api/v1beta1: add S3Bucket field to AWSClusterSpec

As a preparation for using it as an alternative backend to Secret
Manager for OS-es, which do not support Secret Manager, like Flatcar
Container Linux.

Co-authored-by: Dongsu Park <[email protected]>
Signed-off-by: Mateusz Gozdek <[email protected]>

Author: invidian

api/v1alpha3/awscluster_conversion.go

@@ -54,6 +54,8 @@ func (r *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		restoreControlPlaneLoadBalancer(restored.Spec.ControlPlaneLoadBalancer, dst.Spec.ControlPlaneLoadBalancer)
 	}
 
+	dst.Spec.S3Bucket = restored.Spec.S3Bucket
+
 	return nil
 }
 
@@ -125,3 +127,7 @@ func Convert_v1beta1_NetworkStatus_To_v1alpha3_Network(in *infrav1.NetworkStatus
 func Convert_v1beta1_AWSLoadBalancerSpec_To_v1alpha3_AWSLoadBalancerSpec(in *infrav1.AWSLoadBalancerSpec, out *AWSLoadBalancerSpec, s apiconversion.Scope) error {
 	return autoConvert_v1beta1_AWSLoadBalancerSpec_To_v1alpha3_AWSLoadBalancerSpec(in, out, s)
 }
+
+func Convert_v1beta1_AWSClusterSpec_To_v1alpha3_AWSClusterSpec(in *infrav1.AWSClusterSpec, out *AWSClusterSpec, s apiconversion.Scope) error {
+	return autoConvert_v1beta1_AWSClusterSpec_To_v1alpha3_AWSClusterSpec(in, out, s)
+}

api/v1alpha3/zz_generated.conversion.go

@@ -45,6 +45,8 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		restoreControlPlaneLoadBalancer(restored.Spec.ControlPlaneLoadBalancer, dst.Spec.ControlPlaneLoadBalancer)
 	}
 
+	dst.Spec.S3Bucket = restored.Spec.S3Bucket
+
 	return nil
 }
 

api/v1alpha4/awscluster_conversion.go

@@ -18,6 +18,8 @@ package v1alpha4
 
 import (
 	apiconversion "k8s.io/apimachinery/pkg/conversion"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	v1beta1 "sigs.k8s.io/cluster-api-provider-aws/api/v1beta1"
 	clusterv1alpha4 "sigs.k8s.io/cluster-api/api/v1alpha4"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
@@ -31,3 +33,7 @@ func Convert_v1alpha4_ObjectMeta_To_v1beta1_ObjectMeta(in *clusterv1alpha4.Objec
 func Convert_v1beta1_ObjectMeta_To_v1alpha4_ObjectMeta(in *clusterv1.ObjectMeta, out *clusterv1alpha4.ObjectMeta, s apiconversion.Scope) error {
 	return clusterv1alpha4.Convert_v1beta1_ObjectMeta_To_v1alpha4_ObjectMeta(in, out, s)
 }
+
+func Convert_v1beta1_AWSClusterSpec_To_v1alpha4_AWSClusterSpec(in *v1beta1.AWSClusterSpec, out *AWSClusterSpec, s conversion.Scope) error {
+	return autoConvert_v1beta1_AWSClusterSpec_To_v1alpha4_AWSClusterSpec(in, out, s)
+}

api/v1alpha4/conversion.go

@@ -90,6 +90,13 @@ type AWSClusterSpec struct {
 	// IdentityRef is a reference to a identity to be used when reconciling this cluster
 	// +optional
 	IdentityRef *AWSIdentityReference `json:"identityRef,omitempty"`
+
+	// S3Bucket contains options to configure a supporting S3 bucket for this
+	// cluster - currently used for nodes requiring Ignition
+	// (https://coreos.github.io/ignition/) for bootstrapping (requires
+	// BootstrapFormatIgnition feature flag to be enabled).
+	// +optional
+	S3Bucket *S3Bucket `json:"s3Bucket,omitempty"`
 }
 
 // AWSIdentityKind defines allowed AWS identity types.
@@ -198,6 +205,22 @@ type AWSClusterStatus struct {
 	Conditions     clusterv1.Conditions     `json:"conditions,omitempty"`
 }
 
+type S3Bucket struct {
+	// ControlPlaneIAMInstanceProfile is a name of the IAMInstanceProfile, which will be allowed
+	// to read control-plane node bootstrap data from S3 Bucket.
+	ControlPlaneIAMInstanceProfile string `json:"controlPlaneIAMInstanceProfile"`
+
+	// NodesIAMInstanceProfiles is a list of IAM instance profiles, which will be allowed to read
+	// worker nodes bootstrap data from S3 Bucket.
+	NodesIAMInstanceProfiles []string `json:"nodesIAMInstanceProfiles"`
+
+	// Name defines name of S3 Bucket to be created.
+	// +kubebuilder:validation:MinLength:=3
+	// +kubebuilder:validation:MaxLength:=63
+	// +kubebuilder:validation:Pattern=`^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$`
+	Name string `json:"name"`
+}
+
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:path=awsclusters,scope=Namespaced,categories=cluster-api,shortName=awsc
 // +kubebuilder:storageversion

api/v1alpha4/zz_generated.conversion.go

@@ -55,6 +55,7 @@ func (r *AWSCluster) ValidateCreate() error {
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
 	allErrs = append(allErrs, r.validateSSHKeyName()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
+	allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
 
 	return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
@@ -164,6 +165,7 @@ func (r *AWSCluster) ValidateUpdate(old runtime.Object) error {
 
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
+	allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
 
 	return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }

api/v1beta1/awscluster_types.go

@@ -94,6 +94,132 @@ func TestAWSCluster_ValidateCreate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "accepts bucket name with acceptable characters",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name:                           "abcdefghijklmnoprstuwxyz-0123456789",
+						ControlPlaneIAMInstanceProfile: "control-plane.cluster-api-provider-aws.sigs.k8s.io",
+						NodesIAMInstanceProfiles:       []string{"nodes.cluster-api-provider-aws.sigs.k8s.io"},
+					},
+				},
+			},
+		},
+		{
+			name: "rejects empty bucket name",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects bucket name shorter than 3 characters",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name: "fo",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects bucket name longer than 63 characters",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name: strings.Repeat("a", 64),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects bucket name starting with not letter or number",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name: "-foo",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects bucket name ending with not letter or number",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name: "foo-",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects bucket name formatted as IP address",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name: "8.8.8.8",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "requires bucket control plane IAM instance profile to be not empty",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name:                           "foo",
+						ControlPlaneIAMInstanceProfile: "",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "requires at least one bucket node IAM instance profile",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name:                           "foo",
+						ControlPlaneIAMInstanceProfile: "foo",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "requires all bucket node IAM instance profiles to be not empty",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name:                           "foo",
+						ControlPlaneIAMInstanceProfile: "foo",
+						NodesIAMInstanceProfiles:       []string{""},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "does not return error when all IAM instance profiles are populated",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					S3Bucket: &S3Bucket{
+						Name:                           "foo",
+						ControlPlaneIAMInstanceProfile: "foo",
+						NodesIAMInstanceProfiles:       []string{"bar"},
+					},
+				},
+			},
+			wantErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -123,7 +249,9 @@ func TestAWSCluster_ValidateCreate(t *testing.T) {
 				return err == nil
 			}, 10*time.Second).Should(Equal(true))
 
-			tt.expect(g, c.Spec.ControlPlaneLoadBalancer)
+			if tt.expect != nil {
+				tt.expect(g, c.Spec.ControlPlaneLoadBalancer)
+			}
 		})
 	}
 }

api/v1beta1/awscluster_webhook.go

@@ -157,3 +157,11 @@ const (
 	// ELBDetachFailedReason used when a control plane node fails to detach from an ELB.
 	ELBDetachFailedReason = "ELBDetachFailed"
 )
+
+const (
+	// S3BucketReadyCondition indicates an S3 bucket has been created successfully.
+	S3BucketReadyCondition clusterv1.ConditionType = "S3BucketCreated"
+
+	// S3BucketFailedReason is used when any errors occur during reconciliation of an S3 bucket.
+	S3BucketFailedReason = "S3BucketCreationFailed"
+)