adding code to patch config map

pkg/registration/hub/managedcluster/controller.go

@@ -212,7 +212,7 @@ func (c *managedClusterController) sync(ctx context.Context, syncCtx factory.Syn
 			errs = append(errs, err)
 		}
 
-		err = c.approver.CreateIAMRolesAndPolicies(ctx, managedCluster)
+		err = c.approver.CreateIAMRolesAndPolicies(ctx, managedCluster , c.kubeClient)
 		if err != nil {
 			fmt.Println("Failed to create IAM roles and policies for aws irsa", err)
 			errs = append(errs, err)

pkg/registration/register/aws_irsa/approver.go

@@ -3,9 +3,12 @@ package aws_irsa
 import (
 	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"github.com/aws/aws-sdk-go-v2/service/eks/types"
 	"html/template"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 	"log"
 	"strings"
 
@@ -40,7 +43,7 @@ func (a *AwsIrsaApprover) Run(ctx context.Context, workers int) {
 // Cleanup is run when the cluster is deleting or hubAcceptClient is set false
 
 // CreateIAMRolesAndPolicies implements register.Approver.
-func (a *AwsIrsaApprover) CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster) error {
+func (a *AwsIrsaApprover) CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster, kubeclient kubernetes.Interface  ) error {
 
 	//Creating config for aws
 	cfg, err := config.LoadDefaultConfig(context.TODO())
@@ -58,15 +61,21 @@ func (a *AwsIrsaApprover) CreateIAMRolesAndPolicies(ctx context.Context, cluster
 	})
 
 	if describeClusterOutput.Cluster.AccessConfig.AuthenticationMode == types.AuthenticationModeConfigMap {
-			//patch configmap
+		err = patchAuthConfigMapForAWSIRSA(principalArn, managedClusterName,kubeclient )
+		if err != nil {
+			fmt.Println("Failed to update aws-auth configmap for aws irsa", err)
+			return err
+		}
 	} else {
-		err =	createAccessEntriesForAWSIRSA(ctx, eksClient, principalArn, hubclusterName , managedClusterName)
+		err = createAccessEntriesForAWSIRSA(ctx, eksClient, principalArn, hubclusterName , managedClusterName)
+		if err != nil {
+			fmt.Println("Failed to create Access Entries for aws irsa", err)
+		}
 	}
 	if err != nil {
-		fmt.Println("Failed to create IAM roles, policies and access entry for aws irsa", err)
-		log.Fatal(err)
+		fmt.Println("Failed to create IAM roles, policies and access entry/aws-auth configmap for aws irsa", err)
+		return err
 	}
-
 	return nil
 }
 
@@ -243,24 +252,53 @@ func getPolicyArnByName(client *iam.Client, policyName string) (string, error) {
 
 
 func createAccessEntriesForAWSIRSA(ctx context.Context,eksClient *eks.Client , principalArn string , hubClusterName string , managedClusterName string) error {
+	params := &eks.CreateAccessEntryInput{
+		ClusterName:      aws.String(hubClusterName),
+		PrincipalArn:     aws.String(principalArn),
+		Username:         aws.String(managedClusterName),
+		KubernetesGroups: []string{"open-cluster-management:" + managedClusterName},
+		}
 
-params := &eks.CreateAccessEntryInput{
-	ClusterName:      aws.String(hubClusterName),
-	PrincipalArn:     aws.String(principalArn),
-	Username:         aws.String(managedClusterName),
-	KubernetesGroups: []string{"open-cluster-management:" + managedClusterName},
+	createAccessEntryOutput, err := eksClient.CreateAccessEntry(ctx, params)
+	if err != nil {
+		if !(strings.Contains(err.Error(), "EntityAlreadyExists")) {
+		log.Printf("Failed to create Access entry for the managed cluster  %v because of %v\n", managedClusterName, err)
+		return err
+		} else {
+		log.Printf("Ignore Access entry creation error as entity already exists")
+		}
 	}
+	fmt.Printf("Access entry created successfully: %s\n", *createAccessEntryOutput.AccessEntry.AccessEntryArn)
+	return nil
+}
 
