Add EndpointAccess field

- remove cluster expirationTime
kubernetes-sigs · Mar 6, 2024 · 977ecec · 977ecec
1 parent be41c4f
commit 977ecec
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 5 deletions.
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
@@ -108,6 +108,14 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
+              endpointAccess:
+                default: Public
+                description: EndpointAccess specifies the publishing scope of cluster
+                  endpoints. The default is Public.
+                enum:
+                - Public
+                - Private
+                type: string
               etcdEncryptionKMSArn:
                 description: EtcdEncryptionKMSArn is the ARN of the KMS key used to
                   encrypt etcd. The key itself needs to be created out-of-band by
@@ -372,7 +380,7 @@ spec:
             description: RosaControlPlaneStatus defines the observed state of ROSAControlPlane.
             properties:
               conditions:
-                description: Conditions specifies the cpnditions for the managed control
+                description: Conditions specifies the conditions for the managed control
                   plane
                 items:
                   description: Condition defines an observation of a Cluster API resource
@@ -444,7 +452,7 @@ spec:
                 type: boolean
               oidcEndpointURL:
                 description: OIDCEndpointURL is the endpoint url for the managed OIDC
-                  porvider.
+                  provider.
                 type: string
               ready:
                 default: false

diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go
@@ -25,6 +25,19 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
+// RosaEndpointAccessType specifies the publishing scope of cluster endpoints.
+type RosaEndpointAccessType string
+
+const (
+	// Public endpoint access allows public API server access and
+	// private node communication with the control plane.
+	Public RosaEndpointAccessType = "Public"
+
+	// Private endpoint access allows only private API server access and private
+	// node communication with the control plane.
+	Private RosaEndpointAccessType = "Private"
+)
+
 // RosaControlPlaneSpec defines the desired state of ROSAControlPlane.
 type RosaControlPlaneSpec struct { //nolint: maligned
 	// Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric
@@ -90,6 +103,14 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	Network *NetworkSpec `json:"network,omitempty"`
 
+	// EndpointAccess specifies the publishing scope of cluster endpoints. The
+	// default is Public.
+	//
+	// +kubebuilder:validation:Enum=Public;Private
+	// +kubebuilder:default=Public
+	// +optional
+	EndpointAccess RosaEndpointAccessType `json:"endpointAccess,omitempty"`
+
 	// The instance type to use, for example `r5.xlarge`. Instance type ref; https://aws.amazon.com/ec2/instance-types/
 	// +optional
 	InstanceType string `json:"instanceType,omitempty"`
@@ -543,14 +564,14 @@ type RosaControlPlaneStatus struct {
 	//
 	// +optional
 	FailureMessage *string `json:"failureMessage,omitempty"`
-	// Conditions specifies the cpnditions for the managed control plane
+	// Conditions specifies the conditions for the managed control plane
 	Conditions clusterv1.Conditions `json:"conditions,omitempty"`
 
 	// ID is the cluster ID given by ROSA.
 	ID string `json:"id,omitempty"`
 	// ConsoleURL is the url for the openshift console.
 	ConsoleURL string `json:"consoleURL,omitempty"`
-	// OIDCEndpointURL is the endpoint url for the managed OIDC porvider.
+	// OIDCEndpointURL is the endpoint url for the managed OIDC provider.
 	OIDCEndpointURL string `json:"oidcEndpointURL,omitempty"`
 }
 

diff --git a/controlplane/rosa/api/v1beta2/zz_generated.defaults.go b/controlplane/rosa/api/v1beta2/zz_generated.defaults.go
diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go
@@ -280,7 +280,6 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		MultiAZ:                   true,
 		Version:                   ocm.CreateVersionID(rosaScope.ControlPlane.Spec.Version, ocm.DefaultChannelGroup),
 		ChannelGroup:              ocm.DefaultChannelGroup,
-		Expiration:                time.Now().Add(1 * time.Hour),
 		DisableWorkloadMonitoring: ptr.To(true),
 		DefaultIngress:            ocm.NewDefaultIngressSpec(), // n.b. this is a no-op when it's set to the default value
 		ComputeMachineType:        rosaScope.ControlPlane.Spec.InstanceType,
@@ -304,6 +303,11 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		AWSCreator:     creator,
 	}
 
+	if rosaScope.ControlPlane.Spec.EndpointAccess == rosacontrolplanev1.Private {
+		ocmClusterSpec.Private = ptr.To(true)
+		ocmClusterSpec.PrivateLink = ptr.To(true)
+	}
+
 	if networkSpec := rosaScope.ControlPlane.Spec.Network; networkSpec != nil {
 		if networkSpec.MachineCIDR != "" {
 			_, machineCIDR, err := net.ParseCIDR(networkSpec.MachineCIDR)