Update iamserviceaccount role policies #3064
As part of moving everything into |
pkg/actions/iam/create.go
Outdated
package iam | ||
|
||
import ( | ||
api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5" | ||
"github.com/weaveworks/eksctl/pkg/ctl/cmdutils" | ||
"github.com/weaveworks/eksctl/pkg/kubernetes" | ||
) | ||
|
||
func (a *Manager) CreateIAMServiceAccount(iamServiceAccounts []*api.ClusterIAMServiceAccount, plan bool) error { | ||
taskTree := a.stackManager.NewTasksToCreateIAMServiceAccounts(iamServiceAccounts, a.oidcManager, kubernetes.NewCachedClientSet(a.clientSet)) | ||
taskTree.PlanMode = plan | ||
|
||
err := doTasks(taskTree) | ||
|
||
cmdutils.LogPlanModeWarning(plan && len(iamServiceAccounts) > 0) | ||
|
||
return err | ||
} |
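Review bot: In CreateIAMServiceAccount, cmdutils.LogPlanModeWarning runs after doTasks whether or not err is nil, so a failed run in plan mode still prints the plan-mode warning just before the error is returned. If that ordering is intended, a short comment would make it clear; otherwise check err first and return early. The exported method also has no doc comment, and its name is singular although it takes a slice of service accounts.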
I've left this here for now, if folks want me to remove this small refactor and put it into the refactor PR let me know.
cd0a5e4
to
30085ac
Compare
LGTM 👍
|
||
func doTasks(taskTree *tasks.TaskTree) error { | ||
logger.Info(taskTree.Describe()) | ||
if errs := taskTree.DoAllSync(); len(errs) > 0 { |
hmm doesn't this exist in some form in the tasks package?
I couldn't see anything
func (t *updateIAMServiceAccountTask) Do(errorCh chan error) error { | ||
stackName := makeIAMServiceAccountStackName(t.clusterName, t.sa.Namespace, t.sa.Name) | ||
go func() { | ||
errorCh <- nil |
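Review bot: In updateIAMServiceAccountTask.Do, the goroutine whose visible body is errorCh <- nil gives the method two error paths, the return value and the channel, and nothing in these lines says which one a caller should rely on. A doc comment on Do stating the contract (which errors are returned directly and what is sent on errorCh) would settle it; it is also worth noting there that the goroutine stays blocked if the channel is unbuffered and nothing receives from it.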
I see this is done elsewhere in the code with tasks, is this necessary? I'm assuming something won't make progress but I feel like functions should be EITHER only returning synchronous errors OR only sending errors over a channel. Making a note to myself
Yeah I was unsure regarding this too. I don't know why we have two ways of returning errors, I understand that we need the channel for when the `Do` sends off a go routine and returns, but when it's just a single process it could just return the err down the channel anyway, removing the need for the returning error completely
> is this necessary
I believe we have to otherwise it will block?
pkg/actions/iam/update.go
Outdated
} | ||
|
||
var templateBody manager.TemplateBody = template | ||
taskTree := UpdateIAMServiceAccountTask(a.clusterName, iamServiceAccount, a.stackManager, templateBody) |
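Review bot: The intermediate variable in var templateBody manager.TemplateBody = template appears to exist only for the type conversion and is consumed on the very next line; passing manager.TemplateBody(template) straight to UpdateIAMServiceAccountTask would read more simply. The result is assigned to taskTree, so a constructor-style name such as NewUpdateIAMServiceAccountTask would also describe the function better than the current verb-like name.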
Couldn't this whole loop body be done async inside the task?
I think the top part of the loop that checks if the SA exists should remain here to ensure it gets checked when `--approve` is false. You're right though the resource set part can get moved, I will move it.
see above
ac117e6
to
e5dcda9
Compare
|
||
if len(stacks) == 0 { | ||
logger.Info("Cannot update IAMServiceAccount %s/%s as it does not exist", iamServiceAccount.Namespace, iamServiceAccount.Name) | ||
nonExistingSAs = append(nonExistingSAs, fmt.Sprintf("%s/%s", iamServiceAccount.Namespace, iamServiceAccount.Name)) |
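Review bot: The skip in the len(stacks) == 0 branch is logged with logger.Info, so a request to update the role policies of a service account that does not exist is easy to miss in normal output; logger.Warning fits better, and it is worth making sure the collected nonExistingSAs is surfaced to the caller once the loop finishes. The namespace/name string is also formatted twice on adjacent lines and could be built once and reused.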
shouldn't this be handled by the exclude/include filters?
I didn't spot that we used filtering for `create iamserviceaccount`, I'll update it so we use that here too
on second thought the filtering code looks to be a bit more complicated than needed, here we only care about stacks that exist and were listed, we don't need a more robust exclude/include functionality. I also like this business logic sitting here
e5dcda9
to
698ef53
Compare
aea472b
to
8fc8dcb
Compare
moving into separate PR This reverts commit 329a3ac.
8fc8dcb
to
47c3b30
Compare
LGTM 🎉
Co-authored-by: Chetan Patwal <cPu1@users.noreply.github.com>
c0faf7c
to
8dfe824
Compare
12586e0
to
f303006
Compare
Description
Adds support for updating the policies to an existing IAMServiceAccount.
The implementation flow is very similar to create, but rather than creating a stack & service account it just applies a change set to the existing stack.
Related issue: #1497