Review fixes

Author: PanSpagetka

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -759,6 +759,15 @@ spec:
                       [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\":
                       \"*\"\n\t\t}\n\t]\n}"
                     type: string
+                required:
+                - controlPlaneOperatorARN
+                - imageRegistryARN
+                - ingressARN
+                - kmsProviderARN
+                - kubeCloudControllerARN
+                - networkARN
+                - nodePoolManagementARN
+                - storageARN
                 type: object
               rosaClusterName:
                 description: |-

config/crd/bases/infrastructure.cluster.x-k8s.io_rosaroleconfigs.yaml

@@ -410,6 +410,15 @@ spec:
                       [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\":
                       \"*\"\n\t\t}\n\t]\n}"
                     type: string
+                required:
+                - controlPlaneOperatorARN
+                - imageRegistryARN
+                - ingressARN
+                - kmsProviderARN
+                - kubeCloudControllerARN
+                - networkARN
+                - nodePoolManagementARN
+                - storageARN
                 type: object
             type: object
         type: object

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -414,7 +414,7 @@ type AWSRolesRef struct {
 	//		}
 	//	]
 	// }
-	IngressARN string `json:"ingressARN,omitempty"`
+	IngressARN string `json:"ingressARN"`
 
 	// ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator.
 	//
@@ -449,7 +449,7 @@ type AWSRolesRef struct {
 	//		}
 	//	]
 	// }
-	ImageRegistryARN string `json:"imageRegistryARN,omitempty"`
+	ImageRegistryARN string `json:"imageRegistryARN"`
 
 	// StorageARN is an ARN value referencing a role appropriate for the Storage Operator.
 	//
@@ -480,7 +480,7 @@ type AWSRolesRef struct {
 	//		}
 	//	]
 	// }
-	StorageARN string `json:"storageARN,omitempty"`
+	StorageARN string `json:"storageARN"`
 
 	// NetworkARN is an ARN value referencing a role appropriate for the Network Operator.
 	//
@@ -506,7 +506,7 @@ type AWSRolesRef struct {
 	//		}
 	//	]
 	// }
-	NetworkARN string `json:"networkARN,omitempty"`
+	NetworkARN string `json:"networkARN"`
 
 	// KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC.
 	// Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies
@@ -584,7 +584,7 @@ type AWSRolesRef struct {
 	//  ]
 	// }
 	// +immutable
-	KubeCloudControllerARN string `json:"kubeCloudControllerARN,omitempty"`
+	KubeCloudControllerARN string `json:"kubeCloudControllerARN"`
 
 	// NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller.
 	//
@@ -697,7 +697,7 @@ type AWSRolesRef struct {
 	// }
 	//
 	// +immutable
-	NodePoolManagementARN string `json:"nodePoolManagementARN,omitempty"`
+	NodePoolManagementARN string `json:"nodePoolManagementARN"`
 
 	// ControlPlaneOperatorARN  is an ARN value referencing a role appropriate for the Control Plane Operator.
 	//
@@ -737,8 +737,8 @@ type AWSRolesRef struct {
 	//	]
 	// }
 	// +immutable
-	ControlPlaneOperatorARN string `json:"controlPlaneOperatorARN,omitempty"`
-	KMSProviderARN          string `json:"kmsProviderARN,omitempty"`
+	ControlPlaneOperatorARN string `json:"controlPlaneOperatorARN"`
+	KMSProviderARN          string `json:"kmsProviderARN"`
 }
 
 // RosaControlPlaneStatus defines the observed state of ROSAControlPlane.

controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go

@@ -1,3 +1,19 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package v1beta2
 
 import (

exp/api/v1beta2/rosaroleconfig_types.go

@@ -1,5 +1,5 @@
 /*
-Copyright The Kubernetes Authors.
+Copyright 2025 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -25,9 +25,6 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-
 // ROSARoleConfigSpec defines the desired state of ROSARoleConfig
 type ROSARoleConfigSpec struct {
 	AccountRoleConfig  AccountRoleConfig             `json:"accountRoleConfig"`
@@ -158,6 +155,25 @@ const (
 	RosaRoleConfigCreatedReason = "Created"
 )
 
