kubernetes-sigs · sl1pm4t · May 26, 2023 · Feb 4, 2025 · richardcase · Jan 31, 2025
diff --git a/api/v1beta1/awscluster_conversion.go b/api/v1beta1/awscluster_conversion.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	apiconversion "k8s.io/apimachinery/pkg/conversion"
+	"sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	infrav2 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	utilconversion "sigs.k8s.io/cluster-api/util/conversion"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
@@ -64,6 +65,8 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Status.Bastion.MarketType = restored.Status.Bastion.MarketType
 	}
 	dst.Spec.Partition = restored.Spec.Partition
+	dst.Spec.AssociateOIDCProvider = restored.Spec.AssociateOIDCProvider
+	dst.Status.OIDCProvider = restored.Status.OIDCProvider
 
 	for role, sg := range restored.Status.Network.SecurityGroups {
 		dst.Status.Network.SecurityGroups[role] = sg
@@ -222,3 +225,7 @@ func (r *AWSClusterList) ConvertFrom(srcRaw conversion.Hub) error {
 func Convert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in *infrav2.SubnetSpec, out *SubnetSpec, s apiconversion.Scope) error {
 	return autoConvert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in, out, s)
 }
+
+func Convert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in *v1beta2.AWSClusterStatus, out *AWSClusterStatus, scope apiconversion.Scope) error {
+	return autoConvert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in, out, scope)
+}
diff --git a/api/v1beta1/s3bucket.go b/api/v1beta1/s3bucket.go
@@ -21,8 +21,6 @@ import (
 	"net"
 
 	"k8s.io/apimachinery/pkg/util/validation/field"
-
-	"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
 )
 
 // Validate validates S3Bucket fields.
@@ -37,12 +35,6 @@ func (b *S3Bucket) Validate() []*field.Error {
 		errs = append(errs, field.Required(field.NewPath("spec", "s3Bucket", "name"), "can't be empty"))
 	}
 
-	// Feature gate is not enabled but ignition is enabled then send a forbidden error.
-	if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) {
-		errs = append(errs, field.Forbidden(field.NewPath("spec", "s3Bucket"),
-			"can be set only if the BootstrapFormatIgnition feature gate is enabled"))
-	}
-
 	if b.ControlPlaneIAMInstanceProfile == "" {
 		errs = append(errs,
 			field.Required(field.NewPath("spec", "s3Bucket", "controlPlaneIAMInstanceProfiles"), "can't be empty"))

diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/awscluster_spec.go b/api/v1beta2/awscluster_spec.go
@@ -0,0 +1,23 @@
+package v1beta2
+
+import (
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
+)
+
+// Validate will validate the spec fields.
+func (s *AWSClusterSpec) Validate() []*field.Error {
+	var errs field.ErrorList
+
+	// Check the feature gate is enabled for OIDC Provider.
+	if s.AssociateOIDCProvider && !feature.Gates.Enabled(feature.OIDCProviderUnmanagedClusters) {
+		errs = append(errs,
+			field.Forbidden(field.NewPath("spec", "associateOIDCProvider"),
+				"can be enabled only if the OIDCProviderUnmanagedClusters feature gate is enabled"),
+		)
+		return errs
+	}
+
+	return errs
+}
diff --git a/api/v1beta2/awscluster_types.go b/api/v1beta2/awscluster_types.go
@@ -106,11 +106,17 @@ type AWSClusterSpec struct {
 	IdentityRef *AWSIdentityReference `json:"identityRef,omitempty"`
 
 	// S3Bucket contains options to configure a supporting S3 bucket for this
-	// cluster - currently used for nodes requiring Ignition
-	// (https://coreos.github.io/ignition/) for bootstrapping (requires
-	// BootstrapFormatIgnition feature flag to be enabled).
+	// cluster - Used for nodes requiring Ignition (https://coreos.github.io/ignition/) for bootstrapping (requires
+	// BootstrapFormatIgnition feature flag to be enabled) and/or for storing OIDC endpoint certificates for use
+	// with IRSA (requires OIDCProviderUnmanagedClusters feature flag to be enabled).
 	// +optional
 	S3Bucket *S3Bucket `json:"s3Bucket,omitempty"`
+
+	// AssociateOIDCProvider can be enabled to automatically publish the clusters Service Account issuer OIDC discovery
+	// documents to S3, create an AWS IAM OIDC identity provider and configure it to trust the cluster issuer.
+	// This will only work if the S3Bucket is configured properly.
+	// +kubebuilder:default=false
+	AssociateOIDCProvider bool `json:"associateOIDCProvider,omitempty"`
 }
 
