feat: add identityRef to AWS and EKS clusters

Author: dkoshkin

api/v1alpha1/aws_clusterconfig_types.go

@@ -8,6 +8,11 @@ import (
 )
 
 type AWSSpec struct {
+	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+	// If no identity is specified, the default identity for this controller will be used.
+	// +kubebuilder:validation:Optional
+	IdentityRef *capav1.AWSIdentityReference `json:"identityRef,omitempty"`
+
 	// AWS region to create cluster in.
 	// +kubebuilder:validation:Optional
 	Region *Region `json:"region,omitempty"`

api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml

@@ -301,6 +301,26 @@ spec:
                             - internal
                           type: string
                       type: object
+                    identityRef:
+                      description: |-
+                        IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+                        If no identity is specified, the default identity for this controller will be used.
+                      properties:
+                        kind:
+                          description: Kind of the identity.
+                          enum:
+                            - AWSClusterControllerIdentity
+                            - AWSClusterRoleIdentity
+                            - AWSClusterStaticIdentity
+                          type: string
+                        name:
+                          description: Name of the identity.
+                          minLength: 1
+                          type: string
+                      required:
+                        - kind
+                        - name
+                      type: object
                     network:
                       description: AWS network configuration.
                       properties:

api/v1alpha1/crds/caren.nutanix.com_eksclusterconfigs.yaml

@@ -316,6 +316,26 @@ spec:
               eks:
                 description: EKS cluster configuration.
                 properties:
+                  identityRef:
+                    description: |-
+                      IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+                      If no identity is specified, the default identity for this controller will be used.
+                    properties:
+                      kind:
+                        description: Kind of the identity.
+                        enum:
+                        - AWSClusterControllerIdentity
+                        - AWSClusterRoleIdentity
+                        - AWSClusterStaticIdentity
+                        type: string
+                      name:
+                        description: Name of the identity.
+                        minLength: 1
+                        type: string
+                    required:
+                    - kind
+                    - name
+                    type: object
                   network:
                     description: AWS network configuration.
                     properties:

api/v1alpha1/eks_clusterconfig_types.go

@@ -3,7 +3,16 @@
 
 package v1alpha1
 
+import (
+	capav1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/external/sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
+)
+
 type EKSSpec struct {
+	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
+	// If no identity is specified, the default identity for this controller will be used.
+	// +kubebuilder:validation:Optional
+	IdentityRef *capav1.AWSIdentityReference `json:"identityRef,omitempty"`
+
 	// AWS region to create cluster in.
 	// +kubebuilder:validation:Optional
 	Region *Region `json:"region,omitempty"`

api/v1alpha1/zz_generated.deepcopy.go

@@ -29,20 +29,6 @@ spec:
       discoverVariablesExtension: awsworkerconfigvars-dv.cluster-api-runtime-extensions-nutanix
       generateExtension: awsworkerv4configpatch-gp.cluster-api-runtime-extensions-nutanix
     name: worker-config
-  - definitions:
-    - jsonPatches:
-      - op: add
-        path: /spec/template/spec/identityRef
-        value:
-          kind: AWSClusterControllerIdentity
-          name: default
-      selector:
-        apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
-        kind: AWSClusterTemplate
-        matchResources:
-          infrastructureCluster: true
-    description: AWSClusterStaticIdentity identityRef to use when creating the cluster
-    name: identityRef
   workers:
     machineDeployments:
     - class: default-worker

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml

@@ -24,20 +24,6 @@ spec:
       discoverVariablesExtension: eksworkerconfigvars-dv.cluster-api-runtime-extensions-nutanix
       generateExtension: eksworkerv4configpatch-gp.cluster-api-runtime-extensions-nutanix
     name: worker-config
-  - definitions:
-    - jsonPatches:
-      - op: add
-        path: /spec/template/spec/identityRef
-        value:
-          kind: AWSClusterControllerIdentity
-          name: default
-      selector:
-        apiVersion: controlplane.cluster.x-k8s.io/v1beta2
-        kind: AWSManagedControlPlaneTemplate
-        matchResources:
-          controlPlane: true
-    description: AWSClusterStaticIdentity identityRef to use when creating the cluster
-    name: identityRef
   workers:
     machineDeployments:
     - class: default-worker

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/eks-cluster-class.yaml

@@ -29,7 +29,7 @@ spec:
 
 Applying this configuration will result in the following value being set:
 
-- `AWSClusterTemplate`:
+- `AWSCluster`:
 
   - ```yaml
     spec:

docs/content/customization/aws/controlplaneloadbalancer.md

@@ -0,0 +1,99 @@
++++
+title = "Identity Reference"
++++
+
+The identity reference customization allows the user to specify the AWS identity to use when reconciling the cluster.
+This identity reference can be used to authenticate with AWS services using different identity types such as
+AWSClusterControllerIdentity, AWSClusterRoleIdentity, or AWSClusterStaticIdentity.
+
+This customization is available for AWS clusters when the
+[provider-specific cluster configuration patch]({{< ref "..">}}) is included in the `ClusterClass`.
+
+For detailed information about AWS multi-tenancy and identity management, see the
+[Cluster API AWS Multi-tenancy documentation](https://cluster-api-aws.sigs.k8s.io/topics/multitenancy).
+
+## Example
+
+To specify the AWS identity reference for an AWS cluster, use the following configuration:
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          aws:
+            identityRef:
+              kind: AWSClusterStaticIdentity
+              name: my-aws-identity
+```
+
+## Identity Types
+
+The following identity types are supported:
+
+- **AWSClusterControllerIdentity**: Uses the default identity for the controller
+- **AWSClusterRoleIdentity**: Assumes a role using the provided source reference
+- **AWSClusterStaticIdentity**: Uses static credentials stored in a secret
+
+## Example with Different Identity Types
+
+### Using AWSClusterRoleIdentity
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          aws:
+            identityRef:
+              kind: AWSClusterRoleIdentity
+              name: my-role-identity
+```
+
+### Using AWSClusterStaticIdentity
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          aws:
+            identityRef:
+              kind: AWSClusterStaticIdentity
+              name: my-static-identity
+```
+
+Applying this configuration will result in the following value being set:
+
+- `AWSCluster`:
+
+  - ```yaml
+    spec:
+      template:
+        spec:
+          identityRef:
+            kind: AWSClusterStaticIdentity
+            name: my-aws-identity
+    ```
+
+## Notes
+
+- If no identity is specified, the default identity for the controller will be used
+- The identity reference must exist in the cluster before creating the cluster
+- For AWSClusterStaticIdentity, the referenced secret must contain the required AWS credentials
+- For AWSClusterRoleIdentity, the role must be properly configured with the necessary permissions

docs/content/customization/aws/identity-ref.md

@@ -51,7 +51,7 @@ spec:
 
 Applying this configuration will result in the following value being set:
 
-- `AWSClusterTemplate`:
+- `AWSCluster`:
 
   - ```yaml
     spec: