Add two flags for init to capture csr users and aws arn patterns to whitelist for auto approval

Signed-off-by: “Jeffrey <[email protected]>
Signed-off-by: Alex <[email protected]>

Author: jeffw17

go.mod

@@ -28,7 +28,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubectl v0.31.1
 	k8s.io/utils v0.0.0-20240921022957-49e7df575cb6
-	open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40
+	open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b
 	open-cluster-management.io/cluster-proxy v0.4.0
 	open-cluster-management.io/managed-serviceaccount v0.6.0
 	open-cluster-management.io/ocm v0.15.1-0.20250120013556-eeb4ab31d5ab

go.sum

@@ -557,8 +557,8 @@ k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24=
 k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM=
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI=
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40 h1:LckTHZ68rcy3hDFu6wa7BVOJ9wbWItJLZXmi0bpMyh8=
-open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
+open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b h1:1ScdOKBMLbzA/k84P9Z64uSq3sxRclquej3tT1zhsqU=
+open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
 open-cluster-management.io/cluster-proxy v0.4.0 h1:rm0UDaDWe3/P3xLzwqdHtqNksKwSzsic02MkrEe6BnM=
 open-cluster-management.io/cluster-proxy v0.4.0/go.mod h1:gTvfDHAhGezhdg4BD3ECBn6jbg2Y5PbHhV2ceW5nrB0=
 open-cluster-management.io/managed-serviceaccount v0.6.0 h1:qIi5T9WQJBuoGqnYGIktXbtqfQoiN2H9XU2P/6lAQiw=

pkg/cmd/init/cmd.go

@@ -86,5 +86,9 @@ func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, stream
 	cmd.Flags().StringVar(&o.hubClusterArn, "hub-cluster-arn", "",
 		"The hubCluster ARN to be passed if awsirsa is one of the registrationAuths and the cluster name in EKS kubeconfig doesn't contain hubClusterArn")
 
+	cmd.Flags().StringSliceVar(&o.autoApprovedCSRIdentities, "auto-approved-csr-identities", []string{},
+		"The users or identities that can be auto approved for CSR and auto accepted to join with hub cluster")
+	cmd.Flags().StringSliceVar(&o.autoApprovedARNPatterns, "auto-approved-arn-patterns", []string{},
+		"List of AWS EKS ARN patterns so any EKS clusters with these patterns will be auto accepted to join with hub cluster")
 	return cmd
 }

pkg/cmd/init/exec.go

@@ -4,10 +4,11 @@ package init
 import (
 	"context"
 	"fmt"
-	"k8s.io/apimachinery/pkg/util/sets"
 	"os"
 	"time"
 
+	"k8s.io/apimachinery/pkg/util/sets"
+
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
@@ -75,6 +76,7 @@ func (o *Options) complete(cmd *cobra.Command, args []string) (err error) {
 		if err != nil {
 			return err
 		}
+
 		o.clusterManagerChartConfig.ClusterManager = chart.ClusterManagerConfig{
 			RegistrationConfiguration: operatorv1.RegistrationHubConfiguration{
 				FeatureGates: genericclioptionsclusteradm.ConvertToFeatureGateAPI(
@@ -157,6 +159,32 @@ func (o *Options) validate() error {
 		}
 	}
 
