Merge pull request #1 from kkb0318/feature/eks

EKS support

Author: kkb0318

api/v1alpha1/irsasetup_types.go

@@ -33,17 +33,34 @@ type IRSASetupSpec struct {
 	// +required
 	Cleanup bool `json:"cleanup"`
 
-	// Mode (Optional, Future Feature) Defines how the controller will operate once this feature is enabled.
-	// Currently unused. Planned values:
+	// Mode specifies the operation mode of the controller.
+	// Possible values:
 	//   - "selfhosted": For self-managed Kubernetes clusters.
 	//   - "eks": For Amazon EKS environments.
-	Mode string `json:"mode,omitempty"`
+	// Default: "selfhosted"
+	Mode SetupMode `json:"mode,omitempty"`
 
 	// Discovery configures the IdP Discovery process, essential for setting up IRSA by locating
 	// the OIDC provider information.
-	Discovery Discovery `json:"discovery"`
+	// Only applicable when Mode is "selfhosted".
+	// +optional
+	Discovery Discovery `json:"discovery,omitempty"`
+
+	// IamOIDCProvider configures IAM OIDC IamOIDCProvider Name
+	// Only applicable when Mode is "eks".
+	IamOIDCProvider string `json:"iamOIDCProvider,omitempty"`
 }
 
+// +kubebuilder:default=selfhosted
+// +kubebuilder:validation:Enum=selfhosted;eks
+// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
+type SetupMode string
+
+const (
+	ModeSelfhosted = SetupMode("selfhosted")
+	ModeEks        = SetupMode("eks")
+)
+
 // Discovery holds the configuration for IdP Discovery, which is crucial for locating
 // the OIDC provider in a self-hosted environment.
 type Discovery struct {
@@ -62,39 +79,39 @@ type S3Discovery struct {
 
 // IRSASetupStatus defines the observed state of IRSASetup
 type IRSASetupStatus struct {
-	SelfHostedSetup []metav1.Condition `json:"selfHostedSetup,omitempty"`
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
-// GetSelfhostedStatusConditions returns a pointer to the Status.Conditions slice
-func (in *IRSASetup) GetSelfhostedStatusConditions() *[]metav1.Condition {
-	return &in.Status.SelfHostedSetup
+// GetStatusConditions returns a pointer to the Status.Conditions slice
+func (in *IRSASetup) GetStatusConditions() *[]metav1.Condition {
+	return &in.Status.Conditions
 }
 
-func SetupSelfHostedStatusReady(irsa IRSASetup, reason, message string) IRSASetup {
+func SetupStatusReady(irsa IRSASetup, reason, message string) IRSASetup {
 	newCondition := metav1.Condition{
 		Type:    ReadyCondition,
 		Status:  metav1.ConditionTrue,
 		Reason:  reason,
 		Message: message,
 	}
-	apimeta.SetStatusCondition(irsa.GetSelfhostedStatusConditions(), newCondition)
+	apimeta.SetStatusCondition(irsa.GetStatusConditions(), newCondition)
 	return irsa
 }
 
-func SelfHostedStatusNotReady(irsa IRSASetup, reason, message string) IRSASetup {
+func StatusNotReady(irsa IRSASetup, reason, message string) IRSASetup {
 	newCondition := metav1.Condition{
 		Type:    ReadyCondition,
 		Status:  metav1.ConditionFalse,
 		Reason:  reason,
 		Message: message,
 	}
-	apimeta.SetStatusCondition(irsa.GetSelfhostedStatusConditions(), newCondition)
+	apimeta.SetStatusCondition(irsa.GetStatusConditions(), newCondition)
 	return irsa
 }
 
-// SelfHostedReadyStatus
-func SelfHostedReadyStatus(irsa IRSASetup) *metav1.Condition {
-	if c := apimeta.FindStatusCondition(irsa.Status.SelfHostedSetup, ReadyCondition); c != nil {
+// ReadyStatus
+func ReadyStatus(irsa IRSASetup) *metav1.Condition {
+	if c := apimeta.FindStatusCondition(irsa.Status.Conditions, ReadyCondition); c != nil {
 		return c
 	}
 	return nil
@@ -113,22 +130,30 @@ func HasConditionReason(cond *metav1.Condition, reasons ...string) bool {
 	return false
 }
 
-func IsSelfHostedReadyConditionTrue(irsa IRSASetup) bool {
-	return apimeta.IsStatusConditionTrue(irsa.Status.SelfHostedSetup, ReadyCondition)
+func IsReadyConditionTrue(irsa IRSASetup) bool {
+	return apimeta.IsStatusConditionTrue(irsa.Status.Conditions, ReadyCondition)
 }
 
-type SelfHostedReason string
+type SelfhostedConditionReason string
+
+const (
+	SelfHostedReasonFailedWebhook SelfhostedConditionReason = "SelfHostedSetupFailedWebhookCreation"
+	SelfHostedReasonFailedOidc    SelfhostedConditionReason = "SelfHostedSetupFailedOidcCreation"
+	SelfHostedReasonFailedIssuer  SelfhostedConditionReason = "SelfHostedSetupFailedIssuer"
+	SelfHostedReasonFailedKeys    SelfhostedConditionReason = "SelfHostedSetupFailedKeysCreation"
+	SelfHostedReasonReady         SelfhostedConditionReason = "SelfHostedSetupReady"
+)
+
+type EksConditionReason string
 
 const (
-	SelfHostedReasonFailedWebhook SelfHostedReason = "SelfHostedSetupFailedWebhookCreation"
-	SelfHostedReasonFailedOidc    SelfHostedReason = "SelfHostedSetupFailedOidcCreation"
-	SelfHostedReasonFailedKeys    SelfHostedReason = "SelfHostedSetupFailedKeysCreation"
-	SelfHostedReasonReady         SelfHostedReason = "SelfHostedSetupReady"
+	EksNotReady    EksConditionReason = "EksOIDCNotReady"
+	EksReasonReady EksConditionReason = "EksOIDCSetupReady"
 )
 
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
-//+kubebuilder:printcolumn:name="SelfHostedReady",type="string",JSONPath=".status.selfHostedSetup[?(@.type==\"Ready\")].status",description=""
+//+kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 
 // IRSASetup represents a configuration for setting up IAM Roles for Service Accounts (IRSA) in a Kubernetes cluster.
 type IRSASetup struct {

api/v1alpha1/zz_generated.deepcopy.go

@@ -14,8 +14,8 @@ spec:
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
-    - jsonPath: .status.selfHostedSetup[?(@.type=="Ready")].status
-      name: SelfHostedReady
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
       type: string
     name: v1alpha1
     schema:
@@ -52,6 +52,7 @@ spec:
                 description: |-
                   Discovery configures the IdP Discovery process, essential for setting up IRSA by locating
                   the OIDC provider information.
+                  Only applicable when Mode is "selfhosted".
                 properties:
                   s3:
                     description: S3 specifies the AWS S3 bucket details where the
@@ -70,21 +71,32 @@ spec:
                     - region
                     type: object
                 type: object
+              iamOIDCProvider:
+                description: |-
+                  IamOIDCProvider configures IAM OIDC IamOIDCProvider Name
+                  Only applicable when Mode is "eks".
+                type: string
               mode:
                 description: |-
-                  Mode (Optional, Future Feature) Defines how the controller will operate once this feature is enabled.
-                  Currently unused. Planned values:
+                  Mode specifies the operation mode of the controller.
+                  Possible values:
                     - "selfhosted": For self-managed Kubernetes clusters.
                     - "eks": For Amazon EKS environments.
+                  Default: "selfhosted"
+                enum:
+                - selfhosted
+                - eks
                 type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
             required:
             - cleanup
-            - discovery
             type: object
           status:
             description: IRSASetupStatus defines the observed state of IRSASetup
             properties:
-              selfHostedSetup:
+              conditions:
                 items:
                   description: "Condition contains details for one aspect of the current
                     state of this API Resource.\n---\nThis struct is intended for

charts/irsa-manager/crds/irsasetup-crd.yaml

@@ -71,5 +71,7 @@ spec:
           | nindent 10 }}
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: {{ include "irsa-manager.fullname" . }}-controller-manager
       terminationGracePeriodSeconds: 10

charts/irsa-manager/templates/deployment.yaml

@@ -15,8 +15,8 @@ spec:
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
-    - jsonPath: .status.selfHostedSetup[?(@.type=="Ready")].status
-      name: SelfHostedReady
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
       type: string
     name: v1alpha1
     schema:
@@ -53,6 +53,7 @@ spec:
                 description: |-
                   Discovery configures the IdP Discovery process, essential for setting up IRSA by locating
                   the OIDC provider information.
+                  Only applicable when Mode is "selfhosted".
                 properties:
                   s3:
                     description: S3 specifies the AWS S3 bucket details where the
@@ -71,21 +72,32 @@ spec:
                     - region
                     type: object
                 type: object
+              iamOIDCProvider:
+                description: |-
+                  IamOIDCProvider configures IAM OIDC IamOIDCProvider Name
+                  Only applicable when Mode is "eks".
+                type: string
               mode:
                 description: |-
-                  Mode (Optional, Future Feature) Defines how the controller will operate once this feature is enabled.
-                  Currently unused. Planned values:
+                  Mode specifies the operation mode of the controller.
+                  Possible values:
                     - "selfhosted": For self-managed Kubernetes clusters.
                     - "eks": For Amazon EKS environments.
+                  Default: "selfhosted"
+                enum:
+                - selfhosted
+                - eks
                 type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
             required:
             - cleanup
-            - discovery
             type: object
           status:
             description: IRSASetupStatus defines the observed state of IRSASetup
             properties:
-              selfHostedSetup:
+              conditions:
                 items:
                   description: "Condition contains details for one aspect of the current
                     state of this API Resource.\n---\nThis struct is intended for

