changes to support aws tags

Signed-off-by: Jeffrey Wong <[email protected]>

Author: jeffw17

go.mod

@@ -28,10 +28,10 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubectl v0.31.1
 	k8s.io/utils v0.0.0-20240921022957-49e7df575cb6
-	open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b
+	open-cluster-management.io/api v0.15.1-0.20250226073118-8c9793267c9e
 	open-cluster-management.io/cluster-proxy v0.4.0
 	open-cluster-management.io/managed-serviceaccount v0.6.0
-	open-cluster-management.io/ocm v0.15.1-0.20250228202623-6c270f90a09a
+	open-cluster-management.io/ocm v0.15.1-0.20250306192929-c4e706f12358
 	open-cluster-management.io/sdk-go v0.15.1-0.20241125015855-1536c3970f8f
 	sigs.k8s.io/apiserver-network-proxy v0.29.0
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3

go.sum

@@ -563,14 +563,14 @@ k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24=
 k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM=
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI=
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b h1:1ScdOKBMLbzA/k84P9Z64uSq3sxRclquej3tT1zhsqU=
-open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
+open-cluster-management.io/api v0.15.1-0.20250226073118-8c9793267c9e h1:4iQneGfxartfFSR+IHZRrjEuwtRpiHyKQ15Kd33YCVk=
+open-cluster-management.io/api v0.15.1-0.20250226073118-8c9793267c9e/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
 open-cluster-management.io/cluster-proxy v0.4.0 h1:rm0UDaDWe3/P3xLzwqdHtqNksKwSzsic02MkrEe6BnM=
 open-cluster-management.io/cluster-proxy v0.4.0/go.mod h1:gTvfDHAhGezhdg4BD3ECBn6jbg2Y5PbHhV2ceW5nrB0=
 open-cluster-management.io/managed-serviceaccount v0.6.0 h1:qIi5T9WQJBuoGqnYGIktXbtqfQoiN2H9XU2P/6lAQiw=
 open-cluster-management.io/managed-serviceaccount v0.6.0/go.mod h1:G4LUTbZiyrB8c0+rqi/xnDmGlsg7Rdr4T7MPLCWhyQI=
-open-cluster-management.io/ocm v0.15.1-0.20250228202623-6c270f90a09a h1:Im9vF1AQp9D6A7W1c8NBd58/6rYMP8o7b2SvtrbR1qA=
-open-cluster-management.io/ocm v0.15.1-0.20250228202623-6c270f90a09a/go.mod h1:Milw2tXtXFE4iJB2F4x2DtXxozLXYJhEyz9CuUfggzg=
+open-cluster-management.io/ocm v0.15.1-0.20250306192929-c4e706f12358 h1:cI1iF80iMHrO1GMB6c8HBXvWUqFDByW4aP0QWcI2fag=
+open-cluster-management.io/ocm v0.15.1-0.20250306192929-c4e706f12358/go.mod h1:TpRPBEiYJj8ZoVmuDIJS+nJlixRv2fnp/a54uXSWd38=
 open-cluster-management.io/sdk-go v0.15.1-0.20241125015855-1536c3970f8f h1:zeC7QrFNarfK2zY6jGtd+mX+yDrQQmnH/J8A7n5Nh38=
 open-cluster-management.io/sdk-go v0.15.1-0.20241125015855-1536c3970f8f/go.mod h1:fi5WBsbC5K3txKb8eRLuP0Sim/Oqz/PHX18skAEyjiA=
 oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=

pkg/cmd/init/cmd.go

@@ -16,7 +16,11 @@ var example = `
 %[1]s init
 
 # Initialize the hub cluster with the type of authentication. Either or both of csr,awsirsa
-%[1]s init --registration-drivers="awsirsa,csr" --hubClusterArn arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1
+%[1]s init --registration-drivers "awsirsa,csr"
+    --hubClusterArn arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1
+	--aws-resource-tags product:v1:tenant:app-name=My-App,product:v1:tenant:created-by=Team-1
+    --auto-approved-csr-identities="user1,user2"
+	--auto-approved-arn-patterns="arn:aws:eks:us-west-2:123456789013:cluster/.*,arn:aws:eks:us-west-2:123456789012:cluster/.*"
 `
 
 // NewCmd ...
@@ -85,6 +89,8 @@ func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, stream
 		"The type of authentication to use for registering and authenticating with hub. Only csr and awsirsa are accepted as valid inputs. This flag can be repeated to specify multiple authentication types.")
 	cmd.Flags().StringVar(&o.hubClusterArn, "hub-cluster-arn", "",
 		"The hubCluster ARN to be passed if awsirsa is one of the registrationAuths and the cluster name in EKS kubeconfig doesn't contain hubClusterArn")
+	cmd.Flags().StringSliceVar(&o.awsResourceTags, "aws-resource-tags", []string{},
+		"List of tags to be added to AWS resources created by hub while processing awsirsa registration request, for example: product:v1:tenant:app-name=My-App,product:v1:tenant:created-by=Team-1")
 
 	cmd.Flags().StringSliceVar(&o.autoApprovedCSRIdentities, "auto-approved-csr-identities", []string{},
 		"The users or identities that can be auto approved for CSR and auto accepted to join with hub cluster")

pkg/cmd/init/exec.go

@@ -390,13 +390,15 @@ func getRegistrationDrivers(o *Options) ([]operatorv1.RegistrationDriverHub, err
 
 	for _, driver := range o.registrationDrivers {
 		if driver == "csr" {
-			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, AutoApprovedIdentities: o.autoApprovedCSRIdentities}
+			csr := &operatorv1.CSRConfig{AutoApprovedIdentities: o.autoApprovedCSRIdentities}
+			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, CSR: csr}
 		} else if driver == "awsirsa" {
 			hubClusterArn, err := getHubClusterArn(o)
 			if err != nil {
 				return registrationDrivers, err
 			}
-			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, AutoApprovedIdentities: o.autoApprovedARNPatterns, HubClusterArn: hubClusterArn}
+			awsirsa := &operatorv1.AwsIrsaConfig{HubClusterArn: hubClusterArn, Tags: o.awsResourceTags, AutoApprovedIdentities: o.autoApprovedARNPatterns}
+			registrationDriver = operatorv1.RegistrationDriverHub{AuthType: driver, AwsIrsa: awsirsa}
 		}
 		registrationDrivers = append(registrationDrivers, registrationDriver)
 	}

pkg/cmd/init/options.go

@@ -61,6 +61,8 @@ type Options struct {
 	autoApprovedCSRIdentities []string
 	// A list of AWS EKS ARN patterns that are accepted and whatever matches can be auto accepted to join hub cluster
 	autoApprovedARNPatterns []string
+	// List of tags to be added to AWS resources created by hub while processing awsirsa registration request
+	awsResourceTags []string
 }
 
 func newOptions(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericiooptions.IOStreams) *Options {

test/e2e/clusteradm/init_test.go

@@ -55,17 +55,25 @@ var _ = ginkgo.Describe("test clusteradm with bootstrap token in singleton mode"
 				"--bundle-version=latest",
 				"--registration-drivers=awsirsa,csr",
 				"--hub-cluster-arn=arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
+				"--aws-resource-tags=product:v1:tenant:app-name=My-App,product:v1:tenant:created-by=Team-1",
 			)
 			gomega.Expect(err).NotTo(gomega.HaveOccurred(), "clusteradm init error")
 
