diff --git a/manifests/klusterlet/managed/klusterlet-registration-serviceaccount.yaml b/manifests/klusterlet/managed/klusterlet-registration-serviceaccount.yaml index bbbe83dc7..431e8ef07 100644 --- a/manifests/klusterlet/managed/klusterlet-registration-serviceaccount.yaml +++ b/manifests/klusterlet/managed/klusterlet-registration-serviceaccount.yaml @@ -9,5 +9,9 @@ metadata: "{{ $key }}": "{{ $value }}" {{ end }} {{ end }} + {{ if and .ManagedClusterRoleArn (eq .RegistrationDriver.AuthType "awsirsa") }} + annotations: + eks.amazonaws.com/role-arn: {{ .ManagedClusterRoleArn }} + {{ end }} imagePullSecrets: - name: open-cluster-management-image-pull-credentials diff --git a/manifests/klusterlet/managed/klusterlet-work-serviceaccount.yaml b/manifests/klusterlet/managed/klusterlet-work-serviceaccount.yaml index bf2f326f0..b16ddcf20 100644 --- a/manifests/klusterlet/managed/klusterlet-work-serviceaccount.yaml +++ b/manifests/klusterlet/managed/klusterlet-work-serviceaccount.yaml @@ -9,5 +9,9 @@ metadata: "{{ $key }}": "{{ $value }}" {{ end }} {{ end }} + {{ if and .ManagedClusterRoleArn (eq .RegistrationDriver.AuthType "awsirsa") }} + annotations: + eks.amazonaws.com/role-arn: {{ .ManagedClusterRoleArn }} + {{ end }} imagePullSecrets: - name: open-cluster-management-image-pull-credentials diff --git a/manifests/klusterlet/management/klusterlet-agent-deployment.yaml b/manifests/klusterlet/management/klusterlet-agent-deployment.yaml index 6a4f69a60..2c93df472 100644 --- a/manifests/klusterlet/management/klusterlet-agent-deployment.yaml +++ b/manifests/klusterlet/management/klusterlet-agent-deployment.yaml 
@@ -109,11 +109,15 @@ spec: {{if .AppliedManifestWorkEvictionGracePeriod}} - "--appliedmanifestwork-eviction-grace-period={{ .AppliedManifestWorkEvictionGracePeriod }}" {{end}} - {{if .RegistrationDriver.AuthType}} + {{if and .RegistrationDriver .RegistrationDriver.AuthType}} - "--registration-auth={{ .RegistrationDriver.AuthType }}" - {{end}} {{if eq .RegistrationDriver.AuthType "awsirsa"}} - "--hub-cluster-arn={{ .RegistrationDriver.AwsIrsa.HubClusterArn }}" + - "--managed-cluster-arn={{ .RegistrationDriver.AwsIrsa.ManagedClusterArn }}" + {{if .ManagedClusterRoleSuffix}} + - "--managed-cluster-role-suffix={{ .ManagedClusterRoleSuffix }}" + {{end}} + {{end}} {{end}} env: - name: POD_NAME @@ -144,6 +148,10 @@ spec: mountPath: "/spoke/hub-kubeconfig" - name: tmpdir mountPath: /tmp + {{if and .RegistrationDriver .RegistrationDriver.AuthType (eq .RegistrationDriver.AuthType "awsirsa")}} + - name: dot-aws + mountPath: /.aws + {{end}} {{if eq .InstallMode "SingletonHosted"}} - name: spoke-kubeconfig-secret mountPath: "/spoke/config" @@ -195,6 +203,10 @@ spec: medium: Memory - name: tmpdir emptyDir: { } + {{if and .RegistrationDriver .RegistrationDriver.AuthType (eq .RegistrationDriver.AuthType "awsirsa")}} + - name: dot-aws + emptyDir: { } + {{end}} {{if eq .InstallMode "SingletonHosted"}} - name: spoke-kubeconfig-secret secret: diff --git a/manifests/klusterlet/management/klusterlet-registration-deployment.yaml b/manifests/klusterlet/management/klusterlet-registration-deployment.yaml index 1a6b4893d..2e0623907 100644 --- a/manifests/klusterlet/management/klusterlet-registration-deployment.yaml +++ b/manifests/klusterlet/management/klusterlet-registration-deployment.yaml 
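Review bot: `{{if and .RegistrationDriver .RegistrationDriver.AuthType}}` in the args hunk never short-circuits on its first operand, because klusterletConfig declares `RegistrationDriver RegistrationDriver` as a struct value (klusterlet_controller.go struct hunk in this commit) and a struct is always truthy in text/template, so the guard is equivalent to the `{{if .RegistrationDriver.AuthType}}` it replaces; the same applies to the three-operand form on the dot-aws mount and volume hunks here and in the registration and work deployment templates. Reading it as a nil guard is misleading, and if a nil check was the intent the field would have to become a pointer. Separately, `dot-aws` is a disk-backed `emptyDir: { }` mounted at `/.aws`, whereas the neighbouring hub-kubeconfig volume uses `medium: Memory`; if the AWS SDK or the IRSA driver caches credentials or tokens under that path, `medium: Memory` keeps them off the node's disk — what actually gets written there is not visible in this diff.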
@@ -97,11 +97,15 @@ spec: {{if gt .RegistrationKubeAPIBurst 0}} - "--kube-api-burst={{ .RegistrationKubeAPIBurst }}" {{end}} - {{if .RegistrationDriver.AuthType}} + {{if and .RegistrationDriver .RegistrationDriver.AuthType}} - "--registration-auth={{ .RegistrationDriver.AuthType }}" - {{end}} {{if eq .RegistrationDriver.AuthType "awsirsa"}} - "--hub-cluster-arn={{ .RegistrationDriver.AwsIrsa.HubClusterArn }}" + - "--managed-cluster-arn={{ .RegistrationDriver.AwsIrsa.ManagedClusterArn }}" + {{if .ManagedClusterRoleSuffix}} + - "--managed-cluster-role-suffix={{ .ManagedClusterRoleSuffix }}" + {{end}} + {{end}} {{end}} env: - name: POD_NAME @@ -132,6 +136,10 @@ spec: mountPath: "/spoke/hub-kubeconfig" - name: tmpdir mountPath: /tmp + {{if and .RegistrationDriver .RegistrationDriver.AuthType (eq .RegistrationDriver.AuthType "awsirsa")}} + - name: dot-aws + mountPath: /.aws + {{end}} {{if eq .InstallMode "Hosted"}} - name: spoke-kubeconfig-secret mountPath: "/spoke/config" @@ -183,6 +191,10 @@ spec: medium: Memory - name: tmpdir emptyDir: { } + {{if and .RegistrationDriver .RegistrationDriver.AuthType (eq .RegistrationDriver.AuthType "awsirsa")}} + - name: dot-aws + emptyDir: { } + {{end}} {{if eq .InstallMode "Hosted"}} - name: spoke-kubeconfig-secret secret: diff --git a/manifests/klusterlet/management/klusterlet-work-deployment.yaml b/manifests/klusterlet/management/klusterlet-work-deployment.yaml index 0a71fc4f4..cb9913840 100644 --- a/manifests/klusterlet/management/klusterlet-work-deployment.yaml +++ b/manifests/klusterlet/management/klusterlet-work-deployment.yaml @@ -107,6 +107,10 @@ spec: readOnly: true - name: tmpdir mountPath: /tmp + {{if and .RegistrationDriver .RegistrationDriver.AuthType (eq .RegistrationDriver.AuthType "awsirsa")}} + - name: dot-aws + mountPath: /.aws + {{end}} {{if eq .InstallMode "Hosted"}} - name: spoke-kubeconfig-secret mountPath: "/spoke/config" 
@@ -147,6 +151,10 @@ spec: secretName: {{ .HubKubeConfigSecret }} - name: tmpdir emptyDir: { } + {{if and .RegistrationDriver .RegistrationDriver.AuthType (eq .RegistrationDriver.AuthType "awsirsa")}} + - name: dot-aws + emptyDir: { } + {{end}} {{if eq .InstallMode "Hosted"}} - name: spoke-kubeconfig-secret secret:
diff --git a/pkg/common/helpers/aws.go b/pkg/common/helpers/aws.go
new file mode 100644
index 000000000..c47cc9356
--- /dev/null
+++ b/pkg/common/helpers/aws.go
@@ -0,0 +1,14 @@
+package helpers
+
+import (
+ "regexp"
+)
+
+func IsEksArnWellFormed(eksArn string) bool {
+ pattern := "^arn:aws:eks:([a-zA-Z0-9-]+):(\\d{12}):cluster/([a-zA-Z0-9-]+)$"
+ matched, err := regexp.MatchString(pattern, eksArn)
+ if err != nil {
+ return false
+ }
+ return matched
+}
diff --git a/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go b/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go
index 30e1c5ee8..f999a3714 100644
--- a/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go
+++ b/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go
@@ -2,6 +2,9 @@ package klusterletcontroller
 import (
 "context"
+ "crypto/md5"
+ "encoding/hex"
+ er "errors"
 "fmt"
 "strings"
 "time"
@@ -114,7 +117,8 @@ func NewKlusterletController(
 }
 type AwsIrsa struct {
- HubClusterArn string
+ HubClusterArn string
+ ManagedClusterArn string
 }
 type RegistrationDriver struct {
@@ -187,6 +191,10 @@ type klusterletConfig struct {
 // Labels of the agents are synced from klusterlet CR.
 Labels map[string]string
 RegistrationDriver RegistrationDriver
+
+ ManagedClusterArn string
+ ManagedClusterRoleArn string
+ ManagedClusterRoleSuffix string
 }
 // If multiplehubs feature gate is enabled, using the bootstrapkubeconfigs from klusterlet CR.
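Review bot: IsEksArnWellFormed recompiles the pattern on every call, since `regexp.MatchString` compiles its first argument each time, and the `err != nil` branch exists only to absorb a compile failure of a constant pattern that cannot fail. A package-level `var eksArnRE = regexp.MustCompile("^arn:aws:eks:([a-zA-Z0-9-]+):(\\d{12}):cluster/([a-zA-Z0-9-]+)$")` with the body reduced to `return eksArnRE.MatchString(eksArn)` removes both. The doc comment the function carried in pkg/registration/helpers (`// IsEksArnWellFormed checks if the EKS cluster ARN is well-formed`, plus the example ARN) was dropped in the move; restore it, and state that only the `aws` partition is accepted, so `aws-cn` and `aws-us-gov` ARNs are rejected — fine if intended, but the operator now relies on this check to reject CR input and callers should know its scope.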
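Review bot: `ManagedClusterArn` added to klusterletConfig in the third klusterlet_controller.go hunk is not assigned anywhere in this diff — sync sets `config.ManagedClusterRoleArn` and `config.ManagedClusterRoleSuffix` only, and the deployment templates read the managed ARN from `.RegistrationDriver.AwsIrsa.ManagedClusterArn` — so as far as the diff shows the field is dead. Either drop it or, if a template is meant to use it, set it next to the other two in sync. The `er "errors"` alias in the import hunk is also avoidable, since `fmt.Errorf` is already in scope at both call sites.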
@@ -329,12 +337,32 @@ func (n *klusterletController) sync(ctx context.Context, controllerContext facto
 //Configuring Registration driver depending on registration auth
 if &klusterlet.Spec.RegistrationConfiguration.RegistrationDriver != nil && klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AuthType == AwsIrsaAuthType {
+
+ hubClusterArn := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.HubClusterArn
+ managedClusterArn := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.ManagedClusterArn
+
+ if !commonhelpers.IsEksArnWellFormed(hubClusterArn) {
+ errorMsg := fmt.Sprintf("HubClusterArn %s is not well formed", hubClusterArn)
+ klog.Errorf(errorMsg)
+ return er.New(errorMsg)
+ }
+
+ if !commonhelpers.IsEksArnWellFormed(managedClusterArn) {
+ errorMsg := fmt.Sprintf("ManagedClusterArn %s is not well formed", managedClusterArn)
+ klog.Errorf(errorMsg)
+ return er.New(errorMsg)
+ }
+
 config.RegistrationDriver = RegistrationDriver{
 AuthType: klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AuthType,
 AwsIrsa: &AwsIrsa{
- HubClusterArn: klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.HubClusterArn,
+ HubClusterArn: hubClusterArn,
+ ManagedClusterArn: managedClusterArn,
 },
 }
+ managedClusterRoleArn, managedClusterRoleSuffix := n.generateManagedRoleArnAndSuffix(klusterlet)
+ config.ManagedClusterRoleArn = managedClusterRoleArn
+ config.ManagedClusterRoleSuffix = managedClusterRoleSuffix
 } else {
 config.RegistrationDriver = RegistrationDriver{
 AuthType: klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AuthType,
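Review bot: `klog.Errorf(errorMsg)` passes a non-constant format string whose content is the ARN taken from the Klusterlet CR; a `%` in that value is read as a verb, and `go vet`'s printf check reports this form. The error is then also returned, so it is handled at two layers, and both ARNs are dereferenced through `.AwsIrsa.HubClusterArn` before anything checks `AwsIrsa` itself — the API field is a pointer (`&operatorapiv1.AwsIrsa{...}` in the tests), so a CR with authType awsirsa and no awsIrsa block panics the controller instead of returning a validation error. Keeping the message text unchanged so the new test still matches, the block can return through `fmt.Errorf` (which also makes the `er "errors"` alias unnecessary) after a nil guard; sync's body continues outside the hunk on both sides.
```go
		awsIrsaCfg := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa
		if awsIrsaCfg == nil {
			return fmt.Errorf("awsIrsa configuration is required when registration auth type is %s", AwsIrsaAuthType)
		}
		hubClusterArn := awsIrsaCfg.HubClusterArn
		managedClusterArn := awsIrsaCfg.ManagedClusterArn
		if !commonhelpers.IsEksArnWellFormed(hubClusterArn) {
			return fmt.Errorf("HubClusterArn %s is not well formed", hubClusterArn)
		}
		if !commonhelpers.IsEksArnWellFormed(managedClusterArn) {
			return fmt.Errorf("ManagedClusterArn %s is not well formed", managedClusterArn)
		}
		// … unchanged: config.RegistrationDriver assignment and generateManagedRoleArnAndSuffix call …
```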
@@ -433,6 +461,23 @@ func (n *klusterletController) sync(ctx context.Context, controllerContext facto
 return utilerrors.NewAggregate(errs)
 }
+func (n *klusterletController) generateManagedRoleArnAndSuffix(klusterlet *operatorapiv1.Klusterlet) (string, string) {
+ hubClusterArn := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.HubClusterArn
+ managedClusterArn := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.ManagedClusterArn
+
+ hubClusterStringParts := strings.Split(hubClusterArn, ":")
+
+ managedClusterStringParts := strings.Split(managedClusterArn, ":")
+ hubClusterName := strings.Split(hubClusterStringParts[5], "/")[1]
+ hubClusterAccountId := hubClusterStringParts[4]
+ managedClusterName := strings.Split(managedClusterStringParts[5], "/")[1]
+ managedClusterAccountId := managedClusterStringParts[4]
+ md5HashUniqueIdentifier := generateMd5HashUniqueIdentifier(hubClusterAccountId, hubClusterName, managedClusterAccountId, managedClusterName)
+ //arn:aws:iam:::role/ocm-managed-cluster-
+ managedClusterRoleArn := "arn:aws:iam::" + managedClusterAccountId + ":role/ocm-managed-cluster-" + md5HashUniqueIdentifier
+ return managedClusterRoleArn, md5HashUniqueIdentifier
+}
+
 // TODO also read CABundle from ExternalServerURLs and set into registration deployment
 func getServersFromKlusterlet(klusterlet *operatorapiv1.Klusterlet) string {
 if klusterlet.Spec.ExternalServerURLs == nil {
@@ -536,3 +581,8 @@ func serviceAccountName(suffix string, klusterlet *operatorapiv1.Klusterlet) str
 }
 return fmt.Sprintf("%s-%s", klusterlet.Name, suffix)
 }
+
+func generateMd5HashUniqueIdentifier(hubClusterAccountId string, hubClusterName string, managedClusterAccountId string, managedClusterName string) string {
+ hash := md5.Sum([]byte(hubClusterAccountId + "#" + hubClusterName + "#" + managedClusterAccountId + "#" + managedClusterName))
+ return hex.EncodeToString(hash[:])
+}
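Review bot: generateManagedRoleArnAndSuffix indexes `hubClusterStringParts[5]`, `[4]` and `strings.Split(..., "/")[1]` with no bounds checks, so it panics on any ARN that has not passed IsEksArnWellFormed, and that precondition is enforced only by the caller in sync and stated nowhere. A doc comment should carry it: `// generateManagedRoleArnAndSuffix derives the managed-cluster IAM role ARN and its identifier suffix from the hub and managed cluster EKS ARNs. Both ARNs must already have passed IsEksArnWellFormed: the field indexing below has no bounds checks.` The receiver `n` is unused, so a plain function taking the two ARNs would make that precondition testable in isolation, and the comment `//arn:aws:iam:::role/ocm-managed-cluster-` has lost its placeholders — `// arn:aws:iam::<managed-account-id>:role/ocm-managed-cluster-<identifier>` says what is built. On generateMd5HashUniqueIdentifier in the second hunk: MD5 serves here as a deterministic name derivation rather than an integrity check, so its collision weakness is not directly a problem, but gosec (G401/G501) flags `crypto/md5`, and because the suffix is exchanged with the hub through the `--managed-cluster-role-suffix` flag and the cluster annotation the hash cannot be swapped later without a coordinated hub-side change — record that with a `//nolint:gosec // deterministic identifier, not a security hash` comment rather than leaving it for a linter pass to "fix".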
diff --git a/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller_test.go b/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller_test.go
index 983bafe11..5867f49e6 100644
--- a/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller_test.go
+++ b/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller_test.go
@@ -388,6 +388,9 @@ func assertKlusterletDeployment(t *testing.T, actions []clienttesting.Action, ve
 }
 args := deployment.Spec.Template.Spec.Containers[0].Args
+ volumeMounts := deployment.Spec.Template.Spec.Containers[0].VolumeMounts
+ volumes := deployment.Spec.Template.Spec.Volumes
+
 expectedArgs := []string{
 "/registration-operator",
 "agent",
@@ -405,14 +408,39 @@ func assertKlusterletDeployment(t *testing.T, actions []clienttesting.Action, ve
 expectedArgs = append(expectedArgs, "--disable-leader-election")
 }
- expectedArgs = append(expectedArgs, "--status-sync-interval=60s", "--kube-api-qps=20", "--kube-api-burst=60",
- "--registration-auth=awsirsa", "--hub-cluster-arn=arneks:us-west-2:123456789012:cluster/hub-cluster1")
+ expectedArgs = append(expectedArgs, "--status-sync-interval=60s", "--kube-api-qps=20", "--kube-api-burst=60")
+
+ expectedArgs = append(expectedArgs, "--registration-auth=awsirsa",
+ "--hub-cluster-arn=arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
+ "--managed-cluster-arn=arn:aws:eks:us-west-2:123456789012:cluster/managed-cluster1",
+ "--managed-cluster-role-suffix=7f8141296c75f2871e3d030f85c35692")
 if !equality.Semantic.DeepEqual(args, expectedArgs) {
 t.Errorf("Expect args %v, but got %v", expectedArgs, args)
 return
 }
+ assert.True(t, isDotAwsMounted(volumeMounts))
+ assert.True(t, isDotAwsVolumePresent(volumes))
+
+}
+
+func isDotAwsVolumePresent(volumes []corev1.Volume) bool {
+ for _, volume := range volumes {
+ if volume.Name == "dot-aws" {
+ return true
+ }
+ }
+ return false
+}
+
+func isDotAwsMounted(mounts []corev1.VolumeMount) bool {
+ for _, mount := range mounts {
+ if mount.Name == "dot-aws" && mount.MountPath == "/.aws" {
+ return true
+ }
+ }
+ return false
 }
 func assertRegistrationDeployment(t *testing.T, actions []clienttesting.Action, verb, serverURL, clusterName string, replica int32, awsAuth bool) {
@@ -444,7 +472,9 @@ func assertRegistrationDeployment(t *testing.T, actions []clienttesting.Action,
 expectedArgs = append(expectedArgs, "--kube-api-qps=10", "--kube-api-burst=60")
 if awsAuth {
- expectedArgs = append(expectedArgs, "--registration-auth=awsirsa", "--hub-cluster-arn=arneks:us-west-2:123456789012:cluster/hub-cluster1")
+ expectedArgs = append(expectedArgs, "--registration-auth=awsirsa", "--hub-cluster-arn=arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1")
+ expectedArgs = append(expectedArgs, "--managed-cluster-arn=arn:aws:eks:us-west-2:123456789012:cluster/managed-cluster1",
+ "--managed-cluster-role-suffix=7f8141296c75f2871e3d030f85c35692")
 }
 if !equality.Semantic.DeepEqual(args, expectedArgs) {
 t.Errorf("Expect args %v, but got %v", expectedArgs, args)
@@ -988,18 +1018,50 @@ func TestGetServersFromKlusterlet(t *testing.T) {
 }
 }
+func TestAWSIrsaAuthInSingletonModeWithInvalidClusterArns(t *testing.T) {
+ klusterlet := newKlusterlet("klusterlet", "testns", "cluster1")
+ awsIrsaRegistrationDriver := operatorapiv1.RegistrationDriver{
+ AuthType: AwsIrsaAuthType,
+ AwsIrsa: &operatorapiv1.AwsIrsa{
+ HubClusterArn: "arn:aws:bks:us-west-2:123456789012:cluster/hub-cluster1",
+ ManagedClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/managed-cluster1",
+ },
+ }
+ klusterlet.Spec.RegistrationConfiguration.RegistrationDriver = awsIrsaRegistrationDriver
+ klusterlet.Spec.DeployOption.Mode = operatorapiv1.InstallModeSingleton
+ hubSecret := newSecret(helpers.HubKubeConfig, "testns")
+ hubSecret.Data["kubeconfig"] = []byte("dummykubeconfig")
+ hubSecret.Data["cluster-name"] = []byte("cluster1")
+ objects := []runtime.Object{
+ newNamespace("testns"),
+ newSecret(helpers.BootstrapHubKubeConfig, "testns"),
+ hubSecret,
+ }
+
+ syncContext := testingcommon.NewFakeSyncContext(t, "klusterlet")
+ controller := newTestController(t, klusterlet, syncContext.Recorder(), nil, false,
+ objects...)
+
+ err := controller.controller.sync(context.TODO(), syncContext)
+ if err != nil {
+ assert.Equal(t, err.Error(), "HubClusterArn arn:aws:bks:us-west-2:123456789012:cluster/hub-cluster1 is not well formed")
+ }
+
+}
+
 func TestAWSIrsaAuthInSingletonMode(t *testing.T) {
 klusterlet := newKlusterlet("klusterlet", "testns", "cluster1")
 awsIrsaRegistrationDriver := operatorapiv1.RegistrationDriver{
 AuthType: AwsIrsaAuthType,
 AwsIrsa: &operatorapiv1.AwsIrsa{
- HubClusterArn: "arneks:us-west-2:123456789012:cluster/hub-cluster1",
+ HubClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
+ ManagedClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/managed-cluster1",
 },
 }
 klusterlet.Spec.RegistrationConfiguration.RegistrationDriver = awsIrsaRegistrationDriver
 klusterlet.Spec.DeployOption.Mode = operatorapiv1.InstallModeSingleton
 hubSecret := newSecret(helpers.HubKubeConfig, "testns")
- hubSecret.Data["kubeconfig"] = []byte("dummuykubeconnfig")
+ hubSecret.Data["kubeconfig"] = []byte("dummykubeconfig")
 hubSecret.Data["cluster-name"] = []byte("cluster1")
 objects := []runtime.Object{
 newNamespace("testns"),
@@ -1024,7 +1086,8 @@ func TestAWSIrsaAuthInNonSingletonMode(t *testing.T) {
 awsIrsaRegistrationDriver := operatorapiv1.RegistrationDriver{
 AuthType: AwsIrsaAuthType,
 AwsIrsa: &operatorapiv1.AwsIrsa{
- HubClusterArn: "arneks:us-west-2:123456789012:cluster/hub-cluster1",
+ HubClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
+ ManagedClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/managed-cluster1",
 },
 }
 klusterlet.Spec.RegistrationConfiguration.RegistrationDriver = awsIrsaRegistrationDriver
diff --git a/pkg/registration/helpers/helpers.go b/pkg/registration/helpers/helpers.go
index 2fc8b5508..368e441a3 100644
--- a/pkg/registration/helpers/helpers.go
+++ b/pkg/registration/helpers/helpers.go
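Review bot: TestAWSIrsaAuthInSingletonModeWithInvalidClusterArns passes even if sync accepts the malformed `arn:aws:bks:...` hub ARN, because the only assertion sits inside `if err != nil` and nothing fails when err is nil, so the test does not pin the rejection it is named for. `assert.Equal` also takes expected before actual, so a mismatch would print the two values swapped. Replacing the block with `assert.EqualError(t, err, "HubClusterArn arn:aws:bks:us-west-2:123456789012:cluster/hub-cluster1 is not well formed")` fails on a nil error and fixes the ordering; a second case with a malformed ManagedClusterArn would cover the other branch sync adds.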
@@ -2,9 +2,6 @@ package helpers import ( "embed" - "net/url" - "regexp" - "github.com/openshift/library-go/pkg/assets" "github.com/openshift/library-go/pkg/operator/resource/resourceapply" certificatesv1 "k8s.io/api/certificates/v1"
@@ -13,6 +10,7 @@ import (
 "k8s.io/client-go/discovery/cached/memory"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/restmapper"
+ "net/url"
 clusterv1 "open-cluster-management.io/api/cluster/v1"
 )
@@ -177,14 +175,3 @@ func IsCSRSupported(nativeClient kubernetes.Interface) (bool, bool, error) {
 }
 return v1CSRSupported, v1beta1CSRSupported, nil
 }
-
-// IsEksArnWellFormed checks if the EKS cluster ARN is well-formed
-// Example of a well-formed ARN: arn:aws:eks:us-west-2:123456789012:cluster/my-cluster
-func IsEksArnWellFormed(eksArn string) bool {
- pattern := "^arn:aws:eks:([a-zA-Z0-9-]+):(\\d{12}):cluster/([a-zA-Z0-9-]+)$"
- matched, err := regexp.MatchString(pattern, eksArn)
- if err != nil {
- return false
- }
- return matched
-}
diff --git a/pkg/registration/register/aws_irsa/aws_irsa.go b/pkg/registration/register/aws_irsa/aws_irsa.go
index 2ba57c86b..823a92a36 100644
--- a/pkg/registration/register/aws_irsa/aws_irsa.go
+++ b/pkg/registration/register/aws_irsa/aws_irsa.go
@@ -33,7 +33,8 @@ type AWSOption struct {
 }
 type AWSIRSADriver struct {
- name string
+ name string
+ managedClusterRoleName string
 }
 func (c *AWSIRSADriver) Process(
diff --git a/pkg/registration/spoke/options.go b/pkg/registration/spoke/options.go
index f9c0649de..6c75e24e4 100644
--- a/pkg/registration/spoke/options.go
+++ b/pkg/registration/spoke/options.go
@@ -38,7 +38,9 @@ type SpokeAgentOptions struct {
 ClientCertExpirationSeconds int32
 ClusterAnnotations map[string]string
 RegistrationAuth string
- EksHubClusterArn string
+ HubClusterArn string
+ ManagedClusterArn string
+ ManagedClusterRoleSuffix string
 }
 func NewSpokeAgentOptions() *SpokeAgentOptions {
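Review bot: `"net/url"` is re-added between `k8s.io/client-go/restmapper` and `clusterv1`, inside the third-party group, and the removed lines of the first hunk appear to include the blank separator after `"embed"`, so the import block now reads as one alphabetically sorted list rather than stdlib-then-external — the grouping goimports produces and the other Go files in this diff keep. Putting `"net/url"` next to `"embed"` in a leading stdlib group avoids the formatting churn on the next goimports run.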
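Review bot: `managedClusterRoleName` is added to AWSIRSADriver but nothing in this diff sets or reads it, and `awsIrsa.NewAWSIRSADriver()` is still called with no arguments in spokeagent.go, so as far as the diff shows the field is dead and staticcheck typically reports such unexported fields as unused. If a follow-up wires it in, add the field there, or annotate it now with a comment such as `// managedClusterRoleName: populated by <follow-up>; not yet read` so the placeholder is not mistaken for finished work. The driver's methods are outside the hunk.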
@@ -79,8 +81,12 @@ func (o *SpokeAgentOptions) AddFlags(fs *pflag.FlagSet) {
 //Consider grouping these flags for driverOption in a new Option struct and add the flags using function driverOptions.AddFlags(fs).
 fs.StringVar(&o.RegistrationAuth, "registration-auth", o.RegistrationAuth,
 "The type of authentication to use to authenticate with hub.")
- fs.StringVar(&o.EksHubClusterArn, "hub-cluster-arn", o.EksHubClusterArn,
+ fs.StringVar(&o.HubClusterArn, "hub-cluster-arn", o.HubClusterArn,
 "The ARN of the EKS based hub cluster.")
+ fs.StringVar(&o.ManagedClusterArn, "managed-cluster-arn", o.ManagedClusterArn,
+ "The ARN of the EKS based managed cluster.")
+ fs.StringVar(&o.ManagedClusterRoleSuffix, "managed-cluster-role-suffix", o.ManagedClusterRoleSuffix,
+ "The suffix of the managed cluster IAM role.")
 }
 // Validate verifies the inputs.
@@ -113,7 +119,7 @@ func (o *SpokeAgentOptions) Validate() error {
 return errors.New("client certificate expiration seconds must greater or qual to 3600")
 }
- if (o.RegistrationAuth == AwsIrsaAuthType) && (o.EksHubClusterArn == "") {
+ if (o.RegistrationAuth == AwsIrsaAuthType) && (o.HubClusterArn == "") {
 return errors.New("EksHubClusterArn cannot be empty if RegistrationAuth is awsirsa")
 }
diff --git a/pkg/registration/spoke/spokeagent.go b/pkg/registration/spoke/spokeagent.go
index 5b9cfeeb9..df378481a 100644
--- a/pkg/registration/spoke/spokeagent.go
+++ b/pkg/registration/spoke/spokeagent.go
@@ -31,7 +31,6 @@ import (
 "open-cluster-management.io/ocm/pkg/common/helpers"
 commonoptions "open-cluster-management.io/ocm/pkg/common/options"
 "open-cluster-management.io/ocm/pkg/features"
- registrationHelpers "open-cluster-management.io/ocm/pkg/registration/helpers"
 "open-cluster-management.io/ocm/pkg/registration/register"
 awsIrsa "open-cluster-management.io/ocm/pkg/registration/register/aws_irsa"
 "open-cluster-management.io/ocm/pkg/registration/register/csr"
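Review bot: Validate in the second hunk still requires only `HubClusterArn` for awsirsa, while the `ManagedClusterArn` and `ManagedClusterRoleSuffix` flags added in AddFlags are never checked, and the spokeagent.go hunks in this commit drop the agent's own well-formedness check, so an empty or malformed `--managed-cluster-arn` is copied verbatim into the `managed-cluster-arn` cluster annotation at startup. The operator validates these values before rendering the deployment, but the agent binary accepts the flags directly and should not depend on that. The retained error string still names `EksHubClusterArn`, the field the commit renamed. Whether the suffix may legitimately be empty (the templates emit `--managed-cluster-role-suffix` only `{{if .ManagedClusterRoleSuffix}}`) is not visible here, so the sketch checks the ARN only; IsEksArnWellFormed, now in pkg/common/helpers, can be applied to both ARNs once that package is imported. The enclosing Validate starts outside the hunk.
```go
	if o.RegistrationAuth == AwsIrsaAuthType {
		if o.HubClusterArn == "" {
			return errors.New("EksHubClusterArn cannot be empty if RegistrationAuth is awsirsa")
		}
		if o.ManagedClusterArn == "" {
			return errors.New("ManagedClusterArn cannot be empty if RegistrationAuth is awsirsa")
		}
	}
	// … unchanged: remaining validation …
```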
@@ -194,13 +193,13 @@ func (o *SpokeAgentConfig) RunSpokeAgentWithSpokeInformers(ctx context.Context,
 var registerDriver register.RegisterDriver
 if o.registrationOption.RegistrationAuth == AwsIrsaAuthType {
 // TODO: may consider add additional validations
- if o.registrationOption.EksHubClusterArn != "" && registrationHelpers.IsEksArnWellFormed(o.registrationOption.EksHubClusterArn) {
+ if o.registrationOption.HubClusterArn != "" {
 registerDriver = awsIrsa.NewAWSIRSADriver()
 if o.registrationOption.ClusterAnnotations == nil {
 o.registrationOption.ClusterAnnotations = map[string]string{}
 }
- o.registrationOption.ClusterAnnotations[operatorv1.ClusterAnnotationsKeyPrefix+"/managed-cluster-arn"] = "" //TODO: find arn from current context
- o.registrationOption.ClusterAnnotations[operatorv1.ClusterAnnotationsKeyPrefix+"/managed-cluster-iam-role-suffix"] = "" //TODO: Add role suffix after RE-7249
+ o.registrationOption.ClusterAnnotations[operatorv1.ClusterAnnotationsKeyPrefix+"/managed-cluster-arn"] = o.registrationOption.ManagedClusterArn
+ o.registrationOption.ClusterAnnotations[operatorv1.ClusterAnnotationsKeyPrefix+"/managed-cluster-iam-role-suffix"] = o.registrationOption.ManagedClusterRoleSuffix
 } else {
 panic("A valid EKS Hub Cluster ARN is required with awsirsa based authentication")
@@ -324,7 +323,7 @@ func (o *SpokeAgentConfig) RunSpokeAgentWithSpokeInformers(ctx context.Context,
 var registrationAuthOption any
 if o.registrationOption.RegistrationAuth == AwsIrsaAuthType {
- if o.registrationOption.EksHubClusterArn != "" && registrationHelpers.IsEksArnWellFormed(o.registrationOption.EksHubClusterArn) {
+ if o.registrationOption.HubClusterArn != "" {
 registrationAuthOption, err = registration.NewAWSOption(
 secretOption,
 bootstrapClusterInformerFactory.Cluster(),
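Review bot: The new condition `if o.registrationOption.HubClusterArn != ""` drops the `IsEksArnWellFormed` check but keeps the `panic("A valid EKS Hub Cluster ARN is required …")` branch, so the message now promises a validity check that no longer happens, and since Validate already rejects an empty HubClusterArn the else branch is unreachable through the normal flag path (other callers are not visible here). The NewAWSOption hunk below makes the same substitution. The helper is still reachable from this file as `helpers.IsEksArnWellFormed` through the `pkg/common/helpers` import that the import hunk keeps, so `if o.registrationOption.HubClusterArn != "" && helpers.IsEksArnWellFormed(o.registrationOption.HubClusterArn) {` restores the check at both sites without a new import; if the operator is meant to be the sole validator, say so in the `// TODO: may consider add additional validations` comment instead. RunSpokeAgentWithSpokeInformers starts and ends outside the hunk.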