 // AWSIdentityKind defines allowed AWS identity types.
@@ -281,6 +287,10 @@ type AWSClusterStatus struct {
 	FailureDomains clusterv1.FailureDomains `json:"failureDomains,omitempty"`
 	Bastion        *Instance                `json:"bastion,omitempty"`
 	Conditions     clusterv1.Conditions     `json:"conditions,omitempty"`
+
+	// OIDCProvider holds the status of the identity provider for this cluster
+	// +optional
+	OIDCProvider *OIDCProviderStatus `json:"oidcProvider,omitempty"`
 }
 
 // S3Bucket defines a supporting S3 bucket for the cluster, currently can be optionally used for Ignition.

diff --git a/api/v1beta2/awscluster_webhook.go b/api/v1beta2/awscluster_webhook.go
@@ -60,6 +60,7 @@ func (r *AWSCluster) ValidateCreate() (admission.Warnings, error) {
 	var allErrs field.ErrorList
 	var allWarnings admission.Warnings
 
+	allErrs = append(allErrs, r.Spec.Validate()...)
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
 	allErrs = append(allErrs, r.validateSSHKeyName()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)

diff --git a/api/v1beta2/conditions_consts.go b/api/v1beta2/conditions_consts.go
@@ -192,3 +192,11 @@ const (
 	// S3BucketFailedReason is used when any errors occur during reconciliation of an S3 bucket.
 	S3BucketFailedReason = "S3BucketCreationFailed"
 )
+
+const (
+	// OIDCProviderReadyCondition indicates that the OIDC provider has been created successfully.
+	OIDCProviderReadyCondition = "OIDCProviderCreated"
+
+	// OIDCProviderReconciliationFailedReason is used if we can't reconcile the OIDC provider.
+	OIDCProviderReconciliationFailedReason = "OIDCProviderReconciliationFailed"
+)
diff --git a/api/v1beta2/s3bucket.go b/api/v1beta2/s3bucket.go
@@ -37,10 +37,11 @@ func (b *S3Bucket) Validate() []*field.Error {
 		errs = append(errs, field.Required(field.NewPath("spec", "s3Bucket", "name"), "can't be empty"))
 	}
 
-	// Feature gate is not enabled but ignition is enabled then send a forbidden error.
-	if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) {
+	// Either the BootstrapFormatIgnition or OIDCProviderUnmanagedClusters feature gate must be enabled.
+	// Otherwise send a forbidden error.
+	if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) && !feature.Gates.Enabled(feature.OIDCProviderUnmanagedClusters) {
 		errs = append(errs, field.Forbidden(field.NewPath("spec", "s3Bucket"),
-			"can be set only if the BootstrapFormatIgnition feature gate is enabled"))
+			"can be set only if the BootstrapFormatIgnition or OIDCProviderUnmanagedClusters feature gate is enabled"))
 	}
 
 	if b.PresignedURLDuration == nil {

diff --git a/api/v1beta2/types.go b/api/v1beta2/types.go
@@ -465,6 +465,16 @@ const (
 	AmazonLinuxGPU EKSAMILookupType = "AmazonLinuxGPU"
 )
 
