Enable partial reconcile of Rosa Operator Roles

PanSpagetka · PanSpagetka · commit 8060b464986d · 2025-08-14T12:53:36.000+02:00
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
@@ -759,15 +759,6 @@ spec:
                       [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\":
                       \"*\"\n\t\t}\n\t]\n}"
                     type: string
-                required:
-                - controlPlaneOperatorARN
-                - imageRegistryARN
-                - ingressARN
-                - kmsProviderARN
-                - kubeCloudControllerARN
-                - networkARN
-                - nodePoolManagementARN
-                - storageARN
                 type: object
               rosaClusterName:
                 description: |-
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_rosaroleconfigs.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_rosaroleconfigs.yaml
@@ -410,15 +410,6 @@ spec:
                       [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\":
                       \"*\"\n\t\t}\n\t]\n}"
                     type: string
-                required:
-                - controlPlaneOperatorARN
-                - imageRegistryARN
-                - ingressARN
-                - kmsProviderARN
-                - kubeCloudControllerARN
-                - networkARN
-                - nodePoolManagementARN
-                - storageARN
                 type: object
             type: object
         type: object
diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go
@@ -414,7 +414,7 @@ type AWSRolesRef struct {
 	//		}
 	//	]
 	// }
-	IngressARN string `json:"ingressARN"`
+	IngressARN string `json:"ingressARN,omitempty"`
 
 	// ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator.
 	//
@@ -449,7 +449,7 @@ type AWSRolesRef struct {
 	//		}
 	//	]
 	// }
-	ImageRegistryARN string `json:"imageRegistryARN"`
+	ImageRegistryARN string `json:"imageRegistryARN,omitempty"`
 
 	// StorageARN is an ARN value referencing a role appropriate for the Storage Operator.
 	//
@@ -480,7 +480,7 @@ type AWSRolesRef struct {
 	//		}
 	//	]
 	// }
-	StorageARN string `json:"storageARN"`
+	StorageARN string `json:"storageARN,omitempty"`
 
 	// NetworkARN is an ARN value referencing a role appropriate for the Network Operator.
 	//
@@ -506,7 +506,7 @@ type AWSRolesRef struct {
 	//		}
 	//	]
 	// }
-	NetworkARN string `json:"networkARN"`
+	NetworkARN string `json:"networkARN,omitempty"`
 
 	// KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC.
 	// Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies
@@ -584,7 +584,7 @@ type AWSRolesRef struct {
 	//  ]
 	// }
 	// +immutable
-	KubeCloudControllerARN string `json:"kubeCloudControllerARN"`
+	KubeCloudControllerARN string `json:"kubeCloudControllerARN,omitempty"`
 
 	// NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller.
 	//
@@ -697,7 +697,7 @@ type AWSRolesRef struct {
 	// }
 	//
 	// +immutable
-	NodePoolManagementARN string `json:"nodePoolManagementARN"`
+	NodePoolManagementARN string `json:"nodePoolManagementARN,omitempty"`
 
 	// ControlPlaneOperatorARN  is an ARN value referencing a role appropriate for the Control Plane Operator.
 	//
@@ -737,8 +737,8 @@ type AWSRolesRef struct {
 	//	]
 	// }
 	// +immutable
-	ControlPlaneOperatorARN string `json:"controlPlaneOperatorARN"`
-	KMSProviderARN          string `json:"kmsProviderARN"`
+	ControlPlaneOperatorARN string `json:"controlPlaneOperatorARN,omitempty"`
+	KMSProviderARN          string `json:"kmsProviderARN,omitempty"`
 }
 
 // RosaControlPlaneStatus defines the observed state of ROSAControlPlane.
diff --git a/exp/controllers/rosaroleconfig_controller.go b/exp/controllers/rosaroleconfig_controller.go
@@ -46,6 +46,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
+	"sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/rosa/api/v1beta2"
 	expinfrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/scope"
@@ -150,18 +151,18 @@ func (r *ROSARoleConfigReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return ctrl.Result{}, fmt.Errorf("failed to OICD Config: %w", err)
 	}
 
-	err = r.createOperatorRoles(ctx, roleConfig, scope, ocmClient)
-	if err != nil {
-		conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigReconciliationFailedReason, clusterv1.ConditionSeverityError, "Failed to create Operator Roles: %v", err)
-		return ctrl.Result{}, fmt.Errorf("failed to Create OperatorRoles: %w", err)
-	}
-
 	err = r.createOIDCProvider(scope, ocmClient)
 	if err != nil {
 		conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigReconciliationFailedReason, clusterv1.ConditionSeverityError, "Failed to create OIDC provider: %v", err)
 		return ctrl.Result{}, fmt.Errorf("failed to Create OIDC provider: %w", err)
 	}
 
+	err = r.createOperatorRoles(ctx, roleConfig, scope, ocmClient)
+	if err != nil {
+		conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigReconciliationFailedReason, clusterv1.ConditionSeverityError, "Failed to create Operator Roles: %v", err)
+		return ctrl.Result{}, fmt.Errorf("failed to Create OperatorRoles: %w", err)
+	}
+
 	if r.rosaRolesConfigReady(scope) {
 		conditions.MarkTrue(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition)
 		conditions.Set(scope.RosaRoleConfig,
@@ -184,6 +185,12 @@ func (r *ROSARoleConfigReconciler) reconcileDelete(scope *scope.RosaRoleConfigSc
 		return err
 	}
 
