Update iamserviceaccount role policies #3064
Conversation
|
As part of moving everything into |
pkg/actions/iam/create.go
Outdated
| package iam | ||
|
|
||
| import ( | ||
| api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5" | ||
| "github.com/weaveworks/eksctl/pkg/ctl/cmdutils" | ||
| "github.com/weaveworks/eksctl/pkg/kubernetes" | ||
| ) | ||
|
|
||
| func (a *Manager) CreateIAMServiceAccount(iamServiceAccounts []*api.ClusterIAMServiceAccount, plan bool) error { | ||
| taskTree := a.stackManager.NewTasksToCreateIAMServiceAccounts(iamServiceAccounts, a.oidcManager, kubernetes.NewCachedClientSet(a.clientSet)) | ||
| taskTree.PlanMode = plan | ||
|
|
||
| err := doTasks(taskTree) | ||
|
|
||
| cmdutils.LogPlanModeWarning(plan && len(iamServiceAccounts) > 0) | ||
|
|
||
| return err | ||
| } |
There was a problem hiding this comment.
I've left this here for now, if folks want me to remove this small refactor and put it into the refactor PR let me know.
aclevername
force-pushed
the
update-iam
branch
from
cd0a5e4
to
30085ac
Compare
|
|
||
| func doTasks(taskTree *tasks.TaskTree) error { | ||
| logger.Info(taskTree.Describe()) | ||
| if errs := taskTree.DoAllSync(); len(errs) > 0 { |
There was a problem hiding this comment.
hmm doesn't this exist in some form in the tasks package?
There was a problem hiding this comment.
I couldn't see anything 馃
| func (t *updateIAMServiceAccountTask) Do(errorCh chan error) error { | ||
| stackName := makeIAMServiceAccountStackName(t.clusterName, t.sa.Namespace, t.sa.Name) | ||
| go func() { | ||
| errorCh <- nil |
There was a problem hiding this comment.
I see this is done elsewhere in the code with tasks, is this necessary? I'm assuming something won't make progress but I feel like functions should be EITHER only returning synchronous errors OR only sending errors over a channel. Making a note to myself
There was a problem hiding this comment.
Yeah I was unsure regarding this too. I don't know why we have two ways of returning errors, I understand that we need the channel for when the Do sends off a go routine and returns, but when its just a single process it could just return the err down the channel anyway, removing the need for the returning error completely
is this necessary
I believe we have to otherwise it will block?
pkg/actions/iam/update.go
Outdated
| } | ||
|
|
||
| var templateBody manager.TemplateBody = template | ||
| taskTree := UpdateIAMServiceAccountTask(a.clusterName, iamServiceAccount, a.stackManager, templateBody) |
There was a problem hiding this comment.
Couldn't this whole loop body be done async inside the task?
There was a problem hiding this comment.
I think the top part of the loop that checks if the SA exists should remain here to ensure it gets checked when --approve is false. Your right though the resource set part can get moved, I will move it.
aclevername
force-pushed
the
update-iam
branch
from
ac117e6
to
e5dcda9
Compare
|
|
||
| if len(stacks) == 0 { | ||
| logger.Info("Cannot update IAMServiceAccount %s/%s as it does not exist", iamServiceAccount.Namespace, iamServiceAccount.Name) | ||
| nonExistingSAs = append(nonExistingSAs, fmt.Sprintf("%s/%s", iamServiceAccount.Namespace, iamServiceAccount.Name)) |
There was a problem hiding this comment.
shouldn't this be handled by the exclude/include filters?
There was a problem hiding this comment.
I didn't spot that we used filtering for on second thought the filtering code looks to be a bit more complicated than needed, here we only care about stacks that exist and were listed, we don't need a more robust exclude/include functionality. I also like this business logic sitting herecreate iamserviceaccount, I'll update it so we use that here too
aclevername
force-pushed
the
update-iam
branch
from
e5dcda9
to
698ef53
Compare
aclevername
force-pushed
the
update-iam
branch
from
aea472b
to
8fc8dcb
Compare
moving into seperate PR This reverts commit 329a3ac.
aclevername
force-pushed
the
update-iam
branch
from
8fc8dcb
to
47c3b30
Compare
Co-authored-by: Chetan Patwal <cPu1@users.noreply.github.com>
Co-authored-by: Chetan Patwal <cPu1@users.noreply.github.com>
aclevername
force-pushed
the
update-iam
branch
from
c0faf7c
to
8dfe824
Compare
aclevername
force-pushed
the
update-iam
branch
from
12586e0
to
f303006
Compare
Description
Adds support for updating the policies to an existing IAMServiceAccount.
The implementation flow is very similar to create, but rather than creating a stack & service account it just applys a change set to the existing stack.
Related issue: #1497
Checklist
README.md, or theuserdocsdirectory)area/nodegroup), target version (e.g.version/0.12.0) and kind (e.g.kind/improvement)BONUS POINTS checklist: complete for good vibes and maybe prizes?! 馃く