Add cluster registry config

Signed-off-by: melserngawy <[email protected]>

Author: serngawy

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -82,6 +82,73 @@ spec:
                   rule: self == oldSelf
                 - message: billingAccount must be a valid AWS account ID
                   rule: self.matches('^[0-9]{12}$')
+              clusterRegistryConfig:
+                description: ClusterRegistryConfig represents registry config used
+                  with the cluster.
+                properties:
+                  additionalTrustedCa:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      AdditionalTrustedCa containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+                      for each additional registry CA to trust.
+                    type: object
+                  allowedRegistriesForImport:
+                    description: |-
+                      AllowedRegistriesForImport limits the container image registries that normal users may import
+                      images from. Set this list to the registries that you trust to contain valid Docker
+                      images and that you want applications to be able to import from.
+                    items:
+                      description: RegistryLocation contains a location of the registry
+                        specified by the registry domain name.
+                      properties:
+                        domainName:
+                          description: |-
+                            domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'.
+                            In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.
+                          type: string
+                        insecure:
+                          default: false
+                          description: insecure indicates whether the registry is
+                            secure (https) or insecure (http), default is secured.
+                          type: boolean
+                      type: object
+                    type: array
+                  registrySources:
+                    description: |-
+                      RegistrySources contains configuration that determines how the container runtime
+                      should treat individual registries when accessing images. It does not contain configuration
+                      for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive.
+                    properties:
+                      allowedRegistries:
+                        description: |-
+                          AllowedRegistries: registries for which image pull and push actions are allowed.
+                          To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+                          For example, *.example.com. You can specify an individual repository within a registry.
+                          For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
+                        items:
+                          type: string
+                        type: array
+                      blockedRegistries:
+                        description: |-
+                          BlockedRegistries: registries for which image pull and push actions are denied.
+                          To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+                          For example, *.example.com. You can specify an individual repository within a registry.
+                          For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
+                        items:
+                          type: string
+                        type: array
+                      insecureRegistries:
+                        description: |-
+                          InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+                          To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+                          For example, *.example.com. You can specify an individual repository within a registry.
+                          For example: reg1.io/myrepo/myapp:latest.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                type: object
               controlPlaneEndpoint:
                 description: ControlPlaneEndpoint represents the endpoint used to
                   communicate with the control plane.

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -180,6 +180,67 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
 	// +optional
 	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`
+
+	// ClusterRegistryConfig represents registry config used with the cluster.
+	// +optional
+	ClusterRegistryConfig *RegistryConfig `json:"clusterRegistryConfig,omitempty"`
+}
+
+// RegistryConfig for ROSA-HCP cluster
+type RegistryConfig struct {
+	// AdditionalTrustedCa containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+	// for each additional registry CA to trust.
+	// +optional
+	AdditionalTrustedCa map[string]string `json:"additionalTrustedCa,omitempty"`
+
+	// AllowedRegistriesForImport limits the container image registries that normal users may import
+	// images from. Set this list to the registries that you trust to contain valid Docker
+	// images and that you want applications to be able to import from.
+	// +optional
+	AllowedRegistriesForImport []RegistryLocation `json:"allowedRegistriesForImport,omitempty"`
+
+	// RegistrySources contains configuration that determines how the container runtime
+	// should treat individual registries when accessing images. It does not contain configuration
+	// for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive.
+	// +optional
+	RegistrySources *RegistrySources `json:"registrySources,omitempty"`
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain name.
+type RegistryLocation struct {
+	// domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'.
+	// In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.
+	// +optional
+	DomainName string `json:"domainName,omitempty"`
+
+	// insecure indicates whether the registry is secure (https) or insecure (http), default is secured.
+	// +kubebuilder:default=false
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+}
+
+// RegistrySources contains registries configuration.
+type RegistrySources struct {
+	// AllowedRegistries: registries for which image pull and push actions are allowed.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
+	// +optional
+	AllowedRegistries []string `json:"allowedRegistries,omitempty"`
+
+	// BlockedRegistries: registries for which image pull and push actions are denied.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
+	// +optional
+	BlockedRegistries []string `json:"blockedRegistries,omitempty"`
+
+	// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest.
+	// +optional
+	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
 }
 
 // NetworkSpec for ROSA-HCP.

controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go

@@ -24,10 +24,13 @@ import (
 	"fmt"
 	"net"
 	"net/url"
+	"reflect"
 	"strconv"
 	"strings"
 	"time"
 
+	stsv2 "github.com/aws/aws-sdk-go-v2/service/sts"
+	sts "github.com/aws/aws-sdk-go/service/sts"
 	"github.com/google/go-cmp/cmp"
 	idputils "github.com/openshift-online/ocm-common/pkg/idp/utils"
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
@@ -206,7 +209,7 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc
 		return ctrl.Result{}, fmt.Errorf("failed to create OCM client: %w", err)
 	}
 
-	creator, err := rosaaws.CreatorForCallerIdentity(rosaScope.Identity)
+	creator, err := rosaaws.CreatorForCallerIdentity(convertStsV2(rosaScope.Identity))
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to transform caller identity to creator: %w", err)
 	}
@@ -334,7 +337,7 @@ func (r *ROSAControlPlaneReconciler) reconcileDelete(ctx context.Context, rosaSc
 		return ctrl.Result{}, fmt.Errorf("failed to create OCM client: %w", err)
 	}
 
-	creator, err := rosaaws.CreatorForCallerIdentity(rosaScope.Identity)
+	creator, err := rosaaws.CreatorForCallerIdentity(convertStsV2(rosaScope.Identity))
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to transform caller identity to creator: %w", err)
 	}
@@ -439,23 +442,75 @@ func (r *ROSAControlPlaneReconciler) reconcileClusterVersion(rosaScope *scope.RO
 }
 
 func (r *ROSAControlPlaneReconciler) updateOCMCluster(rosaScope *scope.ROSAControlPlaneScope, ocmClient *ocm.Client, cluster *cmv1.Cluster, creator *rosaaws.Creator) error {
+	ocmClusterSpec := ocm.Spec{}
+	updated := false
 	currentAuditLogRole := cluster.AWS().AuditLog().RoleArn()
-	if currentAuditLogRole == rosaScope.ControlPlane.Spec.AuditLogRoleARN {
-		return nil
+
+	if currentAuditLogRole != rosaScope.ControlPlane.Spec.AuditLogRoleARN {
+		ocmClusterSpec.AuditLogRoleARN = ptr.To(rosaScope.ControlPlane.Spec.AuditLogRoleARN)
+		updated = true
 	}
 
-	ocmClusterSpec := ocm.Spec{
-		AuditLogRoleARN: ptr.To(rosaScope.ControlPlane.Spec.AuditLogRoleARN),
+	// Check for registry config changes
+	regConfig := &rosacontrolplanev1.RegistryConfig{
+		RegistrySources: &rosacontrolplanev1.RegistrySources{},
 	}
+	if rosaScope.ControlPlane.Spec.ClusterRegistryConfig != nil {
+		regConfig.AdditionalTrustedCa = rosaScope.ControlPlane.Spec.ClusterRegistryConfig.AdditionalTrustedCa
+		regConfig.AllowedRegistriesForImport = rosaScope.ControlPlane.Spec.ClusterRegistryConfig.AllowedRegistriesForImport
 
