Include CSR approver RBAC resources in its own addon separate from no…

…de-authorizer

upup/models/cloudup/resources/addons/csr-approver.addons.k8s.io/k8s-1.23.yaml

@@ -0,0 +1,27 @@
+# Approve all CSRs for the group "system:bootstrappers"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: auto-approve-csrs-for-group
+subjects:
+- kind: Group
+  name: system:bootstrappers
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
+  apiGroup: rbac.authorization.k8s.io
+---
+# Approve renewal CSRs for the group "system:nodes"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: auto-approve-renewals-for-nodes
+subjects:
+- kind: Group
+  name: system:nodes
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
+  apiGroup: rbac.authorization.k8s.io

upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go

@@ -432,6 +432,32 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*Addon
 		}
 	}
 
+	// RBAC resources for kube-controller-manager to automatically approve node CSRs
+	{
+		enableCSRApprover := false
+		for _, ig := range b.NodeInstanceGroups() {
+			if ig.Spec.ImageFamily != nil && ig.Spec.ImageFamily.Bottlerocket != nil {
+				enableCSRApprover = true
+				break
+			}
+		}
+		if enableCSRApprover {
+			key := "csr-approver.addons.k8s.io"
+
+			{
+				location := key + "/k8s-1.23.yaml"
+				id := "k8s-1.23"
+
+				addons.Add(&channelsapi.AddonSpec{
+					Name:     fi.String(key),
+					Selector: map[string]string{"k8s-addon": key},
+					Manifest: fi.String(location),
+					Id:       id,
+				})
+			}
+		}
+	}
+
 	{
 		// Adding the kubelet-api-admin binding: this is required when switching to webhook authorization on the kubelet
 		// docs: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc-containerd/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: coredns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: coredns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: coredns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/crd/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: coredns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81
@@ -54,7 +61,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.12
     manifest: authentication.aws/k8s-1.12.yaml
-    manifestHash: 4e708499c4b354385fbf7c05b1ab2b811f7043c92b9e33457c7591d58d29a0ee
+    manifestHash: 17e947335cace92bb6f9e5c02756316207a3a7af8d7df60d8a3ca4b3a59763db
     name: authentication.aws
     selector:
       role.kubernetes.io/authentication: "1"

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/mappings/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: coredns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml

@@ -32,6 +32,13 @@ spec:
     selector:
       k8s-addon: rbac.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/coredns/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: coredns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.18/manifest.yaml

@@ -32,6 +32,13 @@ spec:
     selector:
       k8s-addon: rbac.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: kube-dns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.18/manifest.yaml

@@ -32,6 +32,13 @@ spec:
     selector:
       k8s-addon: rbac.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: kube-dns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/service-account-iam/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: coredns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: coredns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/weave/manifest.yaml

@@ -25,6 +25,13 @@ spec:
     selector:
       k8s-addon: coredns.addons.k8s.io
     version: 9.99.0
+  - id: k8s-1.23
+    manifest: csr-approver.addons.k8s.io/k8s-1.23.yaml
+    manifestHash: ca20525f0e2fcc856753859dabb036a732833ebde775408910a6c582feb9b949
+    name: csr-approver.addons.k8s.io
+    selector:
+      k8s-addon: csr-approver.addons.k8s.io
+    version: 9.99.0
   - id: k8s-1.9
     manifest: kubelet-api.rbac.addons.k8s.io/k8s-1.9.yaml
     manifestHash: 01c120e887bd98d82ef57983ad58a0b22bc85efb48108092a24c4b82e4c9ea81