Merge pull request #3976 from spectrocloud/add-oidc-tags

Adding tags to OIDC providers

Author: k8s-ci-robot

pkg/cloud/converters/tags.go

@@ -22,6 +22,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/elb"
 	"github.com/aws/aws-sdk-go/service/elbv2"
+	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/aws/aws-sdk-go/service/ssm"
 
@@ -152,6 +153,22 @@ func MapToSSMTags(src infrav1.Tags) []*ssm.Tag {
 	return tags
 }
 
+// MapToIAMTags converts a infrav1.Tags to a []*iam.Tag.
+func MapToIAMTags(src infrav1.Tags) []*iam.Tag {
+	tags := make([]*iam.Tag, 0, len(src))
+
+	for k, v := range src {
+		tag := &iam.Tag{
+			Key:   aws.String(k),
+			Value: aws.String(v),
+		}
+
+		tags = append(tags, tag)
+	}
+
+	return tags
+}
+
 // ASGTagsToMap converts a []*autoscaling.TagDescription into a infrav1.Tags.
 func ASGTagsToMap(src []*autoscaling.TagDescription) infrav1.Tags {
 	tags := make(infrav1.Tags, len(src))

pkg/cloud/services/eks/oidc.go

@@ -23,6 +23,7 @@ import (
 	"strings"
 
 	"github.com/aws/aws-sdk-go/service/eks"
+	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -32,6 +33,7 @@ import (
 
 	"sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/converters"
 	iamv1 "sigs.k8s.io/cluster-api-provider-aws/v2/iam/api/v1beta1"
+	tagConverter "sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/converters"
 	"sigs.k8s.io/cluster-api/controllers/remote"
 )
 
@@ -74,6 +76,14 @@ func (s *Service) reconcileOIDCProvider(cluster *eks.Cluster) error {
 	if err := s.scope.PatchObject(); err != nil {
 		return errors.Wrap(err, "failed to update control plane with OIDC provider ARN")
 	}
+	// tagging the OIDC provider with the same tags of cluster
+	inputForTags := iam.TagOpenIDConnectProviderInput{
+		OpenIDConnectProviderArn: &s.scope.ControlPlane.Status.OIDCProvider.ARN,
+		Tags:                     tagConverter.MapToIAMTags(tagConverter.MapPtrToMap(cluster.Tags)),
+	}
+	if _, err := s.IAMClient.TagOpenIDConnectProvider(&inputForTags); err != nil {
+		return errors.Wrap(err, "failed to tag OIDC provider")
+	}
 
 	if err := s.reconcileTrustPolicy(); err != nil {
 		return errors.Wrap(err, "failed to reconcile trust policy in workload cluster")

pkg/cloud/services/eks/oidc_test.go

@@ -69,6 +69,10 @@ func TestOIDCReconcile(t *testing.T) {
 				}).Return(&iam.CreateOpenIDConnectProviderOutput{
 					OpenIDConnectProviderArn: aws.String("arn::oidc"),
 				}, nil)
+				m.TagOpenIDConnectProvider(&iam.TagOpenIDConnectProviderInput{
+					OpenIDConnectProviderArn: aws.String("arn::oidc"),
+					Tags:                     []*iam.Tag{},
+				}).Return(&iam.TagOpenIDConnectProviderOutput{}, nil)
 			},
 		},
 		{
@@ -101,6 +105,10 @@ func TestOIDCReconcile(t *testing.T) {
 					ThumbprintList: aws.StringSlice([]string{"15dbd260c7465ecca6de2c0b2181187f66ee0d1a"}),
 					Url:            &url,
 				}, nil)
+				m.TagOpenIDConnectProvider(&iam.TagOpenIDConnectProviderInput{
+					OpenIDConnectProviderArn: aws.String("arn::oidc"),
+					Tags:                     []*iam.Tag{},
+				}).Return(&iam.TagOpenIDConnectProviderOutput{}, nil)
 			},
 		},
 	}