JWKS / IRSA: Expose public ACLs to terraform

Otherwise terraform wasn't correctly / consistently exposing these files for JWKS/IRSA/OIDC.
kubernetes · Jan 30, 2022 · 16a676f · 16a676f
1 parent d6cb497
commit 16a676f
Show file tree

Hide file tree

Showing 11 changed files with 56 additions and 24 deletions.
diff --git a/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf b/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf
@@ -569,6 +569,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -593,6 +594,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/minimal.example.com/openid/v1/jwks"

diff --git a/tests/integration/update_cluster/digit/kubernetes.tf b/tests/integration/update_cluster/digit/kubernetes.tf
@@ -568,6 +568,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/123.example.com/.well-known/openid-configuration"
@@ -592,6 +593,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/123.example.com/openid/v1/jwks"

diff --git a/tests/integration/update_cluster/external_dns_irsa/kubernetes.tf b/tests/integration/update_cluster/external_dns_irsa/kubernetes.tf
@@ -543,6 +543,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -567,6 +568,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/minimal.example.com/openid/v1/jwks"

diff --git a/tests/integration/update_cluster/irsa/kubernetes.tf b/tests/integration/update_cluster/irsa/kubernetes.tf
@@ -593,6 +593,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -617,6 +618,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/minimal.example.com/openid/v1/jwks"

diff --git a/tests/integration/update_cluster/karpenter/kubernetes.tf b/tests/integration/update_cluster/karpenter/kubernetes.tf
@@ -719,6 +719,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -743,6 +744,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/minimal.example.com/openid/v1/jwks"

diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf b/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf
@@ -673,6 +673,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -697,6 +698,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/minimal.example.com/openid/v1/jwks"

diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf b/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf
@@ -647,6 +647,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -671,6 +672,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/minimal.example.com/openid/v1/jwks"

diff --git a/tests/integration/update_cluster/minimal_gossip_irsa/kubernetes.tf b/tests/integration/update_cluster/minimal_gossip_irsa/kubernetes.tf
@@ -517,6 +517,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -541,6 +542,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/minimal.example.com/openid/v1/jwks"

diff --git a/tests/integration/update_cluster/public-jwks-apiserver/kubernetes.tf b/tests/integration/update_cluster/public-jwks-apiserver/kubernetes.tf
@@ -543,6 +543,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -567,6 +568,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/minimal.example.com/openid/v1/jwks"

diff --git a/tests/integration/update_cluster/vfs-said/kubernetes.tf b/tests/integration/update_cluster/vfs-said/kubernetes.tf
@@ -517,6 +517,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
   key                    = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -541,6 +542,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+  acl                    = "public-read"
   bucket                 = "testingBucket"
   content                = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
   key                    = "discovery.example.com/minimal.example.com/openid/v1/jwks"

diff --git a/upup/pkg/fi/fitasks/managedfile.go b/upup/pkg/fi/fitasks/managedfile.go
@@ -35,10 +35,16 @@ type ManagedFile struct {
 	Name      *string
 	Lifecycle fi.Lifecycle
 
-	Base     *string
+	// Base is the root location of the store for the managed file
+	Base *string
+
+	// Location is the relative path of the managed file
 	Location *string
+
 	Contents fi.Resource
-	Public   *bool
+
+	// Public controls whether the object is world-readable
+	Public *bool
 }
 
 func (e *ManagedFile) Find(c *fi.Context) (*ManagedFile, error) {
@@ -103,6 +109,30 @@ func (s *ManagedFile) CheckChanges(a, e, changes *ManagedFile) error {
 	return nil
 }
 
+func (e *ManagedFile) getACL(c *fi.Context, p vfs.Path) (vfs.ACL, error) {
+	var acl vfs.ACL
+	if fi.BoolValue(e.Public) {
+		switch p := p.(type) {
+		case *vfs.S3Path:
+			acl = &vfs.S3Acl{
+				RequestACL: fi.String("public-read"),
+			}
+		case *vfs.MemFSPath:
+			if !p.IsClusterReadable() {
+				return nil, fmt.Errorf("the %q path is intended for use in tests", p.Path())
+			}
+			acl = &vfs.S3Acl{
+				RequestACL: fi.String("public-read"),
+			}
+		default:
+			return nil, fmt.Errorf("the %q path does not support public ACL", p.Path())
+		}
+		return acl, nil
+	}
+
+	return acls.GetACL(p, c.Cluster)
+}
+
 func (_ *ManagedFile) Render(c *fi.Context, a, e, changes *ManagedFile) error {
 	location := fi.StringValue(e.Location)
 	if location == "" {
@@ -120,27 +150,9 @@ func (_ *ManagedFile) Render(c *fi.Context, a, e, changes *ManagedFile) error {
 	}
 	p = p.Join(location)
 
-	var acl vfs.ACL
-	if fi.BoolValue(e.Public) {
-		switch p := p.(type) {
-		case *vfs.S3Path:
-			acl = &vfs.S3Acl{
-				RequestACL: fi.String("public-read"),
-			}
-		case *vfs.MemFSPath:
-			if !p.IsClusterReadable() {
-				return fmt.Errorf("the %q path is intended for use in tests", p.Path())
-			}
-			acl = nil
-		default:
-			return fmt.Errorf("the %q path does not support public ACL", p.Path())
-		}
-	} else {
-
-		acl, err = acls.GetACL(p, c.Cluster)
-		if err != nil {
-			return err
-		}
+	acl, err := e.getACL(c, p)
+	if err != nil {
+		return err
 	}
 
 	err = p.WriteFile(bytes.NewReader(data), acl)
@@ -181,7 +193,7 @@ func (f *ManagedFile) RenderTerraform(c *fi.Context, t *terraform.TerraformTarge
 	}
 	p = p.Join(location)
 
-	acl, err := acls.GetACL(p, c.Cluster)
+	acl, err := e.getACL(c, p)
 	if err != nil {
 		return err
 	}