Add create cluster flag for enabling IRSA

cmd/kops/create_cluster.go

@@ -219,6 +219,11 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 			return nil, cobra.ShellCompDirectiveNoFileComp
 		})
 	}
+	cmd.Flags().StringVar(&options.DiscoveryStore, "discovery-store", options.DiscoveryStore, "A public location where we publish OIDC-compatible discovery information under a cluster-specific directory. Enables IRSA in AWS.")
+	cmd.RegisterFlagCompletionFunc("discovery-store", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		// TODO complete vfs paths
+		return nil, cobra.ShellCompDirectiveNoFileComp
+	})
 
 	var validClouds []string
 	{

docs/cli/kops_create_cluster.md

@@ -77,6 +77,7 @@ kops create cluster [CLUSTER] [flags]
       --cloud-labels string              A list of key/value pairs used to tag all instance groups (for example "Owner=John Doe,Team=Some Team").
       --container-runtime string         Container runtime to use: containerd, docker
       --disable-subnet-tags              Disable automatic subnet tagging
+      --discovery-store string           A public location where we publish OIDC-compatible discovery information under a cluster-specific directory. Enables IRSA in AWS.
       --dns string                       DNS type to use: public or private (default "Public")
       --dns-zone string                  DNS hosted zone (defaults to longest matching zone)
       --dry-run                          If true, only print the object that would be sent, without sending it. This flag can be used to create a cluster YAML or JSON manifest.

docs/releases/1.23-NOTES.md

@@ -44,6 +44,9 @@ This is a document to gather the release notes prior to the release.
 
 # Other changes of note
 
+* The `kops create cluster` command has a new `--discovery-store` flag for specifying a public store for the OIDC-compatible discovery documents.
+If this flag is used in AWS, it will enable IRSA.
+
 * If `externalDns.provider` is `external-dns`, then `externalDns.watchIngress` will now default to `true`.
 
 # Full change list since 1.22.0 release

upup/pkg/fi/cloudup/new_cluster.go

@@ -40,6 +40,7 @@ import (
 	"k8s.io/kops/upup/pkg/fi/cloudup/azure"
 	"k8s.io/kops/upup/pkg/fi/cloudup/gce"
 	"k8s.io/kops/upup/pkg/fi/cloudup/openstack"
+	"k8s.io/kops/util/pkg/vfs"
 )
 
 const (
@@ -57,6 +58,8 @@ type NewClusterOptions struct {
 	Channel string
 	// ConfigBase is the location where we will store the configuration. It defaults to the state store.
 	ConfigBase string
+	// DiscoveryStore is the location where we will store public OIDC-compatible discovery documents, under a cluster-specific directory. It defaults to not publishing discovery documents.
+	DiscoveryStore string
 	// KubernetesVersion is the version of Kubernetes to deploy. It defaults to the version recommended by the channel.
 	KubernetesVersion string
 	// AdminAccess is the set of CIDR blocks permitted to connect to the Kubernetes API. It defaults to "0.0.0.0/0" and "::/0".
@@ -255,6 +258,20 @@ func NewCluster(opt *NewClusterOptions, clientset simple.Clientset) (*NewCluster
 		}
 	}
 
+	if opt.DiscoveryStore != "" {
+		discoveryPath, err := vfs.Context.BuildVfsPath(opt.DiscoveryStore)
+		if err != nil {
+			return nil, fmt.Errorf("error building DiscoveryStore for cluster: %v", err)
+		}
+		cluster.Spec.ServiceAccountIssuerDiscovery = &api.ServiceAccountIssuerDiscoveryConfig{
+			DiscoveryStore: discoveryPath.Join(cluster.Name).Path(),
+		}
+		if cluster.Spec.CloudProvider == string(api.CloudProviderAWS) {
+			cluster.Spec.ServiceAccountIssuerDiscovery.EnableAWSOIDCProvider = true
+			cluster.Spec.IAM.UseServiceAccountExternalPermissions = fi.Bool(true)
+		}
+	}
+
 	err = setupVPC(opt, &cluster)
 	if err != nil {
 		return nil, err