Add RoleConfig drift reconciliation

Author: PanSpagetka

config/crd/bases/infrastructure.cluster.x-k8s.io_rosaroleconfigs.yaml

@@ -48,12 +48,8 @@ spec:
                   creating your ROSA cluster.
                 properties:
                   path:
-                    description: The arn path for the account/operator roles as well
-                      as their policies.
                     type: string
                   permissionsBoundaryARN:
-                    description: The ARN of the policy that is used to set the permissions
-                      boundary for the account roles.
                     type: string
                   prefix:
                     description: User-defined prefix for all generated AWS resources
@@ -82,11 +78,8 @@ spec:
                 - version
                 type: object
               credentialsSecretRef:
-                description: |-
-                  CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API.
-                  The secret should contain the following data keys:
-                  - ocmToken: eyJhbGciOiJIUzI1NiIsI....
-                  - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
+                description: CredentialsSecretRef references a secret with necessary
+                  credentials to connect to the OCM API.
                 properties:
                   name:
                     default: ""
@@ -366,37 +359,6 @@ spec:
                     x-kubernetes-list-map-keys:
                     - name
                     x-kubernetes-list-type: map
-                  identityRef:
-                    description: AWSIdentityReference specifies a identity.
-                    properties:
-                      kind:
-                        description: Kind of the identity.
-                        enum:
-                        - AWSClusterControllerIdentity
-                        - AWSClusterRoleIdentity
-                        - AWSClusterStaticIdentity
-                        type: string
-                      name:
-                        description: Name of the identity.
-                        minLength: 1
-                        type: string
-                    required:
-                    - kind
-                    - name
-                    type: object
-                  managedOIDC:
-                    default: true
-                    description: ManagedOIDC indicates whether it is a Red Hat managed
-                      or unmanaged (Customer hosted) OIDC Configuration. Default is
-                      true.
-                    type: boolean
-                  prefix:
-                    type: string
-                  region:
-                    type: string
-                required:
-                - managedOIDC
-                - prefix
                 type: object
               operatorRoleConfig:
                 description: OperatorRoleConfig defines cluster-specific operator

controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go

@@ -15,6 +15,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
+// log is for logging in this package.
+var rosacpLog = ctrl.Log.WithName("rosacontrolplane-resource")
+
 // SetupWebhookWithManager will setup the webhooks for the ROSAControlPlane.
 func (r *ROSAControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	w := new(rosaControlPlaneWebhook)
@@ -184,25 +187,54 @@ func (r *ROSAControlPlane) validateExternalAuthProviders() *field.Error {
 }
 
 func (r *ROSAControlPlane) validateRosaRoleConfig() *field.Error {
-	hasRosaRoleConfigRef := r.Spec.RosaRoleConfigRef != nil
 	hasAnyDirectRoleFields := r.Spec.OIDCID != "" || r.Spec.InstallerRoleARN != "" || r.Spec.SupportRoleARN != "" || r.Spec.WorkerRoleARN != "" ||
 		r.Spec.RolesRef.IngressARN != "" || r.Spec.RolesRef.ImageRegistryARN != "" || r.Spec.RolesRef.StorageARN != "" ||
 		r.Spec.RolesRef.NetworkARN != "" || r.Spec.RolesRef.KubeCloudControllerARN != "" || r.Spec.RolesRef.NodePoolManagementARN != "" ||
 		r.Spec.RolesRef.ControlPlaneOperatorARN != "" || r.Spec.RolesRef.KMSProviderARN != ""
 