+	err = r.deleteOperatorRoles(ocmClient, awsClient, scope.RosaRoleConfig.Spec.AccountRoleConfig.Prefix)
+	if err != nil {
+		conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigDeletionFailedReason, clusterv1.ConditionSeverityError, "Failed to delete operator roles: %v", err)
+		return err
+	}
+
 	oidcID := scope.RosaRoleConfig.Status.OIDCID
 	if scope.RosaRoleConfig.Spec.OperatorRoleConfig.OIDCID == "" {
 		err = r.deleteOIDCProvider(ocmClient, awsClient, oidcID)
@@ -193,12 +200,6 @@ func (r *ROSARoleConfigReconciler) reconcileDelete(scope *scope.RosaRoleConfigSc
 		}
 	}
 
-	err = r.deleteOperatorRoles(ocmClient, awsClient, scope.RosaRoleConfig.Spec.AccountRoleConfig.Prefix)
-	if err != nil {
-		conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigDeletionFailedReason, clusterv1.ConditionSeverityError, "Failed to delete operator roles: %v", err)
-		return err
-	}
-
 	err = r.deleteAccountRoles(ocmClient, awsClient, scope)
 	if err != nil {
 		conditions.MarkFalse(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigReadyCondition, expinfrav1.RosaRoleConfigDeletionFailedReason, clusterv1.ConditionSeverityError, "Failed to delete account roles: %v", err)
@@ -267,36 +268,29 @@ func (r *ROSARoleConfigReconciler) createOperatorRoles(ctx context.Context, role
 		return err
 	}
 
-	if len(operatorRoles) > 0 {
-		for _, roles := range operatorRoles {
-			for _, role := range roles {
-				if strings.Contains(role.RoleName, fmt.Sprintf("%s-openshift-ingress-operator-cloud-credentials", config.Prefix)) {
-					scope.RosaRoleConfig.Status.OperatorRolesRef.IngressARN = role.RoleARN
-				}
-				if strings.Contains(role.RoleName, fmt.Sprintf("%s-openshift-image-registry-installer-cloud-credentials", config.Prefix)) {
-					scope.RosaRoleConfig.Status.OperatorRolesRef.ImageRegistryARN = role.RoleARN
-				}
-				if strings.Contains(role.RoleName, fmt.Sprintf("%s-openshift-cluster-csi-drivers-ebs-cloud-credentials", config.Prefix)) {
-					scope.RosaRoleConfig.Status.OperatorRolesRef.StorageARN = role.RoleARN
-				}
-				if strings.Contains(role.RoleName, fmt.Sprintf("%s-openshift-cloud-network-config-controller-cloud-credentials", config.Prefix)) {
-					scope.RosaRoleConfig.Status.OperatorRolesRef.NetworkARN = role.RoleARN
-				}
-				if strings.Contains(role.RoleName, fmt.Sprintf("%s-kube-system-kube-controller-manager", config.Prefix)) {
-					scope.RosaRoleConfig.Status.OperatorRolesRef.KubeCloudControllerARN = role.RoleARN
-				}
-				if strings.Contains(role.RoleName, fmt.Sprintf("%s-kube-system-capa-controller-manager", config.Prefix)) {
-					scope.RosaRoleConfig.Status.OperatorRolesRef.NodePoolManagementARN = role.RoleARN
-				}
-				if strings.Contains(role.RoleName, fmt.Sprintf("%s-kube-system-control-plane-operator", config.Prefix)) {
-					scope.RosaRoleConfig.Status.OperatorRolesRef.ControlPlaneOperatorARN = role.RoleARN
-				}
-				if strings.Contains(role.RoleName, fmt.Sprintf("%s-kube-system-kms-provider", config.Prefix)) {
-					scope.RosaRoleConfig.Status.OperatorRolesRef.KMSProviderARN = role.RoleARN
-				}
+	for _, roles := range operatorRoles {
+		for _, role := range roles {
+			if role.RoleName == fmt.Sprintf("%s-openshift-ingress-operator-cloud-credentials", config.Prefix) {
+				scope.RosaRoleConfig.Status.OperatorRolesRef.IngressARN = role.RoleARN
+			} else if role.RoleName == fmt.Sprintf("%s-openshift-image-registry-installer-cloud-credentials", config.Prefix) {
+				scope.RosaRoleConfig.Status.OperatorRolesRef.ImageRegistryARN = role.RoleARN
+			} else if role.RoleName == fmt.Sprintf("%s-openshift-cluster-csi-drivers-ebs-cloud-credentials", config.Prefix) {
+				scope.RosaRoleConfig.Status.OperatorRolesRef.StorageARN = role.RoleARN
+			} else if role.RoleName == fmt.Sprintf("%s-openshift-cloud-network-config-controller-cloud-credentials", config.Prefix) {
+				scope.RosaRoleConfig.Status.OperatorRolesRef.NetworkARN = role.RoleARN
+			} else if role.RoleName == fmt.Sprintf("%s-kube-system-kube-controller-manager", config.Prefix) {
+				scope.RosaRoleConfig.Status.OperatorRolesRef.KubeCloudControllerARN = role.RoleARN
+			} else if role.RoleName == fmt.Sprintf("%s-kube-system-capa-controller-manager", config.Prefix) {
+				scope.RosaRoleConfig.Status.OperatorRolesRef.NodePoolManagementARN = role.RoleARN
+			} else if role.RoleName == fmt.Sprintf("%s-kube-system-control-plane-operator", config.Prefix) {
+				scope.RosaRoleConfig.Status.OperatorRolesRef.ControlPlaneOperatorARN = role.RoleARN
+			} else if role.RoleName == fmt.Sprintf("%s-kube-system-kms-provider", config.Prefix) {
+				scope.RosaRoleConfig.Status.OperatorRolesRef.KMSProviderARN = role.RoleARN
 			}
 		}
-	} else {
+	}
+
+	if !r.operatorRolesReady(&scope.RosaRoleConfig.Status.OperatorRolesRef) {
 		err = operatorroles.CreateOperatorRoles(runtime, ocm.Production, config.PermissionsBoundaryARN, interactive.ModeAuto, policies, version, isSharedVpc, config.Prefix, hostedCp, installerRoleArn, forcePolicyCreation,
 			oidcConfigID, config.SharedVPCConfig.RouteRoleARN, ocm.DefaultChannelGroup, config.SharedVPCConfig.VPCEndpointRoleARN)
 		return err
@@ -407,15 +401,15 @@ func (r *ROSARoleConfigReconciler) createAccountRoles(ctx context.Context, roleC
 	}
 
 	for _, role := range accountRoles {
-		if strings.Contains(role.RoleName, fmt.Sprintf("%s-HCP-ROSA-Installer", config.Prefix)) {
+		if role.RoleName == fmt.Sprintf("%s-HCP-ROSA-Installer-Role", config.Prefix) {
 			createRoles = false
 			scope.RosaRoleConfig.Status.AccountRolesRef.InstallerRoleARN = role.RoleARN
 		}
-		if strings.Contains(role.RoleName, fmt.Sprintf("%s-HCP-ROSA-Support", config.Prefix)) {
+		if role.RoleName == fmt.Sprintf("%s-HCP-ROSA-Support-Role", config.Prefix) {
 			createRoles = false
 			scope.RosaRoleConfig.Status.AccountRolesRef.SupportRoleARN = role.RoleARN
 		}
-		if strings.Contains(role.RoleName, fmt.Sprintf("%s-HCP-ROSA-Worker", config.Prefix)) {
+		if role.RoleName == fmt.Sprintf("%s-HCP-ROSA-Worker-Role", config.Prefix) {
 			createRoles = false
 			scope.RosaRoleConfig.Status.AccountRolesRef.WorkerRoleARN = role.RoleARN
 		}
@@ -612,14 +606,21 @@ func (r ROSARoleConfigReconciler) rosaRolesConfigReady(scope *scope.RosaRoleConf
 		scope.RosaRoleConfig.Status.AccountRolesRef.InstallerRoleARN == "" ||
 		scope.RosaRoleConfig.Status.AccountRolesRef.SupportRoleARN == "" ||
 		scope.RosaRoleConfig.Status.AccountRolesRef.WorkerRoleARN == "" ||
-		scope.RosaRoleConfig.Status.OperatorRolesRef.ControlPlaneOperatorARN == "" ||
-		scope.RosaRoleConfig.Status.OperatorRolesRef.ImageRegistryARN == "" ||
-		scope.RosaRoleConfig.Status.OperatorRolesRef.IngressARN == "" ||
-		scope.RosaRoleConfig.Status.OperatorRolesRef.KMSProviderARN == "" ||
-		scope.RosaRoleConfig.Status.OperatorRolesRef.KubeCloudControllerARN == "" ||
-		scope.RosaRoleConfig.Status.OperatorRolesRef.NetworkARN == "" ||
-		scope.RosaRoleConfig.Status.OperatorRolesRef.NodePoolManagementARN == "" ||
-		scope.RosaRoleConfig.Status.OperatorRolesRef.StorageARN == "" {
+		!r.operatorRolesReady(&scope.RosaRoleConfig.Status.OperatorRolesRef) {
+		return false
+	}
+	return true
+}
+
+func (r ROSARoleConfigReconciler) operatorRolesReady(operatorRolesRef *v1beta2.AWSRolesRef) bool {
+	if operatorRolesRef.ControlPlaneOperatorARN == "" ||
+		operatorRolesRef.ImageRegistryARN == "" ||
+		operatorRolesRef.IngressARN == "" ||
+		operatorRolesRef.KMSProviderARN == "" ||
+		operatorRolesRef.KubeCloudControllerARN == "" ||
+		operatorRolesRef.NetworkARN == "" ||
+		operatorRolesRef.NodePoolManagementARN == "" ||
+		operatorRolesRef.StorageARN == "" {
 		return false
 	}
 	return true
