Add the registration-auth flag for initializing an EKS cluster as hub.

Signed-off-by: Gaurav Jaswal <[email protected]>

go.mod

@@ -28,7 +28,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubectl v0.31.1
 	k8s.io/utils v0.0.0-20240921022957-49e7df575cb6
-	open-cluster-management.io/api v0.15.1-0.20250109024121-1a5e25a78a43
+	open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40
 	open-cluster-management.io/cluster-proxy v0.4.0
 	open-cluster-management.io/managed-serviceaccount v0.6.0
 	open-cluster-management.io/ocm v0.15.1-0.20250116085531-34275ef1eac8

go.sum

@@ -557,8 +557,8 @@ k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24=
 k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM=
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI=
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-open-cluster-management.io/api v0.15.1-0.20250109024121-1a5e25a78a43 h1:9kgKRQQHMGNM1t+J+OrmF7hgZmND9kRwyRVnHIULzqw=
-open-cluster-management.io/api v0.15.1-0.20250109024121-1a5e25a78a43/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
+open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40 h1:LckTHZ68rcy3hDFu6wa7BVOJ9wbWItJLZXmi0bpMyh8=
+open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
 open-cluster-management.io/cluster-proxy v0.4.0 h1:rm0UDaDWe3/P3xLzwqdHtqNksKwSzsic02MkrEe6BnM=
 open-cluster-management.io/cluster-proxy v0.4.0/go.mod h1:gTvfDHAhGezhdg4BD3ECBn6jbg2Y5PbHhV2ceW5nrB0=
 open-cluster-management.io/managed-serviceaccount v0.6.0 h1:qIi5T9WQJBuoGqnYGIktXbtqfQoiN2H9XU2P/6lAQiw=

pkg/cmd/init/cmd.go

@@ -14,6 +14,9 @@ import (
 var example = `
 # Init the hub
 %[1]s init
+
+# Initialize the hub cluster with the type of authentication. Either or both of csr,awsirsa
+%[1]s init --registration-auth awsirsa --registration-auth csr
 `
 
 // NewCmd ...
@@ -78,6 +81,7 @@ func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, stream
 	_ = clusterManagerSet.SetAnnotation("singleton-name", "singletonSet", []string{})
 	o.Helm.AddFlags(singletonSet)
 	cmd.Flags().AddFlagSet(singletonSet)
+	cmd.Flags().StringArrayVar(&o.registrationAuth, "registration-auth", []string{}, "The type of authentication to use for registering and authenticating with hub, this flag can be repeated to specify multiple authentication types.")
 
 	return cmd
 }

pkg/cmd/init/exec.go

@@ -15,6 +15,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/strings/slices"
 	ocmfeature "open-cluster-management.io/api/feature"
 	operatorv1 "open-cluster-management.io/api/operator/v1"
 	"open-cluster-management.io/clusteradm/pkg/cmd/init/preflight"
@@ -70,10 +71,15 @@ func (o *Options) complete(cmd *cobra.Command, args []string) (err error) {
 			},
 			Tag: bundleVersion.OCM,
 		}
+		registrationDrivers, err := getRegistrationDrivers(o)
+		if err != nil {
+			return err
+		}
 		o.clusterManagerChartConfig.ClusterManager = chart.ClusterManagerConfig{
 			RegistrationConfiguration: operatorv1.RegistrationHubConfiguration{
 				FeatureGates: genericclioptionsclusteradm.ConvertToFeatureGateAPI(
 					genericclioptionsclusteradm.HubMutableFeatureGate, ocmfeature.DefaultHubRegistrationFeatureGates),
+				RegistrationDrivers: registrationDrivers,
 			},
 			WorkConfiguration: operatorv1.WorkConfiguration{
 				FeatureGates: genericclioptionsclusteradm.ConvertToFeatureGateAPI(
@@ -353,3 +359,24 @@ func (o *Options) deploySingletonControlplane(kubeClient kubernetes.Interface) e
 	}
 	return nil
 }
+
+func getRegistrationDrivers(o *Options) ([]operatorv1.RegistrationDriverHub, error) {
+	registrationDrivers := []operatorv1.RegistrationDriverHub{}
+	if slices.Contains(o.registrationAuth, "csr") {
+		registrationDrivers = append(registrationDrivers, operatorv1.RegistrationDriverHub{AuthType: "csr"})
+	}
+	if slices.Contains(o.registrationAuth, "awsirsa") {
+		rawConfig, err := o.ClusteradmFlags.KubectlFactory.ToRawKubeConfigLoader().RawConfig()
+		if err != nil {
+			klog.Errorf("unable to load hub cluster kubeconfig: %v", err)
+			return nil, err
+		}
+		hubClusterArn := rawConfig.Contexts[rawConfig.CurrentContext].Cluster
+		if hubClusterArn == "" {
+			klog.Errorf("hubClusterArn has empty value in kubeconfig")
+			return nil, fmt.Errorf("unable to retrieve hubClusterArn from kubeconfig")
+		}
+		registrationDrivers = append(registrationDrivers, operatorv1.RegistrationDriverHub{AuthType: "awsirsa", HubClusterArn: hubClusterArn})
+	}
+	return registrationDrivers, nil
+}

