rosa: load identity dynamically

Instead of requiring users to provide their account IDs and ARNs in the
spec of their hosted control planes, we can refer to AWS credentials
like the other managed control plane controllers do in this provider.

Signed-off-by: Steve Kuznetsov <[email protected]>

Author: stevekuznetsov

Makefile

@@ -76,7 +76,7 @@ DOCKER_BUILDKIT=1
 export ACK_GINKGO_DEPRECATIONS := 1.16.4
 
 # Set --output-base for conversion-gen if we are not within GOPATH
-ifneq ($(abspath $(REPO_ROOT)),$(shell go env GOPATH)/src/sigs.k8s.io/cluster-api-provider-aws)
+ifneq ($(abspath $(REPO_ROOT)),$(abspath $(shell go env GOPATH)/src/sigs.k8s.io/cluster-api-provider-aws))
 	GEN_OUTPUT_BASE := --output-base=$(REPO_ROOT)
 else
 	export GOPATH := $(shell go env GOPATH)
@@ -190,6 +190,7 @@ defaulters: $(DEFAULTER_GEN) ## Generate all Go types
 	$(DEFAULTER_GEN) \
 		--input-dirs=./api/v1beta2 \
 		--input-dirs=./$(EXP_DIR)/api/v1beta2 \
+		--input-dirs=./controlplane/rosa/api/v1beta2 \
 		--input-dirs=./cmd/clusterawsadm/api/bootstrap/v1beta1 \
 		--input-dirs=./cmd/clusterawsadm/api/bootstrap/v1alpha1 \
 		--extra-peer-dirs=sigs.k8s.io/cluster-api/api/v1beta1 \

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -45,10 +45,6 @@ spec:
             type: object
           spec:
             properties:
-              accountID:
-                description: 'TODO: these are to satisfy ocm sdk. Explore how to drop
-                  them.'
-                type: string
               availabilityZones:
                 description: AWS AvailabilityZones of the worker nodes should match
                   the AvailabilityZones of the Subnets.
@@ -70,8 +66,6 @@ spec:
                 - host
                 - port
                 type: object
-              creatorARN:
-                type: string
               credentialsSecretRef:
                 description: 'CredentialsSecretRef references a secret with necessary
                   credentials to connect to the OCM API. The secret should contain
@@ -84,7 +78,28 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
+              identityRef:
+                description: IdentityRef is a reference to an identity to be used
+                  when reconciling the managed control plane.
+                properties:
+                  kind:
+                    description: Kind of the identity.
+                    enum:
+                    - AWSClusterControllerIdentity
+                    - AWSClusterRoleIdentity
+                    - AWSClusterStaticIdentity
+                    type: string
+                  name:
+                    description: Name of the identity.
+                    minLength: 1
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
               installerRoleARN:
+                description: 'TODO: these are to satisfy ocm sdk. Explore how to drop
+                  them.'
                 type: string
               machineCIDR:
                 description: Block of IP addresses used by OpenShift while installing
@@ -276,9 +291,7 @@ spec:
               workerRoleARN:
                 type: string
             required:
-            - accountID
             - availabilityZones
-            - creatorARN
             - installerRoleARN
             - machineCIDR
             - oidcID

controllers/rosacluster_controller.go

@@ -35,6 +35,7 @@ import (
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	rosacontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/rosa/api/v1beta2"
 	expinfrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2"
+	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/scope"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/logger"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/util"
@@ -48,6 +49,7 @@ type ROSAClusterReconciler struct {
 	client.Client
 	Recorder         record.EventRecorder
 	WatchFilterValue string
+	Endpoints        []scope.ServiceEndpoint
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=rosaclusters,verbs=get;list;watch;update;patch;delete

controlplane/rosa/api/v1beta2/defaults.go

@@ -0,0 +1,13 @@
+package v1beta2
+
+import "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
+
+// SetDefaults_RosaControlPlaneSpec is used by defaulter-gen.
+func SetDefaults_RosaControlPlaneSpec(s *RosaControlPlaneSpec) { //nolint:golint,stylecheck
+	if s.IdentityRef == nil {
+		s.IdentityRef = &v1beta2.AWSIdentityReference{
+			Kind: v1beta2.ControllerIdentityKind,
+			Name: v1beta2.AWSClusterControllerIdentityName,
+		}
+	}
+}

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -20,6 +20,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
@@ -64,8 +65,6 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	OIDCID *string `json:"oidcID"`
 