+const (
+	// IngressOperatorARNSuffix is the suffix for the ingress operator role.
+	IngressOperatorARNSuffix = "-openshift-ingress-operator-cloud-credentials"
+	// ImageRegistryARNSuffix is the suffix for the image registry operator role.
+	ImageRegistryARNSuffix = "-openshift-image-registry-installer-cloud-credentials"
+	// StorageARNSuffix is the suffix for the storage operator role.
+	StorageARNSuffix = "-openshift-cluster-csi-drivers-ebs-cloud-credentials"
+	// NetworkARNSuffix is the suffix for the network operator role.
+	NetworkARNSuffix = "-openshift-cloud-network-config-controller-cloud-credentials"
+	// KubeCloudControllerARNSuffix is the suffix for the kube cloud controller role.
+	KubeCloudControllerARNSuffix = "-kube-system-kube-controller-manager"
+	// NodePoolManagementARNSuffix is the suffix for the node pool management role.
+	NodePoolManagementARNSuffix = "-kube-system-capa-controller-manager"
+	// ControlPlaneOperatorARNSuffix is the suffix for the control plane operator role.
+	ControlPlaneOperatorARNSuffix = "-kube-system-control-plane-operator"
+	// KMSProviderARNSuffix is the suffix for the kms provider role.
+	KMSProviderARNSuffix = "-kube-system-kms-provider"
+)
+
 // SetConditions sets the conditions of the ROSARoleConfig.
 func (r *ROSARoleConfig) SetConditions(conditions clusterv1.Conditions) {
 	r.Status.Conditions = conditions
@@ -168,6 +184,11 @@ func (r *ROSARoleConfig) GetConditions() clusterv1.Conditions {
 	return r.Status.Conditions
 }
 
+// IsSharedVPC checks if the shared VPC config is set.
+func (s SharedVPCConfig) IsSharedVPC() bool {
+	return s.VPCEndpointRoleARN != "" && s.RouteRoleARN != ""
+}
+
 func init() {
 	SchemeBuilder.Register(&ROSARoleConfig{}, &ROSARoleConfigList{})
 }

exp/controllers/rosamachinepool_controller.go

@@ -1,3 +1,19 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package controllers
 
 import (

exp/controllers/rosaroleconfig_controller.go

@@ -1,5 +1,5 @@
 /*
-Copyright The Kubernetes Authors.
+Copyright 2025 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -63,7 +63,6 @@ type ROSARoleConfigReconciler struct {
 	client.Client
 	Log              logr.Logger
 	Scheme           *runtime.Scheme
-	Endpoints        []scope.ServiceEndpoint
 	WatchFilterValue string
 	NewStsClient     func(cloud.ScopeUsage, cloud.Session, logger.Wrapper, runtime.Object) stsiface.STSClient
 	NewOCMClient     func(ctx context.Context, scope rosa.OCMSecretsRetriever) (rosa.OCMClient, error)
@@ -93,6 +92,7 @@ func (r *ROSARoleConfigReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		if apierrors.IsNotFound(err) {
 			return ctrl.Result{}, nil
 		}
+		log.Error(err, "Failed to get ROSARoleConfig")
 		return ctrl.Result{Requeue: true}, nil
 	}
 
@@ -101,7 +101,6 @@ func (r *ROSARoleConfigReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		Client:         r.Client,
 		RosaRoleConfig: roleConfig,
 		ControllerName: "rosaroleconfig",
-		Endpoints:      r.Endpoints,
 		Logger:         log,
 	})
 
@@ -113,7 +112,7 @@ func (r *ROSARoleConfigReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	defer func() {
 		conditions.SetSummary(scope.RosaRoleConfig, conditions.WithConditions(expinfrav1.RosaRoleConfigReadyCondition), conditions.WithStepCounter())
 
-		if err := scope.Close(); err != nil {
+		if err := scope.PatchObject(); err != nil {
 			reterr = errors.Join(reterr, err)
 		}
 	}()
@@ -134,9 +133,7 @@ func (r *ROSARoleConfigReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	}
 
 	if controllerutil.AddFinalizer(scope.RosaRoleConfig, expinfrav1.RosaRoleConfigFinalizer) {
-		if err := scope.PatchObject(); err != nil {
-			return ctrl.Result{}, err
-		}
+		return ctrl.Result{}, err
 	}
 
 	err = r.createAccountRoles(ctx, roleConfig, scope, ocmClient)
@@ -260,7 +257,6 @@ func (r *ROSARoleConfigReconciler) createOperatorRoles(ctx context.Context, role
 	version := roleConfig.Spec.AccountRoleConfig.Version
 	hostedCp := true
 	forcePolicyCreation := true
-	isSharedVpc := config.SharedVPCConfig.VPCEndpointRoleARN != "" && config.SharedVPCConfig.RouteRoleARN != ""
 
 	operatorRoles, err := runtime.AWSClient.ListOperatorRoles(version, "", config.Prefix)
 
