Add support for Origin Access Control CRD

[TiberiuGC]

Issue #, if available: aws-controllers-k8s/community#2093

Description of changes: add support for Origin Access Control CRD

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[a-hilaly]

We're so lucky we don't have arrays in this CRDs, we don't have write another massacre like https://github.com/aws-controllers-k8s/cloudfront-controller/blob/main/pkg/resource/distribution/hooks.go#L29-L34

[a-hilaly]

Super neat! thanks!
/lgtm

[ack-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: a-hilaly, TiberiuGC

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [a-hilaly]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bala151187]

@TiberiuGC @a-hilaly
I just installed new verison of cloudfront 0.0.12 & CRD as well .. Facing below permission error for the controller

{"level":"info","ts":"2024-07-19T20:56:48.227Z","msg":"pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: failed to list *v1alpha1.OriginAccessControl: originaccesscontrols.cloudfront.services.k8s.aws is forbidden: User \"system:serviceaccount:ack-system:ack-cloudfront-controller\" cannot list resource \"originaccesscontrols\" in API group \"cloudfront.services.k8s.aws\" at the cluster scope"} {"level":"error","ts":"2024-07-19T20:56:48.227Z","msg":"pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: Failed to watch *v1alpha1.OriginAccessControl: failed to list *v1alpha1.OriginAccessControl: originaccesscontrols.cloudfront.services.k8s.aws is forbidden: User \"system:serviceaccount:ack-system:ack-cloudfront-controller\" cannot list resource \"originaccesscontrols\" in API group \"cloudfront.services.k8s.aws\" at the cluster scope","stacktrace":"k8s.io/client-go/tools/cache.DefaultWatchErrorHandler\n\t/go/pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:147\nk8s.io/client-go/tools/cache.(*Reflector).Run.func1\n\t/go/pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:292\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/apimachinery@v0.29.0/pkg/util/wait/backoff.go:226\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/apimachinery@v0.29.0/pkg/util/wait/backoff.go:227\nk8s.io/client-go/tools/cache.(*Reflector).Run\n\t/go/pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:290\nk8s.io/client-go/tools/cache.(*controller).Run.(*Group).StartWithChannel.func2\n\t/go/pkg/mod/k8s.io/apimachinery@v0.29.0/pkg/util/wait/wait.go:55\nk8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1\n\t/go/pkg/mod/k8s.io/apimachinery@v0.29.0/pkg/util/wait/wait.go:72"}

my IAM role has these policies attached

That role mapped to the service account .

Am i missing anything

[a-hilaly]

@bala151187 this sounds like an RBAC issue, did you update the helm chart as well?

[bala151187]

@a-hilaly Yeah . i just manually updated the image version :) .

image: public.ecr.aws/aws-controllers-k8s/cloudfront-controller:0.0.12

[a-hilaly]

Updating the deployment image alone isn't enough, you need to use the latest helm chart (it contains the right RBAC for this version of the controller)

[bala151187]

@a-hilaly hmm .. then that's the missing piece .. gotcha .. ll let you know on monday .. thanks for replying