CORS-4337: allow AWS Europe Sovereign Cloud partition

config/v1/tests/dnses.config.openshift.io/AWSEuropeanSovereignCloudInstall.yaml

@@ -0,0 +1,69 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "DNS"
+crdName: dnses.config.openshift.io
+featureGates:
+- AWSEuropeanSovereignCloudInstall
+tests:
+  onCreate:
+    - name: Should be able to create a minimal DNS
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec: {} # No spec is required for a DNS
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec: {}
+    - name: Should be able to specify an AWS Europe Sovereign Cloud IAM role ARN for privateZoneIAMRole
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-eusc:iam::123456789012:role/my-role
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-eusc:iam::123456789012:role/my-role
+    - name: Should not be able to specify invalid privateZoneIAMRole ARN
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        metadata:
+          name: cluster
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:invalid-partition:iam::123456789012:role/my-role
+      expectedError: "DNS.config.openshift.io \"cluster\" is invalid: spec.platform.aws.privateZoneIAMRole: Invalid value: \"arn:invalid-partition:iam::123456789012:role/my-role\": IAM role ARN must match \"^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\\/.*$\""
+  onUpdate:
+    - name: Can switch from empty (default), to AWS with aws-eusc IAM role ARN
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: ""
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-eusc:iam::123456789012:role/my-role
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-eusc:iam::123456789012:role/my-role

config/v1/types_dns.go

@@ -134,7 +134,8 @@ type AWSDNSSpec struct {
 	// privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
 	// operations on the cluster's private hosted zone specified in the cluster DNS config.
 	// When left empty, no role should be assumed.
-	// +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$`
+	// +openshift:validation:FeatureGateAwareXValidation:featureGate="",rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$')`,message=`IAM role ARN must match "^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$"`
+	// +openshift:validation:FeatureGateAwareXValidation:featureGate=AWSEuropeanSovereignCloudInstall,rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$')`,message=`IAM role ARN must match "^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$"`
 	// +optional
 	PrivateZoneIAMRole string `json:"privateZoneIAMRole"`
 }

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-CustomNoUpgrade.crd.yaml

@@ -0,0 +1,194 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/470
+    api.openshift.io/merged-by-featuregates: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/bootstrap-required: "true"
+    release.openshift.io/feature-set: CustomNoUpgrade
+  name: dnses.config.openshift.io
+spec:
+  group: config.openshift.io
+  names:
+    kind: DNS
+    listKind: DNSList
+    plural: dnses
+    singular: dns
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          DNS holds cluster-wide information about DNS. The canonical name is `cluster`
+
+          Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec holds user settable values for configuration
+            properties:
+              baseDomain:
+                description: |-
+                  baseDomain is the base domain of the cluster. All managed DNS records will
+                  be sub-domains of this base.
+
+                  For example, given the base domain `openshift.example.com`, an API server
+                  DNS record may be created for `cluster-api.openshift.example.com`.
+
+                  Once set, this field cannot be changed.
+                type: string
+              platform:
+                description: |-
+                  platform holds configuration specific to the underlying
+                  infrastructure provider for DNS.
+                  When omitted, this means the user has no opinion and the platform is left
+                  to choose reasonable defaults. These defaults are subject to change over time.
+                properties:
+                  aws:
+                    description: aws contains DNS configuration specific to the Amazon
+                      Web Services cloud provider.
+                    properties:
+                      privateZoneIAMRole:
+                        description: |-
+                          privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
+                          operations on the cluster's private hosted zone specified in the cluster DNS config.
+                          When left empty, no role should be assumed.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: IAM role ARN must match "^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$"
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$')
+                        - message: IAM role ARN must match "^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$"
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$')
+                    type: object
+                  type:
+                    description: |-
+                      type is the underlying infrastructure provider for the cluster.
+                      Allowed values: "", "AWS".
+
+                      Individual components may not support all platforms,
+                      and must handle unrecognized platforms with best-effort defaults.
+                    enum:
+                    - ""
+                    - AWS
+                    - Azure
+                    - BareMetal
+                    - GCP
+                    - Libvirt
+                    - OpenStack
+                    - None
+                    - VSphere
+                    - oVirt
+                    - IBMCloud
+                    - KubeVirt
+                    - EquinixMetal
+                    - PowerVS
+                    - AlibabaCloud
+                    - Nutanix
+                    - External
+                    type: string
+                    x-kubernetes-validations:
+                    - message: allowed values are '' and 'AWS'
+                      rule: self in ['','AWS']
+                required:
+                - type
+                type: object
+                x-kubernetes-validations:
+                - message: aws configuration is required when platform is AWS, and
+                    forbidden otherwise
+                  rule: 'has(self.type) && self.type == ''AWS'' ?  has(self.aws) :
+                    !has(self.aws)'
+              privateZone:
+                description: |-
+                  privateZone is the location where all the DNS records that are only available internally
+                  to the cluster exist.
+
+                  If this field is nil, no private records should be created.
+
+                  Once set, this field cannot be changed.
+                properties:
+                  id:
+                    description: |-
+                      id is the identifier that can be used to find the DNS hosted zone.
+
+                      on AWS zone can be fetched using `ID` as id in [1]
+                      on Azure zone can be fetched using `ID` as a pre-determined name in [2],
+                      on GCP zone can be fetched using `ID` as a pre-determined name in [3].
+
+                      [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+                      [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+                      [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      tags can be used to query the DNS hosted zone.
+
+                      on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters,
+
+                      [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options
+                    type: object
+                type: object
+              publicZone:
+                description: |-
+                  publicZone is the location where all the DNS records that are publicly accessible to
+                  the internet exist.
+
+                  If this field is nil, no public records should be created.
+
+                  Once set, this field cannot be changed.
+                properties:
+                  id:
+                    description: |-
+                      id is the identifier that can be used to find the DNS hosted zone.
+
+                      on AWS zone can be fetched using `ID` as id in [1]
+                      on Azure zone can be fetched using `ID` as a pre-determined name in [2],
+                      on GCP zone can be fetched using `ID` as a pre-determined name in [3].
+
+                      [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+                      [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+                      [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      tags can be used to query the DNS hosted zone.
+
+                      on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters,
+
+                      [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options
+                    type: object
+                type: object
+            type: object
+          status:
+            description: status holds observed values from the cluster. They may not
+              be overridden.
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}