controlplane/rosa: support Private Link

Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>

Makefile

@@ -76,7 +76,7 @@ DOCKER_BUILDKIT=1
 export ACK_GINKGO_DEPRECATIONS := 1.16.4
 
 # Set --output-base for conversion-gen if we are not within GOPATH
-ifneq ($(abspath $(REPO_ROOT)),$(shell go env GOPATH)/src/sigs.k8s.io/cluster-api-provider-aws)
+ifneq ($(abspath $(REPO_ROOT)),$(abspath $(shell go env GOPATH)/src/sigs.k8s.io/cluster-api-provider-aws))
 	GEN_OUTPUT_BASE := --output-base=$(REPO_ROOT)
 else
 	export GOPATH := $(shell go env GOPATH)

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -55,6 +55,28 @@ spec:
                 items:
                   type: string
                 type: array
+              aws:
+                description: AWS configures aspects of the ROSA HCP workload cluster
+                  that are specific to AWS.
+                properties:
+                  privateLink:
+                    description: PrivateLink configures whether Private Link is enabled
+                      for the cluster
+                    type: boolean
+                  privateLinkConfiguration:
+                    description: PrivateLinkConfiguration configures the Private Link
+                      for the cluster
+                    properties:
+                      principals:
+                        description: Principals are the ARNs for principals that are
+                          allowed for the Private Link.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                required:
+                - privateLink
+                type: object
               controlPlaneEndpoint:
                 description: ControlPlaneEndpoint represents the endpoint used to
                   communicate with the control plane.
@@ -277,6 +299,7 @@ spec:
             required:
             - accountID
             - availabilityZones
+            - aws
             - creatorARN
             - installerRoleARN
             - machineCIDR

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -74,6 +74,22 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
 	// +optional
 	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`
+
+	// AWS configures aspects of the ROSA HCP workload cluster that are specific to AWS.
+	AWS AWSConfiguration `json:"aws"`
+}
+
+type AWSConfiguration struct {
+	// PrivateLink configures whether Private Link is enabled for the cluster
+	PrivateLink bool `json:"privateLink"`
+
+	// PrivateLinkConfiguration configures the Private Link for the cluster
+	PrivateLinkConfiguration *PrivateLinkConfiguration `json:"privateLinkConfiguration,omitempty"`
+}
+
+type PrivateLinkConfiguration struct {
+	// Principals are the ARNs for principals that are allowed for the Private Link.
+	Principals []string `json:"principals,omitempty"`
 }
 
 // AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.

controlplane/rosa/controllers/rosacontrolplane_controller.go

@@ -272,6 +272,21 @@ func ocmCluster(controlPlane *rosacontrolplanev1.ROSAControlPlane, now func() ti
 				AccountID(*controlPlane.Spec.AccountID).
 				BillingAccountID(*controlPlane.Spec.AccountID).
 				SubnetIDs(controlPlane.Spec.Subnets...).
+				PrivateLink(controlPlane.Spec.AWS.PrivateLink).
+				PrivateLinkConfiguration(
+					clustersmgmtv1.NewPrivateLinkClusterConfiguration().
+						Principals(
+							func(aws rosacontrolplanev1.AWSConfiguration) []*clustersmgmtv1.PrivateLinkPrincipalBuilder {
+								var out []*clustersmgmtv1.PrivateLinkPrincipalBuilder
+								if aws.PrivateLinkConfiguration != nil {
+									for _, principal := range aws.PrivateLinkConfiguration.Principals {
+										out = append(out, clustersmgmtv1.NewPrivateLinkPrincipal().Principal(principal))
+									}
+								}
+								return out
+							}(controlPlane.Spec.AWS)...,
+						),
+				).
 				STS(
 					clustersmgmtv1.NewSTS().
 						RoleARN(*controlPlane.Spec.InstallerRoleARN).

controlplane/rosa/controllers/rosacontrolplane_controller_test.go

@@ -58,6 +58,12 @@ func TestOCMCluster(t *testing.T) {
 					CredentialsSecretRef: &corev1.LocalObjectReference{
 						Name: "credentials-secret-name",
 					},
+					AWS: rosacontrolplanev1beta2.AWSConfiguration{
+						PrivateLink: true,
+						PrivateLinkConfiguration: &rosacontrolplanev1beta2.PrivateLinkConfiguration{
+							Principals: []string{"principal-arn-1", "principal-arn-2"},
+						},
+					},
 				},
 			},
 		},

controlplane/rosa/controllers/testdata/zz_fixture_TestOCMCluster.json

@@ -56,6 +56,19 @@
     },
     "account_id": "account-id",
     "billing_account_id": "account-id",
+    "private_link": true,
+    "private_link_configuration": {
+      "principals": [
+        {
+          "kind": "PrivateLinkPrincipal",
+          "principal": "principal-arn-1"
+        },
+        {
+          "kind": "PrivateLinkPrincipal",
+          "principal": "principal-arn-2"
+        }
+      ]
+    },
     "subnet_ids": [
       "subnet-1",
       "subnet-2"