 			cm, err = operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 			// Ensure that awsirsa and csr is passed as registration-drivers both the values are set.
 			gomega.Expect(len(cm.Spec.RegistrationConfiguration.RegistrationDrivers)).Should(gomega.Equal(2))
+
 			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AuthType).Should(gomega.Equal("awsirsa"))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AuthType).Should(gomega.Equal("csr"))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].HubClusterArn).
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AwsIrsa.HubClusterArn).
 				Should(gomega.Equal("arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1"))
+			gomega.Expect(len(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AwsIrsa.Tags)).Should(gomega.Equal(2))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AwsIrsa.Tags).
+				Should(gomega.ContainElement("product:v1:tenant:app-name=My-App"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AwsIrsa.Tags).
+				Should(gomega.ContainElement("product:v1:tenant:created-by=Team-1"))
+
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AuthType).Should(gomega.Equal("csr"))
 
 			err = e2e.Clusteradm().Init(
 				"--use-bootstrap-token",
@@ -74,17 +82,26 @@ var _ = ginkgo.Describe("test clusteradm with bootstrap token in singleton mode"
 				"--registration-drivers=awsirsa,csr",
 				"--hub-cluster-arn=arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
 				"--feature-gates=ManagedClusterAutoApproval=true",
-				"--auto-approved-csr-identities=csr1",
-				"--auto-approved-arn-patterns=arn:aws:eks:us-west-2:123456789012:cluster/*",
+				"--auto-approved-csr-identities=user1,user2",
+				"--auto-approved-arn-patterns=arn:aws:eks:us-west-2:123456789013:cluster/.*,arn:aws:eks:us-west-2:123456789012:cluster/.*",
 			)
 			gomega.Expect(err).NotTo(gomega.HaveOccurred(), "clusteradm init error")
 			cm, err = operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 			// Ensure that the auto approval identities contain user for CSR and pattern for AWS
 			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AuthType).Should(gomega.Equal("awsirsa"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AwsIrsa.HubClusterArn).
+				Should(gomega.Equal("arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1"))
+			gomega.Expect(len(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AwsIrsa.AutoApprovedIdentities)).Should(gomega.Equal(2))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AwsIrsa.AutoApprovedIdentities).
+				Should(gomega.ContainElement("arn:aws:eks:us-west-2:123456789013:cluster/.*"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AwsIrsa.AutoApprovedIdentities).
+				Should(gomega.ContainElement("arn:aws:eks:us-west-2:123456789012:cluster/.*"))
+
+
 			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AuthType).Should(gomega.Equal("csr"))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].AutoApprovedIdentities[0]).Should(gomega.Equal("csr1"))
-			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[0].AutoApprovedIdentities[0]).Should(gomega.Equal("arn:aws:eks:us-west-2:123456789012:cluster/*"))
+			gomega.Expect(cm.Spec.RegistrationConfiguration.RegistrationDrivers[1].CSR.AutoApprovedIdentities).
+				Should(gomega.Equal("user1,user2"))
 
 			err = e2e.Clusteradm().Init(
 				"--use-bootstrap-token",

vendor/modules.txt

@@ -1245,7 +1245,7 @@ k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# open-cluster-management.io/api v0.15.1-0.20250219064651-4281b7684d9b
+# open-cluster-management.io/api v0.15.1-0.20250226073118-8c9793267c9e
 ## explicit; go 1.22.0
 open-cluster-management.io/api/addon/v1alpha1
 open-cluster-management.io/api/client/addon/clientset/versioned
@@ -1288,7 +1288,7 @@ open-cluster-management.io/managed-serviceaccount/pkg/generated/clientset/versio
 open-cluster-management.io/managed-serviceaccount/pkg/generated/clientset/versioned/scheme
 open-cluster-management.io/managed-serviceaccount/pkg/generated/clientset/versioned/typed/authentication/v1alpha1
 open-cluster-management.io/managed-serviceaccount/pkg/generated/clientset/versioned/typed/authentication/v1beta1
-# open-cluster-management.io/ocm v0.15.1-0.20250228202623-6c270f90a09a
+# open-cluster-management.io/ocm v0.15.1-0.20250306192929-c4e706f12358
 ## explicit; go 1.22.5
 open-cluster-management.io/ocm/deploy/cluster-manager/chart
 open-cluster-management.io/ocm/deploy/klusterlet/chart