+// OIDCProviderStatus holds the status of the AWS OIDC identity provider.
+type OIDCProviderStatus struct {
+	// ARN holds the ARN of the provider
+	ARN string `json:"arn,omitempty"`
+	// IssuerURL holds the OIDC Issuer URL of the cluster.
+	IssuerURL string `json:"issuerUrl,omitempty"`
+	// TrustPolicy contains the boilerplate IAM trust policy to use for IRSA
+	TrustPolicy string `json:"trustPolicy,omitempty"`
+}
+
 // PrivateDNSName is the options for the instance hostname.
 type PrivateDNSName struct {
 	// EnableResourceNameDNSAAAARecord indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/cmd/clusterawsadm/api/bootstrap/v1alpha1/zz_generated.conversion.go b/cmd/clusterawsadm/api/bootstrap/v1alpha1/zz_generated.conversion.go
diff --git a/cmd/clusterawsadm/api/bootstrap/v1beta1/defaults.go b/cmd/clusterawsadm/api/bootstrap/v1beta1/defaults.go
@@ -106,6 +106,11 @@ func SetDefaults_AWSIAMConfigurationSpec(obj *AWSIAMConfigurationSpec) { //nolin
 	if obj.S3Buckets.NamePrefix == "" {
 		obj.S3Buckets.NamePrefix = DefaultS3BucketPrefix
 	}
+	if obj.IAMIdentityProviders == nil {
+		obj.IAMIdentityProviders = &IAMIdentityProviders{
+			Enable: false,
+		}
+	}
 }
 
 // SetDefaults_AWSIAMConfiguration is used by defaulter-gen.

diff --git a/cmd/clusterawsadm/api/bootstrap/v1beta1/types.go b/cmd/clusterawsadm/api/bootstrap/v1beta1/types.go
@@ -178,6 +178,13 @@ type S3Buckets struct {
 	NamePrefix string `json:"namePrefix"`
 }
 
+// IAMIdentityProviders controls the configuration of the AWS IAM role for IAM
+// Identity providers, which can be created to support IRSA for unmanaged clusters.
+type IAMIdentityProviders struct {
+	// Enable controls whether permissions are granted to manage IAM Identity Providers
+	Enable bool `json:"enable,omitempty"`
+}
+
 // AWSIAMConfigurationSpec defines the specification of the AWSIAMConfiguration.
 type AWSIAMConfigurationSpec struct {
 	// NamePrefix will be prepended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to "".
@@ -235,6 +242,11 @@ type AWSIAMConfigurationSpec struct {
 
 	// AllowAssumeRole enables the sts:AssumeRole permission within the CAPA policies
 	AllowAssumeRole bool `json:"allowAssumeRole,omitempty"`
+
+	// IAMIdentityProviders, when enabled, will add controller nodes permissions to
+	// create IAM Identity Providers for kubeadm workload clusters.
+	// +optional
+	IAMIdentityProviders *IAMIdentityProviders `json:"iamIdentityProviders,omitempty"`
 }
 
 // GetObjectKind returns the AAWSIAMConfiguration's TypeMeta.

diff --git a/cmd/clusterawsadm/api/bootstrap/v1beta1/zz_generated.deepcopy.go b/cmd/clusterawsadm/api/bootstrap/v1beta1/zz_generated.deepcopy.go
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -302,6 +302,19 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 			},
 		})
 	}
+	if t.Spec.IAMIdentityProviders.Enable {
+		statement = append(statement, iamv1.StatementEntry{
+			Effect: iamv1.EffectAllow,
+			Resource: iamv1.Resources{
+				fmt.Sprintf("arn:*:s3:::%s*", t.Spec.S3Buckets.NamePrefix),
+			},
+			Action: iamv1.Actions{
+				"s3:PutBucketOwnershipControls",
+				"s3:PutObjectAcl",
+				"s3:PutBucketPublicAccessBlock",
+			},
+		})
+	}
 	if t.Spec.EventBridge.Enable {
 		statement = append(statement, iamv1.StatementEntry{
 			Effect:   iamv1.EffectAllow,
@@ -323,6 +336,19 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 			},
 		})
 	}
+	if t.Spec.IAMIdentityProviders.Enable {
+		statement = append(statement, iamv1.StatementEntry{
+			Effect:   iamv1.EffectAllow,
+			Resource: iamv1.Resources{iamv1.Any},
+			Action: iamv1.Actions{
+				"iam:CreateOpenIDConnectProvider",
+				"iam:DeleteOpenIDConnectProvider",
+				"iam:ListOpenIDConnectProviders",
+				"iam:GetOpenIDConnectProvider",
+				"iam:TagOpenIDConnectProvider",
+			},
+		})
+	}
 
 	return &iamv1.PolicyDocument{
 		Version:   iamv1.CurrentVersion,