Add two flags for init to capture csr users and aws arn patterns to whitelist for auto approval

Signed-off-by: Jeffrey Wong <[email protected]>

Author: jeffw17

go.mod

@@ -28,7 +28,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubectl v0.31.1
 	k8s.io/utils v0.0.0-20240921022957-49e7df575cb6
-	open-cluster-management.io/api v0.15.1-0.20250226073118-8c9793267c9e
+	open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b
 	open-cluster-management.io/cluster-proxy v0.4.0
 	open-cluster-management.io/managed-serviceaccount v0.6.0
 	open-cluster-management.io/ocm v0.15.1-0.20250228202623-6c270f90a09a

go.sum

@@ -565,8 +565,6 @@ k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b h1:1ScdOKBMLbzA/k84P9Z64uSq3sxRclquej3tT1zhsqU=
 open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
-open-cluster-management.io/api v0.15.1-0.20250226073118-8c9793267c9e h1:4iQneGfxartfFSR+IHZRrjEuwtRpiHyKQ15Kd33YCVk=
-open-cluster-management.io/api v0.15.1-0.20250226073118-8c9793267c9e/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
 open-cluster-management.io/cluster-proxy v0.4.0 h1:rm0UDaDWe3/P3xLzwqdHtqNksKwSzsic02MkrEe6BnM=
 open-cluster-management.io/cluster-proxy v0.4.0/go.mod h1:gTvfDHAhGezhdg4BD3ECBn6jbg2Y5PbHhV2ceW5nrB0=
 open-cluster-management.io/managed-serviceaccount v0.6.0 h1:qIi5T9WQJBuoGqnYGIktXbtqfQoiN2H9XU2P/6lAQiw=

pkg/cmd/init/cmd.go

@@ -16,7 +16,7 @@ var example = `
 %[1]s init
 
 # Initialize the hub cluster with the type of authentication. Either or both of csr,awsirsa
-%[1]s init --registration-auth awsirsa --registration-auth csr --hubClusterArn arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1
+%[1]s init --registration-drivers="awsirsa,csr" --hubClusterArn arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1
 `
 
 // NewCmd ...
@@ -81,7 +81,7 @@ func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, stream
 	_ = clusterManagerSet.SetAnnotation("singleton-name", "singletonSet", []string{})
 	o.Helm.AddFlags(singletonSet)
 	cmd.Flags().AddFlagSet(singletonSet)
-	cmd.Flags().StringSliceVar(&o.registrationAuth, "registration-auth", []string{},
+	cmd.Flags().StringSliceVar(&o.registrationDrivers, "registration-drivers", []string{},
 		"The type of authentication to use for registering and authenticating with hub. Only csr and awsirsa are accepted as valid inputs. This flag can be repeated to specify multiple authentication types.")
 	cmd.Flags().StringVar(&o.hubClusterArn, "hub-cluster-arn", "",
 		"The hubCluster ARN to be passed if awsirsa is one of the registrationAuths and the cluster name in EKS kubeconfig doesn't contain hubClusterArn")

pkg/cmd/init/exec.go

@@ -153,18 +153,18 @@ func (o *Options) validate() error {
 	}
 
 	validRegistrationDriver := sets.New[string]("csr", "awsirsa")
-	for _, driver := range o.registrationAuth {
+	for _, driver := range o.registrationDrivers {
 		if !validRegistrationDriver.Has(driver) {
 			return fmt.Errorf("only csr and awsirsa are valid drivers")
 		}
 	}
 
-	featureGates := o.clusterManagerChartConfig.ClusterManager.RegistrationConfiguration.FeatureGates
+	featureGates := genericclioptionsclusteradm.ConvertToFeatureGateAPI(
+		genericclioptionsclusteradm.HubMutableFeatureGate, ocmfeature.DefaultHubRegistrationFeatureGates)
 	managedClusterAutoApprove := false
-
 	for _, feature := range featureGates {
-		if feature.Feature == "featuregate/ManagedClusterAutoApproval" {
-			if feature.Mode == "Enabled" {
+		if feature.Feature == "ManagedClusterAutoApproval" {
+			if feature.Mode == "Enable" {
 				managedClusterAutoApprove = true
 			}
 		}
@@ -173,12 +173,12 @@ func (o *Options) validate() error {
 	if managedClusterAutoApprove {
 		// If hub registration does not accept awsirsa, we stop user if they also pass in a list of patterns for AWS EKS ARN.
 
-		if len(o.autoApprovedARNPatterns) > 0 && !sets.New[string](o.registrationAuth...).Has("awsirsa") {
+		if len(o.autoApprovedARNPatterns) > 0 && !sets.New[string](o.registrationDrivers...).Has("awsirsa") {
 			return fmt.Errorf("should not provide list of patterns for aws eks arn if not initializing hub with awsirsa registration")
 		}
 
 		// If hub registration does not accept csr, we stop user if they also pass in a list of users for CSR auto approval.
-		if len(o.autoApprovedCSRIdentities) > 0 && !sets.New[string](o.registrationAuth...).Has("csr") {
+		if len(o.autoApprovedCSRIdentities) > 0 && !sets.New[string](o.registrationDrivers...).Has("csr") {
 			return fmt.Errorf("should not provide list of users for csr to auto approve if not initializing hub with csr registration")
 		}
 	} else if len(o.autoApprovedARNPatterns) > 0 || len(o.autoApprovedCSRIdentities) > 0 {
@@ -399,15 +399,15 @@ func getRegistrationDrivers(o *Options) ([]operatorv1.RegistrationDriverHub, err
 	registrationDrivers := []operatorv1.RegistrationDriverHub{}
 	var registrationDriver operatorv1.RegistrationDriverHub
 
