feat: Add IRSA support for self-managed.

Fix s3 tests

api/v1beta1/awscluster_conversion.go

@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	apiconversion "k8s.io/apimachinery/pkg/conversion"
+	"sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	infrav2 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	utilconversion "sigs.k8s.io/cluster-api/util/conversion"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
@@ -62,6 +63,8 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Status.Bastion.CapacityReservationID = restored.Status.Bastion.CapacityReservationID
 	}
 	dst.Spec.Partition = restored.Spec.Partition
+	dst.Spec.AssociateOIDCProvider = restored.Spec.AssociateOIDCProvider
+	dst.Status.OIDCProvider = restored.Status.OIDCProvider
 
 	for role, sg := range restored.Status.Network.SecurityGroups {
 		dst.Status.Network.SecurityGroups[role] = sg
@@ -218,3 +221,7 @@ func (r *AWSClusterList) ConvertFrom(srcRaw conversion.Hub) error {
 func Convert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in *infrav2.SubnetSpec, out *SubnetSpec, s apiconversion.Scope) error {
 	return autoConvert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in, out, s)
 }
+
+func Convert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in *v1beta2.AWSClusterStatus, out *AWSClusterStatus, scope apiconversion.Scope) error {
+	return autoConvert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in, out, scope)
+}

api/v1beta1/s3bucket.go

@@ -21,8 +21,6 @@ import (
 	"net"
 
 	"k8s.io/apimachinery/pkg/util/validation/field"
-
-	"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
 )
 
 // Validate validates S3Bucket fields.
@@ -37,12 +35,6 @@ func (b *S3Bucket) Validate() []*field.Error {
 		errs = append(errs, field.Required(field.NewPath("spec", "s3Bucket", "name"), "can't be empty"))
 	}
 
-	// Feature gate is not enabled but ignition is enabled then send a forbidden error.
-	if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) {
-		errs = append(errs, field.Forbidden(field.NewPath("spec", "s3Bucket"),
-			"can be set only if the BootstrapFormatIgnition feature gate is enabled"))
-	}
-
 	if b.ControlPlaneIAMInstanceProfile == "" {
 		errs = append(errs,
 			field.Required(field.NewPath("spec", "s3Bucket", "controlPlaneIAMInstanceProfiles"), "can't be empty"))

api/v1beta2/awscluster_spec.go

@@ -0,0 +1,23 @@
+package v1beta2
+
+import (
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
+)
+
+// Validate will validate the spec fields.
+func (s *AWSClusterSpec) Validate() []*field.Error {
+	var errs field.ErrorList
+
+	// Check the feature gate is enabled for OIDC Provider.
+	if s.AssociateOIDCProvider && !feature.Gates.Enabled(feature.OIDCProviderSupport) {
+		errs = append(errs,
+			field.Forbidden(field.NewPath("spec", "associateOIDCProvider"),
+				"can be enabled only if the OIDCProviderSupport feature gate is enabled"),
+		)
+		return errs
+	}
+
+	return errs
+}

api/v1beta2/awscluster_types.go

@@ -106,11 +106,17 @@ type AWSClusterSpec struct {
 	IdentityRef *AWSIdentityReference `json:"identityRef,omitempty"`
 
 	// S3Bucket contains options to configure a supporting S3 bucket for this
-	// cluster - currently used for nodes requiring Ignition
-	// (https://coreos.github.io/ignition/) for bootstrapping (requires
-	// BootstrapFormatIgnition feature flag to be enabled).
+	// cluster - Used for nodes requiring Ignition (https://coreos.github.io/ignition/) for bootstrapping (requires
+	// BootstrapFormatIgnition feature flag to be enabled) and/or for storing OIDC endpoint certificates for use
+	// with IRSA (requires OIDCProviderSupport feature flag to be enabled).
 	// +optional
 	S3Bucket *S3Bucket `json:"s3Bucket,omitempty"`
+
+	// AssociateOIDCProvider can be enabled to automatically publish the clusters Service Account issuer OIDC discovery
+	// documents to S3, create an AWS IAM OIDC identity provider and configure it to trust the cluster issuer.
+	// This will only work if the S3Bucket is configured properly.
+	// +kubebuilder:default=false
+	AssociateOIDCProvider bool `json:"associateOIDCProvider,omitempty"`
 }
 
