PEM-4967: CAPA TopSecret region support

Author: jayesh-srivastava

cmd/clusterawsadm/cloudformation/bootstrap/fargate.go

@@ -22,12 +22,7 @@ import (
 )
 
 func (t Template) fargateProfilePolicies(roleSpec *bootstrapv1.AWSIAMRoleSpec) []string {
-	var policies []string
-	if t.Spec.Partition == bootstrapv1.DefaultPartitionNameUSGov {
-		policies = eks.FargateRolePoliciesAWSUSGov()
-	} else {
-		policies = eks.FargateRolePolicies()
-	}
+	policies := eks.GenerateFargateRolePoliciesARN(t.Spec.Partition)
 	if roleSpec.ExtraPolicyAttachments != nil {
 		policies = append(policies, roleSpec.ExtraPolicyAttachments...)
 	}

cmd/clusterawsadm/cloudformation/bootstrap/managed_nodegroup.go

@@ -17,18 +17,12 @@ limitations under the License.
 package bootstrap
 
 import (
-	"sigs.k8s.io/cluster-api-provider-aws/cmd/clusterawsadm/api/bootstrap/v1beta1"
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/services/eks"
 )
 
 func (t Template) eksMachinePoolPolicies() []string {
 
-	var policies []string
-	if t.Spec.Partition == v1beta1.DefaultPartitionNameUSGov {
-		policies = eks.NodegroupRolePoliciesAWSUSGov()
-	} else {
-		policies = eks.NodegroupRolePolicies()
-	}
+	policies := eks.GenerateNodegroupRolePoliciesARN(t.Spec.Partition)
 	if t.Spec.EKS.ManagedMachinePool.ExtraPolicyAttachments != nil {
 		policies = append(policies, t.Spec.EKS.ManagedMachinePool.ExtraPolicyAttachments...)
 	}

cmd/clusterawsadm/cloudformation/bootstrap/template.go

@@ -36,13 +36,13 @@ const (
 	AWSIAMInstanceProfileControllers             = "AWSIAMInstanceProfileControllers"
 	AWSIAMInstanceProfileControlPlane            = "AWSIAMInstanceProfileControlPlane"
 	AWSIAMInstanceProfileNodes                   = "AWSIAMInstanceProfileNodes"
+	AWSIAMUserBootstrapper                       = "AWSIAMUserBootstrapper"
 	AWSIAMRoleControllers                        = "AWSIAMRoleControllers"
 	AWSIAMRoleControlPlane                       = "AWSIAMRoleControlPlane"
 	AWSIAMRoleNodes                              = "AWSIAMRoleNodes"
 	AWSIAMRoleEKSControlPlane                    = "AWSIAMRoleEKSControlPlane"
 	AWSIAMRoleEKSNodegroup                       = "AWSIAMRoleEKSNodegroup"
 	AWSIAMRoleEKSFargate                         = "AWSIAMRoleEKSFargate"
-	AWSIAMUserBootstrapper                       = "AWSIAMUserBootstrapper"
 	ControllersPolicy                 PolicyName = "AWSIAMManagedPolicyControllers"
 	ControllersPolicyEKS              PolicyName = "AWSIAMManagedPolicyControllersEKS"
 	ControlPlanePolicy                PolicyName = "AWSIAMManagedPolicyCloudProviderControlPlane"
@@ -71,18 +71,26 @@ func (t Template) NewManagedName(name string) string {
 	return fmt.Sprintf("%s%s%s", t.Spec.NamePrefix, name, *t.Spec.NameSuffix)
 }
 
+func (t Template) NewEKSManagedName(name string) string {
+	return fmt.Sprintf("%s%s", t.Spec.NamePrefix, name)
+}
+
 // RenderCloudFormation will render and return a cloudformation Template.
-func (t Template) RenderCloudFormation() *cloudformation.Template {
+func (t Template) RenderCloudFormation(permissionsBoundary *string) *cloudformation.Template {
 	template := cloudformation.NewTemplate()
 
 	if t.Spec.BootstrapUser.Enable {
-		template.Resources[AWSIAMUserBootstrapper] = &cfn_iam.User{
+		user := &cfn_iam.User{
 			UserName:          t.Spec.BootstrapUser.UserName,
 			Groups:            t.bootstrapUserGroups(),
 			ManagedPolicyArns: t.Spec.ControlPlane.ExtraPolicyAttachments,
 			Policies:          t.bootstrapUserPolicy(),
 			Tags:              converters.MapToCloudFormationTags(t.Spec.BootstrapUser.Tags),
 		}
+		if permissionsBoundary != nil && len(*permissionsBoundary) > 0 {
+			user.PermissionsBoundary = *permissionsBoundary
+		}
+		template.Resources[AWSIAMUserBootstrapper] = user
 
 		template.Resources[AWSIAMGroupBootstrapper] = &cfn_iam.Group{
 			GroupName: t.Spec.BootstrapUser.GroupName,
@@ -134,28 +142,40 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 		}
 	}
 
-	template.Resources[AWSIAMRoleControlPlane] = &cfn_iam.Role{
+	cpRole := &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("control-plane"),
 		AssumeRolePolicyDocument: t.controlPlaneTrustPolicy(),
 		ManagedPolicyArns:        t.Spec.ControlPlane.ExtraPolicyAttachments,
 		Policies:                 t.controlPlanePolicies(),
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ControlPlane.Tags),
 	}
+	if permissionsBoundary != nil && len(*permissionsBoundary) > 0 {
+		cpRole.PermissionsBoundary = *permissionsBoundary
+	}
+	template.Resources[AWSIAMRoleControlPlane] = cpRole
 
-	template.Resources[AWSIAMRoleControllers] = &cfn_iam.Role{
+	ctrRole := &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("controllers"),
 		AssumeRolePolicyDocument: t.controllersTrustPolicy(),
 		Policies:                 t.controllersRolePolicy(),
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ClusterAPIControllers.Tags),
 	}
+	if permissionsBoundary != nil && len(*permissionsBoundary) > 0 {
+		ctrRole.PermissionsBoundary = *permissionsBoundary
+	}
+	template.Resources[AWSIAMRoleControllers] = ctrRole
 
-	template.Resources[AWSIAMRoleNodes] = &cfn_iam.Role{
+	nodeRole := &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("nodes"),
 		AssumeRolePolicyDocument: t.nodeTrustPolicy(),
 		ManagedPolicyArns:        t.nodeManagedPolicies(),
 		Policies:                 t.nodePolicies(),
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.Nodes.Tags),
 	}
+	if permissionsBoundary != nil && len(*permissionsBoundary) > 0 {
+		nodeRole.PermissionsBoundary = *permissionsBoundary
+	}
+	template.Resources[AWSIAMRoleNodes] = nodeRole
 
 	template.Resources[AWSIAMInstanceProfileControlPlane] = &cfn_iam.InstanceProfile{
 		InstanceProfileName: t.NewManagedName("control-plane"),
@@ -179,30 +199,42 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 	}
 
 	if !t.Spec.EKS.DefaultControlPlaneRole.Disable && !t.Spec.EKS.Disable {
-		template.Resources[AWSIAMRoleEKSControlPlane] = &cfn_iam.Role{
-			RoleName:                 ekscontrolplanev1.DefaultEKSControlPlaneRole,
+		eksCPRole := &cfn_iam.Role{
+			RoleName:                 t.NewEKSManagedName(ekscontrolplanev1.DefaultEKSControlPlaneRole),
 			AssumeRolePolicyDocument: AssumeRolePolicy(iamv1.PrincipalService, []string{"eks.amazonaws.com"}),
 			ManagedPolicyArns:        t.eksControlPlanePolicies(),
 			Tags:                     converters.MapToCloudFormationTags(t.Spec.EKS.DefaultControlPlaneRole.Tags),
 		}
+		if permissionsBoundary != nil && len(*permissionsBoundary) > 0 {
+			eksCPRole.PermissionsBoundary = *permissionsBoundary
+		}
+		template.Resources[AWSIAMRoleEKSControlPlane] = eksCPRole
 	}
 
 	if !t.Spec.EKS.ManagedMachinePool.Disable && !t.Spec.EKS.Disable {
-		template.Resources[AWSIAMRoleEKSNodegroup] = &cfn_iam.Role{
-			RoleName:                 expinfrav1.DefaultEKSNodegroupRole,
+		eksNGRole := &cfn_iam.Role{
+			RoleName:                 t.NewEKSManagedName(expinfrav1.DefaultEKSNodegroupRole),
 			AssumeRolePolicyDocument: AssumeRolePolicy(iamv1.PrincipalService, []string{"ec2.amazonaws.com", "eks.amazonaws.com"}),
 			ManagedPolicyArns:        t.eksMachinePoolPolicies(),
 			Tags:                     converters.MapToCloudFormationTags(t.Spec.EKS.ManagedMachinePool.Tags),
 		}
+		if permissionsBoundary != nil && len(*permissionsBoundary) > 0 {
+			eksNGRole.PermissionsBoundary = *permissionsBoundary
+		}
+		template.Resources[AWSIAMRoleEKSNodegroup] = eksNGRole
 	}
 