-	for _, driver := range o.registrationAuth {
+	for _, driver := range o.registrationDrivers {
 		if driver == "csr" {
-			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, CSR: &operatorv1.CSRConfig{AutoApprovedIdentities: o.autoApprovedCSRIdentities}}
+			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, AutoApprovedIdentities: o.autoApprovedCSRIdentities}
 		} else if driver == "awsirsa" {
 			hubClusterArn, err := getHubClusterArn(o)
 			if err != nil {
 				return registrationDrivers, err
 			}
-			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, AwsIrsa: &operatorv1.AwsIrsaConfig{HubClusterArn: hubClusterArn, AutoApprovedIdentities: o.autoApprovedARNPatterns}}
+			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, AutoApprovedIdentities: o.autoApprovedARNPatterns, HubClusterArn: hubClusterArn}
 		}
 		registrationDrivers = append(registrationDrivers, registrationDriver)
 	}

pkg/cmd/init/options.go

@@ -52,7 +52,7 @@ type Options struct {
 	Streams genericiooptions.IOStreams
 
 	// The type of authentication to use for initializing the hub cluster
-	registrationAuth []string
+	registrationDrivers []string
 	// The optional ARN to pass if awsirsa is one of the registrationAuths
 	// and the cluster name in EKS kubeconfig doesn't contain hubClusterArn
 	hubClusterArn string

test/e2e/clusteradm/init_test.go

@@ -38,42 +38,40 @@ var _ = ginkgo.Describe("test clusteradm with bootstrap token in singleton mode"
 				"--use-bootstrap-token",
 				"--context", e2e.Cluster().Hub().Context(),
 				"--bundle-version=latest",
-				"--registration-auth=awsirsa",
+				"--registration-drivers=awsirsa",
 				"--hub-cluster-arn=arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
 			)
 			gomega.Expect(err).NotTo(gomega.HaveOccurred(), "clusteradm init error")
 
 			cm, err = operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
-			// Ensure that when only awsirsa is passed as registration-auth only awsirsa driver is available
+			// Ensure that when only awsirsa is passed as registration-drivers only awsirsa driver is available
 			gomega.Expect(len(cm.Spec.RegistrationConfiguration.RegistrationDrivers)).Should(gomega.Equal(1))
 			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AuthType).Should(gomega.Equal("awsirsa"))
 
 			err = e2e.Clusteradm().Init(
 				"--use-bootstrap-token",
 				"--context", e2e.Cluster().Hub().Context(),
 				"--bundle-version=latest",
-				"--registration-auth=awsirsa",
-				"--registration-auth=csr",
+				"--registration-drivers=awsirsa,csr",
 				"--hub-cluster-arn=arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
 			)
 			gomega.Expect(err).NotTo(gomega.HaveOccurred(), "clusteradm init error")
 
 			cm, err = operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
-			// Ensure that awsirsa and csr is passed as registration-auth both the values are set.
+			// Ensure that awsirsa and csr is passed as registration-drivers both the values are set.
 			gomega.Expect(len(cm.Spec.RegistrationConfiguration.RegistrationDrivers)).Should(gomega.Equal(2))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AuthType).Should(gomega.Equal("csr"))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AuthType).Should(gomega.Equal("awsirsa"))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].HubClusterArn).
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AuthType).Should(gomega.Equal("awsirsa"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AuthType).Should(gomega.Equal("csr"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].HubClusterArn).
 				Should(gomega.Equal("arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1"))
 
 			err = e2e.Clusteradm().Init(
 				"--use-bootstrap-token",
 				"--context", e2e.Cluster().Hub().Context(),
 				"--bundle-version=latest",
-				"--registration-auth=awsirsa",
-				"--registration-auth=csr",
+				"--registration-drivers=awsirsa,csr",
 				"--hub-cluster-arn=arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
 				"--feature-gates=ManagedClusterAutoApproval=true",
 				"--auto-approved-csr-identities=csr1",
@@ -83,10 +81,10 @@ var _ = ginkgo.Describe("test clusteradm with bootstrap token in singleton mode"
 			cm, err = operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 			// Ensure that the auto approval identities contain user for CSR and pattern for AWS
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AuthType).Should(gomega.Equal("csr"))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AuthType).Should(gomega.Equal("awsirsa"))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].CSR.AutoApprovedIdentities).Should(gomega.Equal("csr1"))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AwsIrsa.AutoApprovedIdentities).Should(gomega.Equal("arn:aws:eks:us-west-2:123456789012:cluster/*"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AuthType).Should(gomega.Equal("awsirsa"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AuthType).Should(gomega.Equal("csr"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AutoApprovedIdentities[0]).Should(gomega.Equal("csr1"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AutoApprovedIdentities[0]).Should(gomega.Equal("arn:aws:eks:us-west-2:123456789012:cluster/*"))
 
 			err = e2e.Clusteradm().Init(
 				"--use-bootstrap-token",

vendor/modules.txt

@@ -1245,7 +1245,7 @@ k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# open-cluster-management.io/api v0.15.1-0.20250226073118-8c9793267c9e
+# open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b
 ## explicit; go 1.22.0
 open-cluster-management.io/api/addon/v1alpha1
 open-cluster-management.io/api/client/addon/clientset/versioned