 // AWSIdentityKind defines allowed AWS identity types.
@@ -281,6 +287,10 @@ type AWSClusterStatus struct {
 	FailureDomains clusterv1.FailureDomains `json:"failureDomains,omitempty"`
 	Bastion        *Instance                `json:"bastion,omitempty"`
 	Conditions     clusterv1.Conditions     `json:"conditions,omitempty"`
+
+	// OIDCProvider holds the status of the identity provider for this cluster
+	// +optional
+	OIDCProvider OIDCProviderStatus `json:"oidcProvider,omitempty"`
 }
 
 // S3Bucket defines a supporting S3 bucket for the cluster, currently can be optionally used for Ignition.

api/v1beta2/awscluster_webhook.go

@@ -53,6 +53,7 @@ var (
 func (r *AWSCluster) ValidateCreate() (admission.Warnings, error) {
 	var allErrs field.ErrorList
 
+	allErrs = append(allErrs, r.Spec.Validate()...)
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
 	allErrs = append(allErrs, r.validateSSHKeyName()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)

api/v1beta2/conditions_consts.go

@@ -192,3 +192,11 @@ const (
 	// S3BucketFailedReason is used when any errors occur during reconciliation of an S3 bucket.
 	S3BucketFailedReason = "S3BucketCreationFailed"
 )
+
+const (
+	// OIDCProviderReadyCondition indicates that the OIDC provider has been created successfully.
+	OIDCProviderReadyCondition = "OIDCProviderCreated"
+
+	// OIDCProviderReconciliationFailedReason is used if we can't reconcile the OIDC provider.
+	OIDCProviderReconciliationFailedReason = "OIDCProviderReconciliationFailed"
+)

api/v1beta2/s3bucket.go

@@ -38,9 +38,9 @@ func (b *S3Bucket) Validate() []*field.Error {
 	}
 
 	// Feature gate is not enabled but ignition is enabled then send a forbidden error.
-	if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) {
+	if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) && !feature.Gates.Enabled(feature.OIDCProviderSupport) {
 		errs = append(errs, field.Forbidden(field.NewPath("spec", "s3Bucket"),
-			"can be set only if the BootstrapFormatIgnition feature gate is enabled"))
+			"can be set only if the BootstrapFormatIgnition or OIDCProviderSupport feature gate is enabled"))
 	}
 
 	if b.PresignedURLDuration == nil {

api/v1beta2/types.go

@@ -438,6 +438,16 @@ const (
 	AmazonLinuxGPU EKSAMILookupType = "AmazonLinuxGPU"
 )
 
+// OIDCProviderStatus holds the status of the AWS OIDC identity provider.
+type OIDCProviderStatus struct {
+	// ARN holds the ARN of the provider
+	ARN string `json:"arn,omitempty"`
+	// IssuerURL holds the OIDC Issuer URL of the cluster.
+	IssuerURL string `json:"issuerUrl,omitempty"`
+	// TrustPolicy contains the boilerplate IAM trust policy to use for IRSA
+	TrustPolicy string `json:"trustPolicy,omitempty"`
+}
+
 // PrivateDNSName is the options for the instance hostname.
 type PrivateDNSName struct {
 	// EnableResourceNameDNSAAAARecord indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.

cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go

@@ -184,6 +184,11 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"ec2:DeleteLaunchTemplateVersions",
 				"ec2:DescribeKeyPairs",
 				"ec2:ModifyInstanceMetadataOptions",
+				"iam:CreateOpenIDConnectProvider",
+				"iam:DeleteOpenIDConnectProvider",
+				"iam:ListOpenIDConnectProviders",
+				"iam:GetOpenIDConnectProvider",
+				"iam:TagOpenIDConnectProvider",
 			},
 		},
 		{
@@ -295,6 +300,9 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"s3:DeleteObject",
 				"s3:PutBucketPolicy",
 				"s3:PutBucketTagging",
+				"s3:PutBucketOwnershipControls",
+				"s3:PutObjectAcl",
+				"s3:PutBucketPublicAccessBlock",
 			},
 		})
 	}

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml

@@ -243,6 +243,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml

@@ -243,6 +243,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml

@@ -249,6 +249,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml

@@ -243,6 +243,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml

@@ -249,6 +249,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml

@@ -249,6 +249,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml

@@ -243,6 +243,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml

@@ -243,6 +243,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml

@@ -243,6 +243,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml

@@ -243,6 +243,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml

@@ -243,6 +243,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml

@@ -249,6 +249,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'