Remove the IAM Policy Controller

Ref: https://issues.redhat.com/browse/ACM-10859
Signed-off-by: yiraeChristineKim <[email protected]>

README.md

@@ -135,7 +135,6 @@ Other addons are:
 - ${CLUSTER_NAME}-klusterlet-addon-appmgr
 - ${CLUSTER_NAME}-klusterlet-addon-certpolicyctrl
 - ${CLUSTER_NAME}-klusterlet-addon-crds
-- ${CLUSTER_NAME}-klusterlet-addon-iampolicyctrl
 - ${CLUSTER_NAME}-klusterlet-addon-policyctrl
 - ${CLUSTER_NAME}-klusterlet-addon-search
 - ${CLUSTER_NAME}-klusterlet-addon-workmgr

deploy/crds/agent.open-cluster-management.io_v1_klusterletaddonconfig_cr.yaml

@@ -10,8 +10,6 @@ spec:
     enabled: true
   certPolicyController:
     enabled: true
-  iamPolicyController:
-    enabled: true
   policyController:
     enabled: true
   searchCollector:

deploy/image-manifest-configmap.yaml

@@ -37,7 +37,6 @@ data:
   grc_ui_tests: quay.io/stolostron/grc-ui-tests@sha256:34487b44908e4b84840ed6345a0e4dcba62c151ee814e0d2e9dd994d1a8a4061
   helloprow_go: quay.io/stolostron/helloprow-go@sha256:d860b73ce3c448be708db70b4544491a2639fac45075078ce3509e358714ccfc
   helloworld: quay.io/stolostron/helloworld@sha256:8d282d6f466e5afaa929e71db0e6224b8a3796027b7defe52b3d6cdc7dc43d07
-  iam_policy_controller: quay.io/stolostron/iam-policy-controller@sha256:22967bfed725755a36fd423c756c6257bb88f36eb3f425d0186998e2961bb2da
   insights_client: quay.io/stolostron/insights-client@sha256:d2bf383851e367936ab57ef76810247a782759313a90dab4e9ea51d8dc47e7ab
   insights_metrics: quay.io/stolostron/insights-metrics@sha256:e81351a5b06b41ef338357ddcc51f731591aa6ad52e8a9d7df34c80b5d4438b6
   klusterlet_addon_controller: quay.io/stolostron/klusterlet-addon-controller@sha256:dad60b1955da695667374f2debf81bd250eb14ec8afbae60758d38b07b8c1092

deploy/resources/managed/admin_aggregate_clusterrole.yaml

@@ -8,5 +8,5 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
 - apiGroups: ["agent.open-cluster-management.io"]
-  resources: ["applicationmanagers","certpolicycontrollers","iampolicycontrollers","policycontrollers","searchcollectors","workmanagers"]
+  resources: ["applicationmanagers","certpolicycontrollers","policycontrollers","searchcollectors","workmanagers"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

hack/hub-detach.sh

@@ -15,7 +15,6 @@ function destroyOrDetach {
   oc annotate klusterletaddonconfig -n ${CLUSTERNAME} ${CLUSTERNAME} klusterletaddonconfig-pause=true --overwrite=true
   oc delete manifestwork -n ${CLUSTERNAME} ${CLUSTERNAME}-appmgr --wait=false
   oc delete manifestwork -n ${CLUSTERNAME} ${CLUSTERNAME}-certpolicyctrl --wait=false
-  oc delete manifestwork -n ${CLUSTERNAME} ${CLUSTERNAME}-iampolicyctrl --wait=false
   oc delete manifestwork -n ${CLUSTERNAME} ${CLUSTERNAME}-policyctrl --wait=false
   oc delete manifestwork -n ${CLUSTERNAME} ${CLUSTERNAME}-search --wait=false
   oc delete manifestwork -n ${CLUSTERNAME} ${CLUSTERNAME}-workmgr --wait=false

hack/self-destruct.sh

@@ -26,7 +26,6 @@ ${KUBECTL} patch klusterlet klusterlet --type="json" -p '[{"op": "remove", "path
 component_crds=(
 	applicationmanagers.agent.open-cluster-management.io
 	certpolicycontrollers.agent.open-cluster-management.io
-	iampolicycontrollers.agent.open-cluster-management.io
 	policycontrollers.agent.open-cluster-management.io
 	searchcollectors.agent.open-cluster-management.io
 	workmanagers.agent.open-cluster-management.io

