adding IRSA functionality through an OIDC provider using an s3 bucket

Author: luthermonson

api/v1beta1/awscluster_conversion.go

@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	apiconversion "k8s.io/apimachinery/pkg/conversion"
+	"sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	infrav2 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	utilconversion "sigs.k8s.io/cluster-api/util/conversion"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
@@ -50,6 +51,8 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Status.Bastion.PlacementGroupName = restored.Status.Bastion.PlacementGroupName
 	}
 	dst.Spec.Partition = restored.Spec.Partition
+	dst.Spec.AssociateOIDCProvider = restored.Spec.AssociateOIDCProvider
+	dst.Status.OIDCProvider = restored.Status.OIDCProvider
 
 	for role, sg := range restored.Status.Network.SecurityGroups {
 		dst.Status.Network.SecurityGroups[role] = sg
@@ -170,3 +173,7 @@ func (r *AWSClusterList) ConvertFrom(srcRaw conversion.Hub) error {
 func Convert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in *infrav2.SubnetSpec, out *SubnetSpec, s apiconversion.Scope) error {
 	return autoConvert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in, out, s)
 }
+
+func Convert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in *v1beta2.AWSClusterStatus, out *AWSClusterStatus, scope apiconversion.Scope) error {
+	return autoConvert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in, out, scope)
+}

api/v1beta1/conversion_test.go

@@ -19,9 +19,8 @@ package v1beta1
 import (
 	"testing"
 
-	. "github.com/onsi/gomega"
-
 	fuzz "github.com/google/gofuzz"
+	. "github.com/onsi/gomega"
 	"k8s.io/apimachinery/pkg/api/apitesting/fuzzer"
 	"k8s.io/apimachinery/pkg/runtime"
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
@@ -38,7 +37,7 @@ func fuzzFuncs(_ runtimeserializer.CodecFactory) []interface{} {
 
 func AWSMachineFuzzer(obj *AWSMachine, c fuzz.Continue) {
 	c.FuzzNoCustom(obj)
-	
+
 	// AWSMachine.Spec.FailureDomain, AWSMachine.Spec.Subnet.ARN and AWSMachine.Spec.AdditionalSecurityGroups.ARN has been removed in v1beta2, so setting it to nil in order to avoid v1beta1 --> v1beta2 --> v1beta1 round trip errors.
 	if obj.Spec.Subnet != nil {
 		obj.Spec.Subnet.ARN = nil
@@ -54,7 +53,7 @@ func AWSMachineFuzzer(obj *AWSMachine, c fuzz.Continue) {
 
 func AWSMachineTemplateFuzzer(obj *AWSMachineTemplate, c fuzz.Continue) {
 	c.FuzzNoCustom(obj)
-	
+
 	// AWSMachineTemplate.Spec.Template.Spec.FailureDomain, AWSMachineTemplate.Spec.Template.Spec.Subnet.ARN and AWSMachineTemplate.Spec.Template.Spec.AdditionalSecurityGroups.ARN has been removed in v1beta2, so setting it to nil in order to avoid  v1beta1 --> v1beta2 --> v1beta round trip errors.
 	if obj.Spec.Template.Spec.Subnet != nil {
 		obj.Spec.Template.Spec.Subnet.ARN = nil
@@ -81,16 +80,16 @@ func TestFuzzyConversion(t *testing.T) {
 	}))
 
 	t.Run("for AWSMachine", utilconversion.FuzzTestFunc(utilconversion.FuzzTestFuncInput{
-		Scheme: scheme,
-		Hub:    &v1beta2.AWSMachine{},
-		Spoke:  &AWSMachine{},
+		Scheme:      scheme,
+		Hub:         &v1beta2.AWSMachine{},
+		Spoke:       &AWSMachine{},
 		FuzzerFuncs: []fuzzer.FuzzerFuncs{fuzzFuncs},
 	}))
 
 	t.Run("for AWSMachineTemplate", utilconversion.FuzzTestFunc(utilconversion.FuzzTestFuncInput{
-		Scheme: scheme,
-		Hub:    &v1beta2.AWSMachineTemplate{},
-		Spoke:  &AWSMachineTemplate{},
+		Scheme:      scheme,
+		Hub:         &v1beta2.AWSMachineTemplate{},
+		Spoke:       &AWSMachineTemplate{},
 		FuzzerFuncs: []fuzzer.FuzzerFuncs{fuzzFuncs},
 	}))
 

api/v1beta1/s3bucket.go

@@ -21,8 +21,6 @@ import (
 	"net"
 
 	"k8s.io/apimachinery/pkg/util/validation/field"
-
-	"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
 )
 