-	hasAllDirectRoleFields := r.Spec.OIDCID != "" && r.Spec.InstallerRoleARN != "" && r.Spec.SupportRoleARN != "" && r.Spec.WorkerRoleARN != "" &&
-		r.Spec.RolesRef.IngressARN != "" && r.Spec.RolesRef.ImageRegistryARN != "" && r.Spec.RolesRef.StorageARN != "" &&
-		r.Spec.RolesRef.NetworkARN != "" && r.Spec.RolesRef.KubeCloudControllerARN != "" && r.Spec.RolesRef.NodePoolManagementARN != "" &&
-		r.Spec.RolesRef.ControlPlaneOperatorARN != "" && r.Spec.RolesRef.KMSProviderARN != ""
-
-	if hasRosaRoleConfigRef && hasAnyDirectRoleFields {
-		return field.Invalid(field.NewPath("spec.rosaRoleConfigRef"), r.Spec.RosaRoleConfigRef, "rosaRoleConfigRef and direct role fields (oidcID, installerRoleARN, supportRoleARN, workerRoleARN, rolesRef) are mutually exclusive")
+	if r.Spec.RosaRoleConfigRef != nil {
+		if hasAnyDirectRoleFields {
+			rosacpLog.Info("rosaRoleConfigRef and direct role fields (oidcID, installerRoleARN, supportRoleARN, workerRoleARN, rolesRef) are mutually exclusive")
+		}
+		return nil
 	}
 
-	if !hasRosaRoleConfigRef && !hasAllDirectRoleFields {
-		return field.Invalid(field.NewPath("spec"), r.Spec, "either rosaRoleConfigRef or direct role fields (oidcID, installerRoleARN, supportRoleARN, workerRoleARN, rolesRef) must be specified")
+	if r.Spec.OIDCID == "" {
+		return field.Invalid(field.NewPath("spec.oidcID"), r.Spec.OIDCID, "must be specified")
+	}
+	if r.Spec.InstallerRoleARN == "" {
+		return field.Invalid(field.NewPath("spec.installerRoleARN"), r.Spec.InstallerRoleARN, "must be specified")
+	}
+	if r.Spec.SupportRoleARN == "" {
+		return field.Invalid(field.NewPath("spec.supportRoleARN"), r.Spec.SupportRoleARN, "must be specified")
+	}
+	if r.Spec.WorkerRoleARN == "" {
+		return field.Invalid(field.NewPath("spec.workerRoleARN"), r.Spec.WorkerRoleARN, "must be specified")
+	}
+	if r.Spec.RolesRef.IngressARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.ingressARN"), r.Spec.RolesRef.IngressARN, "must be specified")
+	}
+	if r.Spec.RolesRef.ImageRegistryARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.imageRegistryARN"), r.Spec.RolesRef.ImageRegistryARN, "must be specified")
+	}
+	if r.Spec.RolesRef.StorageARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.storageARN"), r.Spec.RolesRef.StorageARN, "must be specified")
+	}
+	if r.Spec.RolesRef.NetworkARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.networkARN"), r.Spec.RolesRef.NetworkARN, "must be specified")
+	}
+	if r.Spec.RolesRef.KubeCloudControllerARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.kubeCloudControllerARN"), r.Spec.RolesRef.KubeCloudControllerARN, "must be specified")
+	}
+	if r.Spec.RolesRef.NodePoolManagementARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.nodePoolManagementARN"), r.Spec.RolesRef.NodePoolManagementARN, "must be specified")
+	}
+	if r.Spec.RolesRef.ControlPlaneOperatorARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.controlPlaneOperatorARN"), r.Spec.RolesRef.ControlPlaneOperatorARN, "must be specified")
+	}
+	if r.Spec.RolesRef.KMSProviderARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.kmsProviderARN"), r.Spec.RolesRef.KMSProviderARN, "must be specified")
 	}
-
 	return nil
 }
 

controlplane/rosa/controllers/rosacontrolplane_controller.go

@@ -171,7 +171,6 @@ func (r *ROSAControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	}
 
 	log = log.WithValues("cluster", klog.KObj(cluster))
-
 	if isPaused, conditionChanged, err := paused.EnsurePausedCondition(ctx, r.Client, cluster, rosaControlPlane); err != nil || isPaused || conditionChanged {
 		return ctrl.Result{}, err
 	}
@@ -202,10 +201,10 @@ func (r *ROSAControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	}
 
 	// Handle normal reconciliation loop.
-	return r.reconcileNormal(ctx, rosaScope)
+	return r.reconcileNormal(ctx, rosaScope, log)
 }
 
