Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ feat: Add IRSA support for self-managed clusters (rebase) #5109

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

✨ feat: Add IRSA support for self-managed clusters (rebase) #5109

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions api/v1beta1/awscluster_conversion.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ package v1beta1

import (
apiconversion "k8s.io/apimachinery/pkg/conversion"
"sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
infrav2 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
utilconversion "sigs.k8s.io/cluster-api/util/conversion"
"sigs.k8s.io/controller-runtime/pkg/conversion"
Expand Down Expand Up @@ -62,6 +63,8 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
dst.Status.Bastion.CapacityReservationID = restored.Status.Bastion.CapacityReservationID
}
dst.Spec.Partition = restored.Spec.Partition
dst.Spec.AssociateOIDCProvider = restored.Spec.AssociateOIDCProvider
dst.Status.OIDCProvider = restored.Status.OIDCProvider

for role, sg := range restored.Status.Network.SecurityGroups {
dst.Status.Network.SecurityGroups[role] = sg
Expand Down Expand Up @@ -218,3 +221,7 @@ func (r *AWSClusterList) ConvertFrom(srcRaw conversion.Hub) error {
func Convert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in *infrav2.SubnetSpec, out *SubnetSpec, s apiconversion.Scope) error {
return autoConvert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in, out, s)
}

func Convert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in *v1beta2.AWSClusterStatus, out *AWSClusterStatus, scope apiconversion.Scope) error {
return autoConvert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in, out, scope)
}
8 changes: 0 additions & 8 deletions api/v1beta1/s3bucket.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,6 @@ import (
"net"

"k8s.io/apimachinery/pkg/util/validation/field"

"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
)

// Validate validates S3Bucket fields.
Expand All @@ -37,12 +35,6 @@ func (b *S3Bucket) Validate() []*field.Error {
errs = append(errs, field.Required(field.NewPath("spec", "s3Bucket", "name"), "can't be empty"))
}

// Feature gate is not enabled but ignition is enabled then send a forbidden error.
if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) {
errs = append(errs, field.Forbidden(field.NewPath("spec", "s3Bucket"),
"can be set only if the BootstrapFormatIgnition feature gate is enabled"))
}

if b.ControlPlaneIAMInstanceProfile == "" {
errs = append(errs,
field.Required(field.NewPath("spec", "s3Bucket", "controlPlaneIAMInstanceProfiles"), "can't be empty"))
Expand Down
17 changes: 7 additions & 10 deletions api/v1beta1/zz_generated.conversion.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

23 changes: 23 additions & 0 deletions api/v1beta2/awscluster_spec.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
package v1beta2

import (
"k8s.io/apimachinery/pkg/util/validation/field"

"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
)

// Validate will validate the spec fields.
func (s *AWSClusterSpec) Validate() []*field.Error {
var errs field.ErrorList

// Check the feature gate is enabled for OIDC Provider.
if s.AssociateOIDCProvider && !feature.Gates.Enabled(feature.OIDCProviderSupport) {
errs = append(errs,
field.Forbidden(field.NewPath("spec", "associateOIDCProvider"),
"can be enabled only if the OIDCProviderSupport feature gate is enabled"),
)
return errs
}

return errs
}
16 changes: 13 additions & 3 deletions api/v1beta2/awscluster_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,11 +106,17 @@ type AWSClusterSpec struct {
IdentityRef *AWSIdentityReference `json:"identityRef,omitempty"`

// S3Bucket contains options to configure a supporting S3 bucket for this
// cluster - currently used for nodes requiring Ignition
// (https://coreos.github.io/ignition/) for bootstrapping (requires
// BootstrapFormatIgnition feature flag to be enabled).
// cluster - Used for nodes requiring Ignition (https://coreos.github.io/ignition/) for bootstrapping (requires
// BootstrapFormatIgnition feature flag to be enabled) and/or for storing OIDC endpoint certificates for use
// with IRSA (requires OIDCProviderSupport feature flag to be enabled).
// +optional
S3Bucket *S3Bucket `json:"s3Bucket,omitempty"`

