package framework
import (
"context"
"fmt"
"os"
"path/filepath"
"strings"
eksdv1alpha1 "github.com/aws/eks-distro-build-tooling/release/api/v1alpha1"
"github.com/aws/eks-anywhere/internal/pkg/api"
"github.com/aws/eks-anywhere/internal/pkg/awsiam"
anywherev1 "github.com/aws/eks-anywhere/pkg/api/v1alpha1"
"github.com/aws/eks-anywhere/pkg/cluster"
"github.com/aws/eks-anywhere/pkg/constants"
"github.com/aws/eks-anywhere/pkg/executables"
"github.com/aws/eks-anywhere/pkg/manifests"
"github.com/aws/eks-anywhere/pkg/version"
)
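const (
	// AWSIamRoleArn is the environment variable holding the IAM role ARN
	// that the e2e cluster maps to the kubernetes-admin user.
	AWSIamRoleArn = "T_AWS_IAM_ROLE_ARN"
)

// awsIamRequiredEnvVars lists the environment variables that must be set
// before an AWS IAM authenticator e2e test can run.
var awsIamRequiredEnvVars = []string{
	AWSIamRoleArn,
}

// RequiredAWSIamEnvVars returns the names of the environment variables the
// AWS IAM authenticator e2e tests require.
//
// A copy is returned so that callers cannot mutate the package-level list
// that the option constructors in this file check against.
func RequiredAWSIamEnvVars() []string {
	return append([]string(nil), awsIamRequiredEnvVars...)
}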
// WithAWSIam returns a ClusterE2ETestOpt that enables the AWS IAM
// authenticator on the test cluster.
//
// It requires the env vars in awsIamRequiredEnvVars to be set, adds an
// AWSIamConfig for defaultClusterName and registers a cluster filler that
// references it as the cluster's identity provider. The role ARN read from
// AWSIamRoleArn is mapped to the kubernetes-admin user in system:masters,
// i.e. it is granted cluster-admin on the test cluster.
func WithAWSIam() ClusterE2ETestOpt {
	return func(e *ClusterE2ETest) {
		checkRequiredEnvVars(e.T, awsIamRequiredEnvVars)

		// The map may not exist yet; writing to a nil map would panic.
		configs := e.ClusterConfig.AWSIAMConfigs
		if configs == nil {
			configs = make(map[string]*anywherev1.AWSIamConfig, 1)
			e.ClusterConfig.AWSIAMConfigs = configs
		}

		adminRole := api.AddAWSIamRole(withArnFromEnv(AWSIamRoleArn), "kubernetes-admin", []string{"system:masters"})
		configs[defaultClusterName] = api.NewAWSIamConfig(defaultClusterName,
			api.WithAWSIamAWSRegion("us-west-1"),
			api.WithAWSIamPartition("aws"),
			api.WithAWSIamBackendMode("EKSConfigMap"),
			api.WithAWSIamMapRoles(adminRole),
		)

		identityProviderRef := api.WithAWSIamIdentityProviderRef(defaultClusterName)
		e.clusterFillers = append(e.clusterFillers, identityProviderRef)
	}
}
// withArnFromEnv returns the value of the environment variable envVar, or the
// empty string when it is unset.
func withArnFromEnv(envVar string) string {
	value, _ := os.LookupEnv(envVar)
	return value
}
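// ValidateAWSIamAuth verifies that the cluster accepts aws-iam-authenticator
// credentials: it downloads the client, puts it on PATH, waits for the
// aws-iam-authenticator daemonset in kube-system to roll out, and then lists
// pods through the kubeconfig at iamAuthKubeconfigFilePath(). Any failure
// ends the test with e.T.Fatalf.
func (e *ClusterE2ETest) ValidateAWSIamAuth() {
	ctx := context.Background()

	e.T.Log("Downloading aws-iam-authenticator client")
	if err := e.downloadAwsIamAuthClient(); err != nil {
		e.T.Fatalf("Error downloading aws-iam-authenticator client: %v", err)
	}

	e.T.Log("Setting aws-iam-authenticator client in env PATH")
	if err := e.setIamAuthClientPATH(); err != nil {
		e.T.Fatalf("Error updating PATH: %v", err)
	}

	kubectlClient := buildLocalKubectl()

	// The authenticator must be serving before a request using the IAM
	// kubeconfig can be authenticated; wait up to 2m for the rollout.
	e.T.Log("Waiting for aws-iam-authenticator daemonset rollout status")
	if err := kubectlClient.WaitForResourceRolledout(ctx,
		e.Cluster(),
		"2m",
		"aws-iam-authenticator",
		constants.KubeSystemNamespace,
		"daemonset",
	); err != nil {
		e.T.Fatalf("Error waiting aws-iam-authenticator daemonset rollout: %v", err)
	}

	e.T.Log("Getting pods with aws-iam-authenticator kubeconfig")
	pods, err := kubectlClient.GetPods(ctx,
		executables.WithAllNamespaces(),
		executables.WithKubeconfig(e.iamAuthKubeconfigFilePath()),
	)
	if err != nil {
		e.T.Fatalf("Error getting pods: %v", err)
	}
	// The daemonset that just rolled out guarantees at least one pod exists,
	// so an empty list means the authenticated request proved nothing; fail
	// instead of silently passing.
	if len(pods) == 0 {
		e.T.Fatalf("Expected at least one pod when listing with aws-iam-authenticator kubeconfig, got none")
	}
	e.T.Log("Successfully got pods with aws-iam-authenticator authentication")
}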
// downloadAwsIamAuthClient resolves the EKS-D release for the cluster's
// Kubernetes version and downloads the matching aws-iam-authenticator client
// via awsiam.DownloadAwsIamAuthClient. Errors are returned unchanged.
func (e *ClusterE2ETest) downloadAwsIamAuthClient() error {
	release, err := e.getEksdReleaseManifest()
	if err != nil {
		return err
	}
	return awsiam.DownloadAwsIamAuthClient(release)
}
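// setIamAuthClientPATH prepends <cwd>/bin to the process PATH so that the
// downloaded aws-iam-authenticator client can be found by name (presumably
// by the credential plugin the IAM kubeconfig points at — confirm against
// the kubeconfig). It is a no-op when that directory is already a PATH entry.
//
// It returns an error when the working directory cannot be determined or
// PATH cannot be set.
func (e *ClusterE2ETest) setIamAuthClientPATH() error {
	workDir, err := os.Getwd()
	if err != nil {
		return fmt.Errorf("finding current working directory: %v", err)
	}
	iamAuthClientPath := filepath.Join(workDir, "bin")

	envPath := os.Getenv("PATH")
	// Compare whole entries instead of a substring match: a sibling such as
	// "<cwd>/bin2" or a parent path must not suppress the update.
	for _, entry := range filepath.SplitList(envPath) {
		if entry == iamAuthClientPath {
			return nil
		}
	}

	// Do not append the separator to an empty PATH: a trailing empty entry is
	// interpreted as the current directory by the shell and exec lookups.
	newPath := iamAuthClientPath
	if envPath != "" {
		newPath += string(os.PathListSeparator) + envPath
	}
	if err := os.Setenv("PATH", newPath); err != nil {
		return fmt.Errorf("setting %s to PATH: %v", iamAuthClientPath, err)
	}
	return nil
}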
// getEksdReleaseManifest reads the EKS-D release for the cluster's Kubernetes
// version from the bundle matching the running eks-a version.
//
// It returns an error wrapped with context when the release cannot be read.
func (e *ClusterE2ETest) getEksdReleaseManifest() (*eksdv1alpha1.Release, error) {
	kubeVersion := string(e.ClusterConfig.Cluster.Spec.KubernetesVersion)
	eksaVersion := version.Get().GitVersion

	reader := manifests.NewReader(newFileReader())
	release, err := reader.ReadEKSD(eksaVersion, kubeVersion)
	if err != nil {
		return nil, fmt.Errorf("getting EKS-D release spec from bundle: %v", err)
	}
	return release, nil
}
// iamAuthKubeconfigFilePath returns the path of the kubeconfig that
// authenticates via aws-iam-authenticator: <ClusterName>/<ClusterName>-aws.kubeconfig.
func (e *ClusterE2ETest) iamAuthKubeconfigFilePath() string {
	fileName := e.ClusterName + "-aws.kubeconfig"
	return filepath.Join(e.ClusterName, fileName)
}
// WithAwsIamEnvVarCheck returns a ClusterE2ETestOpt that checks for the required env vars.
//
// It only validates the environment (see awsIamRequiredEnvVars); it does not
// modify the cluster config.
func WithAwsIamEnvVarCheck() ClusterE2ETestOpt {
	check := func(e *ClusterE2ETest) {
		checkRequiredEnvVars(e.T, awsIamRequiredEnvVars)
	}
	return check
}
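// WithAwsIamConfig sets aws iam in cluster config.
//
// It adds an AWSIamConfig for defaultClusterName and references it as the
// cluster's identity provider. The role ARN read from AWSIamRoleArn is mapped
// to the kubernetes-admin user in system:masters, i.e. it is granted
// cluster-admin on the test cluster.
func WithAwsIamConfig() api.ClusterConfigFiller {
	return api.JoinClusterConfigFillers(func(config *cluster.Config) {
		// Writing to a nil map panics; initialise it the same way WithAWSIam does.
		if config.AWSIAMConfigs == nil {
			config.AWSIAMConfigs = make(map[string]*anywherev1.AWSIamConfig, 1)
		}
		config.AWSIAMConfigs[defaultClusterName] = api.NewAWSIamConfig(defaultClusterName,
			api.WithAWSIamAWSRegion("us-west-1"),
			api.WithAWSIamPartition("aws"),
			api.WithAWSIamBackendMode("EKSConfigMap"),
			api.WithAWSIamMapRoles(api.AddAWSIamRole(withArnFromEnv(AWSIamRoleArn), "kubernetes-admin", []string{"system:masters"})),
		)
	}, api.ClusterToConfigFiller(api.WithAWSIamIdentityProviderRef(defaultClusterName)))
}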