From a21f7b49a570fa4e4cb4e9953e4edbf5ee01b7ba Mon Sep 17 00:00:00 2001 From: Amrutha Date: Tue, 7 Jan 2025 12:19:21 -0500 Subject: [PATCH] Adding managedcluster identity creator role arn Signed-off-by: Gaurav Jaswal --- ...ter-management.io_clustermanagers.crd.yaml | 25 ++++++++ ...ter-management.io_clustermanagers.crd.yaml | 25 ++++++++ ...cluster-manager.clusterserviceversion.yaml | 2 +- ...cluster-management.io_clustermanagers.yaml | 25 ++++++++ .../klusterlet.clusterserviceversion.yaml | 2 +- go.mod | 2 +- go.sum | 4 +- ...r-manager-registration-serviceaccount.yaml | 4 ++ manifests/config.go | 3 +- pkg/common/helpers/parser.go | 15 +++++ pkg/common/helpers/parser_test.go | 14 +++++ .../clustermanager_controller.go | 16 +++++ .../klusterlet_controller.go | 18 +----- .../register/aws_irsa/aws_irsa.go | 6 +- .../operator/clustermanager_aws_test.go | 62 +++++++++++++++++++ .../operator/clustermanager_test.go | 8 ++- .../spokecluster_aws_joining_test.go | 6 +- vendor/modules.txt | 2 +- ...ter-management.io_clustermanagers.crd.yaml | 25 ++++++++ .../api/operator/v1/types_clustermanager.go | 22 +++++++ .../api/operator/v1/zz_generated.deepcopy.go | 21 +++++++ .../v1/zz_generated.swagger_doc_generated.go | 14 ++++- 22 files changed, 290 insertions(+), 31 deletions(-) create mode 100644 pkg/common/helpers/parser.go create mode 100644 pkg/common/helpers/parser_test.go create mode 100644 test/integration/operator/clustermanager_aws_test.go diff --git a/deploy/cluster-manager/chart/cluster-manager/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml b/deploy/cluster-manager/chart/cluster-manager/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml index 8e92beeb7..c4e3864fa 100644 --- a/deploy/cluster-manager/chart/cluster-manager/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml +++ b/deploy/cluster-manager/chart/cluster-manager/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml 
@@ -255,6 +255,31 @@ spec: - feature type: object type: array + registrationDrivers: + description: |- + RegistrationDrivers represent the list of hub registration drivers that contain information used by hub to initialize the hub cluster + A RegistrationDriverHub contains details of authentication type and the hub cluster ARN + items: + properties: + authType: + default: csr + description: Type of the authentication used by hub to initialize + the Hub cluster. Possible values are csr and awsirsa. + enum: + - csr + - awsirsa + type: string + hubClusterArn: + description: |- + This represents the hub cluster ARN + Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1 + pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$ + type: string + type: object + type: array + x-kubernetes-list-map-keys: + - authType + x-kubernetes-list-type: map type: object registrationImagePullSpec: default: quay.io/open-cluster-management/registration diff --git a/deploy/cluster-manager/config/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml b/deploy/cluster-manager/config/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml index 8e92beeb7..c4e3864fa 100644 --- a/deploy/cluster-manager/config/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml +++ b/deploy/cluster-manager/config/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml 
@@ -255,6 +255,31 @@ spec: - feature type: object type: array + registrationDrivers: + description: |- + RegistrationDrivers represent the list of hub registration drivers that contain information used by hub to initialize the hub cluster + A RegistrationDriverHub contains details of authentication type and the hub cluster ARN + items: + properties: + authType: + default: csr + description: Type of the authentication used by hub to initialize + the Hub cluster. Possible values are csr and awsirsa. + enum: + - csr + - awsirsa + type: string + hubClusterArn: + description: |- + This represents the hub cluster ARN + Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1 + pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$ + type: string + type: object + type: array + x-kubernetes-list-map-keys: + - authType + x-kubernetes-list-type: map type: object registrationImagePullSpec: default: quay.io/open-cluster-management/registration diff --git a/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml b/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml index dcdc472af..c109f0cb0 100644 --- a/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml +++ b/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml @@ -59,7 +59,7 @@ metadata: categories: Integration & Delivery,OpenShift Optional certified: "false" containerImage: quay.io/open-cluster-management/registration-operator:latest - createdAt: "2025-01-06T02:51:43Z" + createdAt: "2025-01-16T23:45:52Z" description: Manages the installation and upgrade of the ClusterManager. operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 
diff --git a/deploy/cluster-manager/olm-catalog/latest/manifests/operator.open-cluster-management.io_clustermanagers.yaml b/deploy/cluster-manager/olm-catalog/latest/manifests/operator.open-cluster-management.io_clustermanagers.yaml index 3da9df424..fab826ce2 100644 --- a/deploy/cluster-manager/olm-catalog/latest/manifests/operator.open-cluster-management.io_clustermanagers.yaml +++ b/deploy/cluster-manager/olm-catalog/latest/manifests/operator.open-cluster-management.io_clustermanagers.yaml @@ -255,6 +255,31 @@ spec: - feature type: object type: array + registrationDrivers: + description: |- + RegistrationDrivers represent the list of hub registration drivers that contain information used by hub to initialize the hub cluster + A RegistrationDriverHub contains details of authentication type and the hub cluster ARN + items: + properties: + authType: + default: csr + description: Type of the authentication used by hub to initialize + the Hub cluster. Possible values are csr and awsirsa. + enum: + - csr + - awsirsa + type: string + hubClusterArn: + description: |- + This represents the hub cluster ARN + Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1 + pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$ + type: string + type: object + type: array + x-kubernetes-list-map-keys: + - authType + x-kubernetes-list-type: map type: object registrationImagePullSpec: default: quay.io/open-cluster-management/registration diff --git a/deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml b/deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml index e92b9f1cc..a2b90ef86 100644 --- a/deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml +++ b/deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml 
@@ -31,7 +31,7 @@ metadata: categories: Integration & Delivery,OpenShift Optional certified: "false" containerImage: quay.io/open-cluster-management/registration-operator:latest - createdAt: "2024-12-18T07:51:42Z" + createdAt: "2025-01-16T23:45:52Z" description: Manages the installation and upgrade of the Klusterlet. operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 diff --git a/go.mod b/go.mod index d2c2affec..54d5442d0 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( k8s.io/kube-aggregator v0.31.4 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 open-cluster-management.io/addon-framework v0.11.1-0.20241129080247-57b1d2859f50 - open-cluster-management.io/api v0.15.1-0.20250109024121-1a5e25a78a43 + open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40 open-cluster-management.io/sdk-go v0.15.1-0.20241125015855-1536c3970f8f sigs.k8s.io/cluster-inventory-api v0.0.0-20240730014211-ef0154379848 sigs.k8s.io/controller-runtime v0.19.3 diff --git a/go.sum b/go.sum index 104bd4eba..0dc608b65 100644 --- a/go.sum +++ b/go.sum 
@@ -453,8 +453,8 @@ k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= open-cluster-management.io/addon-framework v0.11.1-0.20241129080247-57b1d2859f50 h1:TXRd6OdGjArh6cwlCYOqlIcyx21k81oUIYj4rmHlYx0= open-cluster-management.io/addon-framework v0.11.1-0.20241129080247-57b1d2859f50/go.mod h1:tsBSNs9mGfVQQjXBnjgpiX6r0UM+G3iNfmzQgKhEfw4= -open-cluster-management.io/api v0.15.1-0.20250109024121-1a5e25a78a43 h1:9kgKRQQHMGNM1t+J+OrmF7hgZmND9kRwyRVnHIULzqw= -open-cluster-management.io/api v0.15.1-0.20250109024121-1a5e25a78a43/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM= +open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40 h1:LckTHZ68rcy3hDFu6wa7BVOJ9wbWItJLZXmi0bpMyh8= +open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM= open-cluster-management.io/sdk-go v0.15.1-0.20241125015855-1536c3970f8f h1:zeC7QrFNarfK2zY6jGtd+mX+yDrQQmnH/J8A7n5Nh38= open-cluster-management.io/sdk-go v0.15.1-0.20241125015855-1536c3970f8f/go.mod h1:fi5WBsbC5K3txKb8eRLuP0Sim/Oqz/PHX18skAEyjiA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= diff --git a/manifests/cluster-manager/hub/cluster-manager-registration-serviceaccount.yaml b/manifests/cluster-manager/hub/cluster-manager-registration-serviceaccount.yaml index ffb1d5be3..561b1ff56 100644 --- a/manifests/cluster-manager/hub/cluster-manager-registration-serviceaccount.yaml +++ b/manifests/cluster-manager/hub/cluster-manager-registration-serviceaccount.yaml @@ -3,3 +3,7 @@ kind: ServiceAccount metadata: name: registration-controller-sa namespace: {{ .ClusterManagerNamespace }} + {{ if .ManagedClusterIdentityCreatorRole }} + annotations: + eks.amazonaws.com/role-arn: {{ .ManagedClusterIdentityCreatorRole }} + {{end}} \ No newline at end of file 
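Review bot: The added `eks.amazonaws.com/role-arn: {{ .ManagedClusterIdentityCreatorRole }}` line emits the ARN unquoted, so the rendered manifest stays valid only as long as the derived role ARN never contains a character YAML treats specially; quoting it, `eks.amazonaws.com/role-arn: "{{ .ManagedClusterIdentityCreatorRole }}"`, removes that dependency at no cost. A one-line template comment would also help the next reader, e.g. `# IRSA: binds registration-controller's pod identity to the managed-cluster-identity-creator role`, since nothing in the manifest says why the annotation exists. The hunk also drops the file's trailing newline (`\ No newline at end of file`), which is easy to restore.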
diff --git a/manifests/config.go b/manifests/config.go
index d62aca81b..dc7bcec68 100644
--- a/manifests/config.go
+++ b/manifests/config.go
@@ -30,7 +30,8 @@ type HubConfig struct {
 ResourceRequirementResourceType operatorapiv1.ResourceQosClass
 // ResourceRequirements is the resource requirements for the cluster manager managed containers.
 // The type has to be []byte to use "indent" template function.
- ResourceRequirements []byte
+ ResourceRequirements []byte
+ ManagedClusterIdentityCreatorRole string
 }
 
 type Webhook struct {
diff --git a/pkg/common/helpers/parser.go b/pkg/common/helpers/parser.go
new file mode 100644
index 000000000..6ea20b2df
--- /dev/null
+++ b/pkg/common/helpers/parser.go
@@ -0,0 +1,15 @@
+package helpers
+
+import "strings"
+
+func GetAwsAccountIdAndClusterName(clusterArn string) (string, string) {
+ clusterStringParts := strings.Split(clusterArn, ":")
+ clusterName := strings.Split(clusterStringParts[5], "/")[1]
+ awsAccountId := clusterStringParts[4]
+ return awsAccountId, clusterName
+}
+
+func GetAwsRegion(clusterArn string) string {
+ clusterStringParts := strings.Split(clusterArn, ":")
+ return clusterStringParts[3]
+}
diff --git a/pkg/common/helpers/parser_test.go b/pkg/common/helpers/parser_test.go
new file mode 100644
index 000000000..875deadfd
--- /dev/null
+++ b/pkg/common/helpers/parser_test.go
@@ -0,0 +1,14 @@
+package helpers
+
+import (
+ "testing"
+)
+
+func TestGetAwsAccountIdAndClusterName(t *testing.T) {
+
+ awsAccountId, clusterName := GetAwsAccountIdAndClusterName("arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster")
+ if awsAccountId != "123456789012" && clusterName != "hub-cluster" {
+ t.Errorf("awsAccountId and cluster id are not valid")
+ }
+
+}
diff --git a/pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller.go b/pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller.go
index 32af09449..5ce717271 100644
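Review bot: The new `ManagedClusterIdentityCreatorRole string` field in HubConfig has no doc comment while the neighbouring fields carry one, and nothing in the struct says that the value ends up on a ServiceAccount. Suggest `// ManagedClusterIdentityCreatorRole is the IAM role ARN rendered as the eks.amazonaws.com/role-arn annotation on the registration service account; empty unless an awsirsa registration driver is configured.` The `ResourceRequirements` line is re-emitted only for alignment.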
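Review bot: `GetAwsAccountIdAndClusterName` indexes `clusterStringParts[5]` and then `[1]` of its `/` split with no length check, so any input that is not a six-part ARN with a `/` in the resource field — including the empty string — panics with an index out of range instead of reporting a problem; `GetAwsRegion` has the same issue at `[3]`. Now that both live in a shared helpers package and are fed from CR fields, a guard such as `if len(clusterStringParts) < 6 { return "", "" }` before the first index (and the same for the `/` split via `strings.SplitN(..., "/", 2)`) is preferable to relying on the CRD pattern alone, which only applies when the field is set. The functions are exported and undocumented; a comment stating the expected shape would help, e.g. `// GetAwsAccountIdAndClusterName splits an EKS cluster ARN of the form arn:aws:eks:<region>:<account-id>:cluster/<name> and returns the account id and cluster name.` The example in the CRD description elsewhere in this commit (`arn:eks:us-west-2:12345678910:...`) does not match the CRD's own `^arn:aws:eks:` / 12-digit pattern, so the doc comment here should be the authoritative statement of the shape.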
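Review bot: The assertion `if awsAccountId != "123456789012" && clusterName != "hub-cluster"` only fails when both values are wrong, so a regression in either one alone passes silently; it should be `||`, and the failure message should show the actual values, e.g. `t.Errorf("got account %q, cluster %q", awsAccountId, clusterName)`. `GetAwsRegion` has no test at all, and a malformed-input case is absent, which matters because the helpers currently panic rather than return on such input.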
--- a/pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller.go
+++ b/pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller.go
@@ -210,6 +210,9 @@ func (n *clusterManagerController) sync(ctx context.Context, controllerContext f
 // Check if addon management is enabled by the feature gate
 config.AddOnManagerEnabled = helpers.FeatureGateEnabled(addonFeatureGates, ocmfeature.DefaultHubAddonManagerFeatureGates, ocmfeature.AddonManagement)
 
+ // Compute and populate the value of managed cluster identity creator role to be used in cluster manager registration service account
+ config.ManagedClusterIdentityCreatorRole = getManagedClusterIdentityCreatorRolename(*clusterManager)
+
 // If we are deploying in the hosted mode, it requires us to create webhook in a different way with the default mode.
 // In the hosted mode, the webhook servers is running in the management cluster but the users are accessing the hub cluster.
 // So we need to add configuration to make the apiserver of the hub cluster could access the webhook servers on the management cluster.
@@ -419,3 +422,16 @@ func (n *clusterManagerController) getImagePullSecret(ctx context.Context) (stri
 
 return helpers.ImagePullSecret, nil
 }
+
+func getManagedClusterIdentityCreatorRolename(cm operatorapiv1.ClusterManager) string {
+ if cm.Spec.RegistrationConfiguration != nil {
+ for _, registrationDriver := range cm.Spec.RegistrationConfiguration.RegistrationDrivers {
+ if registrationDriver.AuthType == "awsirsa" {
+ hubClusterArn := registrationDriver.HubClusterArn
+ hubClusterAccountId, hubClusterName := commonhelper.GetAwsAccountIdAndClusterName(hubClusterArn)
+ return "arn:aws:iam::" + hubClusterAccountId + ":role/" + hubClusterName + "_managed-cluster-identity-creator"
+ }
+ }
+ }
+ return ""
+}
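Review bot: `getManagedClusterIdentityCreatorRolename` hands `registrationDriver.HubClusterArn` straight to `commonhelper.GetAwsAccountIdAndClusterName` whenever `AuthType == "awsirsa"`, but the API added in this commit marks `hubClusterArn` `+optional` (and with `omitempty` the CRD pattern appears not to apply to an unset value), so a ClusterManager with an awsirsa driver and no ARN makes the helper index past the end of its split and panics inside `sync`, on every reconcile of that CR. Skipping or surfacing such entries, `if registrationDriver.HubClusterArn == "" { continue }`, keeps the operator up; a validation error on the CR status would be better still. The function also deserves a doc comment recording the naming convention the hub-side IAM setup has to match, e.g. `// getManagedClusterIdentityCreatorRolename derives arn:aws:iam::<hub-account>:role/<hub-cluster-name>_managed-cluster-identity-creator from the awsirsa driver's HubClusterArn; returns "" when no awsirsa driver is configured.` Worth saying in that comment, too, that the annotation only takes effect if the IAM role's trust policy already names this service account, so the value derived from the CR does not by itself grant anything. The `sync` hunk above is cut at both ends; its body continues outside the hunk.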
diff --git a/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go b/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go index 53c4656f8..c73ac80b4 100644 --- a/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go +++ b/pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go @@ -130,7 +130,7 @@ type ManagedClusterIamRole struct { } func (managedClusterIamRole *ManagedClusterIamRole) arn() string { - managedClusterAccountId, _ := GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.ManagedClusterArn) + managedClusterAccountId, _ := commonhelpers.GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.ManagedClusterArn) md5HashUniqueIdentifier := managedClusterIamRole.md5HashSuffix() //arn:aws:iam:::role/ocm-managed-cluster- @@ -138,8 +138,8 @@ func (managedClusterIamRole *ManagedClusterIamRole) arn() string { } func (managedClusterIamRole *ManagedClusterIamRole) md5HashSuffix() string { - hubClusterAccountId, hubClusterName := GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.HubClusterArn) - managedClusterAccountId, managedClusterName := GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.ManagedClusterArn) + hubClusterAccountId, hubClusterName := commonhelpers.GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.HubClusterArn) + managedClusterAccountId, managedClusterName := commonhelpers.GetAwsAccountIdAndClusterName(managedClusterIamRole.AwsIrsa.ManagedClusterArn) hash := md5.Sum([]byte(strings.Join([]string{hubClusterAccountId, hubClusterName, managedClusterAccountId, managedClusterName}, "#"))) // #nosec G401 return hex.EncodeToString(hash[:]) 
@@ -573,15 +573,3 @@ func serviceAccountName(suffix string, klusterlet *operatorapiv1.Klusterlet) str } return fmt.Sprintf("%s-%s", klusterlet.Name, suffix) } - -func GetAwsAccountIdAndClusterName(clusterArn string) (string, string) { - clusterStringParts := strings.Split(clusterArn, ":") - clusterName := strings.Split(clusterStringParts[5], "/")[1] - awsAccountId := clusterStringParts[4] - return awsAccountId, clusterName -} - -func GetAwsRegion(clusterArn string) string { - clusterStringParts := strings.Split(clusterArn, ":") - return clusterStringParts[3] -} diff --git a/pkg/registration/register/aws_irsa/aws_irsa.go b/pkg/registration/register/aws_irsa/aws_irsa.go index 6e708b9ce..10140ee1e 100644 --- a/pkg/registration/register/aws_irsa/aws_irsa.go +++ b/pkg/registration/register/aws_irsa/aws_irsa.go @@ -15,7 +15,7 @@ import ( clusterv1 "open-cluster-management.io/api/cluster/v1" operatorv1 "open-cluster-management.io/api/operator/v1" - "open-cluster-management.io/ocm/pkg/operator/operators/klusterlet/controllers/klusterletcontroller" + "open-cluster-management.io/ocm/pkg/common/helpers" "open-cluster-management.io/ocm/pkg/registration/register" ) @@ -59,8 +59,8 @@ func (c *AWSIRSADriver) Process( } func (c *AWSIRSADriver) BuildKubeConfigFromTemplate(kubeConfig *clientcmdapi.Config) *clientcmdapi.Config { - hubClusterAccountId, hubClusterName := klusterletcontroller.GetAwsAccountIdAndClusterName(c.hubClusterArn) - awsRegion := klusterletcontroller.GetAwsRegion(c.hubClusterArn) + hubClusterAccountId, hubClusterName := helpers.GetAwsAccountIdAndClusterName(c.hubClusterArn) + awsRegion := helpers.GetAwsRegion(c.hubClusterArn) kubeConfig.AuthInfos = map[string]*clientcmdapi.AuthInfo{register.DefaultKubeConfigAuth: { Exec: &clientcmdapi.ExecConfig{ APIVersion: "client.authentication.k8s.io/v1beta1", diff --git a/test/integration/operator/clustermanager_aws_test.go b/test/integration/operator/clustermanager_aws_test.go new file mode 100644 index 000000000..0d7fe3275 
--- /dev/null +++ b/test/integration/operator/clustermanager_aws_test.go 
@@ -0,0 +1,62 @@ +package operator + +import ( + "context" + "github.com/onsi/ginkgo/v2" + "github.com/onsi/gomega" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + operatorapiv1 "open-cluster-management.io/api/operator/v1" +) + +var _ = ginkgo.Describe("ClusterManager Default Mode with aws registration", func() { + var cancel context.CancelFunc + var hubRegistrationSA = "registration-controller-sa" + + ginkgo.BeforeEach(func() { + var ctx context.Context + ctx, cancel = context.WithCancel(context.Background()) + go startHubOperator(ctx, operatorapiv1.InstallModeDefault) + }) + + ginkgo.AfterEach(func() { + // delete deployment for clustermanager here so tests are not impacted with each other + err := kubeClient.AppsV1().Deployments(hubNamespace).DeleteCollection(context.TODO(), metav1.DeleteOptions{}, metav1.ListOptions{}) + gomega.Expect(err).NotTo(gomega.HaveOccurred()) + if cancel != nil { + cancel() + } + }) + + ginkgo.Context("Deploy hub with aws auth", func() { + + ginkgo.It("should have IAM role annotation when initialized with awsirsa", func() { + + clusterManager, err := operatorClient.OperatorV1().ClusterManagers().Get(context.Background(), clusterManagerName, metav1.GetOptions{}) + gomega.Expect(err).ToNot(gomega.HaveOccurred()) + + if clusterManager.Spec.RegistrationConfiguration == nil { + clusterManager.Spec.RegistrationConfiguration = &operatorapiv1.RegistrationHubConfiguration{} + clusterManager.Spec.RegistrationConfiguration.RegistrationDrivers = []operatorapiv1.RegistrationDriverHub{ + { + AuthType: "awsirsa", + HubClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster", + }, + } + } + _, err = operatorClient.OperatorV1().ClusterManagers().Update(context.Background(), clusterManager, metav1.UpdateOptions{}) + gomega.Expect(err).ToNot(gomega.HaveOccurred()) + + gomega.Eventually(func() bool { + registrationControllerSA, err := kubeClient.CoreV1().ServiceAccounts(hubNamespace).Get( + context.Background(), hubRegistrationSA, 
metav1.GetOptions{}) + if err != nil { + return false + } + annotation := registrationControllerSA.Annotations["eks.amazonaws.com/role-arn"] + return annotation == "arn:aws:iam::123456789012:role/hub-cluster_managed-cluster-identity-creator" + }, eventuallyTimeout, eventuallyInterval).Should(gomega.BeTrue()) + + }) + }) + +}) diff --git a/test/integration/operator/clustermanager_test.go b/test/integration/operator/clustermanager_test.go index 088a5cd9a..0eb3f6008 100644 --- a/test/integration/operator/clustermanager_test.go +++ b/test/integration/operator/clustermanager_test.go @@ -153,9 +153,14 @@ var _ = ginkgo.Describe("ClusterManager Default Mode", func() { // Check service account gomega.Eventually(func() error { - if _, err := kubeClient.CoreV1().ServiceAccounts(hubNamespace).Get(context.Background(), hubRegistrationSA, metav1.GetOptions{}); err != nil { + registrationControllerSA, err := kubeClient.CoreV1().ServiceAccounts(hubNamespace).Get(context.Background(), hubRegistrationSA, metav1.GetOptions{}) + if err != nil { return err } + + if _, ok := registrationControllerSA.Annotations["eks.amazonaws.com/role-arn"]; ok { + return fmt.Errorf("Annotation applicable to awsirsa registration only") + } return nil }, eventuallyTimeout, eventuallyInterval).Should(gomega.BeNil()) gomega.Eventually(func() error { @@ -1294,4 +1299,5 @@ var _ = ginkgo.Describe("ClusterManager Default Mode", func() { gomega.ContainElement("manager")) }) }) + }) diff --git a/test/integration/registration/spokecluster_aws_joining_test.go b/test/integration/registration/spokecluster_aws_joining_test.go index 60ddc3182..9998eef9a 100644 --- a/test/integration/registration/spokecluster_aws_joining_test.go +++ b/test/integration/registration/spokecluster_aws_joining_test.go 
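Review bot: The `It` installs the awsirsa driver only when `clusterManager.Spec.RegistrationConfiguration == nil`; if the fixture or an earlier spec left a configuration in place, the `Update` is a no-op and the `Eventually` fails by timeout with nothing in the output explaining why. Setting `RegistrationDrivers` unconditionally, and restoring the original spec in `AfterEach` (which here only deletes deployments), would make the test self-contained — as written the awsirsa driver stays on the shared ClusterManager after this spec, while `clustermanager_test.go` in this same commit asserts the annotation is absent. The `Eventually` also discards the `Get` error by returning `false`; a `func() error` form that returns it, and a mismatch error that prints the actual annotation, would make failures readable.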
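Review bot: The new negative check's error string `fmt.Errorf("Annotation applicable to awsirsa registration only")` starts with a capital letter, against Go's lowercase error-string convention, and does not say what value was found; binding the value instead of `_` and writing `fmt.Errorf("unexpected eks.amazonaws.com/role-arn annotation %q on %s", v, hubRegistrationSA)` would give a useful failure. Whether `fmt` is already imported in this file is not visible from the hunk. The trailing hunk that adds a blank line before the closing `})` is whitespace only.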
@@ -12,8 +12,8 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/client-go/tools/clientcmd" + "open-cluster-management.io/ocm/pkg/common/helpers" commonoptions "open-cluster-management.io/ocm/pkg/common/options" - "open-cluster-management.io/ocm/pkg/operator/operators/klusterlet/controllers/klusterletcontroller" "open-cluster-management.io/ocm/pkg/registration/register" "open-cluster-management.io/ocm/pkg/registration/spoke" "open-cluster-management.io/ocm/test/integration/util" @@ -113,8 +113,8 @@ var _ = ginkgo.Describe("Joining Process for aws flow", func() { return fmt.Errorf("user exec plugun command is invalid") } - hubClusterAccountId, hubClusterName := klusterletcontroller.GetAwsAccountIdAndClusterName(hubClusterArn) - awsRegion := klusterletcontroller.GetAwsRegion(hubClusterArn) + hubClusterAccountId, hubClusterName := helpers.GetAwsAccountIdAndClusterName(hubClusterArn) + awsRegion := helpers.GetAwsRegion(hubClusterArn) if !contains(hubUser.Exec.Args, fmt.Sprintf("arn:aws:iam::%s:role/ocm-hub-%s", hubClusterAccountId, managedClusterRoleSuffix)) || !contains(hubUser.Exec.Args, hubClusterName) || diff --git a/vendor/modules.txt b/vendor/modules.txt index bff73e5ae..bd0aba1cf 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1584,7 +1584,7 @@ open-cluster-management.io/addon-framework/pkg/agent open-cluster-management.io/addon-framework/pkg/assets open-cluster-management.io/addon-framework/pkg/index open-cluster-management.io/addon-framework/pkg/utils -# open-cluster-management.io/api v0.15.1-0.20250109024121-1a5e25a78a43 +# open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40 ## explicit; go 1.22.0 open-cluster-management.io/api/addon/v1alpha1 open-cluster-management.io/api/client/addon/clientset/versioned 
diff --git a/vendor/open-cluster-management.io/api/operator/v1/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml b/vendor/open-cluster-management.io/api/operator/v1/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml index 8e92beeb7..c4e3864fa 100644 --- a/vendor/open-cluster-management.io/api/operator/v1/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml +++ b/vendor/open-cluster-management.io/api/operator/v1/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml @@ -255,6 +255,31 @@ spec: - feature type: object type: array + registrationDrivers: + description: |- + RegistrationDrivers represent the list of hub registration drivers that contain information used by hub to initialize the hub cluster + A RegistrationDriverHub contains details of authentication type and the hub cluster ARN + items: + properties: + authType: + default: csr + description: Type of the authentication used by hub to initialize + the Hub cluster. Possible values are csr and awsirsa. + enum: + - csr + - awsirsa + type: string + hubClusterArn: + description: |- + This represents the hub cluster ARN + Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1 + pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$ + type: string + type: object + type: array + x-kubernetes-list-map-keys: + - authType + x-kubernetes-list-type: map type: object registrationImagePullSpec: default: quay.io/open-cluster-management/registration diff --git a/vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go b/vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go index 373f87f10..d9d058e69 100644 --- a/vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go +++ b/vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go 
@@ -108,6 +108,28 @@ type RegistrationHubConfiguration struct { // he can set featuregate/Foo=false before upgrading. Let's say the cluster-admin wants featuregate/Foo=false. // +optional FeatureGates []FeatureGate `json:"featureGates,omitempty"` + + // RegistrationDrivers represent the list of hub registration drivers that contain information used by hub to initialize the hub cluster + // A RegistrationDriverHub contains details of authentication type and the hub cluster ARN + // +optional + // +listType=map + // +listMapKey=authType + RegistrationDrivers []RegistrationDriverHub `json:"registrationDrivers,omitempty"` +} + +type RegistrationDriverHub struct { + + // Type of the authentication used by hub to initialize the Hub cluster. Possible values are csr and awsirsa. + // +required + // +kubebuilder:default:=csr + // +kubebuilder:validation:Enum=csr;awsirsa + AuthType string `json:"authType,omitempty"` + + // This represents the hub cluster ARN + // Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1 + // +optional + // +kubebuilder:validation:Pattern=`^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$` + HubClusterArn string `json:"hubClusterArn,omitempty"` } type WorkConfiguration struct { diff --git a/vendor/open-cluster-management.io/api/operator/v1/zz_generated.deepcopy.go b/vendor/open-cluster-management.io/api/operator/v1/zz_generated.deepcopy.go index 64a618ba5..96eef484b 100644 --- a/vendor/open-cluster-management.io/api/operator/v1/zz_generated.deepcopy.go +++ b/vendor/open-cluster-management.io/api/operator/v1/zz_generated.deepcopy.go 
@@ -557,6 +557,22 @@ func (in *RegistrationDriver) DeepCopy() *RegistrationDriver { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RegistrationDriverHub) DeepCopyInto(out *RegistrationDriverHub) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegistrationDriverHub. +func (in *RegistrationDriverHub) DeepCopy() *RegistrationDriverHub { + if in == nil { + return nil + } + out := new(RegistrationDriverHub) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RegistrationHubConfiguration) DeepCopyInto(out *RegistrationHubConfiguration) { *out = *in @@ -570,6 +586,11 @@ func (in *RegistrationHubConfiguration) DeepCopyInto(out *RegistrationHubConfigu *out = make([]FeatureGate, len(*in)) copy(*out, *in) } + if in.RegistrationDrivers != nil { + in, out := &in.RegistrationDrivers, &out.RegistrationDrivers + *out = make([]RegistrationDriverHub, len(*in)) + copy(*out, *in) + } return } diff --git a/vendor/open-cluster-management.io/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/open-cluster-management.io/api/operator/v1/zz_generated.swagger_doc_generated.go index 5d63b9197..7342a4106 100644 --- a/vendor/open-cluster-management.io/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/open-cluster-management.io/api/operator/v1/zz_generated.swagger_doc_generated.go 
@@ -122,9 +122,19 @@ func (NodePlacement) SwaggerDoc() map[string]string { return map_NodePlacement } +var map_RegistrationDriverHub = map[string]string{ + "authType": "Type of the authentication used by hub to initialize the Hub cluster. Possible values are csr and awsirsa.", + "hubClusterArn": "This represents the hub cluster ARN Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1", +} + +func (RegistrationDriverHub) SwaggerDoc() map[string]string { + return map_RegistrationDriverHub +} + var map_RegistrationHubConfiguration = map[string]string{ - "autoApproveUsers": "AutoApproveUser represents a list of users that can auto approve CSR and accept client. If the credential of the bootstrap-hub-kubeconfig matches to the users, the cluster created by the bootstrap-hub-kubeconfig will be auto-registered into the hub cluster. This takes effect only when ManagedClusterAutoApproval feature gate is enabled.", - "featureGates": "FeatureGates represents the list of feature gates for registration If it is set empty, default feature gates will be used. If it is set, featuregate/Foo is an example of one item in FeatureGates:\n 1. If featuregate/Foo does not exist, registration-operator will discard it\n 2. If featuregate/Foo exists and is false by default. It is now possible to set featuregate/Foo=[false|true]\n 3. If featuregate/Foo exists and is true by default. If a cluster-admin upgrading from 1 to 2 wants to continue having featuregate/Foo=false,\n \the can set featuregate/Foo=false before upgrading. Let's say the cluster-admin wants featuregate/Foo=false.", + "autoApproveUsers": "AutoApproveUser represents a list of users that can auto approve CSR and accept client. If the credential of the bootstrap-hub-kubeconfig matches to the users, the cluster created by the bootstrap-hub-kubeconfig will be auto-registered into the hub cluster. 
This takes effect only when ManagedClusterAutoApproval feature gate is enabled.", + "featureGates": "FeatureGates represents the list of feature gates for registration If it is set empty, default feature gates will be used. If it is set, featuregate/Foo is an example of one item in FeatureGates:\n 1. If featuregate/Foo does not exist, registration-operator will discard it\n 2. If featuregate/Foo exists and is false by default. It is now possible to set featuregate/Foo=[false|true]\n 3. If featuregate/Foo exists and is true by default. If a cluster-admin upgrading from 1 to 2 wants to continue having featuregate/Foo=false,\n \the can set featuregate/Foo=false before upgrading. Let's say the cluster-admin wants featuregate/Foo=false.", + "registrationDrivers": "RegistrationDrivers represent the list of hub registration drivers that contain information used by hub to initialize the hub cluster A RegistrationDriverHub contains details of authentication type and the hub cluster ARN", } func (RegistrationHubConfiguration) SwaggerDoc() map[string]string {