package v1alpha1
import (
"fmt"
"github.com/aws/eks-anywhere/pkg/logger"
)
// Identifiers and defaults shared by the AWSIamConfig loading/validation helpers
// in this file.
const (
	// AWSIamConfigKind is the kind string of the AWSIamConfig object.
	AWSIamConfigKind = "AWSIamConfig"
	// eksConfigMap is the backendMode value for which validateAWSIamConfig
	// warns when no mapRoles/mapUsers are given (aws-iam-authenticator would
	// then have no IAM identities to map onto the cluster).
	eksConfigMap = "EKSConfigMap"
	// mountedFile is a backendMode value that validateAWSIamConfig rejects.
	mountedFile = "MountedFile"
	// DefaultAWSIamConfigPartition is the AWS partition applied by
	// setDefaultAWSIamPartition when spec.partition is empty.
	DefaultAWSIamConfigPartition = "aws"
)
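// GetAndValidateAWSIamConfig loads the AWSIamConfig object from fileName,
// applies defaults and validates it against the identity provider reference
// name and the cluster it belongs to.
//
// It returns (nil, nil) when fileName carries no AWSIamConfig (see
// getAWSIamConfig). It returns an error when parsing fails or when the object
// fails validation: missing required fields, an unsupported backend mode,
// incomplete mapRoles/mapUsers entries, a name that differs from refName, or
// a namespace that differs from clusterConfig's.
func GetAndValidateAWSIamConfig(fileName string, refName string, clusterConfig *Cluster) (*AWSIamConfig, error) {
	config, err := getAWSIamConfig(fileName)
	if err != nil {
		return nil, err
	}
	// getAWSIamConfig yields a nil config when no AWSIamConfig is present.
	// Every validator below treats nil as "nothing to validate" and the
	// original flow would end in (nil, nil) anyway, so return early instead
	// of invoking SetDefaults on a nil receiver.
	if config == nil {
		return nil, nil
	}
	config.SetDefaults()

	// Object-level checks first, then the cross-object checks against the
	// identity provider reference and the cluster namespace.
	if err := validateAWSIamConfig(config); err != nil {
		return nil, err
	}
	if err := validateAWSIamRefName(config, refName); err != nil {
		return nil, err
	}
	if err := validateAWSIamNamespace(config, clusterConfig); err != nil {
		return nil, err
	}
	return config, nil
}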
// getAWSIamConfig parses fileName into an AWSIamConfig.
//
// A parse error is returned unchanged. A parsed object whose Name is empty is
// treated as "no AWSIamConfig configured" and yields (nil, nil) rather than an
// error, so callers must be prepared for a nil result.
func getAWSIamConfig(fileName string) (*AWSIamConfig, error) {
	parsed := new(AWSIamConfig)
	if err := ParseClusterConfig(fileName, parsed); err != nil {
		return nil, err
	}
	// An empty name is taken to mean the file carried no AWSIamConfig at all.
	if len(parsed.Name) == 0 {
		return nil, nil
	}
	return parsed, nil
}
// validateAWSIamConfig checks the spec of a parsed AWSIamConfig.
//
// A nil config is accepted (nothing to validate). Otherwise awsRegion and at
// least one backendMode are required, the MountedFile backend is rejected, and
// each mapRoles / mapUsers entry must carry its ARN and username. Selecting
// EKSConfigMap with neither mapRoles nor mapUsers is allowed but logged, since
// aws-iam-authenticator will then have no IAM identities to map onto the
// cluster.
func validateAWSIamConfig(config *AWSIamConfig) error {
	if config == nil {
		return nil
	}
	spec := &config.Spec

	switch {
	case spec.AWSRegion == "":
		return fmt.Errorf("AWSIamConfig AWSRegion is a required field")
	case len(spec.BackendMode) == 0:
		return fmt.Errorf("AWSIamConfig BackendMode is a required field")
	}

	noMappings := len(spec.MapRoles) == 0 && len(spec.MapUsers) == 0
	for _, mode := range spec.BackendMode {
		switch mode {
		case eksConfigMap:
			if noMappings {
				logger.Info("Warning: AWS IAM Authenticator mapRoles and mapUsers specification is empty. Please be aware this will prevent aws-iam-authenticator from mapping IAM roles to users/groups on the cluster with backendMode EKSConfigMap")
			}
		case mountedFile:
			return fmt.Errorf("AWSIamConfig BackendMode does not support %s backend", mountedFile)
		}
	}

	if err := validateMapRoles(spec.MapRoles); err != nil {
		return err
	}
	return validateMapUsers(spec.MapUsers)
}
// validateMapRoles checks that every mapRoles entry names both the IAM role
// (roleARN) and the Kubernetes username it maps to. Only presence is checked;
// the ARN's format is not validated here. An empty or nil slice is valid.
func validateMapRoles(mapRoles []MapRoles) error {
	for i := range mapRoles {
		switch {
		case mapRoles[i].RoleARN == "":
			return fmt.Errorf("AWSIamConfig MapRoles RoleARN is required")
		case mapRoles[i].Username == "":
			return fmt.Errorf("AWSIamConfig MapRoles Username is required")
		}
	}
	return nil
}
// validateMapUsers checks that every mapUsers entry names both the IAM user
// (userARN) and the Kubernetes username it maps to. Only presence is checked;
// the ARN's format is not validated here. An empty or nil slice is valid.
func validateMapUsers(mapUsers []MapUsers) error {
	for i := range mapUsers {
		switch {
		case mapUsers[i].UserARN == "":
			return fmt.Errorf("AWSIamConfig MapUsers UserARN is required")
		case mapUsers[i].Username == "":
			return fmt.Errorf("AWSIamConfig MapUsers Username is required")
		}
	}
	return nil
}
// validateAWSIamRefName ensures the loaded AWSIamConfig is the object the
// cluster's identityProviderRefs actually points at, i.e. its Name equals
// refName. A nil config is accepted.
func validateAWSIamRefName(config *AWSIamConfig, refName string) error {
	if config == nil {
		return nil
	}
	if config.Name == refName {
		return nil
	}
	return fmt.Errorf("AWSIamConfig retrieved with name %s does not match name (%s) specified in identityProviderRefs", config.Name, refName)
}
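// validateAWSIamNamespace ensures the AWSIamConfig lives in the same namespace
// as the Cluster that references it. A nil config is accepted; a nil
// clusterConfig is reported as an error rather than dereferenced.
func validateAWSIamNamespace(config *AWSIamConfig, clusterConfig *Cluster) error {
	if config == nil {
		return nil
	}
	// The namespace comparison needs a cluster object; fail explicitly instead
	// of panicking on a nil pointer.
	if clusterConfig == nil {
		return fmt.Errorf("AWSIamConfig namespace cannot be validated without a Cluster object")
	}
	if config.Namespace != clusterConfig.Namespace {
		return fmt.Errorf("AWSIamConfig and Cluster objects must have the same namespace specified")
	}
	return nil
}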
// setDefaultAWSIamPartition fills spec.partition with
// DefaultAWSIamConfigPartition when the user left it empty, logging the
// substitution at verbosity 1. A non-empty partition is left untouched.
// config must be non-nil.
func setDefaultAWSIamPartition(config *AWSIamConfig) {
	if config.Spec.Partition != "" {
		return
	}
	config.Spec.Partition = DefaultAWSIamConfigPartition
	logger.V(1).Info("AWSIamConfig Partition is empty. Using default partition 'aws'")
}