pkg/apis/agent/v1/image_utils.go

@@ -11,6 +11,7 @@ package v1
 import (
 	"context"
 	"fmt"
+
 	"github.com/stolostron/cluster-lifecycle-api/helpers/imageregistry"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -28,7 +29,6 @@ import (
 //		"addon-operator":                  "endpoint_component_operator",
 //		"coredns":                         "coredns",
 //		"deployable":                      "multicluster_operators_deployable",
-//		"iam-policy-controller":           "iam_policy_controller",
 //		"policy-controller":               "config_policy_controller",
 //		"governance-policy-spec-sync":     "governance_policy_spec_sync",
 //		"governance-policy-status-sync":   "governance_policy_status_sync",
@@ -54,7 +54,6 @@ var manifests map[string]manifest
 
 // GetImage returns the image.  for the specified component return error if information not found
 func (config *AddonAgentConfig) GetImage(component string) (imageRepository string, err error) {
-
 	m, err := getManifest(version.Version)
 	if err != nil {
 		return "", err
@@ -125,7 +124,6 @@ var MCHgvr = schema.GroupVersionResource{
 }
 
 func GetHubVersion(ctx context.Context, dynamicClient dynamic.Interface) (string, error) {
-
 	mchList, err := dynamicClient.Resource(MCHgvr).List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return "", fmt.Errorf("failed to list mch. err: %v", err)

pkg/apis/agent/v1/klusterletaddonconfig_types.go

@@ -51,8 +51,8 @@ type KlusterletAddonConfigSpec struct {
 	// CertPolicyControllerConfig defines the configurations of CertPolicyController addon agent.
 	CertPolicyControllerConfig KlusterletAddonAgentConfigSpec `json:"certPolicyController"`
 
-	// IAMPolicyControllerConfig defines the configurations of IamPolicyController addon agent.
-	IAMPolicyControllerConfig KlusterletAddonAgentConfigSpec `json:"iamPolicyController"`
+	// DEPRECATED in release 2.11 and will be removed in the future since not used anymore.
+	IAMPolicyControllerConfig KlusterletAddonAgentConfigSpec `json:"iamPolicyController,omitempty"`
 }
 
 // ProxyConfig defines the global proxy env for OCP cluster

pkg/apis/agent/v1/types.go

@@ -51,7 +51,6 @@ const (
 	ApplicationAddonName     = "application-manager"
 	CertPolicyAddonName      = "cert-policy-controller"
 	ConfigPolicyAddonName    = "config-policy-controller"
-	IamPolicyAddonName       = "iam-policy-controller"
 	PolicyAddonName          = "policy-controller"
 	PolicyFrameworkAddonName = "governance-policy-framework"
 	SearchAddonName          = "search-collector"
@@ -65,18 +64,16 @@ var KlusterletAddons = map[string]bool{
 	ApplicationAddonName:     true,
 	ConfigPolicyAddonName:    true,
 	CertPolicyAddonName:      true,
-	IamPolicyAddonName:       true,
 	PolicyFrameworkAddonName: true,
 	SearchAddonName:          true,
 }
 
 // KlusterletAddonImageNames is the image key names for each addon agents in image-manifest configmap
 var KlusterletAddonImageNames = map[string][]string{
-	ApplicationAddonName:     []string{"multicluster_operators_subscription"},
-	ConfigPolicyAddonName:    []string{"config_policy_controller", "kube_rbac_proxy"},
-	CertPolicyAddonName:      []string{"cert_policy_controller"},
-	IamPolicyAddonName:       []string{"iam_policy_controller"},
-	PolicyAddonName:          []string{"config_policy_controller", "governance_policy_framework_addon"},
-	PolicyFrameworkAddonName: []string{"governance_policy_framework_addon", "kube_rbac_proxy"},
-	SearchAddonName:          []string{"search_collector"},
+	ApplicationAddonName:     {"multicluster_operators_subscription"},
+	ConfigPolicyAddonName:    {"config_policy_controller", "kube_rbac_proxy"},
+	CertPolicyAddonName:      {"cert_policy_controller"},
+	PolicyAddonName:          {"config_policy_controller", "governance_policy_framework_addon"},
+	PolicyFrameworkAddonName: {"governance_policy_framework_addon", "kube_rbac_proxy"},
+	SearchAddonName:          {"search_collector"},
 }

pkg/controller/addon/klusterlet_addon_controller.go

@@ -36,7 +36,7 @@ const (
 )
 
 var hostedAddOns = sets.NewString(agentv1.PolicyFrameworkAddonName, agentv1.ConfigPolicyAddonName,
-	agentv1.CertPolicyAddonName, agentv1.IamPolicyAddonName)
+	agentv1.CertPolicyAddonName)
 
 // globalValues is the values can be overridden by klusterletAddon-controller
 type globalValues struct {
@@ -303,11 +303,6 @@ func getProxyConfig(addonName string, config *agentv1.KlusterletAddonConfig) map
 			return nil
 		}
 		proxyPolicy = config.Spec.CertPolicyControllerConfig.ProxyPolicy
-	case agentv1.IamPolicyAddonName:
-		if !config.Spec.IAMPolicyControllerConfig.Enabled {
-			return nil
-		}
-		proxyPolicy = config.Spec.IAMPolicyControllerConfig.ProxyPolicy
 	case agentv1.ConfigPolicyAddonName, agentv1.PolicyFrameworkAddonName:
 		if !config.Spec.PolicyController.Enabled {
 			return nil
@@ -341,7 +336,8 @@ func getProxyConfig(addonName string, config *agentv1.KlusterletAddonConfig) map
 func getGlobalValues(nodeSelector map[string]string,
 	imageOverrides map[string]string,
 	addonName string,
-	config *agentv1.KlusterletAddonConfig) globalValues {
+	config *agentv1.KlusterletAddonConfig,
+) globalValues {
 	return globalValues{
 		Global: global{
 			ImageOverrides: imageOverrides,
@@ -483,8 +479,6 @@ func addonIsEnabled(addonName string, config *agentv1.KlusterletAddonConfig) boo
 		return config.Spec.PolicyController.Enabled
 	case agentv1.CertPolicyAddonName:
 		return config.Spec.CertPolicyControllerConfig.Enabled
-	case agentv1.IamPolicyAddonName:
-		return config.Spec.IAMPolicyControllerConfig.Enabled
 	case agentv1.PolicyAddonName:
 		return false //  has been deprecated
 	case agentv1.PolicyFrameworkAddonName:

pkg/controller/addon/klusterlet_addon_controller_test.go

@@ -137,7 +137,6 @@ func newKlusterletAddonConfig(clusterName string) *v1.KlusterletAddonConfig {
 			PolicyController:           v1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			ApplicationManagerConfig:   v1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			CertPolicyControllerConfig: v1.KlusterletAddonAgentConfigSpec{Enabled: true},
-			IAMPolicyControllerConfig:  v1.KlusterletAddonAgentConfigSpec{Enabled: true},
 		},
 	}
 }
@@ -155,7 +154,6 @@ func newKlusterletAddonConfigWithProxy(clusterName string) *v1.KlusterletAddonCo
 			PolicyController:           v1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			ApplicationManagerConfig:   v1.KlusterletAddonAgentConfigSpec{Enabled: true, ProxyPolicy: v1.ProxyPolicyOCPGlobalProxy},
 			CertPolicyControllerConfig: v1.KlusterletAddonAgentConfigSpec{Enabled: true},
-			IAMPolicyControllerConfig:  v1.KlusterletAddonAgentConfigSpec{Enabled: true},
 		},
 		Status: v1.KlusterletAddonConfigStatus{
 			OCPGlobalProxy: v1.ProxyConfig{
@@ -202,8 +200,8 @@ func Test_Reconcile(t *testing.T) {
 				if err != nil {
 					t.Errorf("faild to list addons. %v", err)
 				}
-				if len(addonList.Items) != 6 {
-					t.Errorf("expected 6 addons, but got %v", len(addonList.Items))
+				if len(addonList.Items) != 5 {
+					t.Errorf("expected 5 addons, but got %v", len(addonList.Items))
 				}
 			},
 		},
@@ -222,8 +220,8 @@ func Test_Reconcile(t *testing.T) {
 				if err != nil {
 					t.Errorf("faild to list addons. %v", err)
 				}
-				if len(addonList.Items) != 6 {
-					t.Errorf("expected 6 addons, but got %v", len(addonList.Items))
+				if len(addonList.Items) != 5 {
+					t.Errorf("expected 5 addons, but got %v", len(addonList.Items))
 				}
 
 				for _, addon := range addonList.Items {
@@ -275,8 +273,8 @@ func Test_Reconcile(t *testing.T) {
 				if err != nil {
 					t.Errorf("faild to list addons. %v", err)
 				}
-				if len(addonList.Items) != 6 {
-					t.Errorf("expected 6 addons, but got %v", len(addonList.Items))
+				if len(addonList.Items) != 5 {
+					t.Errorf("expected 5 addons, but got %v", len(addonList.Items))
 				}
 				for _, addon := range addonList.Items {
 					annotations := addon.GetAnnotations()
@@ -308,8 +306,8 @@ func Test_Reconcile(t *testing.T) {
 				if err != nil {
 					t.Errorf("faild to list addons. %v", err)
 				}
-				if len(addonList.Items) != 6 {
-					t.Errorf("expected 6 addons, but got %v", len(addonList.Items))
+				if len(addonList.Items) != 5 {
+					t.Errorf("expected 5 addons, but got %v", len(addonList.Items))
 				}
 				for _, addon := range addonList.Items {
 					if addon.GetName() != v1.ApplicationAddonName {
@@ -334,7 +332,6 @@ func Test_Reconcile(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-
 			objs := []runtime.Object{}
 			if tt.managedCluster != nil {
 				objs = append(objs, tt.managedCluster)

pkg/controller/managedcluster/managed_cluster_controller.go

@@ -153,7 +153,6 @@ func hostedKAC(clusterName string) *kacv1.KlusterletAddonConfig {
 			ClusterNamespace:           clusterName,
 			ApplicationManagerConfig:   kacv1.KlusterletAddonAgentConfigSpec{Enabled: false},
 			CertPolicyControllerConfig: kacv1.KlusterletAddonAgentConfigSpec{Enabled: false},
-			IAMPolicyControllerConfig:  kacv1.KlusterletAddonAgentConfigSpec{Enabled: false},
 			PolicyController:           kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			SearchCollectorConfig:      kacv1.KlusterletAddonAgentConfigSpec{Enabled: false},
 		},
@@ -172,7 +171,6 @@ func clusterClaimKAC(clusterName string) *kacv1.KlusterletAddonConfig {
 			ClusterLabels:              map[string]string{"vendor": "OpenShift"}, // Required for object to be created
 			ApplicationManagerConfig:   kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			CertPolicyControllerConfig: kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
-			IAMPolicyControllerConfig:  kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			PolicyController:           kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			SearchCollectorConfig:      kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 		},
@@ -190,7 +188,6 @@ func hypershiftKAC(clusterName string) *kacv1.KlusterletAddonConfig {
 			ClusterNamespace:           clusterName,
 			ApplicationManagerConfig:   kacv1.KlusterletAddonAgentConfigSpec{Enabled: false},
 			CertPolicyControllerConfig: kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
-			IAMPolicyControllerConfig:  kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			PolicyController:           kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			SearchCollectorConfig:      kacv1.KlusterletAddonAgentConfigSpec{Enabled: false},
 		},
@@ -208,7 +205,6 @@ func defaultKAC(clusterName string) *kacv1.KlusterletAddonConfig {
 			ClusterNamespace:           clusterName,
 			ApplicationManagerConfig:   kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			CertPolicyControllerConfig: kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
-			IAMPolicyControllerConfig:  kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			PolicyController:           kacv1.KlusterletAddonAgentConfigSpec{Enabled: true},
 			SearchCollectorConfig:      kacv1.KlusterletAddonAgentConfigSpec{Enabled: false},
 		},

pkg/controller/managedcluster/managed_cluster_controller_test.go

@@ -69,7 +69,7 @@ func TestReconcileManagedCluster(t *testing.T) {
 				}
 
 				if kac.Spec.ApplicationManagerConfig.Enabled || kac.Spec.CertPolicyControllerConfig.Enabled ||
-					kac.Spec.IAMPolicyControllerConfig.Enabled || kac.Spec.SearchCollectorConfig.Enabled {
+					kac.Spec.SearchCollectorConfig.Enabled {
 					t.Errorf("expected other add-ons are disabled, but some of them is enabled")
 				}
 			},

test/e2e/e2e_suite_test.go

@@ -165,9 +165,6 @@ func newKlusterletAddonConfig(managedClusterName string) *agentv1.KlusterletAddo
 			CertPolicyControllerConfig: agentv1.KlusterletAddonAgentConfigSpec{
 				Enabled: true,
 			},
-			IAMPolicyControllerConfig: agentv1.KlusterletAddonAgentConfigSpec{
-				Enabled: true,
-			},
 			PolicyController: agentv1.KlusterletAddonAgentConfigSpec{
 				Enabled: true,
 			},