 	// TODO: these are to satisfy ocm sdk. Explore how to drop them.
-	AccountID        *string `json:"accountID"`
-	CreatorARN       *string `json:"creatorARN"`
 	InstallerRoleARN *string `json:"installerRoleARN"`
 	SupportRoleARN   *string `json:"supportRoleARN"`
 	WorkerRoleARN    *string `json:"workerRoleARN"`
@@ -76,6 +75,10 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
 	// +optional
 	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`
+
+	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+	// +optional
+	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
 }
 
 // AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.
@@ -489,6 +492,7 @@ type RosaControlPlaneStatus struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Cluster",type="string",JSONPath=".metadata.labels.cluster\\.x-k8s\\.io/cluster-name",description="Cluster to which this RosaControl belongs"
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.ready",description="Control plane infrastructure is ready for worker nodes"
+// +k8s:defaulter-gen=true
 
 type ROSAControlPlane struct {
 	metav1.TypeMeta   `json:",inline"`

controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go

@@ -68,6 +68,7 @@ type ROSAControlPlaneReconciler struct {
 	client.Client
 	WatchFilterValue string
 	WaitInfraPeriod  time.Duration
+	Endpoints        []scope.ServiceEndpoint
 }
 
 // SetupWithManager is used to setup the controller.
@@ -148,6 +149,7 @@ func (r *ROSAControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		Cluster:        cluster,
 		ControlPlane:   rosaControlPlane,
 		ControllerName: strings.ToLower(rosaControlPlaneKind),
+		Endpoints:      r.Endpoints,
 		Logger:         log,
 	})
 	if err != nil {
@@ -344,8 +346,8 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 	stsBuilder.AutoMode(true)
 
 	awsBuilder := cmv1.NewAWS().
-		AccountID(*rosaScope.ControlPlane.Spec.AccountID).
-		BillingAccountID(*rosaScope.ControlPlane.Spec.AccountID).
+		AccountID(*rosaScope.Identity.Account).
+		BillingAccountID(*rosaScope.Identity.Account).
 		SubnetIDs(rosaScope.ControlPlane.Spec.Subnets...).
 		STS(stsBuilder)
 	clusterBuilder = clusterBuilder.AWS(awsBuilder)
@@ -355,7 +357,7 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 	clusterBuilder = clusterBuilder.Nodes(clusterNodesBuilder)
 
 	clusterProperties := map[string]string{}
-	clusterProperties[rosaCreatorArnProperty] = *rosaScope.ControlPlane.Spec.CreatorARN
+	clusterProperties[rosaCreatorArnProperty] = *rosaScope.Identity.Arn
 
 	clusterBuilder = clusterBuilder.Properties(clusterProperties)
 	clusterSpec, err := clusterBuilder.Build()

controlplane/rosa/api/v1beta2/zz_generated.defaults.go

@@ -37,6 +37,7 @@ type ROSAMachinePoolReconciler struct {
 	client.Client
 	Recorder         record.EventRecorder
 	WatchFilterValue string
+	Endpoints        []scope.ServiceEndpoint
 }
 
 // SetupWithManager is used to setup the controller.

controlplane/rosa/controllers/rosacontrolplane_controller.go

@@ -227,6 +227,7 @@ func main() {
 			Client:           mgr.GetClient(),
 			WatchFilterValue: watchFilterValue,
 			WaitInfraPeriod:  waitInfraPeriod,
+			Endpoints:        awsServiceEndpoints,
 		}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: awsClusterConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ROSAControlPlane")
 			os.Exit(1)
@@ -237,6 +238,7 @@ func main() {
 			Client:           mgr.GetClient(),
 			Recorder:         mgr.GetEventRecorderFor("rosacluster-controller"),
 			WatchFilterValue: watchFilterValue,
+			Endpoints:        awsServiceEndpoints,
 		}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: awsClusterConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ROSACluster")
 			os.Exit(1)
@@ -247,6 +249,7 @@ func main() {
 			Client:           mgr.GetClient(),
 			Recorder:         mgr.GetEventRecorderFor("rosamachinepool-controller"),
 			WatchFilterValue: watchFilterValue,
+			Endpoints:        awsServiceEndpoints,
 		}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: awsClusterConcurrency, RecoverPanic: ptr.To[bool](true)}); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ROSAMachinePool")
 			os.Exit(1)