diff --git a/control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go b/control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go index 4841e67420..d47f25e7a9 100644 --- a/control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go +++ b/control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "strings" + "sync" "time" "github.com/go-logr/logr" @@ -12,6 +13,8 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/credentials/stscreds" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/ec2" "github.com/aws/aws-sdk-go/service/ec2/ec2iface" "github.com/aws/aws-sdk-go/service/route53" @@ -40,7 +43,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/source" hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1" - awsutil "github.com/openshift/hypershift/cmd/infra/aws/util" "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/manifests" supportawsutil "github.com/openshift/hypershift/support/awsutil" "github.com/openshift/hypershift/support/config" @@ -187,12 +189,113 @@ const ( // the existence of AWS Endpoints for it in the guest cluster infrastructure. type AWSEndpointServiceReconciler struct { client.Client - ec2Client ec2iface.EC2API - route53Client route53iface.Route53API upsert.CreateOrUpdateProvider - AssumeEndpointRoleARN *string - AssumeRoute53RoleARN *string - LocalZoneID *string + awsClientBuilder clientBuilder +} + +type clientBuilder struct { + mu sync.Mutex + initialized bool + assumeEndpointRoleARN string + assumeRoute53RoleARN string + localZoneID string +} + +func (b *clientBuilder) awsSession() (*session.Session, error) { + s, err := session.NewSession() + if err != nil { + return nil, fmt.Errorf("failed to create AWS session: %w", err) + } + s.Handlers.Build.PushBackNamed(request.NamedHandler{ + Name: "openshift.io/hypershift", + Fn: request.MakeAddToUserAgentHandler("openshift.io hypershift", "control-plane-operator"), + }) + return s, nil +} + +func (b *clientBuilder) getClients() (ec2iface.EC2API, route53iface.Route53API, error) { + b.mu.Lock() + defer b.mu.Unlock() + + if !b.initialized { + return nil, nil, errors.New("clients not initialized") + } + + // AWS_SHARED_CREDENTIALS_FILE and AWS_REGION envvar should be set in operator deployment + awsEndpointSession, err := b.awsSession() + if err != nil { + return nil, nil, err + } + if b.assumeEndpointRoleARN != "" { + awsEndpointSession.Config.WithCredentials(stscreds.NewCredentials(awsEndpointSession, b.assumeEndpointRoleARN)) + } + awsRoute53Session, err := b.awsSession() + if err != nil { + return nil, nil, err + } + if b.assumeRoute53RoleARN != "" { + awsRoute53Session.Config.WithCredentials(stscreds.NewCredentials(awsRoute53Session, b.assumeRoute53RoleARN)) + } + awsConfig := aws.NewConfig() + ec2Client := ec2.New(awsEndpointSession, awsConfig) + route53Config := aws.NewConfig() + // Hardcode region for route53 config + route53Config.Region = aws.String("us-east-1") + route53Client := route53.New(awsRoute53Session, route53Config) + + return ec2Client, route53Client, nil +} + +func (b *clientBuilder) localHostedZoneID() string { + b.mu.Lock() + defer b.mu.Unlock() + + return b.localZoneID +} + +func (b *clientBuilder) initializeWithHCP(log logr.Logger, hcp *hyperv1.HostedControlPlane) { + b.mu.Lock() + defer b.mu.Unlock() + + if !b.initialized { + b.setFromHCP(hcp) + b.initialized = true + } else { + b.warnOnDifferentValues(log, hcp) + b.setFromHCP(hcp) + } +} + +func (b *clientBuilder) warnOnDifferentValues(log logr.Logger, hcp *hyperv1.HostedControlPlane) { + newEndpointRoleARN := "" + newRoute53RoleARN := "" + newLocalZoneID := "" + if hcp.Spec.Platform.AWS != nil && hcp.Spec.Platform.AWS.SharedVPC != nil { + newEndpointRoleARN = hcp.Spec.Platform.AWS.SharedVPC.RolesRef.ControlPlaneARN + newRoute53RoleARN = hcp.Spec.Platform.AWS.SharedVPC.RolesRef.IngressARN + newLocalZoneID = hcp.Spec.Platform.AWS.SharedVPC.LocalZoneID + } + if b.assumeEndpointRoleARN != newEndpointRoleARN { + log.Info("WARNING: Setting different value for the endpoint role ARN", "previous", b.assumeEndpointRoleARN, "new", newEndpointRoleARN) + } + if b.assumeRoute53RoleARN != newRoute53RoleARN { + log.Info("WARNING: Setting different value for the route53 role ARN", "previous", b.assumeRoute53RoleARN, "new", newRoute53RoleARN) + } + if b.localZoneID != newLocalZoneID { + log.Info("WARNING: Setting different value for local zone ID", "previous", b.localZoneID, "new", newLocalZoneID) + } +} + +func (b *clientBuilder) setFromHCP(hcp *hyperv1.HostedControlPlane) { + if hcp.Spec.Platform.AWS != nil && hcp.Spec.Platform.AWS.SharedVPC != nil { + b.assumeEndpointRoleARN = hcp.Spec.Platform.AWS.SharedVPC.RolesRef.ControlPlaneARN + b.assumeRoute53RoleARN = hcp.Spec.Platform.AWS.SharedVPC.RolesRef.IngressARN + b.localZoneID = hcp.Spec.Platform.AWS.SharedVPC.LocalZoneID + } else { + b.assumeEndpointRoleARN = "" + b.assumeRoute53RoleARN = "" + b.localZoneID = "" + } } func (r *AWSEndpointServiceReconciler) SetupWithManager(mgr ctrl.Manager) error { @@ -209,23 +312,6 @@ func (r *AWSEndpointServiceReconciler) SetupWithManager(mgr ctrl.Manager) error } r.Client = mgr.GetClient() - // AWS_SHARED_CREDENTIALS_FILE and AWS_REGION envvar should be set in operator deployment - awsEndpointSession := awsutil.NewSession("control-plane-operator", "", "", "", "") - if r.AssumeEndpointRoleARN != nil { - awsEndpointSession.Config.WithCredentials(stscreds.NewCredentials(awsEndpointSession, *r.AssumeEndpointRoleARN)) - } - awsRoute53Session := awsutil.NewSession("control-plane-operator", "", "", "", "") - if r.AssumeRoute53RoleARN != nil { - awsRoute53Session.Config.WithCredentials(stscreds.NewCredentials(awsRoute53Session, *r.AssumeRoute53RoleARN)) - } - - awsConfig := aws.NewConfig() - r.ec2Client = ec2.New(awsEndpointSession, awsConfig) - route53Config := aws.NewConfig() - // Hardcode region for route53 config - route53Config.Region = aws.String("us-east-1") - r.route53Client = route53.New(awsRoute53Session, route53Config) - return nil } @@ -287,12 +373,18 @@ func (r *AWSEndpointServiceReconciler) Reconcile(ctx context.Context, req ctrl.R // If we previously removed our finalizer, don't delete again and return early return ctrl.Result{}, nil } - completed, err := r.delete(ctx, awsEndpointService, r.ec2Client, r.route53Client) + + ec2Client, route53Client, err := r.awsClientBuilder.getClients() if err != nil { - return ctrl.Result{}, fmt.Errorf("failed to delete resource: %w", err) - } - if !completed { - return ctrl.Result{RequeueAfter: endpointServiceDeletionRequeueDuration}, nil + log.Error(err, "failed to get AWS client, skipping aws endpoint service cleanup") + } else { + completed, err := r.delete(ctx, awsEndpointService, ec2Client, route53Client) + if err != nil { + return ctrl.Result{}, fmt.Errorf("failed to delete resource: %w", err) + } + if !completed { + return ctrl.Result{RequeueAfter: endpointServiceDeletionRequeueDuration}, nil + } } if controllerutil.ContainsFinalizer(awsEndpointService, finalizer) { controllerutil.RemoveFinalizer(awsEndpointService, finalizer) @@ -340,9 +432,15 @@ func (r *AWSEndpointServiceReconciler) Reconcile(ctx context.Context, req ctrl.R return ctrl.Result{RequeueAfter: duration}, nil } + r.awsClientBuilder.initializeWithHCP(log, hcp) + ec2Client, route53Client, err := r.awsClientBuilder.getClients() + if err != nil { + return ctrl.Result{}, err + } + // Reconcile the AWSEndpointService oldStatus := awsEndpointService.Status.DeepCopy() - if err := r.reconcileAWSEndpointService(ctx, awsEndpointService, hcp, r.ec2Client, r.route53Client); err != nil { + if err := r.reconcileAWSEndpointService(ctx, awsEndpointService, hcp, ec2Client, route53Client); err != nil { meta.SetStatusCondition(&awsEndpointService.Status.Conditions, metav1.Condition{ Type: string(hyperv1.AWSEndpointAvailable), Status: metav1.ConditionFalse, @@ -421,7 +519,7 @@ func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointService(ctx context.C return nil } - if err := r.reconcileAWSEndpointSecurityGroup(ctx, awsEndpointService, hcp); err != nil { + if err := r.reconcileAWSEndpointSecurityGroup(ctx, ec2Client, awsEndpointService, hcp); err != nil { return err } @@ -433,6 +531,7 @@ func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointService(ctx context.C VpcEndpointIds: []*string{aws.String(endpointID)}, }) if err != nil { + log.Error(err, "failed to describe vpc endpoint", "endpointID", endpointID) if awsErr, ok := err.(awserr.Error); ok { if awsErr.Code() == "InvalidVpcEndpointId.NotFound" { // clear the EndpointID so a new Endpoint is created on the requeue @@ -450,6 +549,7 @@ func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointService(ctx context.C if _, err := ec2Client.DeleteVpcEndpointsWithContext(ctx, &ec2.DeleteVpcEndpointsInput{ VpcEndpointIds: []*string{output.VpcEndpoints[0].VpcEndpointId}, }); err != nil { + log.Error(err, "failed to delete vpc endpoint", "id", output.VpcEndpoints[0].VpcEndpointId) return fmt.Errorf("error deleting AWSEndpoint: %w", err) } @@ -485,6 +585,7 @@ func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointService(ctx context.C AddSecurityGroupIds: addedSG, }) if err != nil { + log.Error(err, "failed to modify vpc endpoint", "id", endpointID, "addSubnets", addedSubnet, "removeSubnets", removedSubnet, "addSG", addedSG) msg := err.Error() if awsErr, ok := err.(awserr.Error); ok { msg = awsErr.Code() @@ -521,6 +622,7 @@ func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointService(ctx context.C if _, err := ec2Client.DeleteVpcEndpointsWithContext(ctx, &ec2.DeleteVpcEndpointsInput{ VpcEndpointIds: []*string{output.VpcEndpoints[0].VpcEndpointId}, }); err != nil { + log.Error(err, "failed to delete vpc endpoint", "id", output.VpcEndpoints[0].VpcEndpointId) return fmt.Errorf("error deleting AWSEndpoint: %w", err) } @@ -585,13 +687,13 @@ func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointService(ctx context.C zoneName := zoneName(hcp.Name) var zoneID string - if r.LocalZoneID == nil { + if r.awsClientBuilder.localHostedZoneID() == "" { zoneID, err = lookupZoneID(ctx, route53Client, zoneName) if err != nil { return err } } else { - zoneID = *r.LocalZoneID + zoneID = r.awsClientBuilder.localHostedZoneID() } var fqdns []string @@ -654,14 +756,15 @@ func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointService(ctx context.C return nil } -func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointSecurityGroup(ctx context.Context, awsEndpointService *hyperv1.AWSEndpointService, hcp *hyperv1.HostedControlPlane) error { +func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointSecurityGroup(ctx context.Context, ec2Client ec2iface.EC2API, awsEndpointService *hyperv1.AWSEndpointService, hcp *hyperv1.HostedControlPlane) error { var sgID string var sg *ec2.SecurityGroup log := ctrl.LoggerFrom(ctx) var err error - sg, err = supportawsutil.GetSecurityGroup(r.ec2Client, vpcEndpointSecurityGroupFilter(hcp.Spec.InfraID, awsEndpointService.Name)) + sg, err = supportawsutil.GetSecurityGroup(ec2Client, vpcEndpointSecurityGroupFilter(hcp.Spec.InfraID, awsEndpointService.Name)) if