config/crd/bases/irsa-manager.kkb0318.github.io_irsasetups.yaml

@@ -1,2 +1,8 @@
 resources:
-  - manager.yaml
+- manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: ghcr.io/kkb0318/irsa-manager
+  newTag: latest

config/manager/kustomization.yaml

@@ -31,6 +31,8 @@ _Appears in:_
 | `s3` _[S3Discovery](#s3discovery)_ | S3 specifies the AWS S3 bucket details where the OIDC provider's discovery information is hosted. |  |  |
 
 
+
+
 #### IRSA
 
 
@@ -102,8 +104,9 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `cleanup` _boolean_ | Cleanup, when enabled, allows the IRSASetup to perform garbage collection<br />of resources that are no longer needed or managed. |  |  |
-| `mode` _string_ | Mode (Optional, Future Feature) Defines how the controller will operate once this feature is enabled.<br />Currently unused. Planned values:<br />  - "selfhosted": For self-managed Kubernetes clusters.<br />  - "eks": For Amazon EKS environments. |  |  |
-| `discovery` _[Discovery](#discovery)_ | Discovery configures the IdP Discovery process, essential for setting up IRSA by locating<br />the OIDC provider information. |  |  |
+| `mode` _[SetupMode](#setupmode)_ | Mode specifies the operation mode of the controller.<br />Possible values:<br />  - "selfhosted": For self-managed Kubernetes clusters.<br />  - "eks": For Amazon EKS environments.<br />Default: "selfhosted" |  | Enum: [selfhosted eks] <br /> |
+| `discovery` _[Discovery](#discovery)_ | Discovery configures the IdP Discovery process, essential for setting up IRSA by locating<br />the OIDC provider information.<br />Only applicable when Mode is "selfhosted". |  |  |
+| `iamOIDCProvider` _string_ | IamOIDCProvider configures IAM OIDC IamOIDCProvider Name<br />Only applicable when Mode is "eks". |  |  |
 
 
 
@@ -164,3 +167,17 @@ _Appears in:_
 
 
 
+#### SetupMode
+
+_Underlying type:_ _string_
+
+
+
+_Validation:_
+- Enum: [selfhosted eks]
+
+_Appears in:_
+- [IRSASetupSpec](#irsasetupspec)
+
+
+

docs/api.md

@@ -0,0 +1,9 @@
+apiVersion: irsa-manager.kkb0318.github.io/v1alpha1
+kind: IRSASetup
+metadata:
+  name: irsa-init
+  namespace: irsa-manager-system
+spec:
+  mode: eks
+  cleanup: true
+  iamOIDCProvider: "oidc.eks.<region>.amazonaws.com/id/<id>"

examples/eks.yaml

@@ -6,11 +6,11 @@ metadata:
 spec:
   cleanup: true
   serviceAccount:
-    name: irsa1-sa
+    name: irsa111-sa
     namespaces:
       - kube-system
       - default
   iamRole:
-    name: irsa1-role
+    name: irsa111-role
   iamPolicies:
     - AmazonS3FullAccess

examples/irsa.yaml

@@ -51,13 +51,6 @@ type IRSAReconciler struct {
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the IRSA object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
-//
-// For more details, check Reconcile and its Result here:
-// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *IRSAReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := ctrllog.FromContext(ctx)
 	obj := &irsav1alpha1.IRSA{}
@@ -152,7 +145,7 @@ func (r *IRSAReconciler) reconcile(ctx context.Context, obj *irsav1alpha1.IRSA,
 		return fmt.Errorf("error converting to IRSASetup for %s: %v", list.Items[0].GetName(), err)
 	}
 	serviceAccount := obj.Spec.ServiceAccount
-	issuerMeta, err := issuer.NewS3IssuerMeta(&irsaSetup.Spec.Discovery.S3)
+	issuerMeta, err := issuer.NewOIDCIssuerMeta(irsaSetup)
 	if err != nil {
 		return err
 	}