CORS-4337: allow AWS Europe Sovereign Cloud partition

In AWS European Sovereign Cloud, ARNs begin with "arn:aws-eusc:". Thus,
we need to update the validation to allow this new format.

See https://docs.aws.eu/general/latest/gr/arns.html

Author: tthvo

config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml

@@ -30,6 +30,81 @@ tests:
               aws:
                 keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
                 region: us-east-1
+    - name: Should be able to create encrypt with KMS for AWS with aws-cn partition
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          encryption:
+            type: KMS
+            kms:
+              type: AWS
+              aws:
+                keyARN: arn:aws-cn:kms:cn-north-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
+                region: cn-north-1
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          encryption:
+            type: KMS
+            kms:
+              type: AWS
+              aws:
+                keyARN: arn:aws-cn:kms:cn-north-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
+                region: cn-north-1
+    - name: Should be able to create encrypt with KMS for AWS with aws-us-gov partition
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          encryption:
+            type: KMS
+            kms:
+              type: AWS
+              aws:
+                keyARN: arn:aws-us-gov:kms:us-gov-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
+                region: us-gov-east-1
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          encryption:
+            type: KMS
+            kms:
+              type: AWS
+              aws:
+                keyARN: arn:aws-us-gov:kms:us-gov-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
+                region: us-gov-east-1
+    - name: Should be able to create encrypt with KMS for AWS with aws-eusc partition
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          encryption:
+            type: KMS
+            kms:
+              type: AWS
+              aws:
+                keyARN: arn:aws-eusc:kms:eusc-de-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
+                region: eusc-de-east-1
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          encryption:
+            type: KMS
+            kms:
+              type: AWS
+              aws:
+                keyARN: arn:aws-eusc:kms:eusc-de-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
+                region: eusc-de-east-1
     - name: Should fail to create encrypt with KMS for AWS without region
       initial: |
         apiVersion: config.openshift.io/v1
@@ -98,7 +173,20 @@ tests:
               aws:
                 keyARN: not-a-kms-arn
                 region: us-east-1
-      expectedError: "keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
+      expectedError: "keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
+    - name: Should fail to create AWS KMS with invalid partition
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          encryption:
+            type: KMS
+            kms:
+              type: AWS
+              aws:
+                keyARN: arn:aws-invalid:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
+                region: us-east-1
+      expectedError: "keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
     - name: Should fail to create AWS KMS with empty region
       initial: |
         apiVersion: config.openshift.io/v1

config/v1/tests/dnses.config.openshift.io/AAA_ungated.yaml

@@ -29,6 +29,57 @@ tests:
             type: AWS
             aws:
               privateZoneIAMRole: arn:aws:iam::123456789012:role/foo
+    - name: Should be able to specify an AWS role ARN with aws-cn partition
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-cn:iam::123456789012:role/foo
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-cn:iam::123456789012:role/foo
+    - name: Should be able to specify an AWS role ARN with aws-us-gov partition
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-us-gov:iam::123456789012:role/foo
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-us-gov:iam::123456789012:role/foo
+    - name: Should be able to specify an AWS role ARN with aws-eusc partition
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-eusc:iam::123456789012:role/foo
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-eusc:iam::123456789012:role/foo
     - name: Should not be able to specify unsupported platform
       initial: |
         apiVersion: config.openshift.io/v1
@@ -50,7 +101,19 @@ tests:
             type: AWS
             aws:
               privateZoneIAMRole: arn:aws:iam:bad:123456789012:role/foo
-      expectedError: "DNS.config.openshift.io \"cluster\" is invalid: spec.platform.aws.privateZoneIAMRole: Invalid value: \"arn:aws:iam:bad:123456789012:role/foo\": spec.platform.aws.privateZoneIAMRole in body should match '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\\/.*$'"
+      expectedError: "DNS.config.openshift.io \"cluster\" is invalid: spec.platform.aws.privateZoneIAMRole: Invalid value: \"arn:aws:iam:bad:123456789012:role/foo\": spec.platform.aws.privateZoneIAMRole in body should match '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\\/.*$'"
+    - name: Should not be able to specify invalid AWS partition
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: DNS
+        metadata:
+          name: cluster
+        spec:
+          platform:
+            type: AWS
+            aws:
+              privateZoneIAMRole: arn:aws-invalid:iam::123456789012:role/foo
+      expectedError: "DNS.config.openshift.io \"cluster\" is invalid: spec.platform.aws.privateZoneIAMRole: Invalid value: \"arn:aws-invalid:iam::123456789012:role/foo\": spec.platform.aws.privateZoneIAMRole in body should match '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\\/.*$'"
     - name: Should not be able to specify different type and platform
       initial: |
         apiVersion: config.openshift.io/v1

