Merge pull request #564 from nnmin-aws/nnmin-minorimp

prepare new release v0.6.4

.goreleaser.yaml

@@ -12,6 +12,8 @@ builds:
     goarch:
       - amd64
       - arm64
+      - ppc64le
+      - s390x
     ignore:
       - goos: windows
         goarch: arm64

cloudbuild.yaml

@@ -1,15 +1,15 @@
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20221214-1b4dd4d69a
     entrypoint: /buildx-entrypoint
     args:
-    - build
-    - --tag=gcr.io/$PROJECT_ID/aws-iam-authenticator:$_GIT_TAG
-    - --tag=gcr.io/$PROJECT_ID/aws-iam-authenticator:latest
-    - --platform=linux/amd64,linux/arm64
-    - --output=type=registry
-    - .
+      - build
+      - --tag=gcr.io/$PROJECT_ID/aws-iam-authenticator:$_GIT_TAG
+      - --tag=gcr.io/$PROJECT_ID/aws-iam-authenticator:latest
+      - --platform=linux/amd64,linux/arm64
+      - --output=type=registry
+      - .
 substitutions:
   _GIT_TAG: '12345'
   _PULL_BASE_REF: 'master'

cmd/aws-iam-authenticator/root.go

@@ -104,6 +104,7 @@ func getConfig() (config.Config, error) {
 		EC2DescribeInstancesBurst:         viper.GetInt("server.ec2DescribeInstancesBurst"),
 		ScrubbedAWSAccounts:               viper.GetStringSlice("server.scrubbedAccounts"),
 		DynamicFilePath:                   viper.GetString("server.dynamicfilepath"),
+		DynamicFileUserIDStrict:           viper.GetBool("server.dynamicfileUserIDStrict"),
 	}
 	if err := viper.UnmarshalKey("server.mapRoles", &cfg.RoleMappings); err != nil {
 		return cfg, fmt.Errorf("invalid server role mappings: %v", err)

hack/dev/access-entries.template

@@ -5,7 +5,8 @@
       "username": "kubernetes-admin",
       "groups": [
         "system:masters"
-      ]
+      ],
+      "userid": "{{USER_ID}}"
     }
   ]
 }

hack/e2e-dynamicfile.sh

@@ -103,7 +103,8 @@ function e2e_dynamicfile(){
           echo "can't assume-role: "${AWS_TEST_ROLE}
           exit 1
   fi
-
+  USERID=$(aws sts get-caller-identity|jq -r '.UserId'|cut -d: -f1)
+  echo "userid: " $USERID
   #run kubectl cmd without adding the role into access entry
   if [ -f ${access_entry_json} ]
       then
@@ -123,6 +124,7 @@ function e2e_dynamicfile(){
 
   sed -e "s|{{AWS_ACCOUNT}}|${AWS_ACCOUNT}|g" \
       -e "s|{{AWS_TEST_ROLE}}|${AWS_TEST_ROLE}|g" \
+      -e "s|{{USER_ID}}|${USERID}|g" \
             "${access_entry_template}" > "${access_entry_tmp}"
   mv "${access_entry_tmp}"  "${access_entry_json}"
   #sleep 10 seconds to make access entry effective

hack/lib/dev-env.sh

@@ -46,6 +46,7 @@ NETWORK_NAME="${NETWORK_NAME:-authenticator-dev}"
 NETWORK_SUBNET="${NETWORK_SUBNET:-172.30.0.0/16}"
 AUTHENTICATOR_IP="${AUTHENTICATOR_IP:-172.30.0.10}"
 AUTHENTICATOR_PORT="${AUTHENTICATOR_PORT:-21362}"
+KIND_BIN="${KIND_BIN:-${OUTPUT}/bin/kind}"
 
 # Not configurable:
 authenticator_healthz_port=21363
@@ -85,16 +86,19 @@ kubectl_kubeconfig="${client_dir}/kubeconfig.yaml"
 kind_kubeconfig="${client_dir}/kind-kubeconfig.yaml"
 
 function install_kind() {
-  if [[ "$OSTYPE" == "darwin"* ]]; then
-      # for Intel Macs
-      [ $(uname -m) = x86_64 ]&& curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-amd64
-      # for M1 / ARM Macs
-      [ $(uname -m) = arm64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-arm64
-  else
-      curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-linux-amd64
-  fi
-  chmod +x ./kind
-  command -v ./kind >/dev/null 2>&1 || { echo >&2 "kind is required but it's not installed.  Aborting."; exit 1; }
+    if ! [[ -f "${KIND_BIN}" ]]; then
+        if [[ "$OSTYPE" == "darwin"* ]]; then
+            # for Intel Macs
+            [ $(uname -m) = x86_64 ]&& curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-amd64
+            # for M1 / ARM Macs
+            [ $(uname -m) = arm64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-arm64
+        else
+            curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-linux-amd64
+        fi
+        chmod +x ./kind
+        mv ./kind "${KIND_BIN}"
+    fi
+    command -v "${KIND_BIN}" >/dev/null 2>&1 || { echo >&2 "kind is required but it's not installed.  Aborting."; exit 1; }
 }
 
