Add missing Fields to RosaControlPlane - tags, etcdEncryption

Signed-off-by: Xiangjing Li <xiangli@redhat.com>
kubernetes-sigs · Mar 6, 2024 · be41c4f · be41c4f
1 parent f103bff
commit be41c4f
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 4 deletions.
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
@@ -47,6 +47,12 @@ spec:
           spec:
             description: RosaControlPlaneSpec defines the desired state of ROSAControlPlane.
             properties:
+              additionalTags:
+                additionalProperties:
+                  type: string
+                description: AdditionalTags are user-defined tags to be added on the
+                  AWS resources associated with the control plane.
+                type: object
               autoscaling:
                 description: Autoscaling specifies auto scaling behaviour for the
                   MachinePools.
@@ -102,6 +108,11 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
+              etcdEncryptionKMSArn:
+                description: EtcdEncryptionKMSArn is the ARN of the KMS key used to
+                  encrypt etcd. The key itself needs to be created out-of-band by
+                  the user and tagged with `red-hat:true`.
+                type: string
               identityRef:
                 description: IdentityRef is a reference to an identity to be used
                   when reconciling the managed control plane. If no identity is specified,

diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go
@@ -98,6 +98,15 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	Autoscaling *expinfrav1.RosaMachinePoolAutoScaling `json:"autoscaling,omitempty"`
 
+	// AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane.
+	// +optional
+	AdditionalTags infrav1.Tags `json:"additionalTags,omitempty"`
+
+	// EtcdEncryptionKMSArn is the ARN of the KMS key used to encrypt etcd. The key itself needs to be
+	// created out-of-band by the user and tagged with `red-hat:true`.
+	// +optional
+	EtcdEncryptionKMSArn string `json:"etcdEncryptionKMSArn,omitempty"`
+
 	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
 	// +optional
 	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`

diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go
@@ -4,6 +4,7 @@ import (
 	"net"
 
 	"github.com/blang/semver"
+	kmsArnRegexpValidator "github.com/openshift-online/ocm-common/pkg/resource/validations"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -33,7 +34,12 @@ func (r *ROSAControlPlane) ValidateCreate() (warnings admission.Warnings, err er
 		allErrs = append(allErrs, err)
 	}
 
+	if err := r.validateEtcdEncryptionKMSArn(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	allErrs = append(allErrs, r.validateNetwork()...)
+	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 
 	if len(allErrs) == 0 {
 		return nil, nil
@@ -54,7 +60,12 @@ func (r *ROSAControlPlane) ValidateUpdate(old runtime.Object) (warnings admissio
 		allErrs = append(allErrs, err)
 	}
 
+	if err := r.validateEtcdEncryptionKMSArn(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	allErrs = append(allErrs, r.validateNetwork()...)
+	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 
 	if len(allErrs) == 0 {
 		return nil, nil
@@ -113,6 +124,15 @@ func (r *ROSAControlPlane) validateNetwork() field.ErrorList {
 	return allErrs
 }
 
+func (r *ROSAControlPlane) validateEtcdEncryptionKMSArn() *field.Error {
+	err := kmsArnRegexpValidator.ValidateKMSKeyARN(&r.Spec.EtcdEncryptionKMSArn)
+	if err != nil {
+		return field.Invalid(field.NewPath("spec.EtcdEncryptionKMSArn"), r.Spec.EtcdEncryptionKMSArn, err.Error())
+	}
+
+	return nil
+}
+
 // Default implements admission.Defaulter.
 func (r *ROSAControlPlane) Default() {
 	SetObjectDefaults_ROSAControlPlane(r)

diff --git a/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go b/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go
diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go
@@ -284,6 +284,9 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		DisableWorkloadMonitoring: ptr.To(true),
 		DefaultIngress:            ocm.NewDefaultIngressSpec(), // n.b. this is a no-op when it's set to the default value
 		ComputeMachineType:        rosaScope.ControlPlane.Spec.InstanceType,
+		Tags:                      rosaScope.ControlPlane.Spec.AdditionalTags,
+		EtcdEncryption:            rosaScope.ControlPlane.Spec.EtcdEncryptionKMSArn != "",
+		EtcdEncryptionKMSArn:      rosaScope.ControlPlane.Spec.EtcdEncryptionKMSArn,
 
 		SubnetIds:         rosaScope.ControlPlane.Spec.Subnets,
 		AvailabilityZones: rosaScope.ControlPlane.Spec.AvailabilityZones,

diff --git a/templates/cluster-template-rosa-machinepool.yaml b/templates/cluster-template-rosa-machinepool.yaml
@@ -30,8 +30,6 @@ spec:
   rosaClusterName: ${CLUSTER_NAME:0:15}
   version: "${OPENSHIFT_VERSION}"
   region: "${AWS_REGION}"
-  accountID: "${AWS_ACCOUNT_ID}"
-  creatorARN: "${AWS_CREATOR_ARN}"
   network:
     machineCIDR: "10.0.0.0/16"
   rolesRef:

diff --git a/templates/cluster-template-rosa.yaml b/templates/cluster-template-rosa.yaml
@@ -30,8 +30,6 @@ spec:
   rosaClusterName: ${CLUSTER_NAME:0:15}
   version: "${OPENSHIFT_VERSION}"
   region: "${AWS_REGION}"
-  accountID: "${AWS_ACCOUNT_ID}"
-  creatorARN: "${AWS_CREATOR_ARN}"
   network:
     machineCIDR: "10.0.0.0/16"
   rolesRef: