Merge pull request #3926 from AmitSahastra/arn-us-gov

capa fix hardcoded role arn for aws iam authenticator

Author: k8s-ci-robot

api/v1beta1/awscluster_conversion.go

@@ -17,40 +17,41 @@ limitations under the License.
 package v1beta1
 
 import (
-	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
+	infrav2 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	utilconversion "sigs.k8s.io/cluster-api/util/conversion"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
 )
 
-// ConvertTo converts the v1beta1 AWSCluster receiver to a v1beta1 AWSCluster.
+// ConvertTo converts the v1beta1 AWSCluster receiver to a v1beta2 AWSCluster.
 func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
-	dst := dstRaw.(*infrav1.AWSCluster)
+	dst := dstRaw.(*infrav2.AWSCluster)
 
 	if err := Convert_v1beta1_AWSCluster_To_v1beta2_AWSCluster(src, dst, nil); err != nil {
 		return err
 	}
 	// Manually restore data.
-	restored := &infrav1.AWSCluster{}
+	restored := &infrav2.AWSCluster{}
 	if ok, err := utilconversion.UnmarshalData(src, restored); err != nil || !ok {
 		return err
 	}
 
 	if restored.Spec.ControlPlaneLoadBalancer != nil {
 		if dst.Spec.ControlPlaneLoadBalancer == nil {
-			dst.Spec.ControlPlaneLoadBalancer = &infrav1.AWSLoadBalancerSpec{}
+			dst.Spec.ControlPlaneLoadBalancer = &infrav2.AWSLoadBalancerSpec{}
 		}
 		restoreControlPlaneLoadBalancer(restored.Spec.ControlPlaneLoadBalancer, dst.Spec.ControlPlaneLoadBalancer)
 	}
 	restoreControlPlaneLoadBalancerStatus(&restored.Status.Network.APIServerELB, &dst.Status.Network.APIServerELB)
 
 	dst.Spec.S3Bucket = restored.Spec.S3Bucket
+	dst.Spec.Partition = restored.Spec.Partition
 
 	return nil
 }
 
 // restoreControlPlaneLoadBalancerStatus manually restores the control plane loadbalancer status data.
 // Assumes restored and dst are non-nil.
-func restoreControlPlaneLoadBalancerStatus(restored, dst *infrav1.LoadBalancer) {
+func restoreControlPlaneLoadBalancerStatus(restored, dst *infrav2.LoadBalancer) {
 	dst.ARN = restored.ARN
 	dst.LoadBalancerType = restored.LoadBalancerType
 	dst.ELBAttributes = restored.ELBAttributes
@@ -59,7 +60,7 @@ func restoreControlPlaneLoadBalancerStatus(restored, dst *infrav1.LoadBalancer)
 
 // restoreControlPlaneLoadBalancer manually restores the control plane loadbalancer data.
 // Assumes restored and dst are non-nil.
-func restoreControlPlaneLoadBalancer(restored, dst *infrav1.AWSLoadBalancerSpec) {
+func restoreControlPlaneLoadBalancer(restored, dst *infrav2.AWSLoadBalancerSpec) {
 	dst.Name = restored.Name
 	dst.HealthCheckProtocol = restored.HealthCheckProtocol
 	dst.LoadBalancerType = restored.LoadBalancerType
@@ -69,7 +70,7 @@ func restoreControlPlaneLoadBalancer(restored, dst *infrav1.AWSLoadBalancerSpec)
 
 // ConvertFrom converts the v1beta1 AWSCluster receiver to a v1beta1 AWSCluster.
 func (r *AWSCluster) ConvertFrom(srcRaw conversion.Hub) error {
-	src := srcRaw.(*infrav1.AWSCluster)
+	src := srcRaw.(*infrav2.AWSCluster)
 
 	if err := Convert_v1beta2_AWSCluster_To_v1beta1_AWSCluster(src, r, nil); err != nil {
 		return err
@@ -85,14 +86,14 @@ func (r *AWSCluster) ConvertFrom(srcRaw conversion.Hub) error {
 
 // ConvertTo converts the v1beta1 AWSClusterList receiver to a v1beta2 AWSClusterList.
 func (src *AWSClusterList) ConvertTo(dstRaw conversion.Hub) error {
-	dst := dstRaw.(*infrav1.AWSClusterList)
+	dst := dstRaw.(*infrav2.AWSClusterList)
 
 	return Convert_v1beta1_AWSClusterList_To_v1beta2_AWSClusterList(src, dst, nil)
 }
 
 // ConvertFrom converts the v1beta2 AWSClusterList receiver to a v1beta1 AWSClusterList.
 func (r *AWSClusterList) ConvertFrom(srcRaw conversion.Hub) error {
-	src := srcRaw.(*infrav1.AWSClusterList)
+	src := srcRaw.(*infrav2.AWSClusterList)
 
 	return Convert_v1beta2_AWSClusterList_To_v1beta1_AWSClusterList(src, r, nil)
 }

api/v1beta1/zz_generated.conversion.go

@@ -39,6 +39,10 @@ type AWSClusterSpec struct {
 	// The AWS Region the cluster lives in.
 	Region string `json:"region,omitempty"`
 