 function create_network() {
@@ -234,11 +238,11 @@ function write_kubectl_kubeconfig() {
 
 function create_kind_cluster() {
     export KIND_EXPERIMENTAL_DOCKER_NETWORK="${NETWORK_NAME}"
-    ./kind create cluster \
+    "${KIND_BIN}" create cluster \
         --config "${kind_config_host_dir}/env.yaml" \
         --kubeconfig "${kind_kubeconfig}"
 }
 
 function delete_kind_cluster() {
-    ./kind delete cluster --name "${CLUSTER_NAME}"
-}
+    "${KIND_BIN}" delete cluster --name "${CLUSTER_NAME}"
+}

hack/start-dev-env.sh

@@ -45,6 +45,7 @@ fi
 
 source "${REPO_ROOT}/hack/lib/dev-env.sh"
 
+install_kind
 create_network
 write_authenticator_config
 start_authenticator

pkg/config/types.go

@@ -52,7 +52,10 @@ type RoleMapping struct {
 
 	// Groups is a list of Kubernetes groups this role will authenticate
 	// as (e.g., `system:masters`). Each group name can include placeholders.
-	Groups []string `json:"groups"`
+	Groups []string `json:"groups" yaml:"groups"`
+
+	// UserId is the AWS PrincipalId of the role. (e.g., "ABCXSOTJDDV").
+	UserId string `json:"userid,omitempty" yaml:"userid,omitempty"`
 }
 
 // UserMapping is a static mapping of a single AWS User ARN to a
@@ -65,7 +68,10 @@ type UserMapping struct {
 	Username string `json:"username"`
 
 	// Groups is a list of Kubernetes groups this role will authenticate as (e.g., `system:masters`)
-	Groups []string `json:"groups"`
+	Groups []string `json:"groups" yaml:"groups"`
+
+	// UserId is the AWS PrincipalId of the user. (e.g., "ABCXSOTJDDV").
+	UserId string `json:"userid,omitempty" yaml:"userid,omitempty"`
 }
 
 // Config specifies the configuration for a aws-iam-authenticator server
@@ -144,4 +150,6 @@ type Config struct {
 	EC2DescribeInstancesBurst int
 	//Dynamic File Path for DynamicFile BackendMode
 	DynamicFilePath string
+	//use UserId for mapping, IdentityArn is not used any more when DynamicFileUserIDStrict=true
+	DynamicFileUserIDStrict bool
 }

pkg/mapper/configmap/mapper.go

@@ -1,6 +1,7 @@
 package configmap
 
 import (
+	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
 	"strings"
 
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
@@ -30,8 +31,8 @@ func (m *ConfigMapMapper) Start(stopCh <-chan struct{}) error {
 	return nil
 }
 
-func (m *ConfigMapMapper) Map(canonicalARN string) (*config.IdentityMapping, error) {
-	canonicalARN = strings.ToLower(canonicalARN)
+func (m *ConfigMapMapper) Map(identity *token.Identity) (*config.IdentityMapping, error) {
+	canonicalARN := strings.ToLower(identity.CanonicalARN)
 
 	rm, err := m.RoleMapping(canonicalARN)
 	// TODO: Check for non Role/UserNotFound errors

pkg/mapper/crd/mapper.go

@@ -2,6 +2,7 @@ package crd
 
 import (
 	"fmt"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
 	"strings"
 	"time"
 
@@ -86,8 +87,8 @@ func (m *CRDMapper) Start(stopCh <-chan struct{}) error {
 	return nil
 }
 
