controllers: reconcile S3Bucket as part of reconciliation loop

When S3Bucket.Enabled is true, cluster controller will create an S3
bucket, by default with cluster name as a bucket name, where machine
controller will be able to put userdata for systems, which do not
support pulling them from Secret Manager, like Ignition.

When cluster is deleted, bucket will be removed as well.

Co-authored-by: Dongsu Park <[email protected]>
Signed-off-by: Mateusz Gozdek <[email protected]>

Author: invidian

cmd/clusterawsadm/api/bootstrap/v1alpha1/zz_generated.conversion.go

@@ -33,6 +33,8 @@ const (
 	DefaultPartitionName = "aws"
 	// DefaultKMSAliasPattern is the default KMS alias.
 	DefaultKMSAliasPattern = "cluster-api-provider-aws-*"
+	// DefaultS3BucketPrefix is the default S3 bucket prefix.
+	DefaultS3BucketPrefix = "cluster-api-provider-aws-"
 )
 
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
@@ -91,6 +93,10 @@ func SetDefaults_AWSIAMConfigurationSpec(obj *AWSIAMConfigurationSpec) { //nolin
 	if len(obj.EKS.KMSAliasPrefix) == 0 {
 		obj.EKS.KMSAliasPrefix = DefaultKMSAliasPattern
 	}
+
+	if obj.S3Buckets.NamePrefix == "" {
+		obj.S3Buckets.NamePrefix = DefaultS3BucketPrefix
+	}
 }
 
 // SetDefaults_AWSIAMConfiguration is used by defaulter-gen.

cmd/clusterawsadm/api/bootstrap/v1beta1/defaults.go

@@ -159,6 +159,17 @@ type AWSIAMConfiguration struct {
 	Spec AWSIAMConfigurationSpec `json:"spec,omitempty"`
 }
 
+// S3Buckets controls the configuration of the AWS IAM role for S3 buckets
+// which can be created for storing bootstrap data for nodes requiring it.
+type S3Buckets struct {
+	// Enable controls whether permissions are granted to manage S3 buckets.
+	Enable bool `json:"enable"`
+
+	// NamePrefix will be prepended to every AWS IAM role bucket name. Defaults to "cluster-api-provider-aws-".
+	// AWSCluster S3 Bucket name must be prefixed with the same prefix.
+	NamePrefix string `json:"namePrefix"`
+}
+
 // AWSIAMConfigurationSpec defines the specification of the AWSIAMConfiguration.
 type AWSIAMConfigurationSpec struct {
 	// NamePrefix will be prepended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to "".
@@ -207,6 +218,12 @@ type AWSIAMConfigurationSpec struct {
 	// will generate AWS Secrets Manager policies instead.
 	// +kubebuilder:validation:Enum=secrets-manager;ssm-parameter-store
 	SecureSecretsBackends []infrav1.SecretBackend `json:"secureSecretBackends,omitempty"`
+
+	// S3Buckets, when enabled, will add controller nodes permissions to
+	// create S3 Buckets for workload clusters.
+	// TODO: This field could be a pointer, but it seems it breaks setting default values?
+	// +optional
+	S3Buckets S3Buckets `json:"s3Buckets,omitempty"`
 }
 
 // GetObjectKind returns the AAWSIAMConfiguration's TypeMeta.

cmd/clusterawsadm/api/bootstrap/v1beta1/types.go

@@ -236,6 +236,21 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 			})
 		}
 	}
+	if t.Spec.S3Buckets.Enable {
+		statement = append(statement, iamv1.StatementEntry{
+			Effect: iamv1.EffectAllow,
+			Resource: iamv1.Resources{
+				fmt.Sprintf("arn:*:s3:::%s*", t.Spec.S3Buckets.NamePrefix),
+			},
+			Action: iamv1.Actions{
+				"s3:CreateBucket",
+				"s3:DeleteBucket",
+				"s3:PutObject",
+				"s3:DeleteObject",
+				"s3:PutBucketPolicy",
+			},
+		})
+	}
 	if t.Spec.EventBridge.Enable {
 		statement = append(statement, iamv1.StatementEntry{
 			Effect:   iamv1.EffectAllow,