 	if !t.Spec.EKS.Fargate.Disable && !t.Spec.EKS.Disable {
-		template.Resources[AWSIAMRoleEKSFargate] = &cfn_iam.Role{
-			RoleName:                 expinfrav1.DefaultEKSFargateRole,
+		eksFGRole := &cfn_iam.Role{
+			RoleName:                 t.NewEKSManagedName(expinfrav1.DefaultEKSFargateRole),
 			AssumeRolePolicyDocument: AssumeRolePolicy(iamv1.PrincipalService, []string{eksiam.EKSFargateService}),
 			ManagedPolicyArns:        t.fargateProfilePolicies(t.Spec.EKS.Fargate),
 			Tags:                     converters.MapToCloudFormationTags(t.Spec.EKS.Fargate.Tags),
 		}
+		if permissionsBoundary != nil && len(*permissionsBoundary) > 0 {
+			eksFGRole.PermissionsBoundary = *permissionsBoundary
+		}
+		template.Resources[AWSIAMRoleEKSFargate] = eksFGRole
 	}
 
 	if t.Spec.EKS.EnableUserEKSConsolePolicy && !t.Spec.EKS.Disable {

cmd/clusterawsadm/cloudformation/bootstrap/template_test.go

@@ -188,7 +188,7 @@ func Test_RenderCloudformation(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			tData, err := c.template().RenderCloudFormation().YAML()
+			tData, err := c.template().RenderCloudFormation(nil).YAML()
 			if err != nil {
 				t.Fatal(err)
 			}

cmd/clusterawsadm/cmd/bootstrap/iam/cloudformation.go

@@ -54,7 +54,7 @@ func printCloudFormationTemplateCmd() *cobra.Command {
 				return err
 			}
 
-			cfnTemplate := t.RenderCloudFormation()
+			cfnTemplate := t.RenderCloudFormation(nil)
 			yml, err := cfnTemplate.YAML()
 			if err != nil {
 				return err
@@ -109,7 +109,7 @@ func createCloudFormationStackCmd() *cobra.Command {
 
 			cfnSvc := cloudformation.NewService(cfn.New(sess))
 
-			err = cfnSvc.ReconcileBootstrapStack(t.Spec.StackName, *t.RenderCloudFormation(), t.Spec.StackTags)
+			err = cfnSvc.ReconcileBootstrapStack(t.Spec.StackName, *t.RenderCloudFormation(nil), t.Spec.StackTags)
 			if err != nil {
 				fmt.Printf("Error: %v\n", err)
 				return err

config/default/credentials.yaml

@@ -6,3 +6,12 @@ metadata:
 type: Opaque
 data:
   credentials: ${AWS_B64ENCODED_CREDENTIALS}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: manager-bootstrap-ca-bundle
+  namespace: system
+type: Opaque
+data:
+  credentials: ${AWS_B64ENCODED_CABUNDLE}

config/default/manager_credentials_patch.yaml

@@ -11,10 +11,19 @@ spec:
         env:
         - name: AWS_SHARED_CREDENTIALS_FILE
           value: /home/.aws/credentials
+        - name: AWS_CONFIG_FILE # required for AWS SDK to load config and for aws secret regions
+          value: /home/.aws/config
+        - name: AWS_SDK_LOAD_CONFIG
+          value: "true"
         volumeMounts:
         - name: credentials
           mountPath: /home/.aws
+        - name: ca-bundle
+          mountPath: /home/.aws/ca-bundle
       volumes:
       - name: credentials
         secret:
           secretName: manager-bootstrap-credentials
+      - name: ca-bundle
+        secret:
+          secretName: manager-bootstrap-ca-bundle

go.mod

@@ -27,8 +27,8 @@ require (
 	github.com/sergi/go-diff v1.2.0
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.21.0
-	golang.org/x/text v0.14.0
+	golang.org/x/crypto v0.31.0
+	golang.org/x/text v0.21.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.25.0
 	k8s.io/apiextensions-apiserver v0.25.0
@@ -138,10 +138,10 @@ require (
 	github.com/subosito/gotenv v1.3.0 // indirect
 	github.com/valyala/fastjson v1.6.3 // indirect
 	github.com/vincent-petithory/dataurl v1.0.0 // indirect
-	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect

go.sum

@@ -795,8 +795,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -887,8 +887,8 @@ golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -992,14 +992,14 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
-golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1010,8 +1010,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

pkg/cloud/services/eks/iam/iam.go

@@ -183,6 +183,7 @@ func (s *IAMService) CreateRole(
 	key string,
 	trustRelationship *iamv1.PolicyDocument,
 	additionalTags infrav1.Tags,
+	permissionsBoundary string,
 ) (*iam.Role, error) {
 	tags := RoleTags(key, additionalTags)
 
@@ -197,6 +198,10 @@ func (s *IAMService) CreateRole(
 		AssumeRolePolicyDocument: aws.String(trustRelationshipJSON),
 	}
 
+	if len(permissionsBoundary) > 0 {
+		input.PermissionsBoundary = aws.String(permissionsBoundary)
+	}
+
 	out, err := s.IAMClient.CreateRole(input)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to call CreateRole")