Update clustermanager API spec for auto approval identities

Signed-off-by: “Jeffrey <[email protected]>

Author: jeffw17

operator/v1/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml

@@ -216,6 +216,32 @@ spec:
                 description: RegistrationConfiguration contains the configuration
                   of registration
                 properties:
+                  autoApprovalIdentities:
+                    description: |-
+                      AutoApprovalIdentities represent the list of approved identities which is used to whitelist certain identities to join with the hub cluster
+                      An ApprovedIdentities contains details of the driver type (csr, awsirsa) and a list of identities to whitelist.
+                    items:
+                      properties:
+                        driver:
+                          default: csr
+                          description: Type of authentication used for specific set
+                            of identities to whitelist. Possible values are csr and
+                            awsirsa.
+                          enum:
+                          - csr
+                          - awsirsa
+                          type: string
+                        identities:
+                          description: Identities represent a list of users in which
+                            we will allow to join with hub cluster
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - driver
+                    x-kubernetes-list-type: map
                   autoApproveUsers:
                     description: |-
                       AutoApproveUser represents a list of users that can auto approve CSR and accept client. If the credential of the
@@ -270,7 +296,10 @@ spec:
                           - awsirsa
                           type: string
                         hubClusterArn:
-                          description: This represents the hub cluster ARN
+                          description: |-
+                            This represents the hub cluster ARN
+                            Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1
+                          pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
                           type: string
                       type: object
                     type: array

operator/v1/types_clustermanager.go

@@ -115,6 +115,13 @@ type RegistrationHubConfiguration struct {
 	// +listType=map
 	// +listMapKey=authType
 	RegistrationDrivers []RegistrationDriverHub `json:"registrationDrivers,omitempty"`
+
+	// AutoApprovalIdentities represent the list of approved identities which is used to whitelist certain identities to join with the hub cluster
+	// An ApprovedIdentities contains details of the driver type (csr, awsirsa) and a list of identities to whitelist.
+	// +optional
+	// +listType=map
+	// +listMapKey=driver
+	AutoApprovalIdentities []ApprovedIdentities `json:"autoApprovalIdentities,omitempty"`
 }
 
 type RegistrationDriverHub struct {
@@ -126,10 +133,24 @@ type RegistrationDriverHub struct {
 	AuthType string `json:"authType,omitempty"`
 
 	// This represents the hub cluster ARN
+	// Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1
 	// +optional
+	// +kubebuilder:validation:Pattern=`^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$`
 	HubClusterArn string `json:"hubClusterArn,omitempty"`
 }
 
+type ApprovedIdentities struct {
+	// Type of authentication used for specific set of identities to whitelist. Possible values are csr and awsirsa.
+	// +required
+	// +kubebuilder:default:=csr
+	// +kubebuilder:validation:Enum=csr;awsirsa
+	Driver string `json:"driver,omitempty"`
+
+	// Identities represent a list of users in which we will allow to join with hub cluster
+	// +required
+	Identities []string `json:"identities,omitempty"`
+}
+
 type WorkConfiguration struct {
 	// FeatureGates represents the list of feature gates for work
 	// If it is set empty, default feature gates will be used.

operator/v1/zz_generated.deepcopy.go

@@ -261,6 +261,46 @@ var _ = Describe("ClusterManager API test with RegistrationConfiguration", func(
 		Expect(clusterManager.Spec.RegistrationConfiguration.FeatureGates[0].Mode).Should(Equal(operatorv1.FeatureGateModeTypeDisable))
 		Expect(clusterManager.Spec.RegistrationConfiguration.FeatureGates[1].Mode).Should(Equal(operatorv1.FeatureGateModeTypeEnable))
 	})
+
+	It("Create a cluster manager with aws registration and invalid hubClusterArn", func() {
+		clusterManager := &operatorv1.ClusterManager{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: clusterManagerName,
+			},
+			Spec: operatorv1.ClusterManagerSpec{
+				RegistrationConfiguration: &operatorv1.RegistrationHubConfiguration{
+					RegistrationDrivers: []operatorv1.RegistrationDriverHub{
+						{
+							AuthType:      "awsirsa",
+							HubClusterArn: "arn:aws:bks:us-west-2:123456789012:cluster/hub-cluster1",
+						},
+					},
+				},
+			},
+		}
+		_, err := operatorClient.OperatorV1().ClusterManagers().Create(context.TODO(), clusterManager, metav1.CreateOptions{})
+		Expect(err).ToNot(BeNil())
+	})
+
+	It("Create a cluster manager with aws registration and valid hubClusterArn", func() {
+		clusterManager := &operatorv1.ClusterManager{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: clusterManagerName,
+			},
+			Spec: operatorv1.ClusterManagerSpec{
+				RegistrationConfiguration: &operatorv1.RegistrationHubConfiguration{
+					RegistrationDrivers: []operatorv1.RegistrationDriverHub{
+						{
+							AuthType:      "awsirsa",
+							HubClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
+						},
+					},
+				},
+			},
+		}
+		_, err := operatorClient.OperatorV1().ClusterManagers().Create(context.TODO(), clusterManager, metav1.CreateOptions{})
+		Expect(err).To(BeNil())
+	})
 })
 
 var _ = Describe("ClusterManager API test with WorkConfiguration", func() {