// AssociateOIDCProvider can be enabled to automatically publish the clusters Service Account issuer OIDC discovery
// documents to S3, create an AWS IAM OIDC identity provider and configure it to trust the cluster issuer.
// This will only work if the S3Bucket is configured properly.
// +kubebuilder:default=false
AssociateOIDCProvider bool `json:"associateOIDCProvider,omitempty"`
}

// AWSIdentityKind defines allowed AWS identity types.
Expand Down Expand Up @@ -281,6 +287,10 @@ type AWSClusterStatus struct {
FailureDomains clusterv1.FailureDomains `json:"failureDomains,omitempty"`
Bastion *Instance `json:"bastion,omitempty"`
Conditions clusterv1.Conditions `json:"conditions,omitempty"`

// OIDCProvider holds the status of the identity provider for this cluster
// +optional
OIDCProvider OIDCProviderStatus `json:"oidcProvider,omitempty"`
}

// S3Bucket defines a supporting S3 bucket for the cluster, currently can be optionally used for Ignition.
Expand Down
1 change: 1 addition & 0 deletions api/v1beta2/awscluster_webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ var (
func (r *AWSCluster) ValidateCreate() (admission.Warnings, error) {
var allErrs field.ErrorList

allErrs = append(allErrs, r.Spec.Validate()...)
allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
allErrs = append(allErrs, r.validateSSHKeyName()...)
allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
Expand Down
8 changes: 8 additions & 0 deletions api/v1beta2/conditions_consts.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -192,3 +192,11 @@ const (
// S3BucketFailedReason is used when any errors occur during reconciliation of an S3 bucket.
S3BucketFailedReason = "S3BucketCreationFailed"
)

const (
// OIDCProviderReadyCondition indicates that the OIDC provider has been created successfully.
OIDCProviderReadyCondition = "OIDCProviderCreated"

// OIDCProviderReconciliationFailedReason is used if we can't reconcile the OIDC provider.
OIDCProviderReconciliationFailedReason = "OIDCProviderReconciliationFailed"
)
4 changes: 2 additions & 2 deletions api/v1beta2/s3bucket.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,9 +38,9 @@ func (b *S3Bucket) Validate() []*field.Error {
}

// Feature gate is not enabled but ignition is enabled then send a forbidden error.
if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) {
if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) && !feature.Gates.Enabled(feature.OIDCProviderSupport) {
errs = append(errs, field.Forbidden(field.NewPath("spec", "s3Bucket"),
"can be set only if the BootstrapFormatIgnition feature gate is enabled"))
"can be set only if the BootstrapFormatIgnition or OIDCProviderSupport feature gate is enabled"))
}

if b.PresignedURLDuration == nil {
Expand Down
10 changes: 10 additions & 0 deletions api/v1beta2/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -438,6 +438,16 @@ const (
AmazonLinuxGPU EKSAMILookupType = "AmazonLinuxGPU"
)

// OIDCProviderStatus holds the status of the AWS OIDC identity provider.
type OIDCProviderStatus struct {
// ARN holds the ARN of the provider
ARN string `json:"arn,omitempty"`
// IssuerURL holds the OIDC Issuer URL of the cluster.
IssuerURL string `json:"issuerUrl,omitempty"`
// TrustPolicy contains the boilerplate IAM trust policy to use for IRSA
TrustPolicy string `json:"trustPolicy,omitempty"`
}

// PrivateDNSName is the options for the instance hostname.
type PrivateDNSName struct {
// EnableResourceNameDNSAAAARecord indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.
Expand Down
16 changes: 16 additions & 0 deletions api/v1beta2/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 8 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,11 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
"ec2:DeleteLaunchTemplateVersions",
"ec2:DescribeKeyPairs",
"ec2:ModifyInstanceMetadataOptions",
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:ListOpenIDConnectProviders",
"iam:GetOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider",
},
},
{
Expand Down Expand Up @@ -295,6 +300,9 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
"s3:DeleteObject",
"s3:PutBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketOwnershipControls",
"s3:PutObjectAcl",
"s3:PutBucketPublicAccessBlock",
},
})
}
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
5 changes: 5 additions & 0 deletions cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Loading