointAccess == rosacontrolplanev1.Private {
+		ocmClusterSpec.Private = ptr.To(true)
+		ocmClusterSpec.PrivateLink = ptr.To(true)
+	}
+
 	if networkSpec := rosaScope.ControlPlane.Spec.Network; networkSpec != nil {
 		if networkSpec.MachineCIDR != "" {
 			_, machineCIDR, err := net.ParseCIDR(networkSpec.MachineCIDR)