+	featureGates := o.clusterManagerChartConfig.ClusterManager.RegistrationConfiguration.FeatureGates
+	managedClusterAutoApprove := false
+
+	for _, feature := range featureGates {
+		if feature.Feature == "featuregate/ManagedClusterAutoApproval" {
+			if feature.Mode == "Enabled" {
+				managedClusterAutoApprove = true
+			}
+		}
+	}
+
+	if managedClusterAutoApprove {
+		// If hub registration does not accept awsirsa, we stop user if they also pass in a list of patterns for AWS EKS ARN.
+
+		if len(o.autoApprovedARNPatterns) > 0 && !sets.New[string](o.registrationAuth...).Has("awsirsa") {
+			return fmt.Errorf("should not provide list of patterns for aws eks arn if not initializing hub with awsirsa registration")
+		}
+
+		// If hub registration does not accept csr, we stop user if they also pass in a list of users for CSR auto approval.
+		if len(o.autoApprovedCSRIdentities) > 0 && !sets.New[string](o.registrationAuth...).Has("csr") {
+			return fmt.Errorf("should not provide list of users for csr to auto approve if not initializing hub with csr registration")
+		}
+	} else if len(o.autoApprovedARNPatterns) > 0 || len(o.autoApprovedCSRIdentities) > 0 {
+		return fmt.Errorf("should enable feature gate ManagedClusterAutoApproval before passing list of identities")
+	}
+
 	// If --wait is set, some information during initialize process will print to output, the output would not keep
 	// machine readable, so this behavior should be disabled
 	if o.wait && o.output != "text" {
@@ -373,17 +401,16 @@ func getRegistrationDrivers(o *Options) ([]operatorv1.RegistrationDriverHub, err
 
 	for _, driver := range o.registrationAuth {
 		if driver == "csr" {
-			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver}
+			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, AutoApprovedIdentities: o.autoApprovedCSRIdentities}
 		} else if driver == "awsirsa" {
 			hubClusterArn, err := getHubClusterArn(o)
 			if err != nil {
 				return registrationDrivers, err
 			}
-			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, HubClusterArn: hubClusterArn}
+			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, HubClusterArn: hubClusterArn, AutoApprovedIdentities: o.autoApprovedARNPatterns}
 		}
 		registrationDrivers = append(registrationDrivers, registrationDriver)
 	}
-
 	return registrationDrivers, nil
 }
 

pkg/cmd/init/options.go

@@ -56,6 +56,11 @@ type Options struct {
 	// The optional ARN to pass if awsirsa is one of the registrationAuths
 	// and the cluster name in EKS kubeconfig doesn't contain hubClusterArn
 	hubClusterArn string
+
+	// A list of users that can be auto approve csr and auto accept to join hub cluster
+	autoApprovedCSRIdentities []string
+	// A list of AWS EKS ARN patterns that are accepted and whatever matches can be auto accepted to join hub cluster
+	autoApprovedARNPatterns []string
 }
 
 func newOptions(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericiooptions.IOStreams) *Options {

test/e2e/clusteradm/init_test.go

@@ -69,6 +69,23 @@ var _ = ginkgo.Describe("test clusteradm with bootstrap token in singleton mode"
 			//gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].HubClusterArn).
 			//	Should(gomega.Equal("arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1"))
 
+			err = e2e.Clusteradm().Init(
+				"--use-bootstrap-token",
+				"--context", e2e.Cluster().Hub().Context(),
+				"--bundle-version=latest",
+				"--registration-auth awsirsa,csr",
+				"--auto-approved-csr-identities csr1",
+				"--auto-approved-arn-patterns arn:aws:eks:us-west-2:123456789012:cluster/*",
+			)
+			gomega.Expect(err).NotTo(gomega.HaveOccurred(), "clusteradm init error")
+			cm, err = operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+			// Ensure that the auto approval identities contain user for CSR and pattern for AWS
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AuthType).Should(gomega.Equal("csr"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AuthType).Should(gomega.Equal("awsirsa"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AutoApprovedIdentities[0]).Should(gomega.Equal("csr1"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AutoApprovedIdentities[0]).Should(gomega.Equal("arn:aws:eks:us-west-2:123456789012:cluster/*"))
+
 			err = e2e.Clusteradm().Init(
 				"--use-bootstrap-token",
 				"--context", e2e.Cluster().Hub().Context(),

vendor/modules.txt

@@ -1239,7 +1239,7 @@ k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40
+# open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b
 ## explicit; go 1.22.0
 open-cluster-management.io/api/addon/v1alpha1
 open-cluster-management.io/api/client/addon/clientset/versioned