Add OIDC id for Operator roles

Author: PanSpagetka

config/crd/bases/infrastructure.cluster.x-k8s.io_rosaroleconfigs.yaml

@@ -15,6 +15,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
+// log is for logging in this package.
+var rosacpLog = ctrl.Log.WithName("rosacontrolplane-resource")
+
 // SetupWebhookWithManager will setup the webhooks for the ROSAControlPlane.
 func (r *ROSAControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	w := new(rosaControlPlaneWebhook)
@@ -184,25 +187,54 @@ func (r *ROSAControlPlane) validateExternalAuthProviders() *field.Error {
 }
 
 func (r *ROSAControlPlane) validateRosaRoleConfig() *field.Error {
-	hasRosaRoleConfigRef := r.Spec.RosaRoleConfigRef != nil
 	hasAnyDirectRoleFields := r.Spec.OIDCID != "" || r.Spec.InstallerRoleARN != "" || r.Spec.SupportRoleARN != "" || r.Spec.WorkerRoleARN != "" ||
 		r.Spec.RolesRef.IngressARN != "" || r.Spec.RolesRef.ImageRegistryARN != "" || r.Spec.RolesRef.StorageARN != "" ||
 		r.Spec.RolesRef.NetworkARN != "" || r.Spec.RolesRef.KubeCloudControllerARN != "" || r.Spec.RolesRef.NodePoolManagementARN != "" ||
 		r.Spec.RolesRef.ControlPlaneOperatorARN != "" || r.Spec.RolesRef.KMSProviderARN != ""
 
-	hasAllDirectRoleFields := r.Spec.OIDCID != "" && r.Spec.InstallerRoleARN != "" && r.Spec.SupportRoleARN != "" && r.Spec.WorkerRoleARN != "" &&
-		r.Spec.RolesRef.IngressARN != "" && r.Spec.RolesRef.ImageRegistryARN != "" && r.Spec.RolesRef.StorageARN != "" &&
-		r.Spec.RolesRef.NetworkARN != "" && r.Spec.RolesRef.KubeCloudControllerARN != "" && r.Spec.RolesRef.NodePoolManagementARN != "" &&
-		r.Spec.RolesRef.ControlPlaneOperatorARN != "" && r.Spec.RolesRef.KMSProviderARN != ""
-
-	if hasRosaRoleConfigRef && hasAnyDirectRoleFields {
-		return field.Invalid(field.NewPath("spec.rosaRoleConfigRef"), r.Spec.RosaRoleConfigRef, "rosaRoleConfigRef and direct role fields (oidcID, installerRoleARN, supportRoleARN, workerRoleARN, rolesRef) are mutually exclusive")
+	if r.Spec.RosaRoleConfigRef != nil {
+		if hasAnyDirectRoleFields {
+			rosacpLog.Info("rosaRoleConfigRef and direct role fields (oidcID, installerRoleARN, supportRoleARN, workerRoleARN, rolesRef) are mutually exclusive")
+		}
+		return nil
 	}
 