config/v1/types_dns.go

@@ -134,7 +134,7 @@ type AWSDNSSpec struct {
 	// privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
 	// operations on the cluster's private hosted zone specified in the cluster DNS config.
 	// When left empty, no role should be assumed.
-	// +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$`
+	// +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$`
 	// +optional
 	PrivateZoneIAMRole string `json:"privateZoneIAMRole"`
 }

config/v1/types_kmsencryption.go

@@ -24,14 +24,15 @@ type KMSConfig struct {
 // AWSKMSConfig defines the KMS config specific to AWS KMS provider
 type AWSKMSConfig struct {
 	// keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
-	// The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
+	// The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
+	// - `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
 	// - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
 	// - `<account_id>` is a 12-digit numeric identifier for the AWS account.
 	// - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
 	//
 	// +kubebuilder:validation:MaxLength=128
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
+	// +kubebuilder:validation:XValidation:rule="self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
 	// +required
 	KeyARN string `json:"keyARN"`
 	// region specifies the AWS region where the KMS instance exists, and follows the format

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

@@ -177,19 +177,20 @@ spec:
                           keyARN:
                             description: |-
                               keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
-                              The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
+                              The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
+                              - `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
                               - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
                               - `<account_id>` is a 12-digit numeric identifier for the AWS account.
                               - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
                             maxLength: 128
                             minLength: 1
                             type: string
                             x-kubernetes-validations:
-                            - message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
+                            - message: keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`.
                                 The account ID must be a 12 digit number and the region
                                 and key ID should consist only of lowercase hexadecimal
                                 characters and hyphens (-).
-                              rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
+                              rule: self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
                           region:
                             description: |-
                               region specifies the AWS region where the KMS instance exists, and follows the format

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

@@ -177,19 +177,20 @@ spec:
                           keyARN:
                             description: |-
                               keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
-                              The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
+                              The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
+                              - `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
                               - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
                               - `<account_id>` is a 12-digit numeric identifier for the AWS account.
                               - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
                             maxLength: 128
                             minLength: 1
                             type: string
                             x-kubernetes-validations:
-                            - message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
+                            - message: keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`.
                                 The account ID must be a 12 digit number and the region
                                 and key ID should consist only of lowercase hexadecimal
                                 characters and hyphens (-).
-                              rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
+                              rule: self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
                           region:
                             description: |-
                               region specifies the AWS region where the KMS instance exists, and follows the format

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses.crd.yaml

@@ -71,7 +71,7 @@ spec:
                           privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
                           operations on the cluster's private hosted zone specified in the cluster DNS config.
                           When left empty, no role should be assumed.
-                        pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$
+                        pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$
                         type: string
                     type: object
                   type:

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml

@@ -177,19 +177,20 @@ spec:
                           keyARN:
                             description: |-
                               keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
-                              The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
+                              The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
+                              - `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
                               - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
                               - `<account_id>` is a 12-digit numeric identifier for the AWS account.
                               - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
                             maxLength: 128
                             minLength: 1
                             type: string
                             x-kubernetes-validations:
-                            - message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
+                            - message: keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`.
                                 The account ID must be a 12 digit number and the region
                                 and key ID should consist only of lowercase hexadecimal
                                 characters and hyphens (-).
-                              rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
+                              rule: self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
                           region:
                             description: |-
                               region specifies the AWS region where the KMS instance exists, and follows the format

config/v1/zz_generated.featuregated-crd-manifests/dnses.config.openshift.io/AAA_ungated.yaml

@@ -72,7 +72,7 @@ spec:
                           privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
                           operations on the cluster's private hosted zone specified in the cluster DNS config.
                           When left empty, no role should be assumed.
-                        pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$
+                        pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$
                         type: string
                     type: object
                   type: