package framework
import (
"context"
"net/url"
"os"
"path"
"github.com/aws/eks-anywhere/internal/pkg/api"
"github.com/aws/eks-anywhere/internal/pkg/oidc"
"github.com/aws/eks-anywhere/pkg/executables"
)
// Names of the environment variables that drive the OIDC e2e tests.
const (
	// OIDCIssuerUrlVar holds the OIDC issuer URL.
	OIDCIssuerUrlVar = "T_OIDC_ISSUER_URL"
	// OIDCClientIdVar holds the OIDC client ID configured on the cluster.
	OIDCClientIdVar = "T_OIDC_CLIENT_ID"
	// OIDCKidVar holds the key ID (kid) handed to oidc.NewJWT.
	OIDCKidVar = "T_OIDC_KID"
	// OIDCKeyFileVar holds the path of the key file handed to oidc.NewJWT.
	OIDCKeyFileVar = "T_OIDC_KEY_FILE"
)

// oidcRequiredEnvVars is the full set of variables that WithOIDC checks
// before it configures OIDC on the test cluster.
var oidcRequiredEnvVars = []string{
	OIDCIssuerUrlVar,
	OIDCClientIdVar,
	OIDCKidVar,
	OIDCKeyFileVar,
}
// WithOIDC returns a ClusterE2ETestOpt that enables OIDC on the test cluster.
//
// The option first runs checkRequiredEnvVars (defined elsewhere in this
// package) over oidcRequiredEnvVars, then builds an OIDCConfig named after
// defaultClusterName whose issuer URL and client ID are read from
// OIDCIssuerUrlVar and OIDCClientIdVar, and finally adds a cluster filler
// that references that identity provider.
func WithOIDC() ClusterE2ETestOpt {
	return func(e *ClusterE2ETest) {
		checkRequiredEnvVars(e.T, oidcRequiredEnvVars)

		// Claim/prefix values are fixed; only issuer and client ID vary per
		// environment.
		config := api.NewOIDCConfig(defaultClusterName,
			api.WithOIDCRequiredClaims("kubernetesAccess", "true"),
			api.WithOIDCGroupsPrefix("s3-oidc:"),
			api.WithOIDCGroupsClaim("groups"),
			api.WithOIDCUsernamePrefix("s3-oidc:"),
			api.WithOIDCUsernameClaim("email"),
			api.WithStringFromEnvVarOIDCConfig(OIDCIssuerUrlVar, api.WithOIDCIssuerUrl),
			api.WithStringFromEnvVarOIDCConfig(OIDCClientIdVar, api.WithOIDCClientId),
		)
		e.OIDCConfig = config

		providerRef := api.WithOIDCIdentityProviderRef(defaultClusterName)
		e.clusterFillers = append(e.clusterFillers, providerRef)
	}
}
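// ValidateOIDC exercises OIDC authentication against the test cluster end to
// end: it applies the RBAC roles in oidcRoles, builds a JWT via oidc.NewJWT
// from the issuer in OIDCIssuerUrlVar and the kid/key file in OIDCKidVar and
// OIDCKeyFileVar, and then lists pods and deployments on the API server using
// that token instead of the kubeconfig credentials.
//
// All failures are reported through e.T.Errorf. Setup failures (roles,
// issuer URL, JWT, API server URL) abort the check early; the two list calls
// are both attempted so that each is reported on its own.
func (e *ClusterE2ETest) ValidateOIDC() {
	ctx := context.Background()
	cluster := e.cluster()

	e.T.Log("Creating roles for OIDC")
	if err := e.KubectlClient.ApplyKubeSpecFromBytes(ctx, cluster, oidcRoles); err != nil {
		e.T.Errorf("Error applying roles for oidc: %v", err)
		return
	}

	rawIssuer := os.Getenv(OIDCIssuerUrlVar)
	issuerUrl, err := url.Parse(rawIssuer)
	if err != nil {
		e.T.Errorf("Error parsing oidc issuer url: %v", err)
		return
	}
	// The issuer is passed to NewJWT as host+path (scheme dropped). url.Parse
	// accepts an empty string without error, so guard against an unset or
	// blank OIDCIssuerUrlVar here rather than minting a token with no issuer.
	issuer := path.Join(issuerUrl.Host, issuerUrl.Path)
	if issuer == "" {
		e.T.Errorf("Error parsing oidc issuer url: %q yields an empty issuer", rawIssuer)
		return
	}

	kid := os.Getenv(OIDCKidVar)
	keyFile := os.Getenv(OIDCKeyFileVar)

	e.T.Log("Generating OIDC JWT token")
	// NOTE(review): the token audience is set to kid, while the cluster's
	// client ID comes from OIDCClientIdVar (see WithOIDC). The API server
	// matches aud against its configured client ID, so this presumably relies
	// on the two env vars carrying the same value — confirm in the e2e env.
	jwt, err := oidc.NewJWT(
		issuer,
		kid,
		keyFile,
		oidc.WithEmail("oidcuser@aws.com"),
		oidc.WithGroup("developers"),
		oidc.WithRole("dev"),
		oidc.WithKubernetesAccess(true),
		oidc.WithAudience(kid),
	)
	if err != nil {
		e.T.Errorf("Error generating JWT token for oidc: %v", err)
		return
	}

	apiServerUrl, err := e.KubectlClient.GetApiServerUrl(ctx, cluster)
	if err != nil {
		e.T.Errorf("Error getting api server url: %v", err)
		return
	}

	// Both list calls target the API server directly with the minted token so
	// that the OIDC path, not the kubeconfig's credentials, is what is tested.
	// WithSkipTLSVerify disables verification of the API server certificate
	// for these two test-client calls only; it trades away server identity
	// checking and is a harness shortcut, not a pattern for production tooling.
	e.T.Log("Getting pods with OIDC token")
	if _, err = e.KubectlClient.GetPods(
		ctx,
		executables.WithServer(apiServerUrl),
		executables.WithToken(jwt),
		executables.WithSkipTLSVerify(),
		executables.WithAllNamespaces(),
	); err != nil {
		e.T.Errorf("Error getting pods: %v", err)
	}

	e.T.Log("Getting deployments with OIDC token")
	if _, err = e.KubectlClient.GetDeployments(
		ctx,
		executables.WithServer(apiServerUrl),
		executables.WithToken(jwt),
		executables.WithSkipTLSVerify(),
		executables.WithAllNamespaces(),
	); err != nil {
		e.T.Errorf("Error getting deployments: %v", err)
	}
}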