rosa: load identity dynamically

Instead of requiring users to provide their account IDs and ARNs in the spec of their hosted control planes, we can refer to AWS credentials like the other managed control plane controllers do in this provider. Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
kubernetes-sigs · Feb 9, 2024 · 71d5769 · 71d5769
1 parent 1fd6d67
commit 71d5769
Show file tree

Hide file tree

Showing 14 changed files with 177 additions and 38 deletions.
diff --git a/Makefile b/Makefile
@@ -76,7 +76,7 @@ DOCKER_BUILDKIT=1
 export ACK_GINKGO_DEPRECATIONS := 1.16.4
 
 # Set --output-base for conversion-gen if we are not within GOPATH
-ifneq ($(abspath $(REPO_ROOT)),$(shell go env GOPATH)/src/sigs.k8s.io/cluster-api-provider-aws)
+ifneq ($(abspath $(REPO_ROOT)),$(abspath $(shell go env GOPATH)/src/sigs.k8s.io/cluster-api-provider-aws))
 	GEN_OUTPUT_BASE := --output-base=$(REPO_ROOT)
 else
 	export GOPATH := $(shell go env GOPATH)
@@ -190,6 +190,7 @@ defaulters: $(DEFAULTER_GEN) ## Generate all Go types
 	$(DEFAULTER_GEN) \
 		--input-dirs=./api/v1beta2 \
 		--input-dirs=./$(EXP_DIR)/api/v1beta2 \
+		--input-dirs=./controlplane/rosa/api/v1beta2 \
 		--input-dirs=./cmd/clusterawsadm/api/bootstrap/v1beta1 \
 		--input-dirs=./cmd/clusterawsadm/api/bootstrap/v1alpha1 \
 		--extra-peer-dirs=sigs.k8s.io/cluster-api/api/v1beta1 \

diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
@@ -45,10 +45,6 @@ spec:
             type: object
           spec:
             properties:
-              accountID:
-                description: 'TODO: these are to satisfy ocm sdk. Explore how to drop
-                  them.'
-                type: string
               availabilityZones:
                 description: AWS AvailabilityZones of the worker nodes should match
                   the AvailabilityZones of the Subnets.
@@ -70,8 +66,6 @@ spec:
                 - host
                 - port
                 type: object
-              creatorARN:
-                type: string
               credentialsSecretRef:
                 description: 'CredentialsSecretRef references a secret with necessary
                   credentials to connect to the OCM API. The secret should contain
@@ -84,7 +78,28 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
+              identityRef:
+                description: IdentityRef is a reference to an identity to be used
+                  when reconciling the managed control plane.
+                properties:
+                  kind:
+                    description: Kind of the identity.
+                    enum:
+                    - AWSClusterControllerIdentity
+                    - AWSClusterRoleIdentity
+                    - AWSClusterStaticIdentity
+                    type: string
+                  name:
+                    description: Name of the identity.
+                    minLength: 1
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
               installerRoleARN:
+                description: 'TODO: these are to satisfy ocm sdk. Explore how to drop
+                  them.'
                 type: string
               machineCIDR:
                 description: Block of IP addresses used by OpenShift while installing
@@ -276,9 +291,7 @@ spec:
               workerRoleARN:
                 type: string
             required:
-            - accountID
             - availabilityZones
-            - creatorARN
             - installerRoleARN
             - machineCIDR
             - oidcID

diff --git a/controllers/rosacluster_controller.go b/controllers/rosacluster_controller.go
@@ -35,6 +35,7 @@ import (
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	rosacontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/rosa/api/v1beta2"
 	expinfrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2"
+	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/scope"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/logger"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/util"
@@ -48,6 +49,7 @@ type ROSAClusterReconciler struct {
 	client.Client
 	Recorder         record.EventRecorder
 	WatchFilterValue string
+	Endpoints        []scope.ServiceEndpoint
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=rosaclusters,verbs=get;list;watch;update;patch;delete

diff --git a/controlplane/rosa/api/v1beta2/defaults.go b/controlplane/rosa/api/v1beta2/defaults.go
@@ -0,0 +1,13 @@
+package v1beta2
+
+import "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
+
+// SetDefaults_RosaControlPlaneSpec is used by defaulter-gen.
+func SetDefaults_RosaControlPlaneSpec(s *RosaControlPlaneSpec) { //nolint:golint,stylecheck
+	if s.IdentityRef == nil {
+		s.IdentityRef = &v1beta2.AWSIdentityReference{
+			Kind: v1beta2.ControllerIdentityKind,
+			Name: v1beta2.AWSClusterControllerIdentityName,
+		}
+	}
+}
diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go
@@ -20,6 +20,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
@@ -64,8 +65,6 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	OIDCID *string `json:"oidcID"`
 
 	// TODO: these are to satisfy ocm sdk. Explore how to drop them.
-	AccountID        *string `json:"accountID"`
-	CreatorARN       *string `json:"creatorARN"`
 	InstallerRoleARN *string `json:"installerRoleARN"`
 	SupportRoleARN   *string `json:"supportRoleARN"`
 	WorkerRoleARN    *string `json:"workerRoleARN"`
@@ -76,6 +75,10 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
 	// +optional
 	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`
+
+	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+	// +optional
+	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
 }
 
 // AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.
@@ -489,6 +492,7 @@ type RosaControlPlaneStatus struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Cluster",type="string",JSONPath=".metadata.labels.cluster\\.x-k8s\\.io/cluster-name",description="Cluster to which this RosaControl belongs"
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.ready",description="Control plane infrastructure is ready for worker nodes"
+// +k8s:defaulter-gen=true
 
 type ROSAControlPlane struct {
 	metav1.TypeMeta   `json:",inline"`

diff --git a/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go b/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go
diff --git a/controlplane/rosa/api/v1beta2/zz_generated.defaults.go b/controlplane/rosa/api/v1beta2/zz_generated.defaults.go
diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go
@@ -68,6 +68,7 @@ type ROSAControlPlaneReconciler struct {
 	client.Client
 	WatchFilterValue string
 	WaitInfraPeriod  time.Duration
+	Endpoints        []scope.ServiceEndpoint
 }
 
 // SetupWithManager is used to setup the controller.
@@ -148,6 +149,7 @@ func (r *ROSAControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		Cluster:        cluster,
 		ControlPlane:   rosaControlPlane,
 		ControllerName: strings.ToLower(rosaControlPlaneKind),
+		Endpoints:      r.Endpoints,
 		Logger:         log,
 	})
 	if err != nil {
@@ -344,8 +346,8 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 	stsBuilder.AutoMode(true)
 
 	awsBuilder := cmv1.NewAWS().
-		AccountID(*rosaScope.ControlPlane.Spec.AccountID).
-		BillingAccountID(*rosaScope.ControlPlane.Spec.AccountID).
+		AccountID(*rosaScope.Identity.Account).
+		BillingAccountID(*rosaScope.Identity.Account).
 		SubnetIDs(rosaScope.ControlPlane.Spec.Subnets...).
 		STS(stsBuilder)
 	clusterBuilder = clusterBuilder.AWS(awsBuilder)
@@ -355,7 +357,7 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 	clusterBuilder = clusterBuilder.Nodes(clusterNodesBuilder)
 
 	clusterProperties := map[string]string{}
-	clusterProperties[rosaCreatorArnProperty] = *rosaScope.ControlPlane.Spec.CreatorARN
+	clusterProperties[rosaCreatorArnProperty] = *rosaScope.Identity.Arn
 
 	clusterBuilder = clusterBuilder.Properties(clusterProperties)
 	clusterSpec, err := clusterBuilder.Build()

diff --git a/exp/controllers/rosamachinepool_controller.go b/exp/controllers/rosamachinepool_controller.go
@@ -37,6 +37,7 @@ type ROSAMachinePoolReconciler struct {
 	client.Client
 	Recorder         record.EventRecorder
 	WatchFilterValue string
+	Endpoints        []scope.ServiceEndpoint
 }
 
 // SetupWithManager is used to setup the controller.

diff --git a/main.go b/main.go
@@ -227,6 +227,7 @@ func main() {
 			Client:           mgr.GetClient(),
 			WatchFilterValue: watchFilterValue,
 			WaitInfraPeriod:  waitInfraPeriod,
+			Endpoints:        awsServiceEndpoints,
 		}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: awsClusterConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ROSAControlPlane")
 			os.Exit(1)
@@ -237,6 +238,7 @@ func main() {
 			Client:           mgr.GetClient(),
 			Recorder:         mgr.GetEventRecorderFor("rosacluster-controller"),
 			WatchFilterValue: watchFilterValue,
+			Endpoints:        awsServiceEndpoints,
 		}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: awsClusterConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ROSACluster")
 			os.Exit(1)
@@ -247,6 +249,7 @@ func main() {
 			Client:           mgr.GetClient(),
 			Recorder:         mgr.GetEventRecorderFor("rosamachinepool-controller"),
 			WatchFilterValue: watchFilterValue,
+			Endpoints:        awsServiceEndpoints,
 		}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: awsClusterConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ROSAMachinePool")
 			os.Exit(1)

diff --git a/pkg/cloud/interfaces.go b/pkg/cloud/interfaces.go
@@ -84,3 +84,15 @@ type ClusterScoper interface {
 	// Close closes the current scope persisting the cluster configuration and status.
 	Close() error
 }
+
+// SessionMetadata knows how to extract the information for managing AWS sessions for a resource.
+type SessionMetadata interface {
+	// Namespace returns the cluster namespace.
+	Namespace() string
+	// InfraClusterName returns the AWS infrastructure cluster name.
+	InfraClusterName() string
+	// InfraCluster returns the AWS infrastructure cluster object.
+	InfraCluster() ClusterObject
+	// IdentityRef returns the AWS infrastructure cluster identityRef.
+	IdentityRef() *infrav1.AWSIdentityReference
+}