From 16a676ffb3a388f3d7f1e68df6dc1f8b98b46161 Mon Sep 17 00:00:00 2001
From: justinsb
Date: Sun, 30 Jan 2022 14:57:15 -0500
Subject: [PATCH] JWKS / IRSA: Expose public ACLs to terraform

Otherwise terraform wasn't correctly / consistently exposing these files for JWKS/IRSA/OIDC.
---
 .../aws-lb-controller/kubernetes.tf | 2 +
 .../update_cluster/digit/kubernetes.tf | 2 +
 .../external_dns_irsa/kubernetes.tf | 2 +
 .../update_cluster/irsa/kubernetes.tf | 2 +
 .../update_cluster/karpenter/kubernetes.tf | 2 +
 .../many-addons-ccm-irsa/kubernetes.tf | 2 +
 .../many-addons-ccm-irsa23/kubernetes.tf | 2 +
 .../minimal_gossip_irsa/kubernetes.tf | 2 +
 .../public-jwks-apiserver/kubernetes.tf | 2 +
 .../update_cluster/vfs-said/kubernetes.tf | 2 +
 upup/pkg/fi/fitasks/managedfile.go | 60 +++++++++++--------
 11 files changed, 56 insertions(+), 24 deletions(-)

diff --git a/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf b/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf
index fce6d91133e8f..68a351f916b18 100644
--- a/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf
+++ b/tests/integration/update_cluster/aws-lb-controller/kubernetes.tf
@@ -569,6 +569,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -593,6 +594,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
diff --git a/tests/integration/update_cluster/digit/kubernetes.tf b/tests/integration/update_cluster/digit/kubernetes.tf
index f935a90e05c24..67de5ae1e8afe 100644
--- a/tests/integration/update_cluster/digit/kubernetes.tf
+++ b/tests/integration/update_cluster/digit/kubernetes.tf
@@ -568,6 +568,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/123.example.com/.well-known/openid-configuration"
@@ -592,6 +593,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/123.example.com/openid/v1/jwks"
diff --git a/tests/integration/update_cluster/external_dns_irsa/kubernetes.tf b/tests/integration/update_cluster/external_dns_irsa/kubernetes.tf
index cbd126e976a16..cc0cfb16694b9 100644
--- a/tests/integration/update_cluster/external_dns_irsa/kubernetes.tf
+++ b/tests/integration/update_cluster/external_dns_irsa/kubernetes.tf
@@ -543,6 +543,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -567,6 +568,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
diff --git a/tests/integration/update_cluster/irsa/kubernetes.tf b/tests/integration/update_cluster/irsa/kubernetes.tf
index 08fd02ed54dbc..362b47261f112 100644
--- a/tests/integration/update_cluster/irsa/kubernetes.tf
+++ b/tests/integration/update_cluster/irsa/kubernetes.tf
@@ -593,6 +593,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -617,6 +618,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
diff --git a/tests/integration/update_cluster/karpenter/kubernetes.tf b/tests/integration/update_cluster/karpenter/kubernetes.tf
index f1140f6104f73..099bf8da4d9a5 100644
--- a/tests/integration/update_cluster/karpenter/kubernetes.tf
+++ b/tests/integration/update_cluster/karpenter/kubernetes.tf
@@ -719,6 +719,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -743,6 +744,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf b/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf
index c8eda8bc5063f..545b630429b1e 100644
--- a/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf
@@ -673,6 +673,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -697,6 +698,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf b/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf
index 4635a79e6321e..2b3983ea16d80 100644
--- a/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf
@@ -647,6 +647,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -671,6 +672,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
diff --git a/tests/integration/update_cluster/minimal_gossip_irsa/kubernetes.tf b/tests/integration/update_cluster/minimal_gossip_irsa/kubernetes.tf
index 5620fd2b14afe..e5f6c176aeb0b 100644
--- a/tests/integration/update_cluster/minimal_gossip_irsa/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gossip_irsa/kubernetes.tf
@@ -517,6 +517,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -541,6 +542,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
diff --git a/tests/integration/update_cluster/public-jwks-apiserver/kubernetes.tf b/tests/integration/update_cluster/public-jwks-apiserver/kubernetes.tf
index 067d5ca90a2ce..d587c0455b7b0 100644
--- a/tests/integration/update_cluster/public-jwks-apiserver/kubernetes.tf
+++ b/tests/integration/update_cluster/public-jwks-apiserver/kubernetes.tf
@@ -543,6 +543,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -567,6 +568,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
diff --git a/tests/integration/update_cluster/vfs-said/kubernetes.tf b/tests/integration/update_cluster/vfs-said/kubernetes.tf
index fe3cd54cbe721..1ecaac69796e1 100644
--- a/tests/integration/update_cluster/vfs-said/kubernetes.tf
+++ b/tests/integration/update_cluster/vfs-said/kubernetes.tf
@@ -517,6 +517,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 }
 
 resource "aws_s3_bucket_object" "discovery-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
 key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@@ -541,6 +542,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 }
 
 resource "aws_s3_bucket_object" "keys-json" {
+ acl = "public-read"
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
 key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
diff --git a/upup/pkg/fi/fitasks/managedfile.go b/upup/pkg/fi/fitasks/managedfile.go
index 8fa8abebe1294..45a3439df5afe 100644
--- a/upup/pkg/fi/fitasks/managedfile.go
+++ b/upup/pkg/fi/fitasks/managedfile.go
@@ -35,10 +35,16 @@ type ManagedFile struct {
 Name *string
 Lifecycle fi.Lifecycle
 
- Base *string
+ // Base is the root location of the store for the managed file
+ Base *string
+
+ // Location is the relative path of the managed file
 Location *string
+
 Contents fi.Resource
+
+ // Public controls whether the object is world-readable
+ Public *bool
 }
 
 func (e *ManagedFile) Find(c *fi.Context) (*ManagedFile, error) {
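Review bot: The new comment on `Public` in the `ManagedFile` struct says the object is world-readable, but not that this is a hard override of the cluster's ACL configuration nor that only some stores support it; a reader of the struct cannot see either restriction without finding getACL further down the file. Suggest `// Public makes the object world-readable (public-read); it overrides the cluster's configured ACL and is only supported for S3 paths (and in-memory paths in tests).` The `Base` and `Location` comments could likewise say that the file is written at Base joined with Location, which is what Render and RenderTerraform do with them.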
@@ -103,6 +109,30 @@ func (s *ManagedFile) CheckChanges(a, e, changes *ManagedFile) error {
 return nil
 }
 
+func (e *ManagedFile) getACL(c *fi.Context, p vfs.Path) (vfs.ACL, error) {
+ var acl vfs.ACL
+ if fi.BoolValue(e.Public) {
+ switch p := p.(type) {
+ case *vfs.S3Path:
+ acl = &vfs.S3Acl{
+ RequestACL: fi.String("public-read"),
+ }
+ case *vfs.MemFSPath:
+ if !p.IsClusterReadable() {
+ return nil, fmt.Errorf("the %q path is intended for use in tests", p.Path())
+ }
+ acl = &vfs.S3Acl{
+ RequestACL: fi.String("public-read"),
+ }
+ default:
+ return nil, fmt.Errorf("the %q path does not support public ACL", p.Path())
+ }
+ return acl, nil
+ }
+
+ return acls.GetACL(p, c.Cluster)
+}
+
 func (_ *ManagedFile) Render(c *fi.Context, a, e, changes *ManagedFile) error {
 location := fi.StringValue(e.Location)
 if location == "" {
@@ -120,27 +150,9 @@ func (_ *ManagedFile) Render(c *fi.Context, a, e, changes *ManagedFile) error {
 }
 p = p.Join(location)
 
- var acl vfs.ACL
- if fi.BoolValue(e.Public) {
- switch p := p.(type) {
- case *vfs.S3Path:
- acl = &vfs.S3Acl{
- RequestACL: fi.String("public-read"),
- }
- case *vfs.MemFSPath:
- if !p.IsClusterReadable() {
- return fmt.Errorf("the %q path is intended for use in tests", p.Path())
- }
- acl = nil
- default:
- return fmt.Errorf("the %q path does not support public ACL", p.Path())
- }
- } else {
-
- acl, err = acls.GetACL(p, c.Cluster)
- if err != nil {
- return err
- }
+ acl, err := e.getACL(c, p)
+ if err != nil {
+ return err
 }
 
 err = p.WriteFile(bytes.NewReader(data), acl)
@@ -181,7 +193,7 @@ func (f *ManagedFile) RenderTerraform(c *fi.Context, t *terraform.TerraformTarge
 }
 p = p.Join(location)
 
- acl, err := acls.GetACL(p, c.Cluster)
+ acl, err := e.getACL(c, p)
 if err != nil {
 return err
 }
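Review bot: `getACL` is added without a doc comment, and its contract is not obvious from the body: when `Public` is set it returns early with a fixed public-read ACL and never consults `acls.GetACL`, so whatever the cluster configures there is dropped rather than combined, and only `*vfs.S3Path` and cluster-readable `*vfs.MemFSPath` are accepted. Suggested comment: `// getACL returns the ACL to write the file with: a fixed public-read ACL when Public is set (only S3Path and cluster-readable MemFSPath are supported), otherwise the cluster's configured ACL from acls.GetACL.` The `*vfs.MemFSPath` case now returns an `*vfs.S3Acl` where the removed code in Render set `acl = nil`; presumably this is what makes the terraform target render `acl = "public-read"` for in-memory test paths, but that deserves a one-line comment such as `// return an S3 ACL here so the terraform target renders it for in-memory test paths`, and it is worth confirming that `MemFSPath.WriteFile` tolerates that ACL type. The two identical `S3Acl` literals could be hoisted into one `publicRead` value above the switch so the S3 and MemFS branches cannot drift apart.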