Support team-id annotation

[zicongmei]

Issue #, if available: aws-controllers-k8s/community#2031

Description of changes:

Add support of team-id annotation in the namespace. Each team-id can associate with a different AWS Role ARN. So that the controller can have different roles for different namespaces. It can help fine grained permission when different teams and users are using the same controller.

Changes:

• On top of Create a seperated CARM map from accounts #143
• Add a team-id annotation
• If both team-id and owner-account-id exist. It will take the team-id and ignore owner-account-id.

Sample usage:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ack-carm-map
  namespace: ack-system
data:
  owner-account-id/111111111111: arn:aws:iam::111111111111:role/s3FullAccess
  team-id/team-a:  'arn:aws:arn:aws:iam::123456789012:role/read-only'
---
apiVersion: v1
kind: Namespace
metadata:
  name: team
  annotations:
    services.k8s.aws/team-id: "team-a"
---
apiVersion: v1
kind: Namespace
metadata:
  name: account
  annotations:
    services.k8s.aws/owner-account-id: "111111111111"
---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[ack-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zicongmei
Once this PR has been reviewed and has the lgtm label, please assign jljaco for approval by writing /assign @jljaco in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ack-prow]

Hi @zicongmei. Thanks for your PR.

I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[zicongmei]

/ok-to-test

[ack-prow]

@zicongmei: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[a-hilaly]

/ok-to-test

[a-hilaly]

/retest

[a-hilaly]

/retest

[zicongmei]

/retest

[zicongmei]

/retest

[zicongmei]

/retest

[zicongmei]

/retest

[zicongmei]

/ok-to-test

[a-hilaly]

This is great, thank you so much @zicongmei ! I left few comments and thoughts below

[a-hilaly]

Just taking notes.. during the refactor we will need to use lowerCamelCase variable names

[a-hilaly]

The separation of concerns implemented here is a good approach. However, I have a minor concern about spinning up two shared informers, watching the same exact kind (ConfigMap).. This could result in redundant watch operations essentially retrieving the same information (data).

Additionally, I think that using two separate informers can potentially result in delays when updating the caches for teamID and an ownerAccountID. If one cache gets updated before the other, there's a risk that the logic for picking up either the teamID or ownerAccountID may get impacted until both caches are fully synced

[a-hilaly]

What are your thoughts on using a single "cache" object (`CARMCache) to store both the teamIDs and accountIDs?

[zicongmei]

I like the idea of a single map. We can separate that from this PR.

[a-hilaly]

Should we move the AWS AccountID and ARN parsing logic to level closer to the CARMCache layer? the issue with handling errors here is that it's tricky properly patch the CRs conditions and trigger a proper requeue.
Second thoughts, i think this needs to be part of the refactor PR.

[a-hilaly]

I just realized that we're adding a new map to watch here. It's a little different from what we've imagined initially but I like it... It's definitely better than combining accountIDs and teamIDs in the same ConfigMap...