feat: add IAMRoleSelector CRD/feature (#204)

* feat: add `IAMRoleSelector` CRD/feature

Implements aws-controllers-k8s/community#2628 (mostly)

Introduces a new IAMRoleSelector CRD that enables dynamic IAM role
assignment based on namespace and resource type selectors. This feature
provides an alternative to CARM for role selection and cannot be used
simultaneously with CARM (enforced by validation).

Key components:
- New IAMRoleSelector CRD with namespace and resource type selectors
- Selector matching logic with AND between selector types, OR within arrays
- Dynamic informer-based cache for IAMRoleSelector resources
- Integration into the reconciler to override CARM role selection
- Alpha feature gate (IAMRoleSelector) defaulting to disabled

Note: ResourceTypeSelector uses schema.GroupVersionKind in the API,
which differs from the separate fields approach in the original types.
This may need adjustment based on CRD generation requirements.

* add IAMRoleSelected condition

---------

Co-authored-by: michaelhtm <98621731+michaelhtm@users.noreply.github.com>

Author: a-hilaly

apis/core/v1alpha1/conditions.go

@@ -66,6 +66,10 @@ const (
 	// "False" status indicates that the resource references failed to resolve.
 	// For Ex: When referenced resource is in terminal condition
 	ConditionTypeReferencesResolved ConditionType = "ACK.ReferencesResolved"
+	// ConditionTypeIAMRoleSelected indicates whether an IAMRoleSelector has been selected
+	// to manage the AWSResource. If none are selected, this condition will be removed
+	// and we'll use the custom role to manage the AWSResource
+	ConditionTypeIAMRoleSelected ConditionType = "ACK.IAMRoleSelected"
 )
 
 // Condition is the common struct used by all CRDs managed by ACK service

apis/core/v1alpha1/iam_role_selector.go

@@ -0,0 +1,66 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// LabelSelector is a label query over a set of resources.
+type LabelSelector struct {
+	MatchLabels map[string]string `json:"matchLabels"`
+}
+
+// IAMRoleSelectorSpec defines the desired state of IAMRoleSelector
+type NamespaceSelector struct {
+	Names         []string      `json:"names"`
+	LabelSelector LabelSelector `json:"labelSelector,omitempty"`
+}
+
+type GroupVersionKind struct {
+	Group   string `json:"group"`
+	Version string `json:"version"`
+	Kind    string `json:"kind"`
+}
+
+type IAMRoleSelectorSpec struct {
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"
+	ARN                  string             `json:"arn"`
+	NamespaceSelector    NamespaceSelector  `json:"namespaceSelector,omitempty"`
+	ResourceTypeSelector []GroupVersionKind `json:"resourceTypeSelector,omitempty"`
+}
+
+type IAMRoleSelectorStatus struct{}
+
+// IAMRoleSelector is the schema for the IAMRoleSelector API.
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+type IAMRoleSelector struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              IAMRoleSelectorSpec   `json:"spec,omitempty"`
+	Status            IAMRoleSelectorStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+type IAMRoleSelectorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []IAMRoleSelector `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&IAMRoleSelector{}, &IAMRoleSelectorList{})
+}

apis/core/v1alpha1/resource_metadata.go

@@ -32,4 +32,15 @@ type ResourceMetadata struct {
 	OwnerAccountID *AWSAccountID `json:"ownerAccountID"`
 	// Region is the AWS region in which the resource exists or will exist.
 	Region *AWSRegion `json:"region"`
+	// IAMRoleSelector is the selected IAMRoleSelector that is used to manage
+	// the AWS resource. This will be nil if the default controller role is used.
+	IAMRoleSelector *SelectedIAMRole `json:"iamRoleSelector,omitempty"`
+}
+
+type SelectedIAMRole struct {
+	// SelectorName is the k8s resource name of the IAMRoleSelector object
+	SelectorName    string `json:"selectorName"`
+	// ResourceVersion is the metadata.resourceVersion of the selected
+	// IAMRoleSelector object
+	ResourceVersion string `json:"resourceVersion"`
 }

apis/core/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,90 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.19.0
+  name: iamroleselectors.services.k8s.aws
+spec:
+  group: services.k8s.aws
+  names:
+    kind: IAMRoleSelector
+    listKind: IAMRoleSelectorList
+    plural: iamroleselectors
+    singular: iamroleselector
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IAMRoleSelector is the schema for the IAMRoleSelector API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              arn:
+                type: string
+                x-kubernetes-validations:
+                - message: Value is immutable once set
+                  rule: self == oldSelf
+              namespaceSelector:
+                description: IAMRoleSelectorSpec defines the desired state of IAMRoleSelector
+                properties:
+                  labelSelector:
+                    description: LabelSelector is a label query over a set of resources.
+                    properties:
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    required:
+                    - matchLabels
+                    type: object
+                  names:
+                    items:
+                      type: string
+                    type: array
+                required:
+                - names
+                type: object
+              resourceTypeSelector:
+                items:
+                  properties:
+                    group:
+                      type: string
+                    kind:
+                      type: string
+                    version:
+                      type: string
+                  required:
+                  - group
+                  - kind
+                  - version
+                  type: object
+                type: array
+            required:
+            - arn
+            type: object
+          status:
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}