Merge branch 'master' into fixdeletion

CHANGELOG.md

@@ -7,8 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
 - Fix deletion bug due to incorrect finalizer removal order. 
 
+## [0.13.1] - 2023-11-10
+
+### Fixed
+
+- Fix malformed cluster-autoscaler policy.
+
+## [0.13.0] - 2023-11-10
+
+### Added
+
+- Add new IAM role for cluster-autoscaler.
+
 ## [0.12.0] - 2023-11-02
 
 ### Added
@@ -152,7 +166,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Implement `AWSMachineTemplate` reconciler.
 - Implement `AWSMachinePool` reconciler.
 
-[Unreleased]: https://github.com/giantswarm/capa-iam-operator/compare/v0.12.0...HEAD
+[Unreleased]: https://github.com/giantswarm/capa-iam-operator/compare/v0.13.1...HEAD
+[0.13.1]: https://github.com/giantswarm/capa-iam-operator/compare/v0.13.0...v0.13.1
+[0.13.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.12.0...v0.13.0
 [0.12.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.11.0...v0.12.0
 [0.11.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.10.0...v0.11.0
 [0.10.0]: https://github.com/giantswarm/capa-iam-operator/compare/v0.9.0...v0.10.0

controllers/awsmachinetemplate_controller_test.go

@@ -332,6 +332,7 @@ var _ = Describe("AWSMachineTemplateReconciler", func() {
 		certManagerRoleInfo,
 		ALBControllerRoleInfo,
 		ebsCsiDriverRoleInfo,
+		clusterAutoscalerRoleInfo,
 	}
 
 	expectedIAMTags := []*iam.Tag{

controllers/common_test.go

@@ -534,3 +534,59 @@ var ebsCsiDriverRoleInfo = RoleInfo{
 
 	ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-ebs-csi-driver",
 }
+
+var clusterAutoscalerRoleInfo = RoleInfo{
+	ExpectedName: "test-cluster-cluster-autoscaler-role",
+
+	ExpectedAssumeRolePolicyDocument: `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::012345678901:oidc-provider/irsa.test.gaws.gigantic.io"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "irsa.test.gaws.gigantic.io:sub": "system:serviceaccount:kube-system:cluster-autoscaler"
+        }
+      }
+    }
+  ]
+}
+`,
+
+	ExpectedPolicyName: "control-plane-test-cluster-policy",
+	ExpectedPolicyDocument: `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeAutoScalingInstances",
+        "autoscaling:DescribeLaunchConfigurations",
+        "autoscaling:DescribeScalingActivities",
+        "autoscaling:DescribeTags",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeLaunchTemplateVersions"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "autoscaling:SetDesiredCapacity",
+        "autoscaling:TerminateInstanceInAutoScalingGroup",
+        "ec2:DescribeImages",
+        "ec2:GetInstanceTypesFromInstanceRequirements",
+        "eks:DescribeNodegroup"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+
+	ReturnRoleArn: "arn:aws:iam::55554444:role/test-cluster-cluster-autoscaler",
+}

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/aws/aws-sdk-go v1.47.7
 	github.com/benbjohnson/clock v1.3.0 // indirect
-	github.com/giantswarm/microerror v0.4.0
+	github.com/giantswarm/microerror v0.4.1
 	github.com/go-logr/logr v1.3.0
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.4.0

go.sum

@@ -389,8 +389,8 @@ github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSy
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/giantswarm/microerror v0.4.0 h1:QeU+UZL0rRlVXKqYOHMxS0L7g8UD+dn84NT7myWVh4U=
-github.com/giantswarm/microerror v0.4.0/go.mod h1:Ju1YdC6TX/8witv7fIlkgiRr5FQUNyq3f4TX2QYnO7c=
+github.com/giantswarm/microerror v0.4.1 h1:WMiD7HQASoUA9lZzPlPK+erCEOJ0uT4cyo18VfCXHD0=
+github.com/giantswarm/microerror v0.4.1/go.mod h1:URFj0gFCmZihjya6saQCXxslBrgctXb4NsXYHB5JdrI=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=

pkg/iam/cluster_autoscaler_template.go

@@ -0,0 +1,31 @@
+package iam
+
+const clusterAutoscalerPolicyTemplate = `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeAutoScalingInstances",
+        "autoscaling:DescribeLaunchConfigurations",
+        "autoscaling:DescribeScalingActivities",
+        "autoscaling:DescribeTags",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeLaunchTemplateVersions"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "autoscaling:SetDesiredCapacity",
+        "autoscaling:TerminateInstanceInAutoScalingGroup",
+        "ec2:DescribeImages",
+        "ec2:GetInstanceTypesFromInstanceRequirements",
+        "eks:DescribeNodegroup"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`

pkg/iam/iam.go

@@ -16,15 +16,16 @@ import (
 )
 
 const (
-	BastionRole      = "bastion"
-	ControlPlaneRole = "control-plane" // also used as part of finalizer name
-	NodesRole        = "nodes"         // also used as part of finalizer name
-	Route53Role      = "route53-role"
-	KIAMRole         = "kiam-role"
-	IRSARole         = "irsa-role"
-	CertManagerRole  = "cert-manager-role"
-	ALBConrollerRole = "ALBController-Role"
-	EBSCSIDriverRole = "ebs-csi-driver-role"
+	BastionRole           = "bastion"
+	ControlPlaneRole      = "control-plane" // also used as part of finalizer name
+	NodesRole             = "nodes"         // also used as part of finalizer name
+	Route53Role           = "route53-role"
+	KIAMRole              = "kiam-role"
+	IRSARole              = "irsa-role"
+	CertManagerRole       = "cert-manager-role"
+	ALBConrollerRole      = "ALBController-Role"
+	EBSCSIDriverRole      = "ebs-csi-driver-role"
+	ClusterAutoscalerRole = "cluster-autoscaler-role"
 
 	IAMControllerOwnedTag = "capi-iam-controller/owned"
 	ClusterIDTag          = "sigs.k8s.io/cluster-api-provider-aws/cluster/%s"
@@ -157,7 +158,7 @@ func (s *IAMService) ReconcileKiamRole() error {
 func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
 	s.log.Info("reconciling IAM roles for IRSA")
 
-	for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole} {
+	for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole, ClusterAutoscalerRole} {
 		var params Route53RoleParams
 		params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
 		if err != nil {
@@ -670,6 +671,8 @@ func getServiceAccount(role string) (string, error) {
 		return "aws-load-balancer-controller", nil
 	} else if role == EBSCSIDriverRole {
 		return "ebs-csi-controller-sa", nil
+	} else if role == ClusterAutoscalerRole {
+		return "cluster-autoscaler", nil
 	}
 
 	return "", fmt.Errorf("cannot get service account for specified role - %s", role)

pkg/iam/template.go

@@ -55,6 +55,8 @@ func getInlinePolicyTemplate(roleType string) string {
 		return ALBControllerPolicyTemplate
 	case EBSCSIDriverRole:
 		return EBSCSIDriverPolicyTemplate
+	case ClusterAutoscalerRole:
+		return clusterAutoscalerPolicyTemplate
 	default:
 		return ""
 	}
@@ -80,6 +82,8 @@ func getTrustPolicyTemplate(roleType string) string {
 		return trustIdentityPolicyKIAMAndIRSA
 	case EBSCSIDriverRole:
 		return trustIdentityPolicyKIAMAndIRSA
+	case ClusterAutoscalerRole:
+		return trustIdentityPolicyKIAMAndIRSA
 
 	default:
 		return ""