🐛 ARN pattern should be comma separated string instead of a string enclosed in square brackets (#865)

* ARN pattern should be comma separated string

Signed-off-by: Gaurav Jaswal <jaswalkiranavtar@gmail.com>

* Addressing review comment

Signed-off-by: Gaurav Jaswal <jaswalkiranavtar@gmail.com>

* Addressing review comments

Signed-off-by: Gaurav Jaswal <jaswalkiranavtar@gmail.com>

---------

Signed-off-by: Gaurav Jaswal <jaswalkiranavtar@gmail.com>
Co-authored-by: Amrutha <amrutha.hari12@gmail.com>

deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml

@@ -59,7 +59,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2025-01-16T23:45:52Z"
+    createdAt: "2025-03-05T16:39:23Z"
     description: Manages the installation and upgrade of the ClusterManager.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3

deploy/cluster-manager/olm-catalog/latest/manifests/operator.open-cluster-management.io_clustermanagers.yaml

@@ -269,6 +269,13 @@ spec:
                           - csr
                           - awsirsa
                           type: string
+                        autoApprovedIdentities:
+                          description: |-
+                            For csr authentication type, AutoApprovedIdentities represent a list of approved users
+                            For awsirsa authentication type, AutoApprovedIdentities represent a list of approved arn patterns
+                          items:
+                            type: string
+                          type: array
                         hubClusterArn:
                           description: |-
                             This represents the hub cluster ARN

deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml

@@ -31,7 +31,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2025-01-20T02:57:55Z"
+    createdAt: "2025-03-05T16:39:23Z"
     description: Manages the installation and upgrade of the Klusterlet.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3

manifests/config.go

@@ -35,8 +35,8 @@ type HubConfig struct {
 	ManagedClusterIdentityCreatorRole string
 	HubClusterArn                     string
 	EnabledRegistrationDrivers        string
-	AutoApprovedCSRUsers              []string
-	AutoApprovedARNPatterns           []string
+	AutoApprovedCSRUsers              string
+	AutoApprovedARNPatterns           string
 }
 
 type Webhook struct {

pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_runtime_reconcile.go

@@ -79,9 +79,9 @@ func (c *runtimeReconcile) reconcile(ctx context.Context, cm *operatorapiv1.Clus
 			enabledRegistrationDrivers = append(enabledRegistrationDrivers, registrationDriver.AuthType)
 			if registrationDriver.AuthType == "awsirsa" {
 				config.HubClusterArn = registrationDriver.HubClusterArn
-				config.AutoApprovedARNPatterns = registrationDriver.AutoApprovedIdentities
+				config.AutoApprovedARNPatterns = strings.Join(registrationDriver.AutoApprovedIdentities, ",")
 			} else if registrationDriver.AuthType == "csr" {
-				config.AutoApprovedCSRUsers = registrationDriver.AutoApprovedIdentities
+				config.AutoApprovedCSRUsers = strings.Join(registrationDriver.AutoApprovedIdentities, ",")
 			}
 		}
 		config.EnabledRegistrationDrivers = strings.Join(enabledRegistrationDrivers, ",")