test/e2e/globalproxy_test.go

@@ -73,8 +73,8 @@ var _ = Describe("globalProxy test", func() {
 				if err != nil {
 					return err
 				}
-				if len(addonList.Items) != 6 {
-					return fmt.Errorf("expected 6 addons, but got %v", len(addonList.Items))
+				if len(addonList.Items) != 5 {
+					return fmt.Errorf("expected 5 addons, but got %v", len(addonList.Items))
 				}
 				return nil
 			}, 60*time.Second, 5*time.Second).ShouldNot(HaveOccurred())
@@ -120,8 +120,8 @@ var _ = Describe("globalProxy test", func() {
 				if err != nil {
 					return err
 				}
-				if len(addonList.Items) != 6 {
-					return fmt.Errorf("expected 6 addons, but got %v", len(addonList.Items))
+				if len(addonList.Items) != 5 {
+					return fmt.Errorf("expected 5 addons, but got %v", len(addonList.Items))
 				}
 				return nil
 			}, 60*time.Second, 5*time.Second).ShouldNot(HaveOccurred())

test/e2e/klusterletaddonconfig_test.go

@@ -36,7 +36,7 @@ var _ = Describe("klusterletAddonConfig test", func() {
 		})
 
 		It("test klusterletAddonConfig create", func() {
-			testKACCreate(managedClusterName, 4)
+			testKACCreate(managedClusterName, 3)
 		})
 	})
 
@@ -57,7 +57,7 @@ var _ = Describe("klusterletAddonConfig test", func() {
 		})
 
 		It("test klusterletAddonConfig create", func() {
-			testKACCreate(managedClusterName, 6)
+			testKACCreate(managedClusterName, 5)
 		})
 	})
 
@@ -78,7 +78,7 @@ var _ = Describe("klusterletAddonConfig test", func() {
 		})
 
 		It("test klusterletAddonConfig create", func() {
-			testKACCreate(managedClusterName, 5)
+			testKACCreate(managedClusterName, 4)
 		})
 	})
 })

test/e2e/managedclusteraddon_test.go

@@ -55,12 +55,11 @@ var _ = Describe("managedClusterAddon test", func() {
 					if err != nil {
 						return err
 					}
-					if len(addonList.Items) != 6 {
-						return fmt.Errorf("expected 6 addons, but got %v", len(addonList.Items))
+					if len(addonList.Items) != 5 {
+						return fmt.Errorf("expected 5 addons, but got %v", len(addonList.Items))
 					}
 					return nil
 				}, 60*time.Second, 5*time.Second).ShouldNot(HaveOccurred())
-
 			})
 
 			By("disable addons", func() {
@@ -78,7 +77,6 @@ var _ = Describe("managedClusterAddon test", func() {
 					}
 					return nil
 				}, 60*time.Second, 5*time.Second).ShouldNot(HaveOccurred())
-
 			})
 
 			By("check if the enabled addons are installed", func() {
@@ -88,12 +86,11 @@ var _ = Describe("managedClusterAddon test", func() {
 					if err != nil {
 						return err
 					}
-					if len(addonList.Items) != 3 {
-						return fmt.Errorf("expected 3 addons, but got %v", len(addonList.Items))
+					if len(addonList.Items) != 2 {
+						return fmt.Errorf("expected 2 addons, but got %v", len(addonList.Items))
 					}
 					return nil
 				}, 60*time.Second, 5*time.Second).ShouldNot(HaveOccurred())
-
 			})
 
 			var changedAddonName string
@@ -162,7 +159,6 @@ var _ = Describe("managedClusterAddon test", func() {
 				Expect(addonConfig.Spec.PolicyController.Enabled).Should(BeTrue())
 				Expect(addonConfig.Spec.ApplicationManagerConfig.Enabled).Should(BeFalse())
 				Expect(addonConfig.Spec.CertPolicyControllerConfig.Enabled).Should(BeFalse())
-				Expect(addonConfig.Spec.IAMPolicyControllerConfig.Enabled).Should(BeFalse())
 				Expect(addonConfig.Spec.SearchCollectorConfig.Enabled).Should(BeFalse())
 			})
 

test/e2e/resources/klusterletaddonconfig_cr.yaml

@@ -14,5 +14,3 @@ spec:
     enabled: true
   certPolicyController:
     enabled: true
-  iamPolicyController:
-    enabled: true