-	if !hasRosaRoleConfigRef && !hasAllDirectRoleFields {
-		return field.Invalid(field.NewPath("spec"), r.Spec, "either rosaRoleConfigRef or direct role fields (oidcID, installerRoleARN, supportRoleARN, workerRoleARN, rolesRef) must be specified")
+	if r.Spec.OIDCID == "" {
+		return field.Invalid(field.NewPath("spec.oidcID"), r.Spec.OIDCID, "must be specified")
+	}
+	if r.Spec.InstallerRoleARN == "" {
+		return field.Invalid(field.NewPath("spec.installerRoleARN"), r.Spec.InstallerRoleARN, "must be specified")
+	}
+	if r.Spec.SupportRoleARN == "" {
+		return field.Invalid(field.NewPath("spec.supportRoleARN"), r.Spec.SupportRoleARN, "must be specified")
+	}
+	if r.Spec.WorkerRoleARN == "" {
+		return field.Invalid(field.NewPath("spec.workerRoleARN"), r.Spec.WorkerRoleARN, "must be specified")
+	}
+	if r.Spec.RolesRef.IngressARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.ingressARN"), r.Spec.RolesRef.IngressARN, "must be specified")
+	}
+	if r.Spec.RolesRef.ImageRegistryARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.imageRegistryARN"), r.Spec.RolesRef.ImageRegistryARN, "must be specified")
+	}
+	if r.Spec.RolesRef.StorageARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.storageARN"), r.Spec.RolesRef.StorageARN, "must be specified")
+	}
+	if r.Spec.RolesRef.NetworkARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.networkARN"), r.Spec.RolesRef.NetworkARN, "must be specified")
+	}
+	if r.Spec.RolesRef.KubeCloudControllerARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.kubeCloudControllerARN"), r.Spec.RolesRef.KubeCloudControllerARN, "must be specified")
+	}
+	if r.Spec.RolesRef.NodePoolManagementARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.nodePoolManagementARN"), r.Spec.RolesRef.NodePoolManagementARN, "must be specified")
+	}
+	if r.Spec.RolesRef.ControlPlaneOperatorARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.controlPlaneOperatorARN"), r.Spec.RolesRef.ControlPlaneOperatorARN, "must be specified")
+	}
+	if r.Spec.RolesRef.KMSProviderARN == "" {
+		return field.Invalid(field.NewPath("spec.rolesRef.kmsProviderARN"), r.Spec.RolesRef.KMSProviderARN, "must be specified")
 	}
-
 	return nil
 }
 

controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go

@@ -171,7 +171,6 @@ func (r *ROSAControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	}
 
 	log = log.WithValues("cluster", klog.KObj(cluster))
-
 	if isPaused, conditionChanged, err := paused.EnsurePausedCondition(ctx, r.Client, cluster, rosaControlPlane); err != nil || isPaused || conditionChanged {
 		return ctrl.Result{}, err
 	}
@@ -202,10 +201,10 @@ func (r *ROSAControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	}
 
 	// Handle normal reconciliation loop.
-	return r.reconcileNormal(ctx, rosaScope)
+	return r.reconcileNormal(ctx, rosaScope, log)
 }
 
-func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaScope *scope.ROSAControlPlaneScope) (res ctrl.Result, reterr error) {
+func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaScope *scope.ROSAControlPlaneScope, log *logger.Logger) (res ctrl.Result, reterr error) {
 	rosaScope.Info("Reconciling ROSAControlPlane")
 
 	if controllerutil.AddFinalizer(rosaScope.ControlPlane, ROSAControlPlaneFinalizer) {
@@ -245,9 +244,11 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 					rosacontrolplanev1.ROSARoleConfigNotFoundReason,
 					clusterv1.ConditionSeverityError,
 					"RosaRoleConfig %s/%s not found", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name)
-				return ctrl.Result{}, fmt.Errorf("RosaRoleConfig %s/%s not found: %w", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err)
+				log.Error(err, fmt.Sprintf("RosaRoleConfig %s/%s not found: %w", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err))
+				return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 			}
-			return ctrl.Result{}, fmt.Errorf("failed to get RosaRoleConfig %s/%s: %w", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err)
+			log.Error(err, fmt.Sprintf("failed to get RosaRoleConfig %s/%s: %w", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name, err))
+			return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 		}
 
 		// Check if RosaRoleConfig is ready
@@ -257,7 +258,9 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 				rosacontrolplanev1.ROSARoleConfigNotReadyReason,
 				clusterv1.ConditionSeverityWarning,
 				"RosaRoleConfig %s/%s is not ready", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name)
-			return ctrl.Result{}, fmt.Errorf("RosaRoleConfig %s/%s is not ready", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name)
+			log.Error(err, fmt.Sprintf("RosaRoleConfig %s/%s is not ready", rosaScope.ControlPlane.Namespace, rosaScope.ControlPlane.Spec.RosaRoleConfigRef.Name))
+
+			return ctrl.Result{RequeueAfter: time.Second * 60}, nil
 		}
 
