add support for additional irsa domains

controllers/awsmachinetemplate_controller.go

@@ -278,7 +278,7 @@ func (r *AWSMachineTemplateReconciler) reconcileNormal(ctx context.Context, iamS
 
 			cloudFrontDomain := key.CloudFrontAlias(baseDomain)
 
-			err = iamService.ReconcileRolesForIRSA(accountID, cloudFrontDomain)
+			err = iamService.ReconcileRolesForIRSA(accountID, cloudFrontDomain, "")
 			if err != nil {
 				return ctrl.Result{}, errors.WithStack(err)
 			}

controllers/awsmanagedcontrolplane_controller.go

@@ -157,7 +157,7 @@ func (r *AWSManagedControlPlaneReconciler) Reconcile(ctx context.Context, req ct
 		}
 
 		iamService.SetPrincipalRoleARN(eksRoleARN)
-		err = iamService.ReconcileRolesForIRSA(accountID, eksOpenIdDomain)
+		err = iamService.ReconcileRolesForIRSA(accountID, eksOpenIdDomain, "")
 		if err != nil {
 			return ctrl.Result{}, microerror.Mask(err)
 		}

pkg/iam/iam.go

@@ -64,6 +64,7 @@ type Route53RoleParams struct {
 	Namespace        string
 	ServiceAccount   string
 	PrincipalRoleARN string
+	IsMigrate        bool
 }
 
 func New(config IAMServiceConfig) (*IAMService, error) {
@@ -156,12 +157,12 @@ func (s *IAMService) ReconcileKiamRole() error {
 	return nil
 }
 
-func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
+func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string, oldCloudFrontDomain string) error {
 	s.log.Info("reconciling IAM roles for IRSA")
 
 	for _, roleTypeToReconcile := range getIRSARoles() {
 		var params Route53RoleParams
-		params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
+		params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain, oldCloudFrontDomain)
 		if err != nil {
 			s.log.Error(err, "failed to generate Route53 role parameters")
 			return err
@@ -177,7 +178,7 @@ func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain
 	return nil
 }
 
-func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string) (Route53RoleParams, error) {
+func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string, oldCloudFrontDomain string) (Route53RoleParams, error) {
 	namespace := "kube-system"
 	serviceAccount, err := getServiceAccount(roleTypeToReconcile)
 	if err != nil {
@@ -193,6 +194,10 @@ func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAc
 		ServiceAccount:   serviceAccount,
 	}
 
+	if oldCloudFrontDomain != "" {
+		params.CloudFrontDomain = oldCloudFrontDomain
+	}
+
 	return params, nil
 }
 

pkg/iam/route53_template.go

@@ -14,10 +14,22 @@ const trustIdentityPolicyIRSA = `{
           "{{.CloudFrontDomain}}:sub": "system:serviceaccount:{{.Namespace}}:{{.ServiceAccount}}"
         }
       }
+    }{{if .IsMigrate}},
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::{{.AccountID}}:oidc-provider/{{.OldCloudFrontDomain}}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "{{.OldCloudFrontDomain}}:sub": "system:serviceaccount:{{.Namespace}}:{{.ServiceAccount}}"
+        }
+      }
     }
+    {{end}}
   ]
-}
-`
+}`
 
 const route53RolePolicyTemplate = `{
   "Version": "2012-10-17",

pkg/key/key.go

@@ -158,3 +158,16 @@ func GetAWSAccountID(awsClusterRoleIdentity *capa.AWSClusterRoleIdentity) (strin
 
 	return a.AccountID, nil
 }
+
+func GetAdditionalIrsaDomain(o v1.Object) string {
+	return GetAnnotation(o, "aws.giantswarm.io/irsa-additional-domain")
+}
+
+// GetAnnotation returns the value of the specified annotation.
+func GetAnnotation(o v1.Object, annotation string) string {
+	annotations := o.GetAnnotations()
+	if annotations == nil {
+		return ""
+	}
+	return annotations[annotation]
+}