- drop PresignedURLDuration spec

- cos access fix

Signed-off-by: Prajyot-Parab <[email protected]>

Author: Prajyot-Parab

api/v1beta2/ibmpowervscluster_types.go

@@ -191,15 +191,6 @@ type VPCResourceReference struct {
 
 // CosInstance represents IBM Cloud COS instance.
 type CosInstance struct {
-	// PresignedURLDuration defines the duration for which presigned URLs are valid.
-	//
-	// This is used to generate presigned URLs for S3 Bucket objects, which are used by
-	// control-plane and worker nodes to fetch bootstrap data.
-	//
-	// When enabled, the IAM instance profiles specified are not used.
-	// +optional
-	PresignedURLDuration *metav1.Duration `json:"presignedURLDuration,omitempty"`
-
 	// Name defines name of IBM cloud COS instance to be created.
 	// +kubebuilder:validation:MinLength:=3
 	// +kubebuilder:validation:MaxLength:=63

api/v1beta2/zz_generated.deepcopy.go

@@ -23,13 +23,14 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/IBM/go-sdk-core/v5/core"
 	"net/url"
 	"path"
 	"regexp"
 	"strconv"
 	"strings"
 
+	"github.com/IBM/go-sdk-core/v5/core"
+
 	"github.com/blang/semver/v4"
 	ignTypes "github.com/coreos/ignition/config/v2_3/types"
 	ignV3Types "github.com/coreos/ignition/v2/config/v3_4/types"
@@ -68,6 +69,8 @@ import (
 	genUtil "sigs.k8s.io/cluster-api-provider-ibmcloud/util"
 )
 
+const cosURLDomain = "cloud-object-storage.appdomain.cloud"
+
 // PowerVSMachineScopeParams defines the input parameters used to create a new PowerVSMachineScope.
 type PowerVSMachineScopeParams struct {
 	Logger            logr.Logger
@@ -401,18 +404,11 @@ func (m *PowerVSMachineScope) createIgnitionData(data []byte) (string, error) {
 		return "", fmt.Errorf("putting object to cos bucket %w", err)
 	}
 
-	if exp := m.IBMPowerVSCluster.Spec.CosInstance.PresignedURLDuration; exp != nil {
-		m.Info("assigning presigned url", "exp", exp)
-		req, _ := cosClient.GetObjectRequest(&s3.GetObjectInput{
-			Bucket: aws.String(bucket),
-			Key:    aws.String(key),
-		})
-		return req.Presign(exp.Duration)
-	}
-
+	bucketRegion := m.IBMPowerVSCluster.Spec.CosInstance.BucketRegion
+	objHost := fmt.Sprintf("%s.s3.%s.%s", bucket, bucketRegion, cosURLDomain)
 	objectURL := &url.URL{
-		Scheme: "s3",
-		Host:   bucket,
+		Scheme: "https",
+		Host:   objHost,
 		Path:   key,
 	}
 
@@ -424,6 +420,21 @@ func (m *PowerVSMachineScope) ignitionUserData(userData []byte) ([]byte, error)
 	if err != nil {
 		return nil, fmt.Errorf("error creating userdata object %w", err)
 	}
+
+	auth, err := authenticator.GetIAMAuthenticator()
+	if err != nil {
+		return nil, err
+	}
+
+	iamtoken, err := auth.GetToken()
+	if err != nil {
+		return nil, err
+	}
+	if iamtoken == "" {
+		return nil, fmt.Errorf("IAM token empty")
+	}
+	token := "Bearer " + iamtoken
+
 	ignVersion := getIgnitionVersion(m)
 	semver, err := semver.ParseTolerant(ignVersion)
 	if err != nil {
@@ -450,9 +461,13 @@ func (m *PowerVSMachineScope) ignitionUserData(userData []byte) ([]byte, error)
 			Ignition: ignV3Types.Ignition{
 				Version: semver.String(),
 				Config: ignV3Types.IgnitionConfig{
-					Merge: []ignV3Types.Resource{
-						{
-							Source: aws.String(objectURL),
+					Replace: ignV3Types.Resource{
+						Source: aws.String(objectURL),
+						HTTPHeaders: ignV3Types.HTTPHeaders{
+							{
+								Name:  "Authorization",
+								Value: aws.String(token),
+							},
 						},
 					},
 				},