 		conditions.MarkTrue(rosaScope.ControlPlane, rosacontrolplanev1.ROSARoleConfigReadyCondition)
@@ -267,7 +270,6 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		rosaRoleConfig.Status.AccountRolesRef.SupportRoleARN = rosaScope.ControlPlane.Spec.SupportRoleARN
 		rosaRoleConfig.Status.AccountRolesRef.WorkerRoleARN = rosaScope.ControlPlane.Spec.WorkerRoleARN
 		rosaRoleConfig.Status.OperatorRolesRef = rosaScope.ControlPlane.Spec.RolesRef
-		rosaRoleConfig.Spec.OIDCConfig.ExternalAuthProviders = rosaScope.ControlPlane.Spec.ExternalAuthProviders
 	}
 
 	validationMessage, err := validateControlPlaneSpec(ocmClient, rosaScope)

controlplane/rosa/controllers/rosacontrolplane_controller.go

@@ -32,13 +32,9 @@ import (
 type ROSARoleConfigSpec struct {
 	AccountRoleConfig  AccountRoleConfig             `json:"accountRoleConfig"`
 	OperatorRoleConfig OperatorRoleConfig            `json:"operatorRoleConfig"`
-	OIDCConfig         OIDCConfig                    `json:"oidcConfig"`
 	IdentityRef        *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
 	Region             string                        `json:"region,omitempty"`
 	// CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API.
-	// The secret should contain the following data keys:
-	// - ocmToken: eyJhbGciOiJIUzI1NiIsI....
-	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
 	// +optional
 	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`
 }
@@ -60,7 +56,7 @@ type ROSARoleConfig struct {
 // AccountRoleConfig defines account-wide IAM roles before creating your ROSA cluster.
 type AccountRoleConfig struct {
 	// User-defined prefix for all generated AWS resources
-	// +kubebuilder:validation:MaxLength:=40
+	// +kubebuilder:validation:MaxLength:=4
 	// +kubebuilder:validation:Required
 	// +immutable
 	Prefix string `json:"prefix"`
@@ -99,6 +95,10 @@ type OperatorRoleConfig struct {
 	// +optional
 	// +immutable
 	SharedVPCConfig SharedVPCConfig `json:"sharedVPCConfig,omitempty"`
+	// OIDCID is the ID of the OIDC config that will be used to create the operator roles.
+	// +optional
+	// +immutable
+	OIDCID string `json:"oidcID,omitempty"`
 }
 
 // SharedVPCConfig is used to set up shared VPC.
@@ -109,34 +109,6 @@ type SharedVPCConfig struct {
 	VPCEndpointRoleARN string `json:"vpcEndpointRoleArn,omitempty"`
 }
 
-// OIDCConfig creates OIDC config in a S3 bucket for the client AWS account and populates it to be compliant with OIDC protocol.
-// It also creates a Secret in Secrets Manager containing the private key.
-type OIDCConfig struct {
-	// ManagedOIDC indicates whether it is a Red Hat managed or unmanaged (Customer hosted) OIDC Configuration. Default is true.
-	// +kubebuilder:default=true
-	// +immutable
-	ManagedOIDC bool `json:"managedOIDC"`
-	// ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster.
-	// Can only be set if "enableExternalAuthProviders" is set to "True".
-	//
-	// At most one provider can be configured.
-	//
-	// +listType=map
-	// +listMapKey=name
-	// +kubebuilder:validation:MaxItems=1
-	// +immutable
-	ExternalAuthProviders []rosacontrolplanev1.ExternalAuthProvider `json:"externalAuthProviders,omitempty"`
-	// IdentityRef is the AWS identity reference for the OIDC config.
-	// +immutable
-	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`
-	// Region is the AWS region for the OIDC config.
-	// +immutable
-	Region string `json:"region,omitempty"`
-	// Prefix is the prefix for the OIDC config.
-	// +immutable
-	Prefix string `json:"prefix"`
-}
-
 // ROSARoleConfigStatus defines the observed state of ROSARoleConfig
 type ROSARoleConfigStatus struct {
 	// ID of created OIDC config