+	// Partition is the AWS security partition being used. Defaults to "aws"
+	// +optional
+	Partition string `json:"partition,omitempty"`
+
 	// SSHKeyName is the name of the ssh key to attach to the bastion host. Valid values are empty string (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name)
 	// +optional
 	SSHKeyName *string `json:"sshKeyName,omitempty"`

api/v1beta2/awscluster_types.go

@@ -31,6 +31,8 @@ const (
 	DefaultStackName = "cluster-api-provider-aws-sigs-k8s-io"
 	// DefaultPartitionName is the default security partition for AWS ARNs.
 	DefaultPartitionName = "aws"
+	// PartitionNameUSGov is the default security partition for AWS ARNs.
+	PartitionNameUSGov = "aws-us-gov"
 	// DefaultKMSAliasPattern is the default KMS alias.
 	DefaultKMSAliasPattern = "cluster-api-provider-aws-*"
 	// DefaultS3BucketPrefix is the default S3 bucket prefix.

cmd/clusterawsadm/api/bootstrap/v1beta1/defaults.go

@@ -17,12 +17,18 @@ limitations under the License.
 package bootstrap
 
 import (
+	"strings"
+
 	bootstrapv1 "sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/bootstrap/v1beta1"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/services/eks"
 )
 
-func fargateProfilePolicies(roleSpec *bootstrapv1.AWSIAMRoleSpec) []string {
-	policies := eks.FargateRolePolicies()
+func (t Template) fargateProfilePolicies(roleSpec *bootstrapv1.AWSIAMRoleSpec) []string {
+	var policies []string
+	policies = eks.FargateRolePolicies()
+	if strings.Contains(t.Spec.Partition, bootstrapv1.PartitionNameUSGov) {
+		policies = eks.FargateRolePoliciesUSGov()
+	}
 	if roleSpec.ExtraPolicyAttachments != nil {
 		policies = append(policies, roleSpec.ExtraPolicyAttachments...)
 	}

cmd/clusterawsadm/cloudformation/bootstrap/fargate.go

@@ -16,10 +16,20 @@ limitations under the License.
 
 package bootstrap
 
-import "sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/services/eks"
+import (
+	"strings"
+
+	bootstrapv1 "sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/bootstrap/v1beta1"
+	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/services/eks"
+)
 
 func (t Template) eksMachinePoolPolicies() []string {
-	policies := eks.NodegroupRolePolicies()
+	var policies []string
+
+	policies = eks.NodegroupRolePolicies()
+	if strings.Contains(t.Spec.Partition, bootstrapv1.PartitionNameUSGov) {
+		policies = eks.NodegroupRolePoliciesUSGov()
+	}
 	if t.Spec.EKS.ManagedMachinePool.ExtraPolicyAttachments != nil {
 		policies = append(policies, t.Spec.EKS.ManagedMachinePool.ExtraPolicyAttachments...)
 	}

cmd/clusterawsadm/cloudformation/bootstrap/managed_nodegroup.go

@@ -200,7 +200,7 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 		template.Resources[AWSIAMRoleEKSFargate] = &cfn_iam.Role{
 			RoleName:                 expinfrav1.DefaultEKSFargateRole,
 			AssumeRolePolicyDocument: AssumeRolePolicy(iamv1.PrincipalService, []string{eksiam.EKSFargateService}),
-			ManagedPolicyArns:        fargateProfilePolicies(t.Spec.EKS.Fargate),
+			ManagedPolicyArns:        t.fargateProfilePolicies(t.Spec.EKS.Fargate),
 			Tags:                     converters.MapToCloudFormationTags(t.Spec.EKS.Fargate.Tags),
 		}
 	}

cmd/clusterawsadm/cloudformation/bootstrap/template.go

@@ -1936,6 +1936,10 @@ spec:
                       prefixing.
                     type: string
                 type: object
+              partition:
+                description: Partition is the AWS security partition being used. Defaults
+                  to "aws"
+                type: string
               region:
                 description: The AWS Region the cluster lives in.
                 type: string

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -1241,6 +1241,10 @@ spec:
                         type: object
                     type: object
                 type: object
+              partition:
+                description: Partition is the AWS security partition being used. Defaults
+                  to "aws"
+                type: string
               region:
                 description: The AWS Region the cluster lives in.
                 type: string

config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml

@@ -848,6 +848,10 @@ spec:
                                 type: object
                             type: object
                         type: object
+                      partition:
+                        description: Partition is the AWS security partition being
+                          used. Defaults to "aws"
+                        type: string
                       region:
                         description: The AWS Region the cluster lives in.
                         type: string