-func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaScope *scope.ROSAControlPlaneScope) (res ctrl.Result, reterr error) {
+func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaScope *scope.ROSAControlPlaneScope, log *logger.Logger) (res ctrl.Result, reterr error) {
 	rosaScope.Info("Reconciling ROSAControlPlane")
 
 	if controllerutil.AddFinalizer(rosaScope.ControlPlane, ROSAControlPlaneFinalizer) {
@@ -245,9 +244,11 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 					rosacontrolplanev1.ROSARoleConfigNotFoundReason,
 					clusterv1.ConditionSeverityError,
 					"RosaRoleConfig %s/%s not found", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name)
-				return ctrl.Result{}, fmt.Errorf("RosaRoleConfig %s/%s not found: %w", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err)
+				log.Error(err, fmt.Sprintf("RosaRoleConfig %s/%s not found: %w", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err))
+				return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 			}
-			return ctrl.Result{}, fmt.Errorf("failed to get RosaRoleConfig %s/%s: %w", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err)
+			log.Error(err, fmt.Sprintf("failed to get RosaRoleConfig %s/%s: %w", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err))
+			return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 		}
 
 		// Check if RosaRoleConfig is ready
@@ -257,7 +258,9 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 				rosacontrolplanev1.ROSARoleConfigNotReadyReason,
 				clusterv1.ConditionSeverityWarning,
 				"RosaRoleConfig %s/%s is not ready", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name)
-			return ctrl.Result{}, fmt.Errorf("RosaRoleConfig %s/%s is not ready", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name)
+			log.Error(err, fmt.Sprintf("RosaRoleConfig %s/%s is not ready", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name))
+
+			return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 		}
 
 		conditions.MarkTrue(rosaScope.ControlPlane, rosacontrolplanev1.ROSARoleConfigReadyCondition)

exp/api/v1beta2/rosaroleconfig_types.go

@@ -36,9 +36,6 @@ type ROSARoleConfigSpec struct {
 	IdentityRef        *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
 	Region             string                        `json:"region,omitempty"`
 	// CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API.
-	// The secret should contain the following data keys:
-	// - ocmToken: eyJhbGciOiJIUzI1NiIsI....
-	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
 	// +optional
 	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`
 }
@@ -60,7 +57,7 @@ type ROSARoleConfig struct {
 // AccountRoleConfig defines account-wide IAM roles before creating your ROSA cluster.
 type AccountRoleConfig struct {
 	// User-defined prefix for all generated AWS resources
-	// +kubebuilder:validation:MaxLength:=40
+	// +kubebuilder:validation:MaxLength:=4
 	// +kubebuilder:validation:Required
 	// +immutable
 	Prefix string `json:"prefix"`
@@ -112,10 +109,6 @@ type SharedVPCConfig struct {
 // OIDCConfig creates OIDC config in a S3 bucket for the client AWS account and populates it to be compliant with OIDC protocol.
 // It also creates a Secret in Secrets Manager containing the private key.
 type OIDCConfig struct {
-	// ManagedOIDC indicates whether it is a Red Hat managed or unmanaged (Customer hosted) OIDC Configuration. Default is true.
-	// +kubebuilder:default=true
-	// +immutable
-	ManagedOIDC bool `json:"managedOIDC"`
 	// ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster.
 	// Can only be set if "enableExternalAuthProviders" is set to "True".
 	//
@@ -126,15 +119,6 @@ type OIDCConfig struct {
 	// +kubebuilder:validation:MaxItems=1
 	// +immutable
 	ExternalAuthProviders []rosacontrolplanev1.ExternalAuthProvider `json:"externalAuthProviders,omitempty"`
-	// IdentityRef is the AWS identity reference for the OIDC config.
-	// +immutable
-	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
-	// Region is the AWS region for the OIDC config.
-	// +immutable
-	Region string `json:"region,omitempty"`
-	// Prefix is the prefix for the OIDC config.
-	// +immutable
-	Prefix string `json:"prefix"`
 }
 
 // ROSARoleConfigStatus defines the observed state of ROSARoleConfig