@@ -270,28 +266,35 @@ func (r *ROSARoleConfigReconciler) createOperatorRoles(ctx context.Context, role
 
 	for _, roles := range operatorRoles {
 		for _, role := range roles {
-			if role.RoleName == fmt.Sprintf("%s-openshift-ingress-operator-cloud-credentials", config.Prefix) {
+			roleSuffix := strings.TrimPrefix(role.RoleName, config.Prefix)
+			if roleSuffix == role.RoleName {
+				continue
+			}
+			switch roleSuffix {
+			case expinfrav1.IngressOperatorARNSuffix:
 				scope.RosaRoleConfig.Status.OperatorRolesRef.IngressARN = role.RoleARN
-			} else if role.RoleName == fmt.Sprintf("%s-openshift-image-registry-installer-cloud-credentials", config.Prefix) {
+			case expinfrav1.ImageRegistryARNSuffix:
 				scope.RosaRoleConfig.Status.OperatorRolesRef.ImageRegistryARN = role.RoleARN
-			} else if role.RoleName == fmt.Sprintf("%s-openshift-cluster-csi-drivers-ebs-cloud-credentials", config.Prefix) {
+			case expinfrav1.StorageARNSuffix:
 				scope.RosaRoleConfig.Status.OperatorRolesRef.StorageARN = role.RoleARN
-			} else if role.RoleName == fmt.Sprintf("%s-openshift-cloud-network-config-controller-cloud-credentials", config.Prefix) {
+			case expinfrav1.NetworkARNSuffix:
 				scope.RosaRoleConfig.Status.OperatorRolesRef.NetworkARN = role.RoleARN
-			} else if role.RoleName == fmt.Sprintf("%s-kube-system-kube-controller-manager", config.Prefix) {
+			case expinfrav1.KubeCloudControllerARNSuffix:
 				scope.RosaRoleConfig.Status.OperatorRolesRef.KubeCloudControllerARN = role.RoleARN
-			} else if role.RoleName == fmt.Sprintf("%s-kube-system-capa-controller-manager", config.Prefix) {
+			case expinfrav1.NodePoolManagementARNSuffix:
 				scope.RosaRoleConfig.Status.OperatorRolesRef.NodePoolManagementARN = role.RoleARN
-			} else if role.RoleName == fmt.Sprintf("%s-kube-system-control-plane-operator", config.Prefix) {
+			case expinfrav1.ControlPlaneOperatorARNSuffix:
 				scope.RosaRoleConfig.Status.OperatorRolesRef.ControlPlaneOperatorARN = role.RoleARN
-			} else if role.RoleName == fmt.Sprintf("%s-kube-system-kms-provider", config.Prefix) {
+			case expinfrav1.KMSProviderARNSuffix:
 				scope.RosaRoleConfig.Status.OperatorRolesRef.KMSProviderARN = role.RoleARN
 			}
 		}
 	}
 
 	if !r.operatorRolesReady(&scope.RosaRoleConfig.Status.OperatorRolesRef) {
-		err = operatorroles.CreateOperatorRoles(runtime, ocm.Production, config.PermissionsBoundaryARN, interactive.ModeAuto, policies, version, isSharedVpc, config.Prefix, hostedCp, installerRoleArn, forcePolicyCreation,
+		// not all operator roles are set, operator roles are not ready yet.
+		r.clearOperatorRolesRef(&scope.RosaRoleConfig.Status.OperatorRolesRef)
+		err = operatorroles.CreateOperatorRoles(runtime, ocm.Production, config.PermissionsBoundaryARN, interactive.ModeAuto, policies, version, config.SharedVPCConfig.IsSharedVPC(), config.Prefix, hostedCp, installerRoleArn, forcePolicyCreation,
 			oidcConfigID, config.SharedVPCConfig.RouteRoleARN, ocm.DefaultChannelGroup, config.SharedVPCConfig.VPCEndpointRoleARN)
 		return err
 	}
@@ -301,33 +304,21 @@ func (r *ROSARoleConfigReconciler) createOperatorRoles(ctx context.Context, role
 
 func (r *ROSARoleConfigReconciler) reconcileOIDCConfig(roleConfig *expinfrav1.ROSARoleConfig, scope *scope.RosaRoleConfigScope, ocmClient *ocm.Client) error {
 	if scope.RosaRoleConfig.Status.OIDCID != "" {
+		oidcConfig, err := ocmClient.GetOidcConfig(scope.RosaRoleConfig.Status.OIDCID)
+		if err != nil || oidcConfig == nil {
+			return fmt.Errorf("failed to get OIDC config: %w", err)
+		}
 		return nil
 	}
 	if roleConfig.Spec.OperatorRoleConfig.OIDCID != "" {
 		scope.RosaRoleConfig.Status.OIDCID = roleConfig.Spec.OperatorRoleConfig.OIDCID
 		return nil
 	}
-	// Try to get OIDC UUID from some operator role policy document.
-	roleName := fmt.Sprintf("%s-openshift-ingress-operator-cloud-credentials", roleConfig.Spec.OperatorRoleConfig.Prefix)
-	roleDetails, err := scope.IAMClient().GetRole(context.TODO(), &iamv2.GetRoleInput{
-		RoleName: &roleName,
-	})
-	if err != nil {
-		return r.createOIDCConfig(scope, ocmClient)
-	}
-	oidcID, err := r.GetOIDCIDFromOperatorRole(scope, roleDetails)
-	if err != nil {
-		return r.createOIDCConfig(scope, ocmClient)
-	}
-	scope.RosaRoleConfig.Status.OIDCID = oidcID
-	return nil
+
+	return r.createOIDCConfig(scope, ocmClient)
 }
 