-createAccessEntryOutput, err := eksClient.CreateAccessEntry(ctx, params)
-if err != nil {
-	if !(strings.Contains(err.Error(), "EntityAlreadyExists")) {
-	log.Printf("Failed to create Access entry for the managed cluster  %v because of %v\n", managedClusterName, err)
-	return err
-	} else {
-	log.Printf("Ignore Access entry creation error as entity already exists")
+func patchAuthConfigMapForAWSIRSA( principalArn string, managedClusterName string, kubeclient kubernetes.Interface) error {
+	configMap, err := kubeclient.CoreV1().ConfigMaps("kube-system").Get(context.TODO(), "aws-auth", metav1.GetOptions{})
+	if err != nil {
+		log.Printf("Could not get config map aws-auth in the namespace aws-auth configmap")
+		return err
 	}
-}
-fmt.Printf("Access entry created successfully: %s\n", *createAccessEntryOutput.AccessEntry.AccessEntryArn)
-return nil
-}
 
+	var mapRoles []map[string]string
+	err = json.Unmarshal([]byte(configMap.Data["mapRoles"]), &mapRoles);
+	if err != nil {
+		log.Printf("Failed to unmarshal mapRoles: %v", err)
+		return err
+	}
+
+	newRole := map[string]string{
+		"rolearn":  principalArn,
+		"groups":   "system:open-cluster-management:"+managedClusterName,
+	}
+	mapRoles = append(mapRoles, newRole)
+	jsonMap,err := json.Marshal(mapRoles)
+	configMap.Data["mapRoles"] =  string(jsonMap)
+
+	_, err = kubeclient.CoreV1().ConfigMaps("kube-system").Update(context.TODO(),configMap , metav1.UpdateOptions{})
+	if err!=nil{
+		log.Printf("Failed to update aws-auth configmap", err)
+		return err
+	}
+	log.Printf("Aws-auth configmap updated.")
+	return nil
+}

pkg/registration/register/aws_irsa/approver_test.go

@@ -365,13 +365,12 @@ func TestCreateIAMRolesAndPoliciesForAWSIRSA(t *testing.T) {
 			}
 
 			iamClient := iam.NewFromConfig(cfg)
-			eksClient := eks.NewFromConfig(cfg)
 			HubClusterArn := "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster"
 
 			managedCluster := testinghelpers.NewManagedCluster()
 			managedCluster.Annotations = tt.managedClusterAnnotations
 
-			err = CreateIAMRolesPoliciesAndAccessEntryForAWSIRSA(tt.args.ctx, HubClusterArn, managedCluster, iamClient, eksClient)
+			_,_,_,err = CreateIAMRolesPoliciesForAWSIRSA(tt.args.ctx, HubClusterArn, managedCluster, iamClient)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("error = %#v, wantErr %#v", err, tt.wantErr)
 				return

pkg/registration/register/common.go

@@ -3,6 +3,7 @@ package register
 import (
 	"context"
 	"fmt"
+	"k8s.io/client-go/kubernetes"
 	"os"
 	"reflect"
 
@@ -158,10 +159,10 @@ func (a *AggregatedApprover) Cleanup(ctx context.Context, cluster *clusterv1.Man
 }
 
 // CreateIAMRolesAndPolicies implements Approver.
-func (a *AggregatedApprover) CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster) error {
+func (a *AggregatedApprover) CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster ,kubeclient kubernetes.Interface) error {
 	var errs []error
 	for _, approver := range a.approvers {
-		if err := approver.CreateIAMRolesAndPolicies(ctx, cluster); err != nil {
+		if err := approver.CreateIAMRolesAndPolicies(ctx, cluster, kubeclient); err != nil {
 			errs = append(errs, err)
 		}
 	}
@@ -183,7 +184,7 @@ func (a *NoopApprover) Cleanup(_ context.Context, _ *clusterv1.ManagedCluster) e
 	return nil
 }
 
-func (a *NoopApprover) CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster) error {
+func (a *NoopApprover) CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster , kubeclient kubernetes.Interface) error {
 	return nil
 }
 

pkg/registration/register/csr/approver.go

@@ -168,7 +168,7 @@ func (c *CSRApprover) Cleanup(_ context.Context, _ *clusterv1.ManagedCluster) er
 	return nil
 }
 
-func (c *CSRApprover) CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster) error {
+func (c *CSRApprover) CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster, kubeclient kubernetes.Interface ) error {
 	//noop
 	return nil
 }

pkg/registration/register/interface.go

@@ -2,11 +2,11 @@ package register
 
 import (
 	"context"
-
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/events"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/tools/cache"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@@ -89,5 +89,5 @@ type Approver interface {
 
 	// CreateIAMRole is executed when hubAcceptClient in ManagedCluster is set to true. The hub controller creates the
 	// required IAM roles for the spoke to be able to access resources on the hub cluster.
-	CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster) error
+	CreateIAMRolesAndPolicies(ctx context.Context, cluster *clusterv1.ManagedCluster , kubeclient kubernetes.Interface) error
 }