Add cluster registry config

Signed-off-by: melserngawy <[email protected]>

Author: serngawy

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -82,6 +82,77 @@ spec:
                   rule: self == oldSelf
                 - message: billingAccount must be a valid AWS account ID
                   rule: self.matches('^[0-9]{12}$')
+              clusterRegistryConfig:
+                description: ClusterRegistryConfig represents registry config used
+                  with the cluster.
+                properties:
+                  additionalTrustedCa:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      AdditionalTrustedCa containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+                      for each additional registry CA to trust.
+                    type: object
+                  allowedRegistriesForImport:
+                    description: |-
+                      AllowedRegistriesForImport limits the container image registries that normal users may import
+                      images from. Set this list to the registries that you trust to contain valid Docker
+                      images and that you want applications to be able to import from.
+                    items:
+                      description: RegistryLocation contains a location of the registry
+                        specified by the registry domain name.
+                      properties:
+                        domainName:
+                          description: |-
+                            domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'.
+                            In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.
+                          type: string
+                        insecure:
+                          default: false
+                          description: insecure indicates whether the registry is
+                            secure (https) or insecure (http), default is secured.
+                          type: boolean
+                      type: object
+                    type: array
+                  platformAllowlistID:
+                    description: PlatformAllowlistID contains a reference to whitelisted
+                      internal registries for the platform to work.
+                    type: string
+                  registrySources:
+                    description: |-
+                      RegistrySources contains configuration that determines how the container runtime
+                      should treat individual registries when accessing images. It does not contain configuration
+                      for the internal cluster registry.
+                    properties:
+                      allowedRegistries:
+                        description: |-
+                          AllowedRegistries: registries for which image pull and push actions are allowed.
+                          To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+                          For example, *.example.com. You can specify an individual repository within a registry.
+                          For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
+                        items:
+                          type: string
+                        type: array
+                      blockedRegistries:
+                        description: |-
+                          BlockedRegistries: registries for which image pull and push actions are denied.
+                          To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+                          For example, *.example.com. You can specify an individual repository within a registry.
+                          For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
+                        items:
+                          type: string
+                        type: array
+                      insecureRegistries:
+                        description: |-
+                          InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+                          To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+                          For example, *.example.com. You can specify an individual repository within a registry.
+                          For example: reg1.io/myrepo/myapp:latest.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                type: object
               controlPlaneEndpoint:
                 description: ControlPlaneEndpoint represents the endpoint used to
                   communicate with the control plane.

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -180,6 +180,71 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
 	// +optional
 	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`
+
+	// ClusterRegistryConfig represents registry config used with the cluster.
+	// +optional
+	ClusterRegistryConfig *RegistryConfig `json:"clusterRegistryConfig,omitempty"`
+}
+
+// RegistryConfig for ROSA-HCP cluster
+type RegistryConfig struct {
+	// AdditionalTrustedCa containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+	// for each additional registry CA to trust.
+	// +optional
+	AdditionalTrustedCa map[string]string `json:"additionalTrustedCa,omitempty"`
+
+	// AllowedRegistriesForImport limits the container image registries that normal users may import
+	// images from. Set this list to the registries that you trust to contain valid Docker
+	// images and that you want applications to be able to import from.
+	// +optional
+	AllowedRegistriesForImport []RegistryLocation `json:"allowedRegistriesForImport,omitempty"`
+
+	// PlatformAllowlistID contains a reference to whitelisted internal registries for the platform to work.
+	// +optional
+	PlatformAllowlistID string `json:"platformAllowlistID,omitempty"`
+
+	// RegistrySources contains configuration that determines how the container runtime
+	// should treat individual registries when accessing images. It does not contain configuration
+	// for the internal cluster registry.
+	// +optional
+	RegistrySources *RegistrySources `json:"registrySources,omitempty"`
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain name.
+type RegistryLocation struct {
+	// domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'.
+	// In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.
+	// +optional
+	DomainName string `json:"domainName,omitempty"`
+
+	// insecure indicates whether the registry is secure (https) or insecure (http), default is secured.
+	// +kubebuilder:default=false
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+}
+
+// RegistrySources contains registries configuration.
+type RegistrySources struct {
+	// AllowedRegistries: registries for which image pull and push actions are allowed.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
+	// +optional
+	AllowedRegistries []string `json:"allowedRegistries,omitempty"`
+
+	// BlockedRegistries: registries for which image pull and push actions are denied.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
+	// +optional
+	BlockedRegistries []string `json:"blockedRegistries,omitempty"`
+
+	// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest.
+	// +optional
+	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
 }
 
 // NetworkSpec for ROSA-HCP.

controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go

@@ -28,6 +28,8 @@ import (
 	"strings"
 	"time"
 
+	stsv2 "github.com/aws/aws-sdk-go-v2/service/sts"
+	sts "github.com/aws/aws-sdk-go/service/sts"
 	"github.com/google/go-cmp/cmp"
 	idputils "github.com/openshift-online/ocm-common/pkg/idp/utils"
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
@@ -206,7 +208,7 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		return ctrl.Result{}, fmt.Errorf("failed to create OCM client: %w", err)
 	}
 
-	creator, err := rosaaws.CreatorForCallerIdentity(rosaScope.Identity)
+	creator, err := rosaaws.CreatorForCallerIdentity(convertStsV2(rosaScope.Identity))
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to transform caller identity to creator: %w", err)
 	}
@@ -334,7 +336,7 @@ func (r *ROSAControlPlaneReconciler) reconcileDelete(ctx context.Context, rosaSc
 		return ctrl.Result{}, fmt.Errorf("failed to create OCM client: %w", err)
 	}
 
-	creator, err := rosaaws.CreatorForCallerIdentity(rosaScope.Identity)
+	creator, err := rosaaws.CreatorForCallerIdentity(convertStsV2(rosaScope.Identity))
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to transform caller identity to creator: %w", err)
 	}
@@ -888,6 +890,32 @@ func buildOCMClusterSpec(controlPlaneSpec rosacontrolplanev1.RosaControlPlaneSpe
 		}
 	}
 
+	// Set the cluster registry config.
+	if controlPlaneSpec.ClusterRegistryConfig != nil {
+		if len(controlPlaneSpec.ClusterRegistryConfig.AdditionalTrustedCa) > 0 {
+			ocmClusterSpec.AdditionalTrustedCa = controlPlaneSpec.ClusterRegistryConfig.AdditionalTrustedCa
+		}
+
+		if len(controlPlaneSpec.ClusterRegistryConfig.AllowedRegistriesForImport) > 0 {
+			registers := make([]string, 0)
+			for id := range controlPlaneSpec.ClusterRegistryConfig.AllowedRegistriesForImport {
+				registers = append(registers, controlPlaneSpec.ClusterRegistryConfig.AllowedRegistriesForImport[id].DomainName+":"+
+					strconv.FormatBool(controlPlaneSpec.ClusterRegistryConfig.AllowedRegistriesForImport[id].Insecure))
+			}
+			ocmClusterSpec.AllowedRegistriesForImport = strings.Join(registers, ",")
+		}
+
+		if controlPlaneSpec.ClusterRegistryConfig.RegistrySources != nil {
+			ocmClusterSpec.BlockedRegistries = controlPlaneSpec.ClusterRegistryConfig.RegistrySources.BlockedRegistries
+			ocmClusterSpec.AllowedRegistries = controlPlaneSpec.ClusterRegistryConfig.RegistrySources.AllowedRegistries
+			ocmClusterSpec.InsecureRegistries = controlPlaneSpec.ClusterRegistryConfig.RegistrySources.InsecureRegistries
+		}
+
+		if controlPlaneSpec.ClusterRegistryConfig.PlatformAllowlistID != "" {
+			ocmClusterSpec.PlatformAllowlist = controlPlaneSpec.ClusterRegistryConfig.PlatformAllowlistID
+		}
+	}
+
 	return ocmClusterSpec, nil
 }
 
@@ -996,3 +1024,12 @@ func buildAPIEndpoint(cluster *cmv1.Cluster) (*clusterv1.APIEndpoint, error) {
 		Port: int32(port), // #nosec G109
 	}, nil
 }
+
+// TODO: Remove this and update the aws-sdk lib to v2.
+func convertStsV2(identity *sts.GetCallerIdentityOutput) *stsv2.GetCallerIdentityOutput {
+	return &stsv2.GetCallerIdentityOutput{
+		Account: identity.Account,
+		Arn:     identity.Arn,
+		UserId:  identity.UserId,
+	}
+}