Address review comments

Author: PanSpagetka

controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go

@@ -185,16 +185,21 @@ func (r *ROSAControlPlane) validateExternalAuthProviders() *field.Error {
 
 func (r *ROSAControlPlane) validateRosaRoleConfig() *field.Error {
 	hasRosaRoleConfigRef := r.Spec.RosaRoleConfigRef != nil
-	hasDirectRoleFields := r.Spec.OIDCID != "" || r.Spec.InstallerRoleARN != "" || r.Spec.SupportRoleARN != "" || r.Spec.WorkerRoleARN != "" ||
+	hasAnyDirectRoleFields := r.Spec.OIDCID != "" || r.Spec.InstallerRoleARN != "" || r.Spec.SupportRoleARN != "" || r.Spec.WorkerRoleARN != "" ||
 		r.Spec.RolesRef.IngressARN != "" || r.Spec.RolesRef.ImageRegistryARN != "" || r.Spec.RolesRef.StorageARN != "" ||
 		r.Spec.RolesRef.NetworkARN != "" || r.Spec.RolesRef.KubeCloudControllerARN != "" || r.Spec.RolesRef.NodePoolManagementARN != "" ||
 		r.Spec.RolesRef.ControlPlaneOperatorARN != "" || r.Spec.RolesRef.KMSProviderARN != ""
 
-	if hasRosaRoleConfigRef && hasDirectRoleFields {
+	hasAllDirectRoleFields := r.Spec.OIDCID != "" && r.Spec.InstallerRoleARN != "" && r.Spec.SupportRoleARN != "" && r.Spec.WorkerRoleARN != "" &&
+		r.Spec.RolesRef.IngressARN != "" && r.Spec.RolesRef.ImageRegistryARN != "" && r.Spec.RolesRef.StorageARN != "" &&
+		r.Spec.RolesRef.NetworkARN != "" && r.Spec.RolesRef.KubeCloudControllerARN != "" && r.Spec.RolesRef.NodePoolManagementARN != "" &&
+		r.Spec.RolesRef.ControlPlaneOperatorARN != "" && r.Spec.RolesRef.KMSProviderARN != ""
+
+	if hasRosaRoleConfigRef && hasAnyDirectRoleFields {
 		return field.Invalid(field.NewPath("spec.rosaRoleConfigRef"), r.Spec.RosaRoleConfigRef, "rosaRoleConfigRef and direct role fields (oidcID, installerRoleARN, supportRoleARN, workerRoleARN, rolesRef) are mutually exclusive")
 	}
 
-	if !hasRosaRoleConfigRef && !hasDirectRoleFields {
+	if !hasRosaRoleConfigRef && !hasAllDirectRoleFields {
 		return field.Invalid(field.NewPath("spec"), r.Spec, "either rosaRoleConfigRef or direct role fields (oidcID, installerRoleARN, supportRoleARN, workerRoleARN, rolesRef) must be specified")
 	}
 

controlplane/rosa/controllers/rosacontrolplane_controller.go

@@ -228,10 +228,11 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		return ctrl.Result{}, fmt.Errorf("failed to transform caller identity to creator: %w", err)
 	}
 
+	rosaRoleConfig := &expinfrav1.ROSARoleConfig{}
 	// Get role configuration from either RosaRoleConfig or direct fields
 	if rosaScope.ControlPlane.Spec.RosaRoleConfigRef != nil {
 		// Get configuration from RosaRoleConfig
-		rosaRoleConfig := &expinfrav1.ROSARoleConfig{}
+
 		key := client.ObjectKey{
 			Name:      rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name,
 			Namespace: rosaScope.ControlPlane.Namespace,
@@ -260,21 +261,25 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		}
 
 		conditions.MarkTrue(rosaScope.ControlPlane, rosacontrolplanev1.ROSARoleConfigReadyCondition)
-
-		// Update spec fields from RosaRoleConfig
-		rosaScope.ControlPlane.Spec.OIDCID = rosaRoleConfig.Status.OIDCID
-		rosaScope.ControlPlane.Spec.InstallerRoleARN = rosaRoleConfig.Status.AccountRolesRef.InstallerRoleARN
-		rosaScope.ControlPlane.Spec.SupportRoleARN = rosaRoleConfig.Status.AccountRolesRef.SupportRoleARN
-		rosaScope.ControlPlane.Spec.WorkerRoleARN = rosaRoleConfig.Status.AccountRolesRef.WorkerRoleARN
-		rosaScope.ControlPlane.Spec.RolesRef = rosaRoleConfig.Status.OperatorRolesRef
-		rosaScope.ControlPlane.Spec.EnableExternalAuthProviders = len(rosaRoleConfig.Spec.OIDCConfig.ExternalAuthProviders) > 0
+	} else {
+		rosaRoleConfig.Status.OIDCID = rosaScope.ControlPlane.Spec.OIDCID
+		rosaRoleConfig.Status.AccountRolesRef.InstallerRoleARN = rosaScope.ControlPlane.Spec.InstallerRoleARN
+		rosaRoleConfig.Status.AccountRolesRef.SupportRoleARN = rosaScope.ControlPlane.Spec.SupportRoleARN
+		rosaRoleConfig.Status.AccountRolesRef.WorkerRoleARN = rosaScope.ControlPlane.Spec.WorkerRoleARN
+		rosaRoleConfig.Status.OperatorRolesRef = rosaScope.ControlPlane.Spec.RolesRef
+		rosaRoleConfig.Spec.OIDCConfig.ExternalAuthProviders = rosaScope.ControlPlane.Spec.ExternalAuthProviders
 	}
 
 	validationMessage, err := validateControlPlaneSpec(ocmClient, rosaScope)
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to validate ROSAControlPlane.spec: %w", err)
 	}
 
+	err = validateRoleConfigSpec(rosaRoleConfig)
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to validate ROSAControlPlane.spec: %w", err)
+	}
+
 	conditions.MarkTrue(rosaScope.ControlPlane, rosacontrolplanev1.ROSAControlPlaneValidCondition)
 	if validationMessage != "" {
 		conditions.MarkFalse(rosaScope.ControlPlane,
@@ -357,7 +362,7 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 	}
 
-	ocmClusterSpec, err := buildOCMClusterSpec(rosaScope.ControlPlane.Spec, creator)
+	ocmClusterSpec, err := buildOCMClusterSpec(rosaScope.ControlPlane.Spec, rosaRoleConfig, creator)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
@@ -951,7 +956,7 @@ func validateControlPlaneSpec(ocmClient rosa.OCMClient, rosaScope *scope.ROSACon
 	return "", nil
 }
 
-func buildOCMClusterSpec(controlPlaneSpec rosacontrolplanev1.RosaControlPlaneSpec, creator *rosaaws.Creator) (ocm.Spec, error) {
+func buildOCMClusterSpec(controlPlaneSpec rosacontrolplanev1.RosaControlPlaneSpec, roleConfig *expinfrav1.ROSARoleConfig, creator *rosaaws.Creator) (ocm.Spec, error) {
 	billingAccount := controlPlaneSpec.BillingAccount
 	if billingAccount == "" {
 		billingAccount = creator.AccountID
@@ -975,11 +980,11 @@ func buildOCMClusterSpec(controlPlaneSpec rosacontrolplanev1.RosaControlPlaneSpe
 
 		SubnetIds:        controlPlaneSpec.Subnets,
 		IsSTS:            true,
-		RoleARN:          controlPlaneSpec.InstallerRoleARN,
-		SupportRoleARN:   controlPlaneSpec.SupportRoleARN,
-		WorkerRoleARN:    controlPlaneSpec.WorkerRoleARN,
-		OperatorIAMRoles: operatorIAMRoles(controlPlaneSpec.RolesRef),
-		OidcConfigId:     controlPlaneSpec.OIDCID,
+		RoleARN:          roleConfig.Status.AccountRolesRef.InstallerRoleARN,
+		SupportRoleARN:   roleConfig.Status.AccountRolesRef.SupportRoleARN,
+		WorkerRoleARN:    roleConfig.Status.AccountRolesRef.WorkerRoleARN,
+		OperatorIAMRoles: operatorIAMRoles(roleConfig.Status.OperatorRolesRef),
+		OidcConfigId:     roleConfig.Status.OIDCID,
 		Mode:             "auto",
 		Hypershift: ocm.Hypershift{
 			Enabled: true,
@@ -1183,3 +1188,55 @@ func convertStsV2(identity *sts.GetCallerIdentityOutput) *stsv2.GetCallerIdentit
 		UserId:  identity.UserId,
 	}
 }
+
+func validateRoleConfigSpec(roleConfig *expinfrav1.ROSARoleConfig) error {
+	if roleConfig.Status.OIDCID == "" {
+		return fmt.Errorf("OIDCID is required")
+	}
+
+	if roleConfig.Status.AccountRolesRef.InstallerRoleARN == "" {
+		return fmt.Errorf("InstallerRoleARN is required")
+	}
+
+	if roleConfig.Status.AccountRolesRef.SupportRoleARN == "" {
+		return fmt.Errorf("SupportRoleARN is required")
+	}
+
+	if roleConfig.Status.AccountRolesRef.WorkerRoleARN == "" {
+		return fmt.Errorf("WorkerRoleARN is required")
+	}
+
+	if roleConfig.Status.OperatorRolesRef.IngressARN == "" {
+		return fmt.Errorf("IngressARN is required")
+	}
+
+	if roleConfig.Status.OperatorRolesRef.ImageRegistryARN == "" {
+		return fmt.Errorf("ImageRegistryARN is required")
+	}
+
+	if roleConfig.Status.OperatorRolesRef.StorageARN == "" {
+		return fmt.Errorf("StorageARN is required")
+	}
+
+	if roleConfig.Status.OperatorRolesRef.NetworkARN == "" {
+		return fmt.Errorf("NetworkARN is required")
+	}
+
+	if roleConfig.Status.OperatorRolesRef.KubeCloudControllerARN == "" {
+		return fmt.Errorf("KubeCloudControllerARN is required")
+	}
+
+	if roleConfig.Status.OperatorRolesRef.KMSProviderARN == "" {
+		return fmt.Errorf("KMSProviderARN is required")
+	}
+
+	if roleConfig.Status.OperatorRolesRef.ControlPlaneOperatorARN == "" {
+		return fmt.Errorf("ControlPlaneOperatorARN is required")
+	}
+
+	if roleConfig.Status.OperatorRolesRef.NodePoolManagementARN == "" {
+		return fmt.Errorf("NodePoolManagementARN is required")
+	}
+
+	return nil
+}

exp/api/v1beta2/rosaroleconfig_types.go

@@ -60,20 +60,27 @@ type ROSARoleConfig struct {
 // AccountRoleConfig defines account-wide IAM roles before creating your ROSA cluster.
 type AccountRoleConfig struct {
 	// User-defined prefix for all generated AWS resources
-	// +kubebuilder:validation:MaxLength:=4
+	// +kubebuilder:validation:MaxLength:=40
 	// +kubebuilder:validation:Required
+	// +immutable
 	Prefix string `json:"prefix"`
 	// The ARN of the policy that is used to set the permissions boundary for the account roles.
 	// +optional
+	// +immutable
+
 	PermissionsBoundaryARN string `json:"permissionsBoundaryARN,omitempty"`
 	// The arn path for the account/operator roles as well as their policies.
 	// +optional
+	// +immutable
+
 	Path string `json:"path,omitempty"`
 	//  Version of OpenShift that will be used to setup policy tag, for example "4.11"
 	// +kubebuilder:validation:Required
+	// +immutable
 	Version string `json:"version"`
 	// SharedVPCConfig is used to set up shared VPC.
 	// +optional
+	// +immutable
 	SharedVPCConfig SharedVPCConfig `json:"sharedVPCConfig,omitempty"`
 }
 
@@ -82,12 +89,15 @@ type OperatorRoleConfig struct {
 	//  User-defined prefix for generated AWS operator policies.
 	// +kubebuilder:validation:MaxLength:=4
 	// +kubebuilder:validation:Required
+	// +immutable
 	Prefix string `json:"prefix"`
 	// The ARN of the policy that is used to set the permissions boundary for the operator roles.
 	// +optional
+	// +immutable
 	PermissionsBoundaryARN string `json:"permissionsBoundaryARN,omitempty"`
 	// SharedVPCConfig is used to set up shared VPC.
 	// +optional
+	// +immutable
 	SharedVPCConfig SharedVPCConfig `json:"sharedVPCConfig,omitempty"`
 }
 
