Fix comments

Signed-off-by: serngawy <[email protected]>

Author: serngawy

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -782,8 +782,8 @@ spec:
                   rule: self == oldSelf
               rosaRoleConfigRef:
                 description: |-
-                  RosaRoleConfigRef is a reference to a RosaRoleConfig resource that contains account and operator roles and OIDC configuration.
-                  If specified, the roles and OIDC configuration will be taken from the referenced RosaRoleConfig instead of the direct fields.
+                  RosaRoleConfigRef is a reference to a RosaRoleConfig resource that contains account roles, operator roles and OIDC configuration.
+                  RosaRoleConfigRef and role fields such as installerRoleARN, supportRoleARN, workerRoleARN, rolesRef and oidcID are mutually exclusive.
                 properties:
                   name:
                     default: ""

config/crd/bases/infrastructure.cluster.x-k8s.io_rosaroleconfigs.yaml

@@ -48,31 +48,44 @@ spec:
                   creating your ROSA cluster.
                 properties:
                   path:
+                    description: The arn path for the account/operator roles as well
+                      as their policies.
                     type: string
                   permissionsBoundaryARN:
+                    description: The ARN of the policy that is used to set the permissions
+                      boundary for the account roles.
                     type: string
                   prefix:
-                    description: User-defined prefix for all generated AWS resources
+                    description: User-defined prefix for all generated AWS account
+                      role
                     maxLength: 4
+                    pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$
                     type: string
+                    x-kubernetes-validations:
+                    - message: prefix is immutable
+                      rule: self == oldSelf
                   sharedVPCConfig:
                     description: SharedVPCConfig is used to set up shared VPC.
                     properties:
                       routeRoleARN:
-                        description: ' Role ARN associated with the private hosted
-                          zone used for Hosted Control Plane cluster shared VPC, this
-                          role contains policies to be used with Route 53'
+                        description: Role ARN associated with the private hosted zone
+                          used for Hosted Control Plane cluster shared VPC, this role
+                          contains policies to be used with Route 53
                         type: string
                       vpcEndpointRoleArn:
-                        description: ' Role ARN associated with the shared VPC used
+                        description: Role ARN associated with the shared VPC used
                           for Hosted Control Plane clusters, this role contains policies
-                          to be used with the VPC endpoint'
+                          to be used with the VPC endpoint
                         type: string
                     type: object
                   version:
-                    description: ' Version of OpenShift that will be used to setup
-                      policy tag, for example "4.11"'
+                    description: |-
+                      Version of OpenShift that will be used to the roles tag in formate of x.y.z example; "4.19.0"
+                      Setting the role OpenShift version tag does not affect the associated ROSAControlplane version.
                     type: string
+                    x-kubernetes-validations:
+                    - message: version is immutable
+                      rule: self == oldSelf
                 required:
                 - prefix
                 - version
@@ -93,7 +106,9 @@ spec:
                 type: object
                 x-kubernetes-map-type: atomic
               identityRef:
-                description: AWSIdentityReference specifies a identity.
+                description: |-
+                  IdentityRef is a reference to an identity to be used when reconciling the ROSA Role Config.
+                  If no identity is specified, the default identity for this controller will be used.
                 properties:
                   kind:
                     description: Kind of the identity.
@@ -110,43 +125,59 @@ spec:
                 - kind
                 - name
                 type: object
+              oidcProviderType:
+                default: Managed
+                description: OIDC provider type values are Managed or UnManaged. When
+                  set to UnManged OperatorRoleConfig OIDCID field must be provided.
+                enum:
+                - Managed
+                - UnManaged
+                type: string
               operatorRoleConfig:
                 description: OperatorRoleConfig defines cluster-specific operator
                   IAM roles based on your cluster configuration.
                 properties:
                   oidcID:
                     description: |-
                       OIDCID is the ID of the OIDC config that will be used to create the operator roles.
-                      A managed OIDC-provider will be created if the OIDCID not specified
+                      Cannot be set when OidcProviderType set to Managed
                     type: string
+                    x-kubernetes-validations:
+                    - message: oidcID is immutable
+                      rule: self == oldSelf
                   permissionsBoundaryARN:
                     description: The ARN of the policy that is used to set the permissions
                       boundary for the operator roles.
                     type: string
                   prefix:
                     description: ' User-defined prefix for generated AWS operator
-                      policies.'
+                      roles.'
                     maxLength: 4
+                    pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$
                     type: string
+                    x-kubernetes-validations:
+                    - message: prefix is immutable
+                      rule: self == oldSelf
                   sharedVPCConfig:
                     description: SharedVPCConfig is used to set up shared VPC.
                     properties:
                       routeRoleARN:
-                        description: ' Role ARN associated with the private hosted
-                          zone used for Hosted Control Plane cluster shared VPC, this
-                          role contains policies to be used with Route 53'
+                        description: Role ARN associated with the private hosted zone
+                          used for Hosted Control Plane cluster shared VPC, this role
+                          contains policies to be used with Route 53
                         type: string
                       vpcEndpointRoleArn:
-                        description: ' Role ARN associated with the shared VPC used
+                        description: Role ARN associated with the shared VPC used
                           for Hosted Control Plane clusters, this role contains policies
-                          to be used with the VPC endpoint'
+                          to be used with the VPC endpoint
                         type: string
                     type: object
                 required:
                 - prefix
                 type: object
             required:
             - accountRoleConfig
+            - oidcProviderType
             - operatorRoleConfig
             type: object
           status:
@@ -170,8 +201,7 @@ spec:
                     type: string
                 type: object
               conditions:
-                description: Conditions provide observations of the operational state
-                  of a Cluster API resource.
+                description: Conditions specifies the ROSARoleConfig conditions
                 items:
                   description: Condition defines an observation of a Cluster API resource
                     operational state.

config/crd/kustomization.yaml

@@ -42,7 +42,6 @@ patchesStrategicMerge:
 - patches/webhook_in_awsmanagedcontrolplanetemplates.yaml
 - patches/webhook_in_eksconfigs.yaml
 - patches/webhook_in_eksconfigtemplates.yaml
-- patches/webhook_in_rosaroleconfigs.yaml
   # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
@@ -59,7 +58,6 @@ patchesStrategicMerge:
 - patches/cainjection_in_awsmanagedclustertemplates.yaml
 - patches/cainjection_in_eksconfigs.yaml
 - patches/cainjection_in_eksconfigtemplates.yaml
-- patches/cainjection_in_rosaroleconfigs.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # [LABEL] To enable label, uncomment all the sections with [LABEL] prefix.

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -123,8 +123,8 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// +kubebuilder:default=WaitForAcknowledge
 	VersionGate VersionGateAckType `json:"versionGate"`
 
-	// RosaRoleConfigRef is a reference to a RosaRoleConfig resource that contains account and operator roles and OIDC configuration.
-	// If specified, the roles and OIDC configuration will be taken from the referenced RosaRoleConfig instead of the direct fields.
+	// RosaRoleConfigRef is a reference to a RosaRoleConfig resource that contains account roles, operator roles and OIDC configuration.
+	// RosaRoleConfigRef and role fields such as installerRoleARN, supportRoleARN, workerRoleARN, rolesRef and oidcID are mutually exclusive.
 	//
 	// +optional
 	RosaRoleConfigRef *corev1.LocalObjectReference `json:"rosaRoleConfigRef,omitempty"`

controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go

@@ -31,9 +31,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
-// log is for logging in this package.
-var rosacpLog = ctrl.Log.WithName("rosacontrolplane-resource")
-
 // SetupWebhookWithManager will setup the webhooks for the ROSAControlPlane.
 func (r *ROSAControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	w := new(rosaControlPlaneWebhook)
@@ -124,6 +121,10 @@ func (*rosaControlPlaneWebhook) ValidateUpdate(_ context.Context, oldObj, newObj
 		allErrs = append(allErrs, err)
 	}
 
+	if err := r.validateRosaRoleConfig(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	allErrs = append(allErrs, r.validateNetwork()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 
@@ -203,14 +204,14 @@ func (r *ROSAControlPlane) validateExternalAuthProviders() *field.Error {
 }
 
 func (r *ROSAControlPlane) validateRosaRoleConfig() *field.Error {
-	hasAnyDirectRoleFields := r.Spec.OIDCID != "" || r.Spec.InstallerRoleARN != "" || r.Spec.SupportRoleARN != "" || r.Spec.WorkerRoleARN != "" ||
+	hasRoleFields := r.Spec.OIDCID != "" || r.Spec.InstallerRoleARN != "" || r.Spec.SupportRoleARN != "" || r.Spec.WorkerRoleARN != "" ||
 		r.Spec.RolesRef.IngressARN != "" || r.Spec.RolesRef.ImageRegistryARN != "" || r.Spec.RolesRef.StorageARN != "" ||
 		r.Spec.RolesRef.NetworkARN != "" || r.Spec.RolesRef.KubeCloudControllerARN != "" || r.Spec.RolesRef.NodePoolManagementARN != "" ||
 		r.Spec.RolesRef.ControlPlaneOperatorARN != "" || r.Spec.RolesRef.KMSProviderARN != ""
 
 	if r.Spec.RosaRoleConfigRef != nil {
-		if hasAnyDirectRoleFields {
-			rosacpLog.Info("rosaRoleConfigRef and direct role fields (oidcID, installerRoleARN, supportRoleARN, workerRoleARN, rolesRef) are mutually exclusive")
+		if hasRoleFields {
+			return field.Invalid(field.NewPath("spec.rosaRoleConfigRef"), r.Spec.RosaRoleConfigRef, "RosaRoleConfigRef and role fields such as installerRoleARN, supportRoleARN, workerRoleARN, rolesRef and oidcID are mutually exclusive")
 		}
 		return nil
 	}

controlplane/rosa/controllers/rosacontrolplane_controller.go

@@ -198,10 +198,10 @@ func (r *ROSAControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	}
 
 	// Handle normal reconciliation loop.
-	return r.reconcileNormal(ctx, rosaScope, log)
+	return r.reconcileNormal(ctx, rosaScope)
 }
 
-func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaScope *scope.ROSAControlPlaneScope, log *logger.Logger) (res ctrl.Result, reterr error) {
+func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaScope *scope.ROSAControlPlaneScope) (res ctrl.Result, reterr error) {
 	rosaScope.Info("Reconciling ROSAControlPlane")
 
 	if controllerutil.AddFinalizer(rosaScope.ControlPlane, ROSAControlPlaneFinalizer) {
@@ -245,10 +245,10 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 					rosacontrolplanev1.ROSARoleConfigNotFoundReason,
 					clusterv1.ConditionSeverityError,
 					"RosaRoleConfig %s/%s not found", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name)
-				log.Error(err, fmt.Sprintf("RosaRoleConfig %s/%s not found: %s", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err.Error()))
+				rosaScope.Error(err, fmt.Sprintf("RosaRoleConfig %s/%s not found: %s", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err.Error()))
 				return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 			}
-			log.Error(err, fmt.Sprintf("failed to get RosaRoleConfig %s/%s: %s", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err.Error()))
+			rosaScope.Error(err, fmt.Sprintf("failed to get RosaRoleConfig %s/%s: %s", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err.Error()))
 			return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 		}
 
@@ -259,7 +259,7 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 				rosacontrolplanev1.ROSARoleConfigNotReadyReason,
 				clusterv1.ConditionSeverityWarning,
 				"RosaRoleConfig %s/%s is not ready", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name)
-			log.Error(err, fmt.Sprintf("RosaRoleConfig %s/%s is not ready", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name))
+			rosaScope.Error(err, fmt.Sprintf("RosaRoleConfig %s/%s is not ready", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name))
 
 			return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 		}
@@ -278,11 +278,6 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		return ctrl.Result{}, fmt.Errorf("failed to validate ROSAControlPlane.spec: %w", err)
 	}
 
-	err = validateRoleConfigSpec(rosaRoleConfig)
-	if err != nil {
-		return ctrl.Result{}, fmt.Errorf("failed to validate ROSAControlPlane.spec: %w", err)
-	}
-
 	conditions.MarkTrue(rosaScope.ControlPlane, rosacontrolplanev1.ROSAControlPlaneValidCondition)
 	if validationMessage != "" {
 		conditions.MarkFalse(rosaScope.ControlPlane,
@@ -1189,55 +1184,3 @@ func buildAPIEndpoint(cluster *cmv1.Cluster) (*clusterv1.APIEndpoint, error) {
 		Port: int32(port), //#nosec G109 G115
 	}, nil
 }
-
-func validateRoleConfigSpec(roleConfig *expinfrav1.ROSARoleConfig) error {
-	if roleConfig.Status.OIDCID == "" {
-		return fmt.Errorf("OIDCID is required")
-	}
-
-	if roleConfig.Status.AccountRolesRef.InstallerRoleARN == "" {
-		return fmt.Errorf("InstallerRoleARN is required")
-	}
-
-	if roleConfig.Status.AccountRolesRef.SupportRoleARN == "" {
-		return fmt.Errorf("SupportRoleARN is required")
-	}
-
-	if roleConfig.Status.AccountRolesRef.WorkerRoleARN == "" {
-		return fmt.Errorf("WorkerRoleARN is required")
-	}
-
-	if roleConfig.Status.OperatorRolesRef.IngressARN == "" {
-		return fmt.Errorf("IngressARN is required")
-	}
-
-	if roleConfig.Status.OperatorRolesRef.ImageRegistryARN == "" {
-		return fmt.Errorf("ImageRegistryARN is required")
-	}
-
-	if roleConfig.Status.OperatorRolesRef.StorageARN == "" {
-		return fmt.Errorf("StorageARN is required")
-	}
-
-	if roleConfig.Status.OperatorRolesRef.NetworkARN == "" {
-		return fmt.Errorf("NetworkARN is required")
-	}
-
-	if roleConfig.Status.OperatorRolesRef.KubeCloudControllerARN == "" {
-		return fmt.Errorf("KubeCloudControllerARN is required")
-	}
-
-	if roleConfig.Status.OperatorRolesRef.KMSProviderARN == "" {
-		return fmt.Errorf("KMSProviderARN is required")
-	}
-
-	if roleConfig.Status.OperatorRolesRef.ControlPlaneOperatorARN == "" {
-		return fmt.Errorf("ControlPlaneOperatorARN is required")
-	}
-
-	if roleConfig.Status.OperatorRolesRef.NodePoolManagementARN == "" {
-		return fmt.Errorf("NodePoolManagementARN is required")
-	}
-
-	return nil
-}

docs/book/src/topics/rosa/creating-a-cluster.md

@@ -89,30 +89,46 @@ The SSO offline token is being deprecated and it is recommended to use service a
 
 Follow the guide [here](https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started-hcp.html) up until ["Create a ROSA with HCP Cluster"](https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started-hcp.html#create-hcp-cluster-cli) to install the required tools and setup the prerequisite infrastructure. Once Step 3 is done, you will be ready to proceed with creating a ROSA HCP cluster using cluster-api.
 
+Note; Skip the "Create the required IAM roles and OpenID Connect configuration" step from the prerequisites url above and use the templates/cluster-template-rosa-role-config.yaml to generate a ROSARoleConfig CR to create the required account roles, operator roles & managed OIDC provider.
+
 ## Creating the cluster
 
 1. Prepare the environment:
     ```bash
-    export OPENSHIFT_VERSION="4.14.5"
+    export OPENSHIFT_VERSION="4.19.0"
     export AWS_REGION="us-west-2"
     export AWS_AVAILABILITY_ZONE="us-west-2a"
     export AWS_ACCOUNT_ID="<account_id>"
     export AWS_CREATOR_ARN="<user_arn>" # can be retrieved e.g. using `aws sts get-caller-identity`
 
+    # Note: if using templates/cluster-template-rosa.yaml set the below env variables
     export OIDC_CONFIG_ID="<oidc_id>" # OIDC config id creating previously with `rosa create oidc-config`
     export ACCOUNT_ROLES_PREFIX="ManagedOpenShift-HCP" # prefix used to create account IAM roles with `rosa create account-roles`
     export OPERATOR_ROLES_PREFIX="capi-rosa-quickstart"  # prefix used to create operator roles with `rosa create operator-roles --prefix <PREFIX_NAME>`
 
+    # Note: if using templates/cluster-template-rosa-role-config.yaml set the below env variables
+    export ACCOUNT_ROLES_PREFIX="capa" # prefix can be change to preferable prefix with max 4 chars
+    export OPERATOR_ROLES_PREFIX="capa"  # prefix can be change to preferable prefix with max 4 chars
+
     # subnet IDs created earlier
     export PUBLIC_SUBNET_ID="subnet-0b54a1111111111111"
     export PRIVATE_SUBNET_ID="subnet-05e72222222222222"
     ```
 
 1. Render the cluster manifest using the ROSA HCP cluster template:
+
+    a. Using templates/cluster-template-rosa.yaml
+
+    Note: The AWS role name must be no more than 64 characters in length. Otherwise an error will be returned. Truncate values exceeding 64 characters.
     ```shell
     clusterctl generate cluster <cluster-name> --from templates/cluster-template-rosa.yaml > rosa-capi-cluster.yaml
     ```
-    Note: The AWS role name must be no more than 64 characters in length. Otherwise an error will be returned. Truncate values exceeding 64 characters.
+
+    b. Using templates/cluster-template-rosa-role-config.yaml
+    ```shell
+    clusterctl generate cluster <cluster-name> --from templates/cluster-template-rosa-role-config.yaml > rosa-capi-cluster.yaml
+    ```
+
 
 1. If a credentials secret was created earlier, edit `ROSAControlPlane` to reference it:
     ```yaml