pkg/cmd/init/options.go

@@ -50,6 +50,9 @@ type Options struct {
 	output string
 
 	Streams genericiooptions.IOStreams
+
+	// The type of authentication to use for initializing the hub cluster
+	registrationAuth []string
 }
 
 func newOptions(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericiooptions.IOStreams) *Options {

test/e2e/clusteradm/init_test.go

@@ -34,6 +34,33 @@ var _ = ginkgo.Describe("test clusteradm with bootstrap token in singleton mode"
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 			gomega.Expect(len(cm.Spec.RegistrationConfiguration.FeatureGates)).Should(gomega.Equal(1))
 
+			err = e2e.Clusteradm().Init(
+				"--use-bootstrap-token",
+				"--context", e2e.Cluster().Hub().Context(),
+				"--bundle-version=latest",
+				"--registration-auth awsirsa",
+			)
+			gomega.Expect(err).NotTo(gomega.HaveOccurred(), "clusteradm init error")
+
+			cm, err = operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+			// Ensure that when only awsirsa is passed as registration-auth only awsirsa driver is available
+			gomega.Expect(len(cm.Spec.RegistrationConfiguration.RegistrationDrivers)).Should(gomega.Equal(1))
+
+			err = e2e.Clusteradm().Init(
+				"--use-bootstrap-token",
+				"--context", e2e.Cluster().Hub().Context(),
+				"--bundle-version=latest",
+				"--registration-auth awsirsa",
+				"--registration-auth csr",
+			)
+			gomega.Expect(err).NotTo(gomega.HaveOccurred(), "clusteradm init error")
+
+			cm, err = operatorClient.OperatorV1().ClusterManagers().Get(context.TODO(), "cluster-manager", metav1.GetOptions{})
+			gomega.Expect(err).NotTo(gomega.HaveOccurred())
+			// Ensure that awsirsa and csr is passed as registration-auth both the values are set.
+			gomega.Expect(len(cm.Spec.RegistrationConfiguration.RegistrationDrivers)).Should(gomega.Equal(2))
+
 			err = e2e.Clusteradm().Init(
 				"--use-bootstrap-token",
 				"--context", e2e.Cluster().Hub().Context(),

vendor/modules.txt

@@ -1239,7 +1239,7 @@ k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# open-cluster-management.io/api v0.15.1-0.20250109024121-1a5e25a78a43
+# open-cluster-management.io/api v0.15.1-0.20250116010516-3a595d6a4e40
 ## explicit; go 1.22.0
 open-cluster-management.io/api/addon/v1alpha1
 open-cluster-management.io/api/client/addon/clientset/versioned