package addons
import (
"fmt"
"github.com/weaveworks/eksctl/pkg/actions/irsa"
"github.com/weaveworks/eksctl/pkg/cfn/manager"
"github.com/pkg/errors"
api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
iamoidc "github.com/weaveworks/eksctl/pkg/iam/oidc"
)
// IRSAHelper provides methods for enabling IRSA (IAM Roles for Service
// Accounts) for a single IAM service account of a cluster.
type IRSAHelper interface {
	// IsSupported reports whether the cluster's IAM OIDC provider exists,
	// which is the precondition for IRSA to work.
	IsSupported() (bool, error)
	// CreateOrUpdate creates the iamserviceaccount when no stack exists for it
	// yet, and updates the existing one otherwise.
	CreateOrUpdate(serviceAccounts *api.ClusterIAMServiceAccount) error
}
// irsaHelper applies the annotations required for a ServiceAccount to work with IRSA.
// It is the concrete implementation of IRSAHelper.
type irsaHelper struct {
	// oidc is queried for the existence of the cluster's OIDC provider.
	oidc *iamoidc.OpenIDConnectManager
	// irsaManager performs the actual create/update of IAM service accounts.
	irsaManager *irsa.Manager
	// stackManager is used to look up existing iamserviceaccount stacks.
	stackManager *manager.StackCollection
	// clusterName is part of the iamserviceaccount stack name.
	clusterName string
}
// NewIRSAHelper returns an IRSAHelper backed by the given OIDC manager, stack
// collection and IRSA manager for the cluster named clusterName.
func NewIRSAHelper(oidc *iamoidc.OpenIDConnectManager, stackManager *manager.StackCollection, irsaManager *irsa.Manager, clusterName string) IRSAHelper {
	helper := irsaHelper{
		oidc:         oidc,
		irsaManager:  irsaManager,
		stackManager: stackManager,
		clusterName:  clusterName,
	}
	return &helper
}
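// IsSupported reports whether IRSA can be used for this cluster, which is the
// case when the cluster's IAM OIDC provider already exists.
//
// It returns a wrapped error if the existence check itself fails; the boolean
// is meaningless in that case.
func (h *irsaHelper) IsSupported() (bool, error) {
	exists, err := h.oidc.CheckProviderExists()
	if err != nil {
		// Wrap rather than Wrapf: the message has no format arguments.
		return false, errors.Wrap(err, "error checking OIDC provider")
	}
	return exists, nil
}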
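// CreateOrUpdate ensures IRSA is configured for the given IAM service account:
// it creates the iamserviceaccount when no CloudFormation stack exists for it
// yet, and updates the existing one otherwise.
//
// It returns an error if sa is nil, if listing the existing stacks fails, or
// if the underlying create/update fails.
func (h *irsaHelper) CreateOrUpdate(sa *api.ClusterIAMServiceAccount) error {
	// Fail explicitly instead of panicking on sa.Namespace below.
	if sa == nil {
		return errors.New("iamserviceaccount must not be nil")
	}
	// NOTE(review): ListStacksMatching looks like it takes a pattern rather
	// than an exact name; if so, regex metacharacters in namespace/name
	// (e.g. '.') would be interpreted — confirm whether the name should be
	// quoted and anchored.
	stackName := makeIAMServiceAccountStackName(h.clusterName, sa.Namespace, sa.Name)
	stacks, err := h.stackManager.ListStacksMatching(stackName)
	if err != nil {
		return errors.Wrapf(err, "error checking if iamserviceaccount %s/%s exists", sa.Namespace, sa.Name)
	}
	serviceAccounts := []*api.ClusterIAMServiceAccount{sa}
	// No stack yet means the service account was never created; otherwise
	// apply the (possibly changed) spec to the existing stack.
	if len(stacks) == 0 {
		return h.irsaManager.CreateIAMServiceAccount(serviceAccounts, false)
	}
	return h.irsaManager.UpdateIAMServiceAccounts(serviceAccounts, false)
}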
// makeIAMServiceAccountStackName builds the CloudFormation stack name under
// which eksctl manages the iamserviceaccount namespace/name of clusterName.
func makeIAMServiceAccountStackName(clusterName, namespace, name string) string {
	const layout = "eksctl-%s-addon-iamserviceaccount-%s-%s"
	return fmt.Sprintf(layout, clusterName, namespace, name)
}