test/integration/operator/clustermanager_aws_test.go

@@ -2,6 +2,8 @@ package operator
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
@@ -42,8 +44,9 @@ var _ = ginkgo.Describe("ClusterManager Default Mode with aws registration", fun
 					clusterManager.Spec.RegistrationConfiguration = &operatorapiv1.RegistrationHubConfiguration{}
 					clusterManager.Spec.RegistrationConfiguration.RegistrationDrivers = []operatorapiv1.RegistrationDriverHub{
 						{
-							AuthType:      "awsirsa",
-							HubClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster",
+							AuthType:               "awsirsa",
+							HubClusterArn:          "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster",
+							AutoApprovedIdentities: []string{"arn:aws:eks:us-west-2:123456789013:cluster/.*", "arn:aws:eks:us-west-2:123456789012:cluster/.*"},
 						},
 					}
 				}
@@ -77,5 +80,27 @@ var _ = ginkgo.Describe("ClusterManager Default Mode with aws registration", fun
 				return annotation == "arn:aws:iam::123456789012:role/hub-cluster_managed-cluster-identity-creator"
 			}, eventuallyTimeout, eventuallyInterval).Should(gomega.BeTrue())
 		})
+		ginkgo.It("should have auto approved arn patterns separated by comma with awsirsa", func() {
+			gomega.Eventually(func() bool {
+				registrationControllerDeployment, err := kubeClient.AppsV1().Deployments(hubNamespace).
+					Get(context.Background(), fmt.Sprintf("%s-registration-controller", clusterManagerName), metav1.GetOptions{})
+				if err != nil {
+					return false
+				}
+				commandLineArgs := registrationControllerDeployment.Spec.Template.Spec.Containers[0].Args
+				autoApprovedArnPatterns, present := findMatchingArg(commandLineArgs, "--auto-approved-arn-patterns")
+				return present && strings.SplitN(autoApprovedArnPatterns, "=", 2)[1] ==
+					"arn:aws:eks:us-west-2:123456789013:cluster/.*,arn:aws:eks:us-west-2:123456789012:cluster/.*"
+			}, eventuallyTimeout, eventuallyInterval).Should(gomega.BeTrue())
+		})
 	})
 })
+
+func findMatchingArg(args []string, pattern string) (string, bool) {
+	for _, commandLineArg := range args {
+		if strings.SplitN(commandLineArg, "=", 2)[0] == pattern {
+			return commandLineArg, true
+		}
+	}
+	return "", false
+}

test/integration/operator/clustermanager_test.go

@@ -1141,6 +1141,43 @@ var _ = ginkgo.Describe("ClusterManager Default Mode", func() {
 			}, eventuallyTimeout, eventuallyInterval).Should(gomega.BeNil())
 		})
 
+		ginkgo.It("should have auto approved csr users set on registration-controller if csr driver is present", func() {
+			// Update cluster manager configuration
+			gomega.Eventually(func() error {
+				clusterManager, err := operatorClient.OperatorV1().ClusterManagers().Get(context.Background(), clusterManagerName, metav1.GetOptions{})
+				if err != nil {
+					return err
+				}
+
+				// Check addon manager enabled mode
+				if clusterManager.Spec.RegistrationConfiguration == nil {
+					clusterManager.Spec.RegistrationConfiguration = &operatorapiv1.RegistrationHubConfiguration{}
+				}
+				clusterManager.Spec.RegistrationConfiguration.RegistrationDrivers = []operatorapiv1.RegistrationDriverHub{
+					{
+						AuthType:               "csr",
+						AutoApprovedIdentities: []string{"user3", "user4"},
+					},
+				}
+				_, err = operatorClient.OperatorV1().ClusterManagers().Update(context.Background(), clusterManager, metav1.UpdateOptions{})
+				return err
+			}, eventuallyTimeout, eventuallyInterval).Should(gomega.BeNil())
+
+			gomega.Eventually(func() error {
+				actual, err := kubeClient.AppsV1().Deployments(hubNamespace).Get(context.Background(), hubRegistrationDeployment, metav1.GetOptions{})
+				if err != nil {
+					return err
+				}
+				gomega.Expect(len(actual.Spec.Template.Spec.Containers)).Should(gomega.Equal(1))
+				for _, arg := range actual.Spec.Template.Spec.Containers[0].Args {
+					if arg == "--auto-approved-csr-users=user3,user4" {
+						return nil
+					}
+				}
+				return fmt.Errorf("do not find the auto-approved-csr-users args, got %v", actual.Spec.Template.Spec.Containers[0].Args)
+			}, eventuallyTimeout, eventuallyInterval).Should(gomega.BeNil())
+		})
+
 	})
 
 	ginkgo.Context("Cluster manager statuses", func() {