Merge remote-tracking branch 'origin/main' into addons-preserve

Author: root

cmd/clusterawsadm/api/bootstrap/v1alpha1/conversion.go

@@ -25,3 +25,7 @@ import (
 func Convert_v1beta1_AWSIAMConfigurationSpec_To_v1alpha1_AWSIAMConfigurationSpec(in *v1beta1.AWSIAMConfigurationSpec, out *AWSIAMConfigurationSpec, s conversion.Scope) error {
 	return autoConvert_v1beta1_AWSIAMConfigurationSpec_To_v1alpha1_AWSIAMConfigurationSpec(in, out, s)
 }
+
+func Convert_v1beta1_AWSIAMRoleSpec_To_v1alpha1_AWSIAMRoleSpec(in *v1beta1.AWSIAMRoleSpec, out *AWSIAMRoleSpec, s conversion.Scope) error {
+	return autoConvert_v1beta1_AWSIAMRoleSpec_To_v1alpha1_AWSIAMRoleSpec(in, out, s)
+}

cmd/clusterawsadm/api/bootstrap/v1alpha1/zz_generated.conversion.go

@@ -83,6 +83,14 @@ type AWSIAMRoleSpec struct {
 	// ExtraStatements are additional IAM statements to be included inline for the role.
 	ExtraStatements []iamv1.StatementEntry `json:"extraStatements,omitempty"`
 
+	// Path sets the path to the role.
+	// +optional
+	Path string `json:"path,omitempty"`
+
+	// PermissionsBoundary sets the ARN of the managed policy that is used to set the permissions boundary for the role.
+	// +optional
+	PermissionsBoundary string `json:"permissionsBoundary,omitempty"`
+
 	// TrustStatements is an IAM PolicyDocument defining what identities are allowed to assume this role.
 	// See "sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/iam/v1beta1" for more documentation.
 	TrustStatements []iamv1.StatementEntry `json:"trustStatements,omitempty"`

cmd/clusterawsadm/api/bootstrap/v1beta1/types.go

@@ -138,24 +138,30 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 
 	template.Resources[AWSIAMRoleControlPlane] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("control-plane"),
+		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.controlPlaneTrustPolicy(),
 		ManagedPolicyArns:        t.Spec.ControlPlane.ExtraPolicyAttachments,
 		Policies:                 t.controlPlanePolicies(),
+		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ControlPlane.Tags),
 	}
 
 	template.Resources[AWSIAMRoleControllers] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("controllers"),
+		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.controllersTrustPolicy(),
 		Policies:                 t.controllersRolePolicy(),
+		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ClusterAPIControllers.Tags),
 	}
 
 	template.Resources[AWSIAMRoleNodes] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("nodes"),
+		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.nodeTrustPolicy(),
 		ManagedPolicyArns:        t.nodeManagedPolicies(),
 		Policies:                 t.nodePolicies(),
+		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.Nodes.Tags),
 	}
 

cmd/clusterawsadm/cloudformation/bootstrap/template.go

@@ -2938,6 +2938,30 @@ spec:
                   and no name is supplied then a role is created.
                 minLength: 2
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               secondaryCidrBlock:
                 description: |-
                   SecondaryCidrBlock is the additional CIDR range to use for pod IPs.

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -911,6 +911,9 @@ spec:
                 description: Ready denotes that the ROSAControlPlane API Server is
                   ready to receive requests.
                 type: boolean
+              version:
+                description: OpenShift semantic version, for example "4.14.5".
+                type: string
             required:
             - ready
             type: object

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -264,6 +264,30 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               selectors:
                 description: Selectors specify fargate pod selectors.
                 items:

config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml

@@ -938,6 +938,30 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
+              rolePath:
+                description: |-
+                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+                  in the IAM User Guide.
+
+                  This parameter is optional. If it is not included, it defaults to a slash
+                  (/).
+                type: string
+              rolePermissionsBoundary:
+                description: |-
+                  RolePermissionsBoundary sets the ARN of the managed policy that is used
+                  to set the permissions boundary for the role.
+
+                  A permissions boundary policy defines the maximum permissions that identity-based
+                  policies can grant to an entity, but does not grant permissions. Permissions
+                  boundaries do not define the maximum permissions that a resource-based policy
+                  can grant to an entity. To learn more, see Permissions boundaries for IAM
+                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+                  in the IAM User Guide.
+
+                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+                  in the IAM User Guide.
+                type: string
               scaling:
                 description: Scaling specifies scaling for the ASG behind this pool
                 properties:

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml

@@ -204,6 +204,7 @@ func (r *AWSMachineReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	machineScope, err := scope.NewMachineScope(scope.MachineScopeParams{
 		Client:       r.Client,
 		Cluster:      cluster,
+		Logger:       log,
 		Machine:      machine,
 		InfraCluster: infraCluster,
 		AWSMachine:   awsMachine,

controllers/awsmachine_controller.go

@@ -42,6 +42,8 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.VpcCni.Disable = r.Spec.DisableVPCCNI
 	dst.Spec.Partition = restored.Spec.Partition
 	dst.Spec.RestrictPrivateSubnets = restored.Spec.RestrictPrivateSubnets
+	dst.Spec.RolePath = restored.Spec.RolePath
+	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
 	dst.Status.Version = restored.Status.Version
 	dst.Spec.BootstrapSelfManagedAddons = restored.Spec.BootstrapSelfManagedAddons
 	return nil

controlplane/eks/api/v1beta1/conversion.go

@@ -88,6 +88,30 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	RoleAdditionalPolicies *[]string `json:"roleAdditionalPolicies,omitempty"`
 
+	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
+	// in the IAM User Guide.
+	//
+	// This parameter is optional. If it is not included, it defaults to a slash
+	// (/).
+	// +optional
+	RolePath string `json:"rolePath,omitempty"`
+
+	// RolePermissionsBoundary sets the ARN of the managed policy that is used
+	// to set the permissions boundary for the role.
+	//
+	// A permissions boundary policy defines the maximum permissions that identity-based
+	// policies can grant to an entity, but does not grant permissions. Permissions
+	// boundaries do not define the maximum permissions that a resource-based policy
+	// can grant to an entity. To learn more, see Permissions boundaries for IAM
+	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
+	// in the IAM User Guide.
+	//
+	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
+	// in the IAM User Guide.
+	// +optional
+	RolePermissionsBoundary string `json:"rolePermissionsBoundary,omitempty"`
+
 	// Logging specifies which EKS Cluster logs should be enabled. Entries for
 	// each of the enabled logs will be sent to CloudWatch
 	// +optional

controlplane/eks/api/v1beta1/zz_generated.conversion.go

@@ -749,6 +749,10 @@ type RosaControlPlaneStatus struct {
 	// OIDCEndpointURL is the endpoint url for the managed OIDC provider.
 	OIDCEndpointURL string `json:"oidcEndpointURL,omitempty"`
 
+	// OpenShift semantic version, for example "4.14.5".
+	// +optional
+	Version string `json:"version"`
+
 	// Available upgrades for the ROSA hosted control plane.
 	AvailableUpgrades []string `json:"availableUpgrades,omitempty"`
 }

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -94,6 +94,8 @@ type ROSAControlPlaneReconciler struct {
 	Endpoints        []scope.ServiceEndpoint
 	NewStsClient     func(cloud.ScopeUsage, cloud.Session, logger.Wrapper, runtime.Object) stsiface.STSAPI
 	NewOCMClient     func(ctx context.Context, rosaScope *scope.ROSAControlPlaneScope) (rosa.OCMClient, error)
+	// Exposing the restClientConfig for integration test. No need to initialize.
+	restClientConfig *restclient.Config
 }
 
 // SetupWithManager is used to setup the controller.
@@ -252,6 +254,7 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		rosaScope.ControlPlane.Status.ConsoleURL = cluster.Console().URL()
 		rosaScope.ControlPlane.Status.OIDCEndpointURL = cluster.AWS().STS().OIDCEndpointURL()
 		rosaScope.ControlPlane.Status.Ready = false
+		rosaScope.ControlPlane.Status.Version = rosa.RawVersionID(cluster.Version())
 
 		switch cluster.Status().State() {
 		case cmv1.ClusterStateReady:
@@ -801,13 +804,16 @@ func (r *ROSAControlPlaneReconciler) reconcileKubeconfig(ctx context.Context, ro
 		return err
 	}
 
-	clientConfig := &restclient.Config{
-		Host:     apiServerURL,
-		Username: userName,
+	if r.restClientConfig == nil {
+		r.restClientConfig = &restclient.Config{
+			Host:     apiServerURL,
+			Username: userName,
+		}
 	}
+
 	// request an acccess token using the credentials of the cluster admin user created earlier.
 	// this token is used in the kubeconfig to authenticate with the API server.
-	token, err := rosa.RequestToken(ctx, apiServerURL, userName, password, clientConfig)
+	token, err := rosa.RequestToken(ctx, apiServerURL, userName, password, r.restClientConfig)
 	if err != nil {
 		return fmt.Errorf("failed to request token: %w", err)
 	}