 func (r *ROSARoleConfigReconciler) createOIDCProvider(scope *scope.RosaRoleConfigScope, ocmClient *ocm.Client) error {
-	if scope.RosaRoleConfig.Status.OIDCProviderARN != "" {
-		return nil
-	}
-
 	var err error
 	oidcID := scope.RosaRoleConfig.Status.OIDCID
 	if oidcID == "" {
@@ -423,8 +414,7 @@ func (r *ROSARoleConfigReconciler) createAccountRoles(ctx context.Context, roleC
 		}
 
 		managedPolicies := true
-		isSharedVpc := config.SharedVPCConfig.VPCEndpointRoleARN != "" && config.SharedVPCConfig.RouteRoleARN != ""
-		err := accountroles.CreateHCPRoles(runtime, config.Prefix, managedPolicies, config.PermissionsBoundaryARN, ocm.Production, policies, config.Version, config.Path, isSharedVpc, config.SharedVPCConfig.RouteRoleARN, config.SharedVPCConfig.VPCEndpointRoleARN)
+		err := accountroles.CreateHCPRoles(runtime, config.Prefix, managedPolicies, config.PermissionsBoundaryARN, ocm.Production, policies, config.Version, config.Path, config.SharedVPCConfig.IsSharedVPC(), config.SharedVPCConfig.RouteRoleARN, config.SharedVPCConfig.VPCEndpointRoleARN)
 		return err
 	}
 
@@ -471,23 +461,16 @@ func (r *ROSARoleConfigReconciler) deleteAccountRoles(ocmClient *ocm.Client, aws
 		return err
 	}
 
-	var err2, err3 error
 	if canDeleteRole(clusters, roles.InstallerRoleARN) {
-		err = awsClient.DeleteAccountRole(strings.Split(roles.InstallerRoleARN, "/")[1], config.Prefix, true, deleteHcpSharedVpcPolicies)
+		err = errors.Join(err, awsClient.DeleteAccountRole(strings.Split(roles.InstallerRoleARN, "/")[1], config.Prefix, true, deleteHcpSharedVpcPolicies))
 	}
 	if canDeleteRole(clusters, roles.WorkerRoleARN) {
-		err2 = awsClient.DeleteAccountRole(strings.Split(roles.WorkerRoleARN, "/")[1], config.Prefix, true, deleteHcpSharedVpcPolicies)
+		err = errors.Join(err, awsClient.DeleteAccountRole(strings.Split(roles.WorkerRoleARN, "/")[1], config.Prefix, true, deleteHcpSharedVpcPolicies))
 	}
 	if canDeleteRole(clusters, roles.SupportRoleARN) {
-		err3 = awsClient.DeleteAccountRole(strings.Split(roles.SupportRoleARN, "/")[1], config.Prefix, true, deleteHcpSharedVpcPolicies)
-	}
-	if err != nil {
-		return err
-	}
-	if err2 != nil {
-		return err2
+		err = errors.Join(err, awsClient.DeleteAccountRole(strings.Split(roles.SupportRoleARN, "/")[1], config.Prefix, true, deleteHcpSharedVpcPolicies))
 	}
-	return err3
+	return err
 }
 
 func (r *ROSARoleConfigReconciler) deleteOIDCProvider(ocmClient *ocm.Client, awsClient aws.Client, oidcConfigID string) error {
@@ -661,3 +644,19 @@ func (r *ROSARoleConfigReconciler) GetOIDCIDFromOperatorRole(scope *scope.RosaRo
 
 	return "", fmt.Errorf("cant extract oidc uuid from the %s policy document", *roleDetails.Role.RoleName)
 }
+
+// clearOperatorRolesRef clears all field values in the OperatorRolesRef by setting them to empty strings.
+func (r ROSARoleConfigReconciler) clearOperatorRolesRef(operatorRolesRef *v1beta2.AWSRolesRef) {
+	if operatorRolesRef == nil {
+		return
+	}
+
+	operatorRolesRef.IngressARN = ""
+	operatorRolesRef.ImageRegistryARN = ""
+	operatorRolesRef.StorageARN = ""
+	operatorRolesRef.NetworkARN = ""
+	operatorRolesRef.KubeCloudControllerARN = ""
+	operatorRolesRef.NodePoolManagementARN = ""
+	operatorRolesRef.ControlPlaneOperatorARN = ""
+	operatorRolesRef.KMSProviderARN = ""
+}