From aff6a396f07839a8dc42de0ca0cea773368dfb70 Mon Sep 17 00:00:00 2001 From: Saurabh Parekh Date: Wed, 28 Feb 2024 19:58:21 -0800 Subject: [PATCH] Add api server extra args map to cluster spec --- .../anywhere.eks.amazonaws.com_clusters.yaml | 6 ++++ config/manifest/eksa-components.yaml | 6 ++++ pkg/api/v1alpha1/cluster_types.go | 4 ++- pkg/api/v1alpha1/zz_generated.deepcopy.go | 7 ++++ pkg/clusterapi/extraargs.go | 8 +++++ pkg/clusterapi/extraargs_test.go | 33 +++++++++++++++++++ pkg/providers/cloudstack/template.go | 1 + pkg/providers/docker/docker.go | 1 + pkg/providers/nutanix/template.go | 3 +- pkg/providers/tinkerbell/template.go | 3 +- pkg/providers/vsphere/template.go | 1 + 11 files changed, 70 insertions(+), 3 deletions(-) diff --git a/config/crd/bases/anywhere.eks.amazonaws.com_clusters.yaml b/config/crd/bases/anywhere.eks.amazonaws.com_clusters.yaml index bb23ca0f75235..116d66ddeefc9 100644 --- a/config/crd/bases/anywhere.eks.amazonaws.com_clusters.yaml +++ b/config/crd/bases/anywhere.eks.amazonaws.com_clusters.yaml @@ -151,6 +151,12 @@ spec: type: object controlPlaneConfiguration: properties: + apiServerExtraArgs: + additionalProperties: + type: string + description: ApiServerExtraArgs defines the flags to configure + for the API server. + type: object certSans: description: CertSANs is a slice of domain names or IPs to be added as Subject Name Alternatives of the Kube API Servers Certificate. diff --git a/config/manifest/eksa-components.yaml b/config/manifest/eksa-components.yaml index 21679cf2c80f8..d786e60298987 100644 --- a/config/manifest/eksa-components.yaml +++ b/config/manifest/eksa-components.yaml 
@@ -3854,6 +3854,12 @@ spec: type: object controlPlaneConfiguration: properties: + apiServerExtraArgs: + additionalProperties: + type: string + description: ApiServerExtraArgs defines the flags to configure + for the API server. + type: object certSans: description: CertSANs is a slice of domain names or IPs to be added as Subject Name Alternatives of the Kube API Servers Certificate. diff --git a/pkg/api/v1alpha1/cluster_types.go b/pkg/api/v1alpha1/cluster_types.go index 88936b4317cef..dcc01c8f41209 100644 --- a/pkg/api/v1alpha1/cluster_types.go +++ b/pkg/api/v1alpha1/cluster_types.go @@ -307,6 +307,8 @@ type ControlPlaneConfiguration struct { CertSANs []string `json:"certSans,omitempty"` // MachineHealthCheck is a control-plane level override for the timeouts and maxUnhealthy specified in the top-level MHC configuration. If not configured, the defaults in the top-level MHC configuration are used. MachineHealthCheck *MachineHealthCheck `json:"machineHealthCheck,omitempty"` + // ApiServerExtraArgs defines the flags to configure for the API server. + ApiServerExtraArgs map[string]string `json:"apiServerExtraArgs,omitempty"` } // MachineHealthCheck allows to configure timeouts for machine health checks. Machine Health Checks are responsible for remediating unhealthy Machines. @@ -363,7 +365,7 @@ func (n *ControlPlaneConfiguration) Equal(o *ControlPlaneConfiguration) bool { } return n.Count == o.Count && n.MachineGroupRef.Equal(o.MachineGroupRef) && TaintsSliceEqual(n.Taints, o.Taints) && MapEqual(n.Labels, o.Labels) && - SliceEqual(n.CertSANs, o.CertSANs) + SliceEqual(n.CertSANs, o.CertSANs) && MapEqual(n.ApiServerExtraArgs, o.ApiServerExtraArgs) } type Endpoint struct { diff --git a/pkg/api/v1alpha1/zz_generated.deepcopy.go b/pkg/api/v1alpha1/zz_generated.deepcopy.go index 6104d7cacd9bc..f0cef8fb212c2 100644 --- a/pkg/api/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/api/v1alpha1/zz_generated.deepcopy.go 
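Review bot: The new `ApiServerExtraArgs` field in the first cluster_types.go hunk accepts any flag name and value, and none of the eleven files in this patch adds validation for it. Since the provider templates feed the map into the kube-apiserver arguments, a cluster spec can now carry authentication, authorization or encryption flags that other spec fields are meant to own. Consider rejecting keys the project generates itself, and spell the contract out in the field comment, for example `// ApiServerExtraArgs maps extra kube-apiserver flag names (no leading dashes) to values; entries are passed through unvalidated.` Go naming would make this `APIServerExtraArgs`, with the JSON tag left as it is. The struct begins outside the hunk.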
@@ -878,6 +878,13 @@ func (in *ControlPlaneConfiguration) DeepCopyInto(out *ControlPlaneConfiguration *out = new(MachineHealthCheck) (*in).DeepCopyInto(*out) } + if in.ApiServerExtraArgs != nil { + in, out := &in.ApiServerExtraArgs, &out.ApiServerExtraArgs + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControlPlaneConfiguration. diff --git a/pkg/clusterapi/extraargs.go b/pkg/clusterapi/extraargs.go index 027a79a335c78..4b10bb53be05d 100644 --- a/pkg/clusterapi/extraargs.go +++ b/pkg/clusterapi/extraargs.go @@ -53,6 +53,14 @@ func EtcdEncryptionExtraArgs(config *[]v1alpha1.EtcdEncryption) ExtraArgs { return args } +func ApiServerExtraArgs(apiServerExtraArgs map[string]string) ExtraArgs { + args := ExtraArgs{} + for k, v := range apiServerExtraArgs { + args.AddIfNotEmpty(k, v) + } + return args +} + func PodIAMAuthExtraArgs(podIAMConfig *v1alpha1.PodIAMConfig) ExtraArgs { if podIAMConfig == nil { return nil diff --git a/pkg/clusterapi/extraargs_test.go b/pkg/clusterapi/extraargs_test.go index b5769134867b8..30762955d577f 100644 --- a/pkg/clusterapi/extraargs_test.go +++ b/pkg/clusterapi/extraargs_test.go 
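Review bot: `ApiServerExtraArgs` in extraargs.go copies every key from the spec into the API server flag set without checking the key, so this is the natural place for a denylist of flags that the other helpers in this file generate. As written, whether a user entry can replace an OIDC, IAM or encryption argument depends on how `ExtraArgs.Append` treats duplicate keys, which the hunk does not show. `AddIfNotEmpty` also appears to drop entries whose value is empty, so such a flag disappears without any error to the user. The exported function has no doc comment; `// ApiServerExtraArgs converts user-supplied kube-apiserver flags into ExtraArgs, skipping entries with an empty value.` would state that behavior.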
@@ -179,6 +179,39 @@ func TestExtraArgsToPartialYaml(t *testing.T) { } } +func TestApiServerExtraArgs(t *testing.T) { + tests := []struct { + testName string + apiServerExtraArgs map[string]string + want clusterapi.ExtraArgs + }{ + { + testName: "no args", + apiServerExtraArgs: map[string]string{}, + want: clusterapi.ExtraArgs{}, + }, + { + testName: "with args", + apiServerExtraArgs: map[string]string{ + "service-account-issuer": "https://my-custom-issuer-url", + "service-account-jwks-uri": "http://my-custom-jwks-uri/openid/v1/jwks", + }, + want: clusterapi.ExtraArgs{ + "service-account-issuer": "https://my-custom-issuer-url", + "service-account-jwks-uri": "http://my-custom-jwks-uri/openid/v1/jwks", + }, + }, + } + + for _, tt := range tests { + t.Run(tt.testName, func(t *testing.T) { + if got := clusterapi.ApiServerExtraArgs(tt.apiServerExtraArgs); !reflect.DeepEqual(got, tt.want) { + t.Errorf("ApiServerExtraArgs() = %v, want %v", got, tt.want) + } + }) + } +} + func TestAwsIamAuthExtraArgs(t *testing.T) { tests := []struct { testName string diff --git a/pkg/providers/cloudstack/template.go b/pkg/providers/cloudstack/template.go index a5ab2ffb0cf68..ff46da30332ee 100644 --- a/pkg/providers/cloudstack/template.go +++ b/pkg/providers/cloudstack/template.go @@ -123,6 +123,7 @@ func buildTemplateMapCP(clusterSpec *cluster.Spec) (map[string]interface{}, erro Append(clusterapi.AwsIamAuthExtraArgs(clusterSpec.AWSIamConfig)). Append(clusterapi.PodIAMAuthExtraArgs(clusterSpec.Cluster.Spec.PodIAMConfig)). Append(clusterapi.EtcdEncryptionExtraArgs(clusterSpec.Cluster.Spec.EtcdEncryption)). + Append(clusterapi.ApiServerExtraArgs(clusterSpec.Cluster.Spec.ControlPlaneConfiguration.ApiServerExtraArgs)). Append(sharedExtraArgs) controllerManagerExtraArgs := clusterapi.SecureTlsCipherSuitesExtraArgs(). diff --git a/pkg/providers/docker/docker.go b/pkg/providers/docker/docker.go index 80f8837b9186d..b07e623e0154f 100644 --- a/pkg/providers/docker/docker.go 
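Review bot: `TestApiServerExtraArgs` covers only an empty map and a two-entry map, so the cases that matter for a pass-through of user flags are not pinned: a nil map and an entry with an empty value, which `AddIfNotEmpty` suggests is dropped. A case such as `apiServerExtraArgs: map[string]string{"audit-log-path": ""}` with `want: clusterapi.ExtraArgs{}` would document the drop. The "with args" fixture uses an `http://` JWKS URI; an `https://` value would be a safer example for readers who copy it.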
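Review bot: In the cloudstack hunk the user-supplied map is appended after the OIDC, AWS IAM, pod IAM and etcd-encryption arguments, so if `Append` lets later keys win, a spec entry silently replaces a managed value. The position also differs between providers: here and in the docker and vsphere hunks `sharedExtraArgs` is appended after the user map, while in the nutanix and tinkerbell hunks the user map is last in the chain, so the same spec may resolve conflicts differently per provider. Either reject colliding keys before the chain is built, or fix one order for all five and record it above the call, e.g. `// user-supplied flags; must not override the managed args in this chain`. `buildTemplateMapCP` starts and ends outside each of these hunks.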
+++ b/pkg/providers/docker/docker.go @@ -295,6 +295,7 @@ func buildTemplateMapCP(clusterSpec *cluster.Spec) (map[string]interface{}, erro apiServerExtraArgs := clusterapi.OIDCToExtraArgs(clusterSpec.OIDCConfig). Append(clusterapi.AwsIamAuthExtraArgs(clusterSpec.AWSIamConfig)). Append(clusterapi.PodIAMAuthExtraArgs(clusterSpec.Cluster.Spec.PodIAMConfig)). + Append(clusterapi.ApiServerExtraArgs(clusterSpec.Cluster.Spec.ControlPlaneConfiguration.ApiServerExtraArgs)). Append(sharedExtraArgs) controllerManagerExtraArgs := clusterapi.SecureTlsCipherSuitesExtraArgs(). Append(clusterapi.NodeCIDRMaskExtraArgs(&clusterSpec.Cluster.Spec.ClusterNetwork)) diff --git a/pkg/providers/nutanix/template.go b/pkg/providers/nutanix/template.go index 1294c8a3bad12..8b145dd9584c5 100644 --- a/pkg/providers/nutanix/template.go +++ b/pkg/providers/nutanix/template.go @@ -162,7 +162,8 @@ func buildTemplateMapCP( apiServerExtraArgs := clusterapi.OIDCToExtraArgs(clusterSpec.OIDCConfig). Append(clusterapi.AwsIamAuthExtraArgs(clusterSpec.AWSIamConfig)). Append(clusterapi.PodIAMAuthExtraArgs(clusterSpec.Cluster.Spec.PodIAMConfig)). - Append(clusterapi.EtcdEncryptionExtraArgs(clusterSpec.Cluster.Spec.EtcdEncryption)) + Append(clusterapi.EtcdEncryptionExtraArgs(clusterSpec.Cluster.Spec.EtcdEncryption)). + Append(clusterapi.ApiServerExtraArgs(clusterSpec.Cluster.Spec.ControlPlaneConfiguration.ApiServerExtraArgs)) kubeletExtraArgs := clusterapi.SecureTlsCipherSuitesExtraArgs(). Append(clusterapi.ResolvConfExtraArgs(clusterSpec.Cluster.Spec.ClusterNetwork.DNS.ResolvConf)). Append(clusterapi.ControlPlaneNodeLabelsExtraArgs(clusterSpec.Cluster.Spec.ControlPlaneConfiguration)) diff --git a/pkg/providers/tinkerbell/template.go b/pkg/providers/tinkerbell/template.go index 5ece85852b20a..4ab6096e32c54 100644 --- a/pkg/providers/tinkerbell/template.go +++ b/pkg/providers/tinkerbell/template.go 
@@ -399,7 +399,8 @@ func buildTemplateMapCP( apiServerExtraArgs := clusterapi.OIDCToExtraArgs(clusterSpec.OIDCConfig). Append(clusterapi.AwsIamAuthExtraArgs(clusterSpec.AWSIamConfig)). - Append(clusterapi.PodIAMAuthExtraArgs(clusterSpec.Cluster.Spec.PodIAMConfig)) + Append(clusterapi.PodIAMAuthExtraArgs(clusterSpec.Cluster.Spec.PodIAMConfig)). + Append(clusterapi.ApiServerExtraArgs(clusterSpec.Cluster.Spec.ControlPlaneConfiguration.ApiServerExtraArgs)) kubeletExtraArgs := clusterapi.SecureTlsCipherSuitesExtraArgs(). Append(clusterapi.ResolvConfExtraArgs(clusterSpec.Cluster.Spec.ClusterNetwork.DNS.ResolvConf)). diff --git a/pkg/providers/vsphere/template.go b/pkg/providers/vsphere/template.go index 9cd2003920572..c832a0c178c3f 100644 --- a/pkg/providers/vsphere/template.go +++ b/pkg/providers/vsphere/template.go @@ -145,6 +145,7 @@ func buildTemplateMapCP( Append(clusterapi.AwsIamAuthExtraArgs(clusterSpec.AWSIamConfig)). Append(clusterapi.PodIAMAuthExtraArgs(clusterSpec.Cluster.Spec.PodIAMConfig)). Append(clusterapi.EtcdEncryptionExtraArgs(clusterSpec.Cluster.Spec.EtcdEncryption)). + Append(clusterapi.ApiServerExtraArgs(clusterSpec.Cluster.Spec.ControlPlaneConfiguration.ApiServerExtraArgs)). Append(sharedExtraArgs) controllerManagerExtraArgs := clusterapi.SecureTlsCipherSuitesExtraArgs(). Append(clusterapi.NodeCIDRMaskExtraArgs(&clusterSpec.Cluster.Spec.ClusterNetwork))