package crd
import (
	"errors"
	"fmt"
	"strings"
	"time"

	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/rest"
	"k8s.io/client-go/tools/cache"
	"k8s.io/client-go/tools/clientcmd"

	"github.com/LF-Certification/aws-iam-authenticator/pkg/config"
	"github.com/LF-Certification/aws-iam-authenticator/pkg/mapper"
	iamauthenticatorv1alpha1 "github.com/LF-Certification/aws-iam-authenticator/pkg/mapper/crd/apis/iamauthenticator/v1alpha1"
	"github.com/LF-Certification/aws-iam-authenticator/pkg/mapper/crd/controller"
	clientset "github.com/LF-Certification/aws-iam-authenticator/pkg/mapper/crd/generated/clientset/versioned"
	informers "github.com/LF-Certification/aws-iam-authenticator/pkg/mapper/crd/generated/informers/externalversions"
)
// CRDMapper resolves canonical IAM ARNs to Kubernetes identities by looking
// them up in an informer-backed index of IAMIdentityMapping custom resources.
//
// Instances built by NewCRDMapper carry a running-capable Controller and
// informer factory; instances built by NewCRDMapperWithIndexer only carry the
// indexer and must not be Started.
type CRDMapper struct {
	// Controller reconciles IAMIdentityMapping objects; nil when the mapper
	// was built with NewCRDMapperWithIndexer.
	*controller.Controller
	// iamInformerFactory is an informer factory that must be Started
	iamInformerFactory informers.SharedInformerFactory
	// iamMappingsSynced is a function to get if the informers have synced
	// (not consulted by the methods in this file)
	iamMappingsSynced cache.InformerSynced
	// iamMappingsIndex is a custom indexer which allows for indexing on canonical arns
	// (queried by Map under the "canonicalARN" index name)
	iamMappingsIndex cache.Indexer
}
// Compile-time check that *CRDMapper satisfies the mapper.Mapper interface.
var _ mapper.Mapper = &CRDMapper{}
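// iamMappingResyncPeriod is the informer resync interval handed to the shared
// informer factory (36000 s, i.e. 10 hours). A resync only re-delivers the
// already-cached objects to the controller's handlers; watch events for
// created, updated or deleted IAMIdentityMapping objects still arrive as they
// happen, so this interval is not a staleness bound on mapping changes.
const iamMappingResyncPeriod = 36000 * time.Second

// NewCRDMapper builds a CRDMapper backed by a live cluster.
//
// The Kubernetes client configuration is taken from cfg.Master/cfg.Kubeconfig
// when either is set (explicit flags take precedence), otherwise from the
// in-cluster service account. The returned mapper is not running yet: call
// Start to launch the informer factory and the controller.
//
// Returns a wrapped error when the client configuration, the Kubernetes
// client or the authenticator client cannot be built.
func NewCRDMapper(cfg config.Config) (*CRDMapper, error) {
	var k8sconfig *rest.Config
	var err error
	if cfg.Master != "" || cfg.Kubeconfig != "" {
		k8sconfig, err = clientcmd.BuildConfigFromFlags(cfg.Master, cfg.Kubeconfig)
	} else {
		k8sconfig, err = rest.InClusterConfig()
	}
	if err != nil {
		return nil, fmt.Errorf("can't create kubernetes config: %w", err)
	}

	kubeClient, err := kubernetes.NewForConfig(k8sconfig)
	if err != nil {
		return nil, fmt.Errorf("can't create kubernetes client: %w", err)
	}
	iamClient, err := clientset.NewForConfig(k8sconfig)
	if err != nil {
		return nil, fmt.Errorf("can't create authenticator client: %w", err)
	}

	iamInformerFactory := informers.NewSharedInformerFactory(iamClient, iamMappingResyncPeriod)
	iamMappingInformer := iamInformerFactory.Iamauthenticator().V1alpha1().IAMIdentityMappings()
	ctrl := controller.New(kubeClient, iamClient, iamMappingInformer)

	// Keyed fields: a positional literal would silently bind the wrong values
	// if the struct's field order ever changed.
	return &CRDMapper{
		Controller:         ctrl,
		iamInformerFactory: iamInformerFactory,
		iamMappingsSynced:  iamMappingInformer.Informer().HasSynced,
		iamMappingsIndex:   iamMappingInformer.Informer().GetIndexer(),
	}, nil
}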
// NewCRDMapperWithIndexer returns a CRDMapper that serves Map from an
// already-populated indexer.
//
// Only iamMappingsIndex is set; the embedded Controller and the informer
// factory stay nil, so the result is suitable for lookups (and tests) but not
// for Start.
func NewCRDMapperWithIndexer(iamMappingsIndex cache.Indexer) *CRDMapper {
	m := &CRDMapper{}
	m.iamMappingsIndex = iamMappingsIndex
	return m
}
// Name returns the identifier of this mapper mode, mapper.ModeCRD.
func (m *CRDMapper) Name() string {
	mode := mapper.ModeCRD
	return mode
}
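// crdControllerWorkers is the number of worker goroutines the controller runs.
const crdControllerWorkers = 2

// Start launches the informer factory and the controller in the background
// and returns immediately; closing stopCh stops both.
//
// It does not wait for the informer cache to sync (iamMappingsSynced is not
// consulted here), so Map may return mapper.ErrNotMapped for ARNs whose
// objects have not been listed yet.
//
// Returns an error, without starting anything, when the mapper was not built
// by NewCRDMapper — NewCRDMapperWithIndexer leaves the informer factory and
// the Controller nil, and the original code would dereference them.
func (m *CRDMapper) Start(stopCh <-chan struct{}) error {
	if m.iamInformerFactory == nil || m.Controller == nil {
		return errors.New("crd mapper: informer factory and controller are not initialised; build the mapper with NewCRDMapper")
	}
	m.iamInformerFactory.Start(stopCh)
	go func() {
		// Run starts worker goroutines and blocks. Its error cannot be
		// returned from Start (which has already returned), so the process
		// fails fast rather than continuing with a controller that has stopped.
		if err := m.Controller.Run(crdControllerWorkers, stopCh); err != nil {
			panic(err)
		}
	}()
	return nil
}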
// Map looks up the IAMIdentityMapping whose "canonicalARN" index entry matches
// canonicalARN (compared after lower-casing) and returns the username and
// groups its Spec declares. The returned IdentityARN is the lower-cased input.
//
// When several objects share the same canonical ARN, the first entry in the
// indexer's result order that is an *IAMIdentityMapping wins; that order is
// not defined by this code. Returns mapper.ErrNotMapped when nothing matches
// and the indexer's own error when the lookup itself fails.
func (m *CRDMapper) Map(canonicalARN string) (*config.IdentityMapping, error) {
	key := strings.ToLower(canonicalARN)

	matches, err := m.iamMappingsIndex.ByIndex("canonicalARN", key)
	if err != nil {
		return nil, err
	}

	for _, match := range matches {
		mapping, isMapping := match.(*iamauthenticatorv1alpha1.IAMIdentityMapping)
		if !isMapping {
			continue
		}
		if mapping == nil {
			// A typed nil is the first successful assertion; like the
			// original, stop looking and report the ARN as unmapped.
			break
		}
		return &config.IdentityMapping{
			IdentityARN: key,
			Username:    mapping.Spec.Username,
			Groups:      mapping.Spec.Groups,
		}, nil
	}
	return nil, mapper.ErrNotMapped
}
// IsAccountAllowed reports whether an entire AWS account is trusted without a
// per-identity mapping. The CRD backend only resolves explicit
// IAMIdentityMapping objects (see Map), so it never grants account-wide
// access and always returns false, whatever accountID is.
func (m *CRDMapper) IsAccountAllowed(accountID string) bool {
	// Account-level allow-listing is not supported by this backend.
	const accountWideAccess = false
	return accountWideAccess
}