✨ Addons: Add functionality for resolveConflicts: PRESERVE

cmd/clusterawsadm/api/bootstrap/v1alpha1/conversion.go

@@ -25,7 +25,3 @@ import (
 func Convert_v1beta1_AWSIAMConfigurationSpec_To_v1alpha1_AWSIAMConfigurationSpec(in *v1beta1.AWSIAMConfigurationSpec, out *AWSIAMConfigurationSpec, s conversion.Scope) error {
 	return autoConvert_v1beta1_AWSIAMConfigurationSpec_To_v1alpha1_AWSIAMConfigurationSpec(in, out, s)
 }
-
-func Convert_v1beta1_AWSIAMRoleSpec_To_v1alpha1_AWSIAMRoleSpec(in *v1beta1.AWSIAMRoleSpec, out *AWSIAMRoleSpec, s conversion.Scope) error {
-	return autoConvert_v1beta1_AWSIAMRoleSpec_To_v1alpha1_AWSIAMRoleSpec(in, out, s)
-}

cmd/clusterawsadm/api/bootstrap/v1beta1/types.go

@@ -83,14 +83,6 @@ type AWSIAMRoleSpec struct {
 	// ExtraStatements are additional IAM statements to be included inline for the role.
 	ExtraStatements []iamv1.StatementEntry `json:"extraStatements,omitempty"`
 
-	// Path sets the path to the role.
-	// +optional
-	Path string `json:"path,omitempty"`
-
-	// PermissionsBoundary sets the ARN of the managed policy that is used to set the permissions boundary for the role.
-	// +optional
-	PermissionsBoundary string `json:"permissionsBoundary,omitempty"`
-
 	// TrustStatements is an IAM PolicyDocument defining what identities are allowed to assume this role.
 	// See "sigs.k8s.io/cluster-api-provider-aws/v2/cmd/clusterawsadm/api/iam/v1beta1" for more documentation.
 	TrustStatements []iamv1.StatementEntry `json:"trustStatements,omitempty"`

cmd/clusterawsadm/cloudformation/bootstrap/template.go

@@ -138,30 +138,24 @@ func (t Template) RenderCloudFormation() *cloudformation.Template {
 
 	template.Resources[AWSIAMRoleControlPlane] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("control-plane"),
-		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.controlPlaneTrustPolicy(),
 		ManagedPolicyArns:        t.Spec.ControlPlane.ExtraPolicyAttachments,
 		Policies:                 t.controlPlanePolicies(),
-		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ControlPlane.Tags),
 	}
 
 	template.Resources[AWSIAMRoleControllers] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("controllers"),
-		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.controllersTrustPolicy(),
 		Policies:                 t.controllersRolePolicy(),
-		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.ClusterAPIControllers.Tags),
 	}
 
 	template.Resources[AWSIAMRoleNodes] = &cfn_iam.Role{
 		RoleName:                 t.NewManagedName("nodes"),
-		Path:                     t.Spec.ControlPlane.Path,
 		AssumeRolePolicyDocument: t.nodeTrustPolicy(),
 		ManagedPolicyArns:        t.nodeManagedPolicies(),
 		Policies:                 t.nodePolicies(),
-		PermissionsBoundary:      t.Spec.ControlPlane.PermissionsBoundary,
 		Tags:                     converters.MapToCloudFormationTags(t.Spec.Nodes.Tags),
 	}
 

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -2135,10 +2135,11 @@ spec:
                       default: overwrite
                       description: |-
                         ConflictResolution is used to declare what should happen if there
-                        are parameter conflicts. Defaults to none
+                        are parameter conflicts. Defaults to overwrite
                       enum:
                       - overwrite
                       - none
+                      - preserve
                       type: string
                     name:
                       description: Name is the name of the addon
@@ -2937,30 +2938,6 @@ spec:
                   and no name is supplied then a role is created.
                 minLength: 2
                 type: string
-              rolePath:
-                description: |-
-                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
-                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
-                  in the IAM User Guide.
-
-                  This parameter is optional. If it is not included, it defaults to a slash
-                  (/).
-                type: string
-              rolePermissionsBoundary:
-                description: |-
-                  RolePermissionsBoundary sets the ARN of the managed policy that is used
-                  to set the permissions boundary for the role.
-
-                  A permissions boundary policy defines the maximum permissions that identity-based
-                  policies can grant to an entity, but does not grant permissions. Permissions
-                  boundaries do not define the maximum permissions that a resource-based policy
-                  can grant to an entity. To learn more, see Permissions boundaries for IAM
-                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-                  in the IAM User Guide.
-
-                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
-                  in the IAM User Guide.
-                type: string
               secondaryCidrBlock:
                 description: |-
                   SecondaryCidrBlock is the additional CIDR range to use for pod IPs.

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -911,9 +911,6 @@ spec:
                 description: Ready denotes that the ROSAControlPlane API Server is
                   ready to receive requests.
                 type: boolean
-              version:
-                description: OpenShift semantic version, for example "4.14.5".
-                type: string
             required:
             - ready
             type: object

config/crd/bases/infrastructure.cluster.x-k8s.io_awsfargateprofiles.yaml

@@ -264,30 +264,6 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
-              rolePath:
-                description: |-
-                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
-                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
-                  in the IAM User Guide.
-
-                  This parameter is optional. If it is not included, it defaults to a slash
-                  (/).
-                type: string
-              rolePermissionsBoundary:
-                description: |-
-                  RolePermissionsBoundary sets the ARN of the managed policy that is used
-                  to set the permissions boundary for the role.
-
-                  A permissions boundary policy defines the maximum permissions that identity-based
-                  policies can grant to an entity, but does not grant permissions. Permissions
-                  boundaries do not define the maximum permissions that a resource-based policy
-                  can grant to an entity. To learn more, see Permissions boundaries for IAM
-                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-                  in the IAM User Guide.
-
-                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
-                  in the IAM User Guide.
-                type: string
               selectors:
                 description: Selectors specify fargate pod selectors.
                 items:

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmanagedmachinepools.yaml

@@ -938,30 +938,6 @@ spec:
                   and not delete it on deletion. If the EKSEnableIAM feature
                   flag is true and no name is supplied then a role is created.
                 type: string
-              rolePath:
-                description: |-
-                  RolePath sets the path to the role. For more information about paths, see IAM Identifiers
-                  (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
-                  in the IAM User Guide.
-
-                  This parameter is optional. If it is not included, it defaults to a slash
-                  (/).
-                type: string
-              rolePermissionsBoundary:
-                description: |-
-                  RolePermissionsBoundary sets the ARN of the managed policy that is used
-                  to set the permissions boundary for the role.
-
-                  A permissions boundary policy defines the maximum permissions that identity-based
-                  policies can grant to an entity, but does not grant permissions. Permissions
-                  boundaries do not define the maximum permissions that a resource-based policy
-                  can grant to an entity. To learn more, see Permissions boundaries for IAM
-                  entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-                  in the IAM User Guide.
-
-                  For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
-                  in the IAM User Guide.
-                type: string
               scaling:
                 description: Scaling specifies scaling for the ASG behind this pool
                 properties:

controllers/awsmachine_controller.go

@@ -204,7 +204,6 @@ func (r *AWSMachineReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	machineScope, err := scope.NewMachineScope(scope.MachineScopeParams{
 		Client:       r.Client,
 		Cluster:      cluster,
-		Logger:       log,
 		Machine:      machine,
 		InfraCluster: infraCluster,
 		AWSMachine:   awsMachine,

controlplane/eks/api/v1beta1/conversion.go

@@ -42,8 +42,6 @@ func (r *AWSManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.VpcCni.Disable = r.Spec.DisableVPCCNI
 	dst.Spec.Partition = restored.Spec.Partition
 	dst.Spec.RestrictPrivateSubnets = restored.Spec.RestrictPrivateSubnets
-	dst.Spec.RolePath = restored.Spec.RolePath
-	dst.Spec.RolePermissionsBoundary = restored.Spec.RolePermissionsBoundary
 	dst.Status.Version = restored.Status.Version
 	dst.Spec.BootstrapSelfManagedAddons = restored.Spec.BootstrapSelfManagedAddons
 	return nil

controlplane/eks/api/v1beta2/awsmanagedcontrolplane_types.go

@@ -88,30 +88,6 @@ type AWSManagedControlPlaneSpec struct { //nolint: maligned
 	// +optional
 	RoleAdditionalPolicies *[]string `json:"roleAdditionalPolicies,omitempty"`
 
-	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
-	// in the IAM User Guide.
-	//
-	// This parameter is optional. If it is not included, it defaults to a slash
-	// (/).
-	// +optional
-	RolePath string `json:"rolePath,omitempty"`
-
-	// RolePermissionsBoundary sets the ARN of the managed policy that is used
-	// to set the permissions boundary for the role.
-	//
-	// A permissions boundary policy defines the maximum permissions that identity-based
-	// policies can grant to an entity, but does not grant permissions. Permissions
-	// boundaries do not define the maximum permissions that a resource-based policy
-	// can grant to an entity. To learn more, see Permissions boundaries for IAM
-	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
-	// in the IAM User Guide.
-	//
-	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
-	// in the IAM User Guide.
-	// +optional
-	RolePermissionsBoundary string `json:"rolePermissionsBoundary,omitempty"`
-
 	// Logging specifies which EKS Cluster logs should be enabled. Entries for
 	// each of the enabled logs will be sent to CloudWatch
 	// +optional

controlplane/eks/api/v1beta2/types.go

@@ -134,9 +134,9 @@ type Addon struct {
 	// +optional
 	Configuration string `json:"configuration,omitempty"`
 	// ConflictResolution is used to declare what should happen if there
-	// are parameter conflicts. Defaults to none
+	// are parameter conflicts. Defaults to overwrite
 	// +kubebuilder:default=overwrite
-	// +kubebuilder:validation:Enum=overwrite;none
+	// +kubebuilder:validation:Enum=overwrite;none;preserve
 	ConflictResolution *AddonResolution `json:"conflictResolution,omitempty"`
 	// ServiceAccountRoleArn is the ARN of an IAM role to bind to the addons service account
 	// +optional
@@ -154,6 +154,10 @@ var (
 	// AddonResolutionNone indicates that if there are parameter conflicts then
 	// resolution will not be done and an error will be reported.
 	AddonResolutionNone = AddonResolution("none")
+
+	// AddonResolutionPreserve indicates that if there are parameter conflicts then
+	// resolution will result in preserving the existing value
+	AddonResolutionPreserve = AddonResolution("preserve")
 )
 
 // AddonStatus defines the status for an addon.

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -749,10 +749,6 @@ type RosaControlPlaneStatus struct {
 	// OIDCEndpointURL is the endpoint url for the managed OIDC provider.
 	OIDCEndpointURL string `json:"oidcEndpointURL,omitempty"`
 
-	// OpenShift semantic version, for example "4.14.5".
-	// +optional
-	Version string `json:"version"`
-
 	// Available upgrades for the ROSA hosted control plane.
 	AvailableUpgrades []string `json:"availableUpgrades,omitempty"`
 }