iam identity provider

liqotech · Jul 15, 2021 · 06b801c · 06b801c
1 parent adbb394
commit 06b801c
Show file tree

Hide file tree

Showing 17 changed files with 536 additions and 342 deletions.
diff --git a/cmd/auth-service/main.go b/cmd/auth-service/main.go
@@ -6,9 +6,10 @@ import (
 	"path/filepath"
 	"time"
 
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 
 	authservice "github.com/liqotech/liqo/internal/auth-service"
+	identitymanager "github.com/liqotech/liqo/pkg/identityManager"
 )
 
 func main() {
@@ -22,6 +23,8 @@ func main() {
 	var keyFile string
 	var useTLS bool
 
+	var awsConfig identitymanager.AwsConfig
+
 	flag.StringVar(&namespace, "namespace", "default", "Namespace where your configs are stored.")
 	flag.StringVar(&kubeconfigPath, "kubeconfigPath",
 		filepath.Join(os.Getenv("HOME"), ".kube", "config"), "For debug purpose, set path to local kubeconfig")
@@ -31,13 +34,18 @@ func main() {
 	flag.StringVar(&keyFile, "keyFile", "/certs/key.pem", "Path to key file")
 	flag.BoolVar(&useTLS, "useTls", false, "Enable HTTPS server")
 
+	flag.StringVar(&awsConfig.AwsAccessKeyID, "awsAccessKeyId", "", "AWS IAM AccessKeyID for the Liqo User")
+	flag.StringVar(&awsConfig.AwsSecretAccessKey, "awsSecretAccessKey", "", "AWS IAM SecretAccessKey for the Liqo User")
+	flag.StringVar(&awsConfig.AwsRegion, "awsRegion", "", "AWS region where the local cluster is running")
+	flag.StringVar(&awsConfig.AwsClusterName, "awsClusterName", "", "Name of the local EKS cluster")
+
 	klog.InitFlags(nil)
 	flag.Parse()
 
 	klog.Info("Namespace: ", namespace)
 
 	authService, err := authservice.NewAuthServiceCtrl(
-		namespace, kubeconfigPath, time.Duration(resyncSeconds)*time.Second, useTLS)
+		namespace, kubeconfigPath, awsConfig, time.Duration(resyncSeconds)*time.Second, useTLS)
 	if err != nil {
 		klog.Error(err)
 		os.Exit(1)

diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/liqotech/liqo
 go 1.16
 
 require (
-	cloud.google.com/go v0.56.0 // indirect
+	github.com/aws/aws-sdk-go v1.39.4
 	github.com/clastix/capsule v0.1.0-rc2
 	github.com/containernetworking/plugins v0.8.6
 	github.com/coreos/go-iptables v0.4.5
@@ -32,13 +32,15 @@ require (
 	github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae
 	go.opencensus.io v0.23.0
 	go.uber.org/goleak v1.1.10
+	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914 // indirect
 	golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
 	golang.org/x/tools v0.1.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200609130330-bd2cb7843e1b
 	gomodules.xyz/jsonpatch/v2 v2.1.0
 	google.golang.org/grpc v1.33.2
 	google.golang.org/protobuf v1.26.0
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	gotest.tools v2.2.0+incompatible
 	inet.af/netaddr v0.0.0-20210313195008-843b4240e319
 	k8s.io/api v0.21.1
@@ -52,6 +54,7 @@ require (
 	k8s.io/kubernetes v1.21.0
 	k8s.io/metrics v0.21.0
 	k8s.io/utils v0.0.0-20210527160623-6fdb442a123b
+	sigs.k8s.io/aws-iam-authenticator v0.5.3
 	sigs.k8s.io/controller-runtime v0.9.0-beta.2
 )
 

diff --git a/go.sum b/go.sum
diff --git a/internal/auth-service/auth-service.go b/internal/auth-service/auth-service.go
@@ -74,7 +74,9 @@ type Controller struct {
 }
 
 // NewAuthServiceCtrl creates a new Auth Controller.
-func NewAuthServiceCtrl(namespace, kubeconfigPath string, resyncTime time.Duration, useTLS bool) (*Controller, error) {
+func NewAuthServiceCtrl(namespace, kubeconfigPath string,
+	awsConfig identitymanager.AwsConfig,
+	resyncTime time.Duration, useTLS bool) (*Controller, error) {
 	config, err := crdclient.NewKubeconfig(kubeconfigPath, &discoveryv1alpha1.GroupVersion, nil)
 	if err != nil {
 		return nil, err
@@ -114,7 +116,13 @@ func NewAuthServiceCtrl(namespace, kubeconfigPath string, resyncTime time.Durati
 	informerFactory.WaitForCacheSync(wait.NeverStop)
 
 	namespaceManager := tenantnamespace.NewTenantNamespaceManager(clientset)
-	idManager := identitymanager.NewCertificateIdentityManager(clientset, localClusterID, namespaceManager)
+
+	var idManager identitymanager.IdentityManager
+	if awsConfig.IsEmpty() {
+		idManager = identitymanager.NewCertificateIdentityManager(clientset, localClusterID, namespaceManager)
+	} else {