@@ -104,6 +114,7 @@ type SharedVPCConfig struct {
 type OIDCConfig struct {
 	// ManagedOIDC indicates whether it is a Red Hat managed or unmanaged (Customer hosted) OIDC Configuration. Default is true.
 	// +kubebuilder:default=true
+	// +immutable
 	ManagedOIDC bool `json:"managedOIDC"`
 	// ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster.
 	// Can only be set if "enableExternalAuthProviders" is set to "True".
@@ -113,10 +124,17 @@ type OIDCConfig struct {
 	// +listType=map
 	// +listMapKey=name
 	// +kubebuilder:validation:MaxItems=1
+	// +immutable
 	ExternalAuthProviders []rosacontrolplanev1.ExternalAuthProvider `json:"externalAuthProviders,omitempty"`
-	IdentityRef           *infrav1.AWSIdentityReference             `json:"identityRef,omitempty"`
-	Region                string                                    `json:"region,omitempty"`
-	Prefix                string                                    `json:"prefix"`
+	// IdentityRef is the AWS identity reference for the OIDC config.
+	// +immutable
+	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
+	// Region is the AWS region for the OIDC config.
+	// +immutable
+	Region string `json:"region,omitempty"`
+	// Prefix is the prefix for the OIDC config.
+	// +immutable
+	Prefix string `json:"prefix"`
 }
 
 // ROSARoleConfigStatus defines the observed state of ROSARoleConfig

exp/controllers/rosaroleconfig_controller.go

@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"net/url"
 	"strings"
-	"time"
 
 	"github.com/aws/aws-sdk-go/service/sts/stsiface"
 	"github.com/go-logr/logr"
@@ -141,26 +140,26 @@ func (r *ROSARoleConfigReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		err = r.createOIDCConfig(roleConfig, scope, ocmClient)
 		if err != nil {
 			conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigReconciliationFailedReason, clusterv1.ConditionSeverityError, "Failed to create OIDC Config: %v", err)
-			return ctrl.Result{RequeueAfter: time.Second * 60}, fmt.Errorf("failed to OICD Config: %w", err)
+			return ctrl.Result{}, fmt.Errorf("failed to OICD Config: %w", err)
 		}
 	}
 
 	err = r.createAccountRoles(ctx, roleConfig, scope, ocmClient)
 	if err != nil {
 		conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigReconciliationFailedReason, clusterv1.ConditionSeverityError, "Failed to create Account Roles: %v", err)
-		return ctrl.Result{RequeueAfter: time.Second * 60}, fmt.Errorf("failed to Create AccountRoles: %w", err)
+		return ctrl.Result{}, fmt.Errorf("failed to Create AccountRoles: %w", err)
 	}
 
 	err = r.createOperatorRoles(ctx, roleConfig, scope, ocmClient)
 	if err != nil {
 		conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigReconciliationFailedReason, clusterv1.ConditionSeverityError, "Failed to create Operator Roles: %v", err)
-		return ctrl.Result{RequeueAfter: time.Second * 60}, fmt.Errorf("failed to Create OperatorRoles: %w", err)
+		return ctrl.Result{}, fmt.Errorf("failed to Create OperatorRoles: %w", err)
 	}
 
 	err = r.createOIDCProvider(scope, ocmClient)
 	if err != nil {
 		conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigReconciliationFailedReason, clusterv1.ConditionSeverityError, "Failed to create OIDC provider: %v", err)
-		return ctrl.Result{RequeueAfter: time.Second * 60}, fmt.Errorf("failed to Create OIDC provider: %w", err)
+		return ctrl.Result{}, fmt.Errorf("failed to Create OIDC provider: %w", err)
 	}
 
 	if r.rosaRolesConfigReady(scope) {

main.go

@@ -285,15 +285,20 @@ func main() {
 			setupLog.Error(err, "unable to create webhook", "webhook", "ROSAMachinePool")
 			os.Exit(1)
 		}
-	}
 
-	if err = (&expcontrollers.ROSARoleConfigReconciler{
-		Client: mgr.GetClient(),
-		Log:    ctrl.Log.WithName("controllers").WithName("ROSARoleConfig"),
-		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: awsClusterConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "ROSARoleConfig")
-		os.Exit(1)
+		if err = (&expcontrollers.ROSARoleConfigReconciler{
+			Client: mgr.GetClient(),
+			Log:    ctrl.Log.WithName("controllers").WithName("ROSARoleConfig"),
+			Scheme: mgr.GetScheme(),
+		}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: awsClusterConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "ROSARoleConfig")
+			os.Exit(1)
+		}
+
+		if err := (&expinfrav1.ROSARoleConfig{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "ROSARoleConfig")
+			os.Exit(1)
+		}
 	}
 	// +kubebuilder:scaffold:builder