cloud/scope/powervs_machine.go

@@ -193,13 +193,6 @@ spec:
                     minLength: 3
                     pattern: ^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$
                     type: string
-                  presignedURLDuration:
-                    description: "PresignedURLDuration defines the duration for which
-                      presigned URLs are valid. \n This is used to generate presigned
-                      URLs for S3 Bucket objects, which are used by control-plane
-                      and worker nodes to fetch bootstrap data. \n When enabled, the
-                      IAM instance profiles specified are not used."
-                    type: string
                 type: object
               loadBalancers:
                 description: loadBalancers is optional configuration for configuring

config/crd/bases/infrastructure.cluster.x-k8s.io_ibmpowervsclusters.yaml

@@ -218,14 +218,6 @@ spec:
                             minLength: 3
                             pattern: ^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$
                             type: string
-                          presignedURLDuration:
-                            description: "PresignedURLDuration defines the duration
-                              for which presigned URLs are valid. \n This is used
-                              to generate presigned URLs for S3 Bucket objects, which
-                              are used by control-plane and worker nodes to fetch
-                              bootstrap data. \n When enabled, the IAM instance profiles
-                              specified are not used."
-                            type: string
                         type: object
                       loadBalancers:
                         description: loadBalancers is optional configuration for configuring

config/crd/bases/infrastructure.cluster.x-k8s.io_ibmpowervsclustertemplates.yaml

@@ -158,15 +158,6 @@ type VPCResourceReference struct {
 
 // CosInstance represents IBM Cloud COS instance.
 type CosInstance struct {
-	// PresignedURLDuration defines the duration for which presigned URLs are valid.
-	//
-	// This is used to generate presigned URLs for S3 Bucket objects, which are used by
-	// control-plane and worker nodes to fetch bootstrap data.
-	//
-	// When enabled, the IAM instance profiles specified are not used.
-	// +optional
-	PresignedURLDuration *metav1.Duration `json:"presignedURLDuration,omitempty"`
-
 	// Name defines name of IBM cloud COS instance to be created.
 	// +kubebuilder:validation:MinLength:=3
 	// +kubebuilder:validation:MaxLength:=63

docs/proposal/20231109-powervs-infra-creation.md

@@ -57,3 +57,22 @@ func GetProperties() (map[string]string, error) {
 	}
 	return properties, nil
 }
+
+// GetIAMAuthenticator will get the IAM authenticator for ibmcloud.
+func GetIAMAuthenticator() (*core.IamAuthenticator, error) {
+	props, err := GetProperties()
+	if err != nil {
+		return nil, fmt.Errorf("error while fetching service properties: %w", err)
+	}
+
+	apiKey := props["APIKEY"]
+	if len(apiKey) == 0 {
+		fmt.Printf("ibmcloud api key is not provided, set %s environmental variable", "IBMCLOUD_API_KEY")
+	}
+
+	auth := &core.IamAuthenticator{
+		ApiKey: apiKey,
+	}
+
+	return auth, nil
+}

pkg/cloud/services/authenticator/authenticator.go

@@ -33,7 +33,10 @@ import (
 )
 
 // iamEndpoint represent the IAM authorisation URL.
-const iamEndpoint = "https://iam.cloud.ibm.com/identity/token"
+const (
+	iamEndpoint  = "https://iam.cloud.ibm.com/identity/token"
+	cosURLDomain = "cloud-object-storage.appdomain.cloud"
+)
 
 // Service holds the IBM Cloud Resource Controller Service specific information.
 type Service struct {
@@ -94,8 +97,7 @@ func NewService(options ServiceOptions, location, apikey, serviceInstance string
 	if options.Options == nil {
 		options.Options = &cosSession.Options{}
 	}
-	serviceEndpoint := fmt.Sprintf("s3.%s.cloud-object-storage.appdomain.cloud", location)
-
+	serviceEndpoint := fmt.Sprintf("s3.%s.%s", location, cosURLDomain)
 	// TODO(karthik-k-n): handle URL
 	options.Config = aws.Config{
 		Endpoint: &serviceEndpoint,