-func (m *CRDMapper) Map(canonicalARN string) (*config.IdentityMapping, error) {
-	canonicalARN = strings.ToLower(canonicalARN)
+func (m *CRDMapper) Map(identity *token.Identity) (*config.IdentityMapping, error) {
+	canonicalARN := strings.ToLower(identity.CanonicalARN)
 
 	var iamidentity *iamauthenticatorv1alpha1.IAMIdentityMapping
 	var ok bool

pkg/mapper/dynamicfile/dynamicfile.go

@@ -4,25 +4,25 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"os"
-	"strings"
-	"sync"
-	"time"
-
 	"github.com/fsnotify/fsnotify"
 	"github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"os"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
+	"strings"
+	"sync"
+	"time"
 )
 
 type DynamicFileMapStore struct {
 	mutex sync.RWMutex
 	users map[string]config.UserMapping
 	roles map[string]config.RoleMapping
 	// Used as set.
-	awsAccounts map[string]interface{}
-	filename    string
+	awsAccounts  map[string]interface{}
+	filename     string
+	userIDStrict bool
 }
 
 type DynamicFileData struct {
@@ -66,7 +66,7 @@ func (m *DynamicFileMapStore) loadDynamicFile() error {
 	}
 	logrus.Infof("LoadDynamicFile: %v is available. loading", m.filename)
 	// load the initial file content into memory
-	userMappings, roleMappings, awsAccounts, err := ParseMap(m.filename)
+	userMappings, roleMappings, awsAccounts, err := ParseMap(m)
 	if err != nil {
 		logrus.Errorf("LoadDynamicFile: There was an error parsing the dynamic file: %+v. Map is not updated. Please correct dynamic file", err)
 		return err
@@ -76,9 +76,10 @@ func (m *DynamicFileMapStore) loadDynamicFile() error {
 	return nil
 }
 
-func NewDynamicFileMapStore(filename string) (*DynamicFileMapStore, error) {
+func NewDynamicFileMapStore(cfg config.Config) (*DynamicFileMapStore, error) {
 	ms := DynamicFileMapStore{}
-	ms.filename = filename
+	ms.filename = cfg.DynamicFilePath
+	ms.userIDStrict = cfg.DynamicFileUserIDStrict
 	return &ms, nil
 }
 
@@ -127,11 +128,11 @@ func (m *DynamicFileMapStore) startLoadDynamicFile(stopCh <-chan struct{}) {
 	}, time.Second, stopCh)
 }
 
-func ParseMap(filename string) (userMappings []config.UserMapping, roleMappings []config.RoleMapping, awsAccounts []string, err error) {
+func ParseMap(m *DynamicFileMapStore) (userMappings []config.UserMapping, roleMappings []config.RoleMapping, awsAccounts []string, err error) {
 	errs := make([]error, 0)
 	userMappings = make([]config.UserMapping, 0)
 	roleMappings = make([]config.RoleMapping, 0)
-
+	filename := m.filename
 	dynamicContent, err := os.ReadFile(filename)
 	if err != nil {
 		logrus.Errorf("ParseMap: could not read from dynamic file")
@@ -149,16 +150,24 @@ func ParseMap(filename string) (userMappings []config.UserMapping, roleMappings
 	}
 
 	for _, userMapping := range dynamicFileData.UserMappings {
-		if userMapping.UserARN == "" {
-			errs = append(errs, fmt.Errorf("Value for userarn must be supplied"))
+		key := userMapping.UserARN
+		if m.userIDStrict {
+			key = userMapping.UserId
+		}
+		if key == "" {
+			errs = append(errs, fmt.Errorf("Value for userarn or userid(if dynamicfileUserIDStrict = true) must be supplied"))
 		} else {
 			userMappings = append(userMappings, userMapping)
 		}
 	}
 
 	for _, roleMapping := range dynamicFileData.RoleMappings {
-		if roleMapping.RoleARN == "" {
-			errs = append(errs, fmt.Errorf("Value for rolearn must be supplied"))
+		key := roleMapping.RoleARN
+		if m.userIDStrict {
+			key = roleMapping.UserId
+		}
+		if key == "" {
+			errs = append(errs, fmt.Errorf("Value for rolearn or userid(if dynamicfileUserIDStrict = true) must be supplied"))
 		} else {
 			roleMappings = append(roleMappings, roleMapping)
 		}
@@ -184,12 +193,18 @@ func (ms *DynamicFileMapStore) saveMap(
 	ms.awsAccounts = make(map[string]interface{})
 
 	for _, user := range userMappings {
-		canonicalizedARN, _ := arn.Canonicalize(strings.ToLower(user.UserARN))
-		ms.users[canonicalizedARN] = user
+		key, _ := arn.Canonicalize(strings.ToLower(user.UserARN))
+		if ms.userIDStrict {
+			key = user.UserId
+		}
+		ms.users[key] = user
 	}
 	for _, role := range roleMappings {
-		canonicalizedARN, _ := arn.Canonicalize(strings.ToLower(role.RoleARN))
-		ms.roles[canonicalizedARN] = role
+		key, _ := arn.Canonicalize(strings.ToLower(role.RoleARN))
+		if ms.userIDStrict {
+			key = role.UserId
+		}
+		ms.roles[key] = role
 	}
 	for _, awsAccount := range awsAccounts {
 		ms.awsAccounts[awsAccount] = nil