err != nil { + log.Error(err, "failed to get security group for endpoint", "infraID", hcp.Spec.InfraID, "name", awsEndpointService.Name) return err } if sg != nil { @@ -673,7 +776,7 @@ func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointSecurityGroup(ctx con } if sgID == "" { var err error - if sg, err = r.createSecurityGroup(ctx, awsEndpointService, hcp); err != nil { + if sg, err = r.createSecurityGroup(ctx, ec2Client, awsEndpointService, hcp); err != nil { return err } sgID = aws.StringValue(sg.GroupId) @@ -686,10 +789,11 @@ func (r *AWSEndpointServiceReconciler) reconcileAWSEndpointSecurityGroup(ctx con ingressPermissions := supportawsutil.VPCEndpointSecurityGroupRules(machineCIDRs, vpcEndpointPort(awsEndpointService)) missingPermissions := diffPermissions(sg.IpPermissions, ingressPermissions) if len(missingPermissions) > 0 { - if _, err = r.ec2Client.AuthorizeSecurityGroupIngressWithContext(ctx, &ec2.AuthorizeSecurityGroupIngressInput{ + if _, err = ec2Client.AuthorizeSecurityGroupIngressWithContext(ctx, &ec2.AuthorizeSecurityGroupIngressInput{ GroupId: aws.String(sgID), IpPermissions: ingressPermissions, }); err != nil { + log.Error(err, "failed to sect security group ingress rules", "id", sgID) if supportawsutil.AWSErrorCode(err) != "InvalidPermission.Duplicate" { return fmt.Errorf("failed to set security group ingress rules, code: %s", supportawsutil.AWSErrorCode(err)) } @@ -711,7 +815,7 @@ func vpcEndpointPort(awsEndpointService *hyperv1.AWSEndpointService) int64 { } } -func (r *AWSEndpointServiceReconciler) createSecurityGroup(ctx context.Context, awsEndpointService *hyperv1.AWSEndpointService, hcp *hyperv1.HostedControlPlane) (*ec2.SecurityGroup, error) { +func (r *AWSEndpointServiceReconciler) createSecurityGroup(ctx context.Context, ec2Client ec2iface.EC2API, awsEndpointService *hyperv1.AWSEndpointService, hcp *hyperv1.HostedControlPlane) (*ec2.SecurityGroup, error) { log := ctrl.LoggerFrom(ctx) tagKeys := sets.NewString() var tags []*ec2.Tag @@ -736,7 +840,7 @@ func (r *AWSEndpointServiceReconciler) createSecurityGroup(ctx context.Context, Value: aws.String(name), }) } - createSGResult, err := r.ec2Client.CreateSecurityGroup(&ec2.CreateSecurityGroupInput{ + createSGResult, err := ec2Client.CreateSecurityGroup(&ec2.CreateSecurityGroupInput{ GroupName: aws.String(name), Description: aws.String("VPC endpoint security group"), VpcId: aws.String(hcp.Spec.Platform.AWS.CloudProviderConfig.VPC), @@ -748,6 +852,7 @@ func (r *AWSEndpointServiceReconciler) createSecurityGroup(ctx context.Context, }, }) if err != nil { + log.Error(err, "failed to create security group for aws endpoint", "name", name, "vpc", hcp.Spec.Platform.AWS.CloudProviderConfig.VPC) return nil, fmt.Errorf("failed to create security group, code: %s", supportawsutil.AWSErrorCode(err)) } sgID := aws.StringValue(createSGResult.GroupId) @@ -756,14 +861,17 @@ func (r *AWSEndpointServiceReconciler) createSecurityGroup(ctx context.Context, describeSGInput := &ec2.DescribeSecurityGroupsInput{ GroupIds: []*string{aws.String(sgID)}, } - if err = r.ec2Client.WaitUntilSecurityGroupExistsWithContext(ctx, describeSGInput); err != nil { + if err = ec2Client.WaitUntilSecurityGroupExistsWithContext(ctx, describeSGInput); err != nil { + log.Error(err, "failed to wait for security group to exist", "id", sgID) return nil, fmt.Errorf("failed to find created security group (id: %s), code: %s", sgID, supportawsutil.AWSErrorCode(err)) } - sg, err := supportawsutil.GetSecurityGroupById(r.ec2Client, sgID) + sg, err := supportawsutil.GetSecurityGroupById(ec2Client, sgID) if err != nil { + log.Error(err, "failed to fetch security group by ID", "id", sgID) return nil, err } if sg == nil { + log.Error(errors.New("security group not found"), "id", sgID) return nil, fmt.Errorf("failed to fetch security group (id: %s)", sgID) } log.Info("created security group", "id", sgID) @@ -902,7 +1010,7 @@ func (r *AWSEndpointServiceReconciler) delete(ctx context.Context, awsEndpointSe } if awsEndpointService.Status.SecurityGroupID != "" { - if err := r.deleteSecurityGroup(ctx, awsEndpointService.Status.SecurityGroupID); err != nil { + if err := r.deleteSecurityGroup(ctx, ec2Client, awsEndpointService.Status.SecurityGroupID); err != nil { return false, err } log.Info("security group deleted", "id", awsEndpointService.Status.SecurityGroupID) @@ -938,9 +1046,9 @@ func (r *AWSEndpointServiceReconciler) delete(ctx context.Context, awsEndpointSe return true, nil } -func (r *AWSEndpointServiceReconciler) deleteSecurityGroup(ctx context.Context, sgID string) error { +func (r *AWSEndpointServiceReconciler) deleteSecurityGroup(ctx context.Context, ec2Client ec2iface.EC2API, sgID string) error { log := ctrl.LoggerFrom(ctx) - describeSGResult, err := r.ec2Client.DescribeSecurityGroupsWithContext(ctx, &ec2.DescribeSecurityGroupsInput{GroupIds: []*string{aws.String(sgID)}}) + describeSGResult, err := ec2Client.DescribeSecurityGroupsWithContext(ctx, &ec2.DescribeSecurityGroupsInput{GroupIds: []*string{aws.String(sgID)}}) if err != nil { if supportawsutil.AWSErrorCode(err) == "InvalidGroup.NotFound" { return nil @@ -953,7 +1061,7 @@ func (r *AWSEndpointServiceReconciler) deleteSecurityGroup(ctx context.Context, sg := describeSGResult.SecurityGroups[0] if len(sg.IpPermissions) > 0 { - if _, err = r.ec2Client.RevokeSecurityGroupIngressWithContext(ctx, &ec2.RevokeSecurityGroupIngressInput{ + if _, err = ec2Client.RevokeSecurityGroupIngressWithContext(ctx, &ec2.RevokeSecurityGroupIngressInput{ GroupId: sg.GroupId, IpPermissions: sg.IpPermissions, }); err != nil { @@ -964,7 +1072,7 @@ func (r *AWSEndpointServiceReconciler) deleteSecurityGroup(ctx context.Context, } if len(sg.IpPermissionsEgress) > 0 { - if _, err = r.ec2Client.RevokeSecurityGroupEgressWithContext(ctx, &ec2.RevokeSecurityGroupEgressInput{ + if _, err = ec2Client.RevokeSecurityGroupEgressWithContext(ctx, &ec2.RevokeSecurityGroupEgressInput{ GroupId: sg.GroupId, IpPermissions: sg.IpPermissionsEgress, }); err != nil { @@ -973,7 +1081,7 @@ func (r *AWSEndpointServiceReconciler) deleteSecurityGroup(ctx context.Context, } } - if _, err = r.ec2Client.DeleteSecurityGroupWithContext(ctx, &ec2.DeleteSecurityGroupInput{ + if _, err = ec2Client.DeleteSecurityGroupWithContext(ctx, &ec2.DeleteSecurityGroupInput{ GroupId: sg.GroupId, }); err != nil { log.Error(err, "failed to delete security group", "SecurityGroupID", aws.StringValue(sg.GroupId), "code", supportawsutil.AWSErrorCode(err)) diff --git a/control-plane-operator/controllers/awsprivatelink/route53.go b/control-plane-operator/controllers/awsprivatelink/route53.go index a88fb6dfd5..dbcc821885 100644 --- a/control-plane-operator/controllers/awsprivatelink/route53.go +++ b/control-plane-operator/controllers/awsprivatelink/route53.go @@ -11,9 +11,11 @@ import ( "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/service/route53" "github.com/aws/aws-sdk-go/service/route53/route53iface" + ctrl "sigs.k8s.io/controller-runtime" ) func lookupZoneID(ctx context.Context, client route53iface.Route53API, name string) (string, error) { + log := ctrl.LoggerFrom(ctx) var res *route53.HostedZone f := func(resp *route53.ListHostedZonesOutput, lastPage bool) (shouldContinue bool) { for idx, zone := range resp.HostedZones { @@ -25,6 +27,7 @@ func lookupZoneID(ctx context.Context, client route53iface.Route53API, name stri return !lastPage } if err := client.ListHostedZonesPagesWithContext(ctx, &route53.ListHostedZonesInput{}, f); err != nil { + log.Error(err, "failed to list hosted zones") return "", err } if res == nil { @@ -33,7 +36,8 @@ func lookupZoneID(ctx context.Context, client route53iface.Route53API, name stri return cleanZoneID(*res.Id), nil } -func CreateRecord(ctx context.Context, client route53iface.Route53API, zondID, name, value, recordType string) error { +func CreateRecord(ctx context.Context, client route53iface.Route53API, zoneID, name, value, recordType string) error { + log := ctrl.LoggerFrom(ctx) record := &route53.ResourceRecordSet{ Name: aws.String(name), Type: aws.String(recordType), @@ -55,12 +59,13 @@ func CreateRecord(ctx context.Context, client route53iface.Route53API, zondID, n } input := &route53.ChangeResourceRecordSetsInput{ - HostedZoneId: aws.String(zondID), + HostedZoneId: aws.String(zoneID), ChangeBatch: changeBatch, } _, err := client.ChangeResourceRecordSetsWithContext(ctx, input) if awsErr, ok := err.(awserr.Error); ok { + log.Error(err, "failed to create records in hosted zone", "zone", zoneID) return errors.New(awsErr.Code()) } return err diff --git a/control-plane-operator/main.go b/control-plane-operator/main.go index 2024b4505e..0d067d35d2 100644 --- a/control-plane-operator/main.go +++ b/control-plane-operator/main.go @@ -45,7 +45,6 @@ import ( _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" - hyperclient "github.com/openshift/hypershift/client/clientset/clientset" "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane" hyperapi "github.com/openshift/hypershift/support/api" "github.com/openshift/hypershift/support/releaseinfo" @@ -241,18 +240,6 @@ func NewStartCommand() *cobra.Command { os.Exit(1) } - hcpClient, err := hyperclient.NewForConfig(mgr.GetConfig()) - if err != nil { - setupLog.Error(err, "unable to create hcp client") - os.Exit(1) - } - hcpList, err := hcpClient.HypershiftV1beta1().HostedControlPlanes(namespace).List(ctx, metav1.ListOptions{}) - if err != nil || len(hcpList.Items) == 0 { - setupLog.Error(err, "failed to get hostedcontrolplane for the cluster") - os.Exit(1) - } - hcp := &hcpList.Items[0] - // The HyperShift operator is generally able to specify with precision the images // that we need to use here. In order to be backwards-compatible, though, we need // to do so with environment variables. While it's possible that a more vigorous @@ -447,7 +434,7 @@ func NewStartCommand() *cobra.Command { os.Exit(1) } - if hcp.Spec.Platform.AWS != nil && mgmtClusterCaps.Has(capabilities.CapabilityRoute) { + if isAWS() && mgmtClusterCaps.Has(capabilities.CapabilityRoute) { controllerName := "PrivateKubeAPIServerServiceObserver" if err := (&awsprivatelink.PrivateServiceObserver{ Client: mgr.GetClient(), @@ -476,20 +463,8 @@ func NewStartCommand() *cobra.Command { os.Exit(1) } - var assumeEndpointRole, assumeRoute53Role *string - var localZoneID *string - - if hcp.Spec.Platform.AWS != nil && hcp.Spec.Platform.AWS.SharedVPC != nil { - assumeEndpointRole = &hcp.Spec.Platform.AWS.SharedVPC.RolesRef.ControlPlaneARN - assumeRoute53Role = &hcp.Spec.Platform.AWS.SharedVPC.RolesRef.IngressARN - localZoneID = &hcp.Spec.Platform.AWS.SharedVPC.LocalZoneID - } - if err := (&awsprivatelink.AWSEndpointServiceReconciler{ - AssumeEndpointRoleARN: assumeEndpointRole, - AssumeRoute53RoleARN: assumeRoute53Role, CreateOrUpdateProvider: upsert.New(enableCIDebugOutput), - LocalZoneID: localZoneID, }).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", "aws-endpoint-service") os.Exit(1) @@ -513,3 +488,7 @@ func NewStartCommand() *cobra.Command { return cmd } + +func isAWS() bool { + return os.Getenv("AWS_REGION") != "" +}