From 678cdff0f43d3ae4a1d9d68a5347042f14a168a8 Mon Sep 17 00:00:00 2001 From: Nick Turner Date: Wed, 27 Jun 2018 05:20:44 +0000 Subject: [PATCH] Renamed heptio-authenticator-aws -> aws-iam-authenticator Signed-off-by: Nick Turner --- .goreleaser.yaml | 14 ++--- .travis.yml | 2 +- Dockerfile.alpine-3.6 | 8 +-- Dockerfile.alpine-3.7 | 8 +-- Dockerfile.debian-jessie | 8 +-- Dockerfile.debian-stretch | 8 +-- Dockerfile.scratch | 8 +-- Makefile | 2 +- README.md | 52 +++++++++---------- .../init.go | 4 +- .../root.go | 6 +-- .../server.go | 6 +-- .../token.go | 2 +- .../verify.go | 2 +- example.yaml | 34 ++++++------ pkg/config/certs.go | 2 +- pkg/config/kubeconfig.go | 4 +- pkg/config/types.go | 6 +-- pkg/server/server.go | 8 +-- pkg/server/server_test.go | 14 ++--- pkg/server/types.go | 4 +- pkg/token/token.go | 2 +- 22 files changed, 102 insertions(+), 102 deletions(-) rename cmd/{heptio-authenticator-aws => aws-iam-authenticator}/init.go (89%) rename cmd/{heptio-authenticator-aws => aws-iam-authenticator}/root.go (95%) rename cmd/{heptio-authenticator-aws => aws-iam-authenticator}/server.go (93%) rename cmd/{heptio-authenticator-aws => aws-iam-authenticator}/token.go (96%) rename cmd/{heptio-authenticator-aws => aws-iam-authenticator}/verify.go (96%) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 6e57d38ad..2cd1bf07e 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -2,8 +2,8 @@ project_name: authenticator builds: - - binary: heptio-authenticator-aws - main: ./cmd/heptio-authenticator-aws/ + - binary: aws-iam-authenticator + main: ./cmd/aws-iam-authenticator/ goos: - darwin - linux 
@@ -14,33 +14,33 @@ builds: dockers: - image: gcr.io/heptio-images/authenticator - binary: heptio-authenticator-aws + binary: aws-iam-authenticator dockerfile: Dockerfile.scratch tag_templates: - "{{ .Tag }}-scratch" - "{{ .Tag }}" latest: false - image: gcr.io/heptio-images/authenticator - binary: heptio-authenticator-aws + binary: aws-iam-authenticator dockerfile: Dockerfile.alpine-3.6 tag_templates: - "{{ .Tag }}-alpine-3.6" latest: false - image: gcr.io/heptio-images/authenticator - binary: heptio-authenticator-aws + binary: aws-iam-authenticator dockerfile: Dockerfile.alpine-3.7 tag_templates: - "{{ .Tag }}-alpine-3.7" - "{{ .Tag }}-alpine" latest: false - image: gcr.io/heptio-images/authenticator - binary: heptio-authenticator-aws + binary: aws-iam-authenticator dockerfile: Dockerfile.debian-jessie tag_templates: - "{{ .Tag }}-debian-jessie" latest: false - image: gcr.io/heptio-images/authenticator - binary: heptio-authenticator-aws + binary: aws-iam-authenticator dockerfile: Dockerfile.debian-stretch tag_templates: - "{{ .Tag }}-debian-stretch" diff --git a/.travis.yml b/.travis.yml index 14b6b7c98..039b2d921 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,5 @@ language: go -go_import_path: github.com/heptio/authenticator +go_import_path: github.com/kubernetes-sigs/aws-iam-authenticator go: - 1.9.x diff --git a/Dockerfile.alpine-3.6 b/Dockerfile.alpine-3.6 index 871c64473..091118dd9 100644 --- a/Dockerfile.alpine-3.6 +++ b/Dockerfile.alpine-3.6 @@ -13,8 +13,8 @@ # limitations under the License. FROM alpine:3.6 -RUN adduser -D -u 10000 heptio-authenticator-aws +RUN adduser -D -u 10000 aws-iam-authenticator RUN apk add --update ca-certificates -COPY heptio-authenticator-aws / -USER heptio-authenticator-aws -ENTRYPOINT ["/heptio-authenticator-aws"] +COPY aws-iam-authenticator / +USER aws-iam-authenticator +ENTRYPOINT ["/aws-iam-authenticator"] diff --git a/Dockerfile.alpine-3.7 b/Dockerfile.alpine-3.7 index 1a9608033..f99d6794b 100644 
--- a/Dockerfile.alpine-3.7 +++ b/Dockerfile.alpine-3.7 @@ -13,8 +13,8 @@ # limitations under the License. FROM alpine:3.7 -RUN adduser -D -u 10000 heptio-authenticator-aws +RUN adduser -D -u 10000 aws-iam-authenticator RUN apk add --update ca-certificates -COPY heptio-authenticator-aws / -USER heptio-authenticator-aws -ENTRYPOINT ["/heptio-authenticator-aws"] +COPY aws-iam-authenticator / +USER aws-iam-authenticator +ENTRYPOINT ["/aws-iam-authenticator"] diff --git a/Dockerfile.debian-jessie b/Dockerfile.debian-jessie index f44b6c674..b6965ef2f 100644 --- a/Dockerfile.debian-jessie +++ b/Dockerfile.debian-jessie @@ -19,10 +19,10 @@ RUN adduser \ --uid 10000 \ --disabled-password \ --disabled-login \ - heptio-authenticator-aws && \ + aws-iam-authenticator && \ apt-get update && \ apt-get install -y ca-certificates && \ rm -rf /var/lib/apt/lists/* -COPY heptio-authenticator-aws / -USER heptio-authenticator-aws -ENTRYPOINT ["/heptio-authenticator-aws"] +COPY aws-iam-authenticator / +USER aws-iam-authenticator +ENTRYPOINT ["/aws-iam-authenticator"] diff --git a/Dockerfile.debian-stretch b/Dockerfile.debian-stretch index 4695556c3..1b875f683 100644 --- a/Dockerfile.debian-stretch +++ b/Dockerfile.debian-stretch @@ -19,10 +19,10 @@ RUN adduser \ --uid 10000 \ --disabled-password \ --disabled-login \ - heptio-authenticator-aws && \ + aws-iam-authenticator && \ apt-get update && \ apt-get install -y ca-certificates && \ rm -rf /var/lib/apt/lists/* -COPY heptio-authenticator-aws / -USER heptio-authenticator-aws -ENTRYPOINT ["/heptio-authenticator-aws"] +COPY aws-iam-authenticator / +USER aws-iam-authenticator +ENTRYPOINT ["/aws-iam-authenticator"] diff --git a/Dockerfile.scratch b/Dockerfile.scratch index 471a0b963..b29df78d6 100644 --- a/Dockerfile.scratch +++ b/Dockerfile.scratch 
@@ -13,12 +13,12 @@ # limitations under the License. FROM alpine:latest -RUN adduser -D -u 10000 heptio-authenticator-aws +RUN adduser -D -u 10000 aws-iam-authenticator RUN apk add --update ca-certificates FROM scratch COPY --from=0 /etc/passwd /etc/passwd COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ -COPY heptio-authenticator-aws / -USER heptio-authenticator-aws -ENTRYPOINT ["/heptio-authenticator-aws"] +COPY aws-iam-authenticator / +USER aws-iam-authenticator +ENTRYPOINT ["/aws-iam-authenticator"] diff --git a/Makefile b/Makefile index 00f78451c..a4378f4db 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ default: build -GITHUB_REPO ?= github.com/heptio/authenticator +GITHUB_REPO ?= github.com/kubernetes-sigs/aws-iam-authenticator GORELEASER := $(shell command -v goreleaser 2> /dev/null) .PHONY: build test format diff --git a/README.md b/README.md index 2fe44a3ac..ff554827c 100644 --- a/README.md +++ b/README.md 
@@ -57,26 +57,26 @@ The server is meant to run on each of your master nodes as a DaemonSet with host For a sample ConfigMap and DaemonSet configuration, see [`example.yaml`](./example.yaml). #### (Optional) Pre-generate a certificate, key, and kubeconfig -If you're building an automated installer, you can also pre-generate the certificate, key, and webhook kubeconfig files easily using `heptio-authenticator-aws init`. +If you're building an automated installer, you can also pre-generate the certificate, key, and webhook kubeconfig files easily using `aws-iam-authenticator init`. This command will generate files and place them in the configured output directories. You can run this on each master node prior to starting the API server. You could also generate them before provisioning master nodes and install them in the appropriate host paths. -If you do not pre-generate files, `heptio-authenticator-aws server` will generate them on demand. +If you do not pre-generate files, `aws-iam-authenticator server` will generate them on demand. This works but requires that you restart your Kubernetes API server after installation. ### 3. Configure your API server to talk to the server The Kubernetes API integrates with AWS IAM Authenticator for Kubernetes using a [token authentication webhook](https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication). -When you run `heptio-authenticator-aws server`, it will generate a webhook configuration file and save it onto the host filesystem. +When you run `aws-iam-authenticator server`, it will generate a webhook configuration file and save it onto the host filesystem. You'll need to add a single additional flag to your API server configuration: ``` ---authentication-token-webhook-config-file=/etc/kubernetes/heptio-authenticator-aws/kubeconfig.yaml +--authentication-token-webhook-config-file=/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml ``` On many clusters, the API server runs as a static pod. 
You can add the flag to `/etc/kubernetes/manifests/kube-apiserver.yaml`. -Make sure the host directory `/etc/kubernetes/heptio-authenticator-aws/` is mounted into your API server pod. +Make sure the host directory `/etc/kubernetes/aws-iam-authenticator/` is mounted into your API server pod. You may also need to restart the kubelet daemon on your master node to pick up the updated static pod definition: ``` systemctl restart kubelet.service @@ -96,7 +96,7 @@ users: user: exec: apiVersion: client.authentication.k8s.io/v1alpha1 - command: heptio-authenticator-aws + command: aws-iam-authenticator args: - "token" - "-i" @@ -109,11 +109,11 @@ users: This means the `kubeconfig` is entirely public data and can be shared across all Authenticator users. It may make sense to upload it to a trusted public location such as AWS S3. -Make sure you have the `heptio-authenticator-aws` binary installed. -You can install it with `go get -u -v github.com/heptio/authenticator/cmd/heptio-authenticator-aws`. +Make sure you have the `aws-iam-authenticator` binary installed. +You can install it with `go get -u -v github.com/kubernetes-sigs/aws-iam-authenticator/cmd/aws-iam-authenticator`. To authenticate, run `kubectl --kubeconfig /path/to/kubeconfig" [...]`. -kubectl will `exec` the `heptio-authenticator-aws` binary with the supplied params in your kubeconfig which will generate a token and pass it to the apiserver. +kubectl will `exec` the `aws-iam-authenticator` binary with the supplied params in your kubeconfig which will generate a token and pass it to the apiserver. The token is valid for 15 minutes (the shortest value AWS permits) and can be reused multiple times. You can also omit `-r ROLE_ARN` to sign the token with your existing credentials without assuming a dedicated role. 
@@ -125,10 +125,10 @@ Both single and HA master cluster configurations are supported. Perform the following steps to setup Authenticator on a Kops cluster: 1. Pre-generate the certificate, key, and kubeconfig and upload them to the kops state store. ``` - heptio-authenticator-aws init -i $CLUSTER_NAME + aws-iam-authenticator init -i $CLUSTER_NAME aws s3 cp cert.pem ${KOPS_STATE_STORE}/${CLUSTER_NAME}/addons/authenticator/cert.pem; aws s3 cp key.pem ${KOPS_STATE_STORE}/${CLUSTER_NAME}/addons/authenticator/key.pem; - aws s3 cp heptio-authenticator-aws.kubeconfig ${KOPS_STATE_STORE}/${CLUSTER_NAME}/addons/authenticator/kubeconfig.yaml; + aws s3 cp aws-iam-authenticator.kubeconfig ${KOPS_STATE_STORE}/${CLUSTER_NAME}/addons/authenticator/kubeconfig.yaml; ``` 2. Add the following sections to the cluster spec, either using `kops edit cluster ${CLUSTER_NAME}` or editing the manifest yaml file. Be sure to replace `KOPS_STATE_STORE` and `CLUSTER_NAME` with their appropriate values since those environment variables are not available at runtime. @@ -139,7 +139,7 @@ Perform the following steps to setup Authenticator on a Kops cluster: kind: Cluster spec: kubeAPIServer: - authenticationTokenWebhookConfigFile: /srv/kubernetes/heptio-authenticator-aws/kubeconfig.yaml + authenticationTokenWebhookConfigFile: /srv/kubernetes/aws-iam-authenticator/kubeconfig.yaml hooks: - name: kops-hook-authenticator-config.service before: 
@@ -150,17 +150,17 @@ Perform the following steps to setup Authenticator on a Kops cluster: Description=Download AWS Authenticator configs from S3 [Service] Type=oneshot - ExecStart=/bin/mkdir -p /srv/kubernetes/heptio-authenticator-aws - ExecStart=/usr/local/bin/aws s3 cp --recursive s3://KOPS_STATE_STORE/CLUSTER_NAME/addons/authenticator /srv/kubernetes/heptio-authenticator-aws/ + ExecStart=/bin/mkdir -p /srv/kubernetes/aws-iam-authenticator + ExecStart=/usr/local/bin/aws s3 cp --recursive s3://KOPS_STATE_STORE/CLUSTER_NAME/addons/authenticator /srv/kubernetes/aws-iam-authenticator/ ``` If using a non-default AMI that does not have the AWS CLI, replace the second ExecStart statement with ``` - ExecStart=/usr/bin/docker run --net=host --rm -v /srv/kubernetes/heptio-authenticator-aws:/srv/kubernetes/heptio-authenticator-aws quay.io/coreos/awscli@sha256:7b893bfb22ac582587798b011024f40871cd7424b9026595fd99c2b69492791d aws s3 cp --recursive s3://KOPS_STATE_STORE/CLUSTER_NAME/addons/authenticator /srv/kubernetes/heptio-authenticator-aws/ + ExecStart=/usr/bin/docker run --net=host --rm -v /srv/kubernetes/aws-iam-authenticator:/srv/kubernetes/aws-iam-authenticator quay.io/coreos/awscli@sha256:7b893bfb22ac582587798b011024f40871cd7424b9026595fd99c2b69492791d aws s3 cp --recursive s3://KOPS_STATE_STORE/CLUSTER_NAME/addons/authenticator /srv/kubernetes/aws-iam-authenticator/ ``` 3. Apply the changes with `kops update cluster ${CLUSTER_NAME}`. If the cluster already exists, roll the cluster with `kops rolling-update cluster ${CLUSTER_NAME}` in order to recreate the master nodes. -4. Update the Authenticator DaemonSet's state and output volumes to both use `/srv/kubernetes/heptio-authenticator-aws/` for their `hostPath`s. +4. Update the Authenticator DaemonSet's state and output volumes to both use `/srv/kubernetes/aws-iam-authenticator/` for their `hostPath`s. 5. Apply the DaemonSet and ConfigMap resource manifests to launch the Authenticator server on the cluster. 
*Note:* Certain Kops commands will overwrite the `ExecCredential` in kubeconfig so it may need to be restored manually. See [kubernetes/kops#5051](https://github.com/kubernetes/kops/issues/5051) for more information. @@ -170,11 +170,11 @@ Perform the following steps to setup Authenticator on a Kops cluster: It works using the AWS [`sts:GetCallerIdentity`](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) API endpoint. This endpoint returns information about whatever AWS IAM credentials you use to connect to it. -#### Client side (`heptio-authenticator-aws token`) +#### Client side (`aws-iam-authenticator token`) We use this API in a somewhat unusual way by having the Authenticator client generate and pre-sign a request to the endpoint. We serialize that request into a token that can pass through the Kubernetes authentication system. -#### Server side (`heptio-authenticator-aws server`) +#### Server side (`aws-iam-authenticator server`) The token is passed through the Kubernetes API server and into the Authenticator server's `/authenticate` endpoint via a webhook configuration. The Authenticator server validates all the parameters of the pre-signed request to make sure nothing looks funny. It then submits the request to the real `https://sts.amazonaws.com` server, which validates the client's HMAC signature and returns information about the user. 
@@ -194,17 +194,17 @@ Some good choices are: The [Vault documentation](https://www.vaultproject.io/docs/auth/aws.html#iam-auth-method) also explains this attack (see `X-Vault-AWS-IAM-Server-ID`). ## Specifying Credentials & Using AWS Profiles -Credentials can be specified for use with `heptio-authenticator-aws` via any of the methods available to the +Credentials can be specified for use with `aws-iam-authenticator` via any of the methods available to the [AWS SDK for Go](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials). This includes specifying AWS credentials with enviroment variables or by utilizing a credentials file. -AWS [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html) are supported by `heptio-authenticator-aws` +AWS [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html) are supported by `aws-iam-authenticator` via the `AWS_PROFILE` environment variable. For example, to authenticate with credentials specified in the _dev_ profile the `AWS_PROFILE` can be exported or specified explictly (e.g., `AWS_PROFILE=dev kubectl get all`). If no `AWS_PROFILE` is set, the _default_ profile is used. The `AWS_PROFILE` can also be specified directly in the kubeconfig file [as part of the `exec` flow](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration). For example, to specify -that credentials from the _dev_ named profile should always be used by `heptio-authenticator-aws`, your kubeconfig would include an `env` +that credentials from the _dev_ named profile should always be used by `aws-iam-authenticator`, your kubeconfig would include an `env` key thats sets the profile: ```yaml @@ -227,7 +227,7 @@ users: user: exec: apiVersion: client.authentication.k8s.io/v1alpha1 - command: heptio-authenticator-aws + command: aws-iam-authenticator env: - name: "AWS_PROFILE" value: "dev" 
@@ -245,7 +245,7 @@ take precedence over what's already set in your environment. If your client fails with an error like `could not get token: AccessDenied [...]`, you can try assuming the role with the AWS CLI directly: ```sh -# AWS CLI version of `heptio-authenticator-aws token -r arn:aws:iam::ACCOUNT:role/ROLE`: +# AWS CLI version of `aws-iam-authenticator token -r arn:aws:iam::ACCOUNT:role/ROLE`: $ aws sts assume-role --role-arn arn:aws:iam::ACCOUNT:role/ROLE --role-session-name test ``` @@ -267,7 +267,7 @@ They can share the same exact configuration file, since there are no secrets sto # a unique-per-cluster identifier to prevent replay attacks (see above) clusterID: my-dev-cluster.example.com -# default IAM role to assume for `heptio-authenticator-aws token` +# default IAM role to assume for `aws-iam-authenticator token` defaultRole: arn:aws:iam::000000000000:role/KubernetesAdmin # server listener configuration @@ -276,10 +276,10 @@ server: port: 21362 # (default) # state directory for generated TLS certificate and private keys - stateDir: /var/heptio-authenticator-aws # (default) + stateDir: /var/aws-iam-authenticator # (default) # output `path` where a generated webhook kubeconfig will be stored. - generateKubeconfig: /etc/kubernetes/heptio-authenticator-aws.kubeconfig # (default) + generateKubeconfig: /etc/kubernetes/aws-iam-authenticator.kubeconfig # (default) # role to assume before querying EC2 API in order to discover metadata like EC2 private DNS Name ec2DescribeInstancesRoleARN: arn:aws:iam::000000000000:role/DescribeInstancesRole diff --git a/cmd/heptio-authenticator-aws/init.go b/cmd/aws-iam-authenticator/init.go similarity index 89% rename from cmd/heptio-authenticator-aws/init.go rename to cmd/aws-iam-authenticator/init.go index a6efdcf94..f1501bf15 100644 --- a/cmd/heptio-authenticator-aws/init.go +++ b/cmd/aws-iam-authenticator/init.go 
@@ -36,7 +36,7 @@ var initCmd = &cobra.Command{ } localCfg := cfg - localCfg.GenerateKubeconfigPath = "heptio-authenticator-aws.kubeconfig" + localCfg.GenerateKubeconfigPath = "aws-iam-authenticator.kubeconfig" localCfg.StateDir = "./" err = localCfg.GenerateFiles() @@ -48,7 +48,7 @@ var initCmd = &cobra.Command{ logrus.Infof("copy %s to %s on kubernetes master node(s)", localCfg.CertPath(), cfg.CertPath()) logrus.Infof("copy %s to %s on kubernetes master node(s)", localCfg.KeyPath(), cfg.KeyPath()) logrus.Infof("copy %s to %s on kubernetes master node(s)", localCfg.GenerateKubeconfigPath, cfg.GenerateKubeconfigPath) - logrus.Infof("configure your apiserver with `--authentication-token-webhook-config-file=%s` to enable authentication with heptio-authenticator-aws", cfg.GenerateKubeconfigPath) + logrus.Infof("configure your apiserver with `--authentication-token-webhook-config-file=%s` to enable authentication with aws-iam-authenticator", cfg.GenerateKubeconfigPath) }, } diff --git a/cmd/heptio-authenticator-aws/root.go b/cmd/aws-iam-authenticator/root.go similarity index 95% rename from cmd/heptio-authenticator-aws/root.go rename to cmd/aws-iam-authenticator/root.go index e86055f58..31dec2e2b 100644 --- a/cmd/heptio-authenticator-aws/root.go +++ b/cmd/aws-iam-authenticator/root.go @@ -21,7 +21,7 @@ import ( "fmt" "os" - "github.com/heptio/authenticator/pkg/config" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/config" "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -31,7 +31,7 @@ import ( var cfgFile string var rootCmd = &cobra.Command{ - Use: "heptio-authenticator-aws", + Use: "aws-iam-authenticator", Short: "A tool to authenticate to Kubernetes using AWS IAM credentials", } 
@@ -56,7 +56,7 @@ func init() { "cluster-id", "i", "", - "Specify the cluster `ID`, a unique-per-cluster identifier for your heptio-authenticator-aws installation.", + "Specify the cluster `ID`, a unique-per-cluster identifier for your aws-iam-authenticator installation.", ) viper.BindPFlag("clusterID", rootCmd.PersistentFlags().Lookup("cluster-id")) viper.BindEnv("clusterID", "KUBERNETES_AWS_AUTHENTICATOR_CLUSTER_ID") diff --git a/cmd/heptio-authenticator-aws/server.go b/cmd/aws-iam-authenticator/server.go similarity index 93% rename from cmd/heptio-authenticator-aws/server.go rename to cmd/aws-iam-authenticator/server.go index b71ab2ae5..b9005b9e7 100644 --- a/cmd/heptio-authenticator-aws/server.go +++ b/cmd/aws-iam-authenticator/server.go @@ -17,7 +17,7 @@ limitations under the License. package main import ( - "github.com/heptio/authenticator/pkg/server" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/server" "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -47,7 +47,7 @@ func init() { viper.SetDefault("server.port", DefaultPort) serverCmd.Flags().String("generate-kubeconfig", - "/etc/kubernetes/heptio-authenticator-aws/kubeconfig.yaml", + "/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml", "Output `path` where a generated webhook kubeconfig (for `--authentication-token-webhook-config-file`) will be stored (should be a hostPath mount).") viper.BindPFlag("server.generateKubeconfig", serverCmd.Flags().Lookup("generate-kubeconfig")) @@ -57,7 +57,7 @@ func init() { viper.BindPFlag("server.kubeconfigPregenerated", serverCmd.Flags().Lookup("kubeconfig-pregenerated")) serverCmd.Flags().String("state-dir", - "/var/heptio-authenticator-aws", + "/var/aws-iam-authenticator", "State `directory` for generated certificate and private key (should be a hostPath mount).") viper.BindPFlag("server.stateDir", serverCmd.Flags().Lookup("state-dir")) 
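Review bot: Changing the built-in defaults for `--state-dir` (`/var/aws-iam-authenticator`) and `--generate-kubeconfig` (`/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml`) silently breaks an existing installation that relied on the old defaults: per the README on this page the server generates certificate, key and webhook kubeconfig on demand when they are missing, so a server restarted with the new binary and no explicit flags will presumably mint a fresh self-signed certificate in the new, empty state directory and write its kubeconfig to the new path, while the API server keeps reading the old kubeconfig whose `certificate-authority-data` pins the previous certificate, and webhook TLS verification (hence every IAM login) fails until the API server is reconfigured. The renamed hostPaths and ConfigMap/DaemonSet names in the example.yaml hunks have the same effect, since `kubectl apply` of the new manifest creates a second DaemonSet next to the old one rather than replacing it. Because the commit message only says "Renamed", a migration note in the README or release notes (delete the old DaemonSet, move or copy `/var/heptio-authenticator-aws` to the new state directory or pass `--state-dir` explicitly, update `--authentication-token-webhook-config-file`) is needed, and the flag help could add `(installations upgraded from heptio-authenticator-aws must point this at their existing directory)`. `init()` starts and ends outside the hunk.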
diff --git a/cmd/heptio-authenticator-aws/token.go b/cmd/aws-iam-authenticator/token.go similarity index 96% rename from cmd/heptio-authenticator-aws/token.go rename to cmd/aws-iam-authenticator/token.go index fc651b306..5766adfde 100644 --- a/cmd/heptio-authenticator-aws/token.go +++ b/cmd/aws-iam-authenticator/token.go @@ -20,7 +20,7 @@ import ( "fmt" "os" - "github.com/heptio/authenticator/pkg/token" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/token" "github.com/spf13/cobra" "github.com/spf13/viper" diff --git a/cmd/heptio-authenticator-aws/verify.go b/cmd/aws-iam-authenticator/verify.go similarity index 96% rename from cmd/heptio-authenticator-aws/verify.go rename to cmd/aws-iam-authenticator/verify.go index 705aa0ba9..3436b8566 100644 --- a/cmd/heptio-authenticator-aws/verify.go +++ b/cmd/aws-iam-authenticator/verify.go @@ -20,7 +20,7 @@ import ( "fmt" "os" - "github.com/heptio/authenticator/pkg/token" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/token" "github.com/spf13/cobra" "github.com/spf13/viper" diff --git a/example.yaml b/example.yaml index 43ed3c3a2..78902cb0c 100644 --- a/example.yaml +++ b/example.yaml @@ -23,9 +23,9 @@ apiVersion: v1 kind: ConfigMap metadata: namespace: kube-system - name: heptio-authenticator-aws + name: aws-iam-authenticator labels: - k8s-app: heptio-authenticator-aws + k8s-app: aws-iam-authenticator data: config.yaml: | # a unique-per-cluster identifier to prevent replay attacks @@ -77,9 +77,9 @@ apiVersion: extensions/v1beta1 kind: DaemonSet metadata: namespace: kube-system - name: heptio-authenticator-aws + name: aws-iam-authenticator labels: - k8s-app: heptio-authenticator-aws + k8s-app: aws-iam-authenticator spec: updateStrategy: type: RollingUpdate @@ -88,7 +88,7 @@ spec: annotations: scheduler.alpha.kubernetes.io/critical-pod: "" labels: - k8s-app: heptio-authenticator-aws + k8s-app: aws-iam-authenticator spec: # run on the host network (don't depend on CNI) hostNetwork: true 
@@ -102,18 +102,18 @@ spec: - key: CriticalAddonsOnly operator: Exists - # run `heptio-authenticator-aws server` with three volumes - # - config (mounted from the ConfigMap at /etc/heptio-authenticator-aws/config.yaml) + # run `aws-iam-authenticator server` with three volumes + # - config (mounted from the ConfigMap at /etc/aws-iam-authenticator/config.yaml) # - state (persisted TLS certificate and keys, mounted from the host) # - output (output kubeconfig to plug into your apiserver configuration, mounted from the host) containers: - - name: heptio-authenticator-aws + - name: aws-iam-authenticator image: gcr.io/heptio-images/authenticator:v0.1.0 args: - server - - --config=/etc/heptio-authenticator-aws/config.yaml - - --state-dir=/var/heptio-authenticator-aws - - --generate-kubeconfig=/etc/kubernetes/heptio-authenticator-aws/kubeconfig.yaml + - --config=/etc/aws-iam-authenticator/config.yaml + - --state-dir=/var/aws-iam-authenticator + - --generate-kubeconfig=/etc/kubernetes/aws-iam-authenticator/kubeconfig.yaml resources: requests: @@ -125,20 +125,20 @@ spec: volumeMounts: - name: config - mountPath: /etc/heptio-authenticator-aws/ + mountPath: /etc/aws-iam-authenticator/ - name: state - mountPath: /var/heptio-authenticator-aws/ + mountPath: /var/aws-iam-authenticator/ - name: output - mountPath: /etc/kubernetes/heptio-authenticator-aws/ + mountPath: /etc/kubernetes/aws-iam-authenticator/ volumes: - name: config configMap: - name: heptio-authenticator-aws + name: aws-iam-authenticator - name: output hostPath: - path: /etc/kubernetes/heptio-authenticator-aws/ + path: /etc/kubernetes/aws-iam-authenticator/ - name: state hostPath: - path: /var/heptio-authenticator-aws/ + path: /var/aws-iam-authenticator/ diff --git a/pkg/config/certs.go b/pkg/config/certs.go index 7aa73d499..d1618435d 100644 --- a/pkg/config/certs.go +++ b/pkg/config/certs.go 
@@ -129,7 +129,7 @@ func selfSignCertificate() ([]byte, []byte, error) { template := x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{ - CommonName: "heptio-authenticator-aws", + CommonName: "aws-iam-authenticator", }, NotBefore: notBefore, NotAfter: notAfter, diff --git a/pkg/config/kubeconfig.go b/pkg/config/kubeconfig.go index 96d08d224..373588b7a 100644 --- a/pkg/config/kubeconfig.go +++ b/pkg/config/kubeconfig.go @@ -25,7 +25,7 @@ var webhookKubeconfigTemplate = template.Must( template.New("kubeconfig").Option("missingkey=error").Parse(` # clusters refers to the remote service. clusters: - - name: heptio-authenticator-aws + - name: aws-iam-authenticator cluster: certificate-authority-data: {{.CertificateAuthorityBase64}} server: {{.ServerURL}} @@ -38,7 +38,7 @@ current-context: webhook contexts: - name: webhook context: - cluster: heptio-authenticator-aws + cluster: aws-iam-authenticator user: apiserver `)) diff --git a/pkg/config/types.go b/pkg/config/types.go index 47b05096c..627c9dcd5 100644 --- a/pkg/config/types.go +++ b/pkg/config/types.go @@ -56,10 +56,10 @@ type UserMapping struct { Groups []string } -// Config specifies the configuration for a heptio-authenticator-aws server +// Config specifies the configuration for a aws-iam-authenticator server type Config struct { // ClusterID is a unique-per-cluster identifier for your - // heptio-authenticator-aws installation. + // aws-iam-authenticator installation. ClusterID string // KubeconfigPregenerated is set to `true` when a webhook kubeconfig is 
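Review bot: The mechanically renamed doc comment on `Config` now reads `// Config specifies the configuration for a aws-iam-authenticator server`; it should be `// Config specifies the configuration for an aws-iam-authenticator server`. The `ClusterID` comment two lines below was renamed the same way and reads fine. `type Config struct` continues past the end of the hunk.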
@@ -95,7 +95,7 @@ type Config struct { // ServerEC2DescribeInstancesRoleARN is an optional AWS Resource Name for an IAM Role to be assumed // before calling ec2:DescribeInstances to determine the private DNS of the calling kubelet (EC2 Instance). - // If nil, defaults to using the IAM Role attached to the instance where heptio-authenticator-aws is + // If nil, defaults to using the IAM Role attached to the instance where aws-iam-authenticator is // running. ServerEC2DescribeInstancesRoleARN string } diff --git a/pkg/server/server.go b/pkg/server/server.go index 6e6c79e43..f7fff3c0a 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go @@ -28,9 +28,9 @@ import ( "sync" "time" - "github.com/heptio/authenticator/pkg/arn" - "github.com/heptio/authenticator/pkg/config" - "github.com/heptio/authenticator/pkg/token" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/arn" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/config" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/token" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" @@ -268,7 +268,7 @@ func (h *handler) authenticateEndpoint(w http.ResponseWriter, req *http.Request) } // use a prefixed UID that includes the AWS account ID and AWS user ID ("AROAAAAAAAAAAAAAAAAAA") - uid := fmt.Sprintf("heptio-authenticator-aws:%s:%s", identity.AccountID, identity.UserID) + uid := fmt.Sprintf("aws-iam-authenticator:%s:%s", identity.AccountID, identity.UserID) // the token is valid and the role is mapped, return success! log.WithFields(logrus.Fields{ diff --git a/pkg/server/server_test.go b/pkg/server/server_test.go index 9ef5318da..e3899e81c 100644 --- a/pkg/server/server_test.go +++ b/pkg/server/server_test.go 
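Review bot: The prefix in `uid := fmt.Sprintf("aws-iam-authenticator:%s:%s", identity.AccountID, identity.UserID)` is not just a label: it is the UID the webhook returns to the API server in the TokenReview (the updated expectations in server_test.go show the full `aws-iam-authenticator:<account>:<userid>` string), so after this upgrade every IAM principal is reported with a different UID than before while its username is unchanged. Anything downstream that correlates on UID — audit-log analysis, an authorization webhook or admission policy keyed on `user.uid` — will presumably see a discontinuity, and the commit message does not mention it. Consider calling this out in the release notes, pinning the intent with a comment such as `// the prefix is part of the externally visible UID; changing it changes the UID of every authenticated user` above the assignment, or keeping the old prefix behind a compatibility option. `authenticateEndpoint` starts and ends outside the hunk.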
@@ -13,8 +13,8 @@ import ( authenticationv1beta1 "k8s.io/api/authentication/v1beta1" - "github.com/heptio/authenticator/pkg/config" - "github.com/heptio/authenticator/pkg/token" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/config" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/token" "github.com/prometheus/client_golang/prometheus" ) @@ -289,7 +289,7 @@ func TestAuthenticateVerifierRoleMapping(t *testing.T) { if resp.Code != http.StatusOK { t.Errorf("Expected status code %d, was %d", http.StatusOK, resp.Code) } - verifyAuthResult(t, resp, tokenReview("TestUser", "heptio-authenticator-aws:0123456789012:Test", []string{"sys:admin", "listers"})) + verifyAuthResult(t, resp, tokenReview("TestUser", "aws-iam-authenticator:0123456789012:Test", []string{"sys:admin", "listers"})) validateMetrics(t, validateOpts{success: 1}) } @@ -323,7 +323,7 @@ func TestAuthenticateVerifierUserMapping(t *testing.T) { if resp.Code != http.StatusOK { t.Errorf("Expected status code %d, was %d", http.StatusOK, resp.Code) } - verifyAuthResult(t, resp, tokenReview("TestUser", "heptio-authenticator-aws:0123456789012:Test", []string{"sys:admin", "listers"})) + verifyAuthResult(t, resp, tokenReview("TestUser", "aws-iam-authenticator:0123456789012:Test", []string{"sys:admin", "listers"})) validateMetrics(t, validateOpts{success: 1}) } @@ -353,7 +353,7 @@ func TestAuthenticateVerifierAccountMappingForUser(t *testing.T) { if resp.Code != http.StatusOK { t.Errorf("Expected status code %d, was %d", http.StatusOK, resp.Code) } - verifyAuthResult(t, resp, tokenReview("arn:aws:iam::0123456789012:user/Test", "heptio-authenticator-aws:0123456789012:Test", nil)) + verifyAuthResult(t, resp, tokenReview("arn:aws:iam::0123456789012:user/Test", "aws-iam-authenticator:0123456789012:Test", nil)) validateMetrics(t, validateOpts{success: 1}) } 
@@ -383,7 +383,7 @@ func TestAuthenticateVerifierAccountMappingForRole(t *testing.T) { if resp.Code != http.StatusOK { t.Errorf("Expected status code %d, was %d", http.StatusOK, resp.Code) } - verifyAuthResult(t, resp, tokenReview("arn:aws:iam::0123456789012:role/Test", "heptio-authenticator-aws:0123456789012:Test", nil)) + verifyAuthResult(t, resp, tokenReview("arn:aws:iam::0123456789012:role/Test", "aws-iam-authenticator:0123456789012:Test", nil)) validateMetrics(t, validateOpts{success: 1}) } @@ -418,7 +418,7 @@ func TestAuthenticateVerifierNodeMapping(t *testing.T) { if resp.Code != http.StatusOK { t.Errorf("Expected status code %d, was %d", http.StatusOK, resp.Code) } - verifyAuthResult(t, resp, tokenReview("system:node:ip-172-31-27-14", "heptio-authenticator-aws:0123456789012:TestNodeRole", []string{"system:nodes", "system:bootstrappers"})) + verifyAuthResult(t, resp, tokenReview("system:node:ip-172-31-27-14", "aws-iam-authenticator:0123456789012:TestNodeRole", []string{"system:nodes", "system:bootstrappers"})) validateMetrics(t, validateOpts{success: 1}) } diff --git a/pkg/server/types.go b/pkg/server/types.go index b32ca38e1..e18f6243d 100644 --- a/pkg/server/types.go +++ b/pkg/server/types.go @@ -17,11 +17,11 @@ limitations under the License. package server import ( - "github.com/heptio/authenticator/pkg/config" + "github.com/kubernetes-sigs/aws-iam-authenticator/pkg/config" ) // Server for the authentication webhook. type Server struct { - // Config is the whole configuration of heptio-authenticator-aws used for valid keys and certs, kubeconfig, and so on + // Config is the whole configuration of aws-iam-authenticator used for valid keys and certs, kubeconfig, and so on config.Config } diff --git a/pkg/token/token.go b/pkg/token/token.go index 992438216..a1e7d703c 100644 --- a/pkg/token/token.go +++ b/pkg/token/token.go 
@@ -32,7 +32,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
-	"github.com/heptio/authenticator/pkg/arn"
+	"github.com/kubernetes-sigs/aws-iam-authenticator/pkg/arn"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthv1alpha1 "k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
 )