package framework
import (
"context"
"fmt"
"os"
"path/filepath"
"strings"
eksdv1alpha1 "github.com/aws/eks-distro-build-tooling/release/api/v1alpha1"
"github.com/aws/eks-anywhere/internal/pkg/api"
"github.com/aws/eks-anywhere/internal/pkg/awsiam"
"github.com/aws/eks-anywhere/pkg/executables"
"github.com/aws/eks-anywhere/pkg/files"
"github.com/aws/eks-anywhere/pkg/manifests"
"github.com/aws/eks-anywhere/pkg/version"
)
const (
	// AWSIamRoleArn is the environment variable that must hold the IAM role
	// ARN which WithAWSIam maps to the "kubernetes-admin" user in the
	// system:masters group.
	AWSIamRoleArn = "T_AWS_IAM_ROLE_ARN"
)

// awsIamRequiredEnvVars lists the environment variables checked (via
// checkRequiredEnvVars) before a cluster test that uses WithAWSIam runs.
var awsIamRequiredEnvVars = []string{
	AWSIamRoleArn,
}
// RequiredAWSIamEnvVars returns the names of the environment variables a test
// using WithAWSIam expects to be set. The returned slice is the package-level
// list itself, not a copy, so callers must not modify it.
func RequiredAWSIamEnvVars() []string {
	required := awsIamRequiredEnvVars
	return required
}
// WithAWSIam is a ClusterE2ETestOpt that attaches an AWSIamConfig to the test
// cluster and references it from the cluster spec. The config maps the IAM
// role named by the T_AWS_IAM_ROLE_ARN environment variable to the
// "kubernetes-admin" user in the system:masters group, i.e. that role becomes
// a cluster administrator on the cluster under test. The required environment
// variables are checked first via checkRequiredEnvVars.
func WithAWSIam() ClusterE2ETestOpt {
	return func(e *ClusterE2ETest) {
		checkRequiredEnvVars(e.T, awsIamRequiredEnvVars)

		// Role read from the environment -> cluster admin (system:masters).
		adminRoleMapping := api.AddAWSIamRole(
			withArnFromEnv(AWSIamRoleArn),
			"kubernetes-admin",
			[]string{"system:masters"},
		)

		e.AWSIamConfig = api.NewAWSIamConfig(
			defaultClusterName,
			api.WithAWSIamAWSRegion("us-west-1"),
			api.WithAWSIamPartition("aws"),
			api.WithAWSIamBackendMode("EKSConfigMap"),
			api.WithAWSIamMapRoles(adminRoleMapping),
		)

		e.clusterFillers = append(
			e.clusterFillers,
			api.WithAWSIamIdentityProviderRef(defaultClusterName),
		)
	}
}
// withArnFromEnv reads envVar from the process environment. An unset variable
// yields the empty string, exactly as os.Getenv would; no validation of the
// ARN format is performed here.
func withArnFromEnv(envVar string) string {
	arn, _ := os.LookupEnv(envVar) // unset → "", matching os.Getenv semantics
	return arn
}
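// ValidateAWSIamAuth checks that the cluster can be accessed through
// aws-iam-authenticator: it downloads the authenticator client, makes sure it
// is on PATH, and lists pods across all namespaces using the cluster's
// "<ClusterName>-aws.kubeconfig". Any failing step fails the test via e.T.
//
// The final check now fails when the list comes back empty: an authenticated
// call that returns no pods at all is not evidence that the IAM-backed
// kubeconfig works (the original code logged success only when pods were
// found and otherwise passed silently).
func (e *ClusterE2ETest) ValidateAWSIamAuth() {
	ctx := context.Background()

	e.T.Log("Downloading aws-iam-authenticator client")
	if err := e.downloadAwsIamAuthClient(); err != nil {
		e.T.Fatalf("Error downloading aws-iam-authenticator client: %v", err)
	}

	e.T.Log("Setting aws-iam-authenticator client in env PATH")
	if err := e.setIamAuthClientPATH(); err != nil {
		e.T.Fatalf("Error updating PATH: %v", err)
	}

	e.T.Log("Getting pods with aws-iam-authenticator kubeconfig")
	kubectlClient := buildLocalKubectl()
	pods, err := kubectlClient.GetPods(ctx,
		executables.WithAllNamespaces(),
		executables.WithKubeconfig(e.iamAuthKubeconfigFilePath()),
	)
	if err != nil {
		e.T.Fatalf("Error getting pods: %v", err)
	}
	// Every running cluster has at least its system pods; an empty result
	// means the validation did not actually exercise the IAM-authenticated path.
	if len(pods) == 0 {
		e.T.Fatalf("Error validating aws-iam-authenticator access: listing pods across all namespaces returned no pods")
	}
	e.T.Log("Successfully got pods with aws-iam-authenticator authentication")
}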
// downloadAwsIamAuthClient resolves the EKS-D release matching the test
// cluster's Kubernetes version and downloads the corresponding
// aws-iam-authenticator client via the awsiam package. Errors from either
// step are returned unwrapped.
func (e *ClusterE2ETest) downloadAwsIamAuthClient() error {
	release, err := e.getEksdReleaseManifest()
	if err != nil {
		return err
	}
	return awsiam.DownloadAwsIamAuthClient(release)
}
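// setIamAuthClientPATH prepends "<cwd>/bin" to the PATH of the test process so
// that later steps which shell out can find the downloaded
// aws-iam-authenticator binary. It is a no-op when that directory is already
// an entry of PATH.
//
// NOTE(review): "<cwd>/bin" is assumed to be where awsiam.DownloadAwsIamAuthClient
// places the binary — confirm against that package.
//
// Fixes over the previous version: the "already present" test compares whole
// PATH entries instead of using a substring match (which accepted e.g.
// "<cwd>/bin2" or "<cwd>/bin/sub" as a match), the directory is built with
// filepath.Join, the platform list separator is used, an empty PATH no longer
// produces a trailing empty entry (which on Unix means "current directory"),
// and errors are wrapped with %w.
func (e *ClusterE2ETest) setIamAuthClientPATH() error {
	workDir, err := os.Getwd()
	if err != nil {
		return fmt.Errorf("finding current working directory: %w", err)
	}
	iamAuthClientPath := filepath.Join(workDir, "bin")

	envPath := os.Getenv("PATH")
	// Exact per-entry comparison; strings.Contains would match prefixes and
	// sub-directories of the bin dir.
	for _, entry := range filepath.SplitList(envPath) {
		if entry == iamAuthClientPath {
			return nil
		}
	}

	newPath := iamAuthClientPath
	if envPath != "" {
		newPath = strings.Join([]string{iamAuthClientPath, envPath}, string(os.PathListSeparator))
	}
	if err := os.Setenv("PATH", newPath); err != nil {
		return fmt.Errorf("setting %s to PATH: %w", iamAuthClientPath, err)
	}
	return nil
}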
// getEksdReleaseManifest reads, from the bundle for the running eks-a version
// (version.Get().GitVersion), the EKS-D release spec that matches the test
// cluster's Kubernetes version.
func (e *ClusterE2ETest) getEksdReleaseManifest() (*eksdv1alpha1.Release, error) {
	clusterCfg := e.clusterConfig()
	k8sVersion := string(clusterCfg.Spec.KubernetesVersion)
	manifestReader := manifests.NewReader(files.NewReader())

	release, err := manifestReader.ReadEKSD(version.Get().GitVersion, k8sVersion)
	if err != nil {
		return nil, fmt.Errorf("getting EKS-D release spec from bundle: %v", err)
	}
	return release, nil
}
// iamAuthKubeconfigFilePath returns "<ClusterName>/<ClusterName>-aws.kubeconfig",
// the kubeconfig used to reach the cluster through aws-iam-authenticator.
func (e *ClusterE2ETest) iamAuthKubeconfigFilePath() string {
	fileName := e.ClusterName + "-aws.kubeconfig"
	return filepath.Join(e.ClusterName, fileName)
}