Add support for Ignition v3 Proxy and TLS

From Ignition v3.1 there is support in the struct to setup a proxy, and
CA validation. This changeset allows AWSMachines to expose these
features when using Ignition.

Signed-off-by: Vince Prignano <vincepri@redhat.com>

api/v1beta1/conversion.go

@@ -98,3 +98,7 @@ func Convert_v1beta2_NetworkSpec_To_v1beta1_NetworkSpec(in *v1beta2.NetworkSpec,
 func Convert_v1beta2_S3Bucket_To_v1beta1_S3Bucket(in *v1beta2.S3Bucket, out *S3Bucket, s conversion.Scope) error {
 	return autoConvert_v1beta2_S3Bucket_To_v1beta1_S3Bucket(in, out, s)
 }
+
+func Convert_v1beta2_Ignition_To_v1beta1_Ignition(in *v1beta2.Ignition, out *Ignition, s conversion.Scope) error {
+	return autoConvert_v1beta2_Ignition_To_v1beta1_Ignition(in, out, s)
+}

api/v1beta2/awsmachine_types.go

@@ -197,6 +197,39 @@ type Ignition struct {
 	// +kubebuilder:default="2.3"
 	// +kubebuilder:validation:Enum="2.3";"3.0";"3.1";"3.2";"3.3";"3.4"
 	Version string `json:"version,omitempty"`
+
+	// IgnitionProxy defines proxy settings for Ignition.
+	// Only valid for Ignition versions 3.4 and above.
+	// +optional
+	Proxy *IgnitionProxy `json:"proxy,omitempty"`
+
+	// TLS defines TLS settings for Ignition.
+	// Only valid for Ignition versions 3.4 and above.
+	// +optional
+	TLS *IgnitionTLS `json:"tls,omitempty"`
+}
+
+// IgnitionTLS defines TLS settings for Ignition.
+type IgnitionTLS struct {
+	// CASources defines the list of certificate authorities to use for Ignition.
+	// THe value is the certificate bundle (in PEM format). The bundle can contain multiple concatenated certificates.
+	// Supported schemes are http, https, tftp, s3, arn, gs, and `data` (RFC 2397) URL scheme.
+	//
+	// +optional
+	CASources []string `json:"certificateAuthorities,omitempty"`
+}
+
+// IgnitionProxy defines proxy settings for Ignition.
+type IgnitionProxy struct {
+	// HTTPProxy is the HTTP proxy to use for Ignition.
+	// +optional
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+	// HTTPSProxy is the HTTPS proxy to use for Ignition.
+	// +optional
+	HTTPSProxy *string `json:"httpsProxy,omitempty"`
+	// NoProxy is the list of domains to not proxy for Ignition.
+	// +optional
+	NoProxy []string `json:"noProxy,omitempty"`
 }
 
 // AWSMachineStatus defines the observed state of AWSMachine.

api/v1beta2/awsmachine_webhook.go

@@ -171,6 +171,15 @@ func (r *AWSMachine) validateIgnitionAndCloudInit() field.ErrorList {
 		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "cloudInit"), "cannot be set if spec.ignition is set"))
 	}
 
+	if r.ignitionEnabled() && (r.Spec.Ignition.Version == "2.3" || r.Spec.Ignition.Version == "3.0") {
+		if r.Spec.Ignition.Proxy != nil {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "ignition", "proxy"), "cannot be set if spec.ignition.version is 2.3 or 3.0"))
+		}
+		if r.Spec.Ignition.TLS != nil {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "ignition", "tls"), "cannot be set if spec.ignition.version is 2.3 or 3.0"))
+		}
+	}
+
 	return allErrs
 }
 

api/v1beta2/awsmachine_webhook_test.go

@@ -24,8 +24,10 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	. "github.com/onsi/gomega"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/ptr"
 
+	"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
 	utildefaulting "sigs.k8s.io/cluster-api/util/defaulting"
 )
 
@@ -248,9 +250,44 @@ func TestAWSMachineCreate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "ignition proxy and TLS can be from version 3.1",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "test",
+					Ignition: &Ignition{
+						Version: "3.1",
+						Proxy: &IgnitionProxy{
+							HTTPProxy: "http://proxy.example.com:3128",
+						},
+						TLS: &IgnitionTLS{
+							CASources: []string{"test"},
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "cannot use ignition proxy with version 2.3",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "test",
+					Ignition: &Ignition{
+						Version: "2.3.0",
+						Proxy: &IgnitionProxy{
+							HTTPProxy: "http://proxy.example.com:3128",
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			defer utilfeature.SetFeatureGateDuringTest(t, feature.Gates, feature.BootstrapFormatIgnition, true)()
+
 			machine := tt.machine.DeepCopy()
 			machine.ObjectMeta = metav1.ObjectMeta{
 				GenerateName: "machine-",

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml

@@ -632,6 +632,37 @@ spec:
                 description: Ignition defined options related to the bootstrapping
                   systems where Ignition is used.
                 properties:
+                  proxy:
+                    description: IgnitionProxy defines proxy settings for Ignition.
+                      Only valid for Ignition versions 3.4 and above.
+                    properties:
+                      httpProxy:
+                        description: HTTPProxy is the HTTP proxy to use for Ignition.
+                        type: string
+                      httpsProxy:
+                        description: HTTPSProxy is the HTTPS proxy to use for Ignition.
+                        type: string
+                      noProxy:
+                        description: NoProxy is the list of domains to not proxy for
+                          Ignition.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tls:
+                    description: TLS defines TLS settings for Ignition. Only valid
+                      for Ignition versions 3.4 and above.
+                    properties:
+                      certificateAuthorities:
+                        description: CASources defines the list of certificate authorities
+                          to use for Ignition. THe value is the certificate bundle
+                          (in PEM format). The bundle can contain multiple concatenated
+                          certificates. Supported schemes are http, https, tftp, s3,
+                          arn, gs, and `data` (RFC 2397) URL scheme.
+                        items:
+                          type: string
+                        type: array
+                    type: object
                   version:
                     default: "2.3"
                     description: Version defines which version of Ignition will be

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml

@@ -578,6 +578,40 @@ spec:
                         description: Ignition defined options related to the bootstrapping
                           systems where Ignition is used.
                         properties:
+                          proxy:
+                            description: IgnitionProxy defines proxy settings for
+                              Ignition. Only valid for Ignition versions 3.4 and above.
+                            properties:
+                              httpProxy:
+                                description: HTTPProxy is the HTTP proxy to use for
+                                  Ignition.
+                                type: string
+                              httpsProxy:
+                                description: HTTPSProxy is the HTTPS proxy to use
+                                  for Ignition.
+                                type: string
+                              noProxy:
+                                description: NoProxy is the list of domains to not
+                                  proxy for Ignition.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          tls:
+                            description: TLS defines TLS settings for Ignition. Only
+                              valid for Ignition versions 3.4 and above.
+                            properties:
+                              certificateAuthorities:
+                                description: CASources defines the list of certificate
+                                  authorities to use for Ignition. THe value is the
+                                  certificate bundle (in PEM format). The bundle can
+                                  contain multiple concatenated certificates. Supported
+                                  schemes are http, https, tftp, s3, arn, gs, and
+                                  `data` (RFC 2397) URL scheme.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
                           version:
                             default: "2.3"
                             description: Version defines which version of Ignition

controllers/awsmachine_controller.go

@@ -787,6 +787,25 @@ func (r *AWSMachineReconciler) ignitionUserData(scope *scope.MachineScope, objec
 			},
 		}
 
+		if scope.AWSMachine.Spec.Ignition.Proxy != nil {
+			ignData.Ignition.Proxy = ignV3Types.Proxy{
+				HTTPProxy:  scope.AWSMachine.Spec.Ignition.Proxy.HTTPProxy,
+				HTTPSProxy: scope.AWSMachine.Spec.Ignition.Proxy.HTTPSProxy,
+			}
+			for _, noProxy := range scope.AWSMachine.Spec.Ignition.Proxy.NoProxy {
+				ignData.Ignition.Proxy.NoProxy = append(ignData.Ignition.Proxy.NoProxy, ignV3Types.NoProxyItem(noProxy))
+			}
+		}
+
+		if scope.AWSMachine.Spec.Ignition.TLS != nil {
+			for _, cert := range scope.AWSMachine.Spec.Ignition.TLS.CASources {
+				ignData.Ignition.Security.TLS.CertificateAuthorities = append(
+					ignData.Ignition.Security.TLS.CertificateAuthorities,
+					ignV3Types.Resource{Source: aws.String(cert)},
+				)
+			}
+		}
+
 		return json.Marshal(ignData)
 	default:
 		return nil, errors.Errorf("unsupported ignition version %q", ignVersion)