 // Validate validates S3Bucket fields.
@@ -37,12 +35,6 @@ func (b *S3Bucket) Validate() []*field.Error {
 		errs = append(errs, field.Required(field.NewPath("spec", "s3Bucket", "name"), "can't be empty"))
 	}
 
-	// Feature gate is not enabled but ignition is enabled then send a forbidden error.
-	if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) {
-		errs = append(errs, field.Forbidden(field.NewPath("spec", "s3Bucket"),
-			"can be set only if the BootstrapFormatIgnition feature gate is enabled"))
-	}
-
 	if b.ControlPlaneIAMInstanceProfile == "" {
 		errs = append(errs,
 			field.Required(field.NewPath("spec", "s3Bucket", "controlPlaneIAMInstanceProfiles"), "can't be empty"))

api/v1beta1/zz_generated.conversion.go

@@ -96,11 +96,18 @@ type AWSClusterSpec struct {
 	IdentityRef *AWSIdentityReference `json:"identityRef,omitempty"`
 
 	// S3Bucket contains options to configure a supporting S3 bucket for this
-	// cluster - currently used for nodes requiring Ignition
+	// cluster - Used  for nodes requiring Ignition
 	// (https://coreos.github.io/ignition/) for bootstrapping (requires
-	// BootstrapFormatIgnition feature flag to be enabled).
+	// BootstrapFormatIgnition feature flag to be enabled) and for storing OIDC endpoint
+	// certificates for use with IRSA
 	// +optional
 	S3Bucket *S3Bucket `json:"s3Bucket,omitempty"`
+
+	// AssociateOIDCProvider can be enabled to automatically create an identity
+	// provider and install the pod identity webhook from AWS for use with IRSA.
+	// This will only work if the S3Bucket is configured properly.
+	// +kubebuilder:default=false
+	AssociateOIDCProvider bool `json:"associateOIDCProvider,omitempty"`
 }
 
 // AWSIdentityKind defines allowed AWS identity types.
@@ -255,6 +262,10 @@ type AWSClusterStatus struct {
 	FailureDomains clusterv1.FailureDomains `json:"failureDomains,omitempty"`
 	Bastion        *Instance                `json:"bastion,omitempty"`
 	Conditions     clusterv1.Conditions     `json:"conditions,omitempty"`
+
+	// OIDCProvider holds the status of the identity provider for this cluster
+	// +optional
+	OIDCProvider OIDCProviderStatus `json:"oidcProvider,omitempty"`
 }
 
 type S3Bucket struct {

api/v1beta2/awscluster_types.go

@@ -407,3 +407,11 @@ const (
 	// AmazonLinuxGPU is the AmazonLinux GPU AMI type.
 	AmazonLinuxGPU EKSAMILookupType = "AmazonLinuxGPU"
 )
+
+// OIDCProviderStatus holds the status of the AWS OIDC identity provider.
+type OIDCProviderStatus struct {
+	// ARN holds the ARN of the provider
+	ARN string `json:"arn,omitempty"`
+	// TrustPolicy contains the boilerplate IAM trust policy to use for IRSA
+	TrustPolicy string `json:"trustPolicy,omitempty"`
+}

api/v1beta2/types.go

@@ -174,6 +174,11 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"ec2:DeleteLaunchTemplateVersions",
 				"ec2:DescribeKeyPairs",
 				"ec2:ModifyInstanceMetadataOptions",
+				"iam:CreateOpenIDConnectProvider",
+				"iam:DeleteOpenIDConnectProvider",
+				"iam:ListOpenIDConnectProviders",
+				"iam:GetOpenIDConnectProvider",
+				"iam:TagOpenIDConnectProvider",
 			},
 		},
 		{
@@ -284,6 +289,9 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"s3:DeleteObject",
 				"s3:PutBucketPolicy",
 				"s3:PutBucketTagging",
+				"s3:PutBucketOwnershipControls",
+				"s3:PutObjectAcl",
+				"s3:PutBucketPublicAccessBlock",
 			},
 		})
 	}

api/v1beta2/zz_generated.deepcopy.go

@@ -233,6 +233,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'

cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go

@@ -233,6 +233,11 @@ Resources:
           - ec2:DeleteLaunchTemplateVersions
           - ec2:DescribeKeyPairs
           - ec2:ModifyInstanceMetadataOptions
+          - iam:CreateOpenIDConnectProvider
+          - iam:DeleteOpenIDConnectProvider
+          - iam:ListOpenIDConnectProviders
+          - iam:GetOpenIDConnectProvider
+          - iam:TagOpenIDConnectProvider
           Effect: Allow
           Resource:
           - '*'