-	// if this fails, the provided role is likely invalid or it doesn't have the required permissions.
-	if err := ocmClient.UpdateCluster(cluster.ID(), creator, ocmClusterSpec); err != nil {
-		conditions.MarkFalse(rosaScope.ControlPlane,
-			rosacontrolplanev1.ROSAControlPlaneValidCondition,
-			rosacontrolplanev1.ROSAControlPlaneInvalidConfigurationReason,
-			clusterv1.ConditionSeverityError,
-			err.Error())
-		return err
+		if rosaScope.ControlPlane.Spec.ClusterRegistryConfig.RegistrySources != nil {
+			regConfig.RegistrySources.AllowedRegistries = rosaScope.ControlPlane.Spec.ClusterRegistryConfig.RegistrySources.AllowedRegistries
+			regConfig.RegistrySources.BlockedRegistries = rosaScope.ControlPlane.Spec.ClusterRegistryConfig.RegistrySources.BlockedRegistries
+			regConfig.RegistrySources.InsecureRegistries = rosaScope.ControlPlane.Spec.ClusterRegistryConfig.RegistrySources.InsecureRegistries
+		}
+	}
+	if !reflect.DeepEqual(regConfig.AdditionalTrustedCa, cluster.RegistryConfig().AdditionalTrustedCa()) {
+		ocmClusterSpec.AdditionalTrustedCa = regConfig.AdditionalTrustedCa
+		updated = true
+	}
+	if !reflect.DeepEqual(regConfig.RegistrySources.AllowedRegistries, cluster.RegistryConfig().RegistrySources().AllowedRegistries()) {
+		ocmClusterSpec.AllowedRegistries = regConfig.RegistrySources.AllowedRegistries
+		updated = true
+	}
+	if !reflect.DeepEqual(regConfig.RegistrySources.BlockedRegistries, cluster.RegistryConfig().RegistrySources().BlockedRegistries()) {
+		ocmClusterSpec.BlockedRegistries = regConfig.RegistrySources.BlockedRegistries
+		updated = true
+	}
+	if !reflect.DeepEqual(regConfig.RegistrySources.InsecureRegistries, cluster.RegistryConfig().RegistrySources().InsecureRegistries()) {
+		ocmClusterSpec.InsecureRegistries = regConfig.RegistrySources.InsecureRegistries
+		updated = true
+	}
+
+	var newAllowedRegisters, oldAllowedRegisters []string
+	if len(regConfig.AllowedRegistriesForImport) > 0 {
+		for id := range regConfig.AllowedRegistriesForImport {
+			newAllowedRegisters = append(newAllowedRegisters, regConfig.AllowedRegistriesForImport[id].DomainName+":"+
+				strconv.FormatBool(regConfig.AllowedRegistriesForImport[id].Insecure))
+		}
+	}
+	if len(cluster.RegistryConfig().AllowedRegistriesForImport()) > 0 {
+		for id := range cluster.RegistryConfig().AllowedRegistriesForImport() {
+			oldAllowedRegisters = append(oldAllowedRegisters, cluster.RegistryConfig().AllowedRegistriesForImport()[id].DomainName()+":"+
+				strconv.FormatBool(cluster.RegistryConfig().AllowedRegistriesForImport()[id].Insecure()))
+		}
+	}
+	if !reflect.DeepEqual(newAllowedRegisters, oldAllowedRegisters) {
+		ocmClusterSpec.AllowedRegistriesForImport = strings.Join(newAllowedRegisters, ",")
+		updated = true
+	}
+
+	if updated {
+		// Update the cluster.
+		rosaScope.Info("Updating cluster")
+		if err := ocmClient.UpdateCluster(cluster.ID(), creator, ocmClusterSpec); err != nil {
+			conditions.MarkFalse(rosaScope.ControlPlane,
+				rosacontrolplanev1.ROSAControlPlaneValidCondition,
+				rosacontrolplanev1.ROSAControlPlaneInvalidConfigurationReason,
+				clusterv1.ConditionSeverityError,
+				err.Error())
+			return err
+		}
 	}
 
 	return nil
@@ -888,6 +943,28 @@ func buildOCMClusterSpec(controlPlaneSpec rosacontrolplanev1.RosaControlPlaneSpe
 		}
 	}
 
+	// Set the cluster registry config.
+	if controlPlaneSpec.ClusterRegistryConfig != nil {
+		if len(controlPlaneSpec.ClusterRegistryConfig.AdditionalTrustedCa) > 0 {
+			ocmClusterSpec.AdditionalTrustedCa = controlPlaneSpec.ClusterRegistryConfig.AdditionalTrustedCa
+		}
+
+		if len(controlPlaneSpec.ClusterRegistryConfig.AllowedRegistriesForImport) > 0 {
+			registers := make([]string, 0)
+			for id := range controlPlaneSpec.ClusterRegistryConfig.AllowedRegistriesForImport {
+				registers = append(registers, controlPlaneSpec.ClusterRegistryConfig.AllowedRegistriesForImport[id].DomainName+":"+
+					strconv.FormatBool(controlPlaneSpec.ClusterRegistryConfig.AllowedRegistriesForImport[id].Insecure))
+			}
+			ocmClusterSpec.AllowedRegistriesForImport = strings.Join(registers, ",")
+		}
+
+		if controlPlaneSpec.ClusterRegistryConfig.RegistrySources != nil {
+			ocmClusterSpec.BlockedRegistries = controlPlaneSpec.ClusterRegistryConfig.RegistrySources.BlockedRegistries
+			ocmClusterSpec.AllowedRegistries = controlPlaneSpec.ClusterRegistryConfig.RegistrySources.AllowedRegistries
+			ocmClusterSpec.InsecureRegistries = controlPlaneSpec.ClusterRegistryConfig.RegistrySources.InsecureRegistries
+		}
+	}
+
 	return ocmClusterSpec, nil
 }
 
@@ -996,3 +1073,12 @@ func buildAPIEndpoint(cluster *cmv1.Cluster) (*clusterv1.APIEndpoint, error) {
 		Port: int32(port), // #nosec G109
 	}, nil
 }
+
+// TODO: Remove this and update the aws-sdk lib to v2.
+func convertStsV2(identity *sts.GetCallerIdentityOutput) *stsv2.GetCallerIdentityOutput {
+	return &stsv2.GetCallerIdentityOutput{
+		Account: identity.Account,
+		Arn:     identity.Arn,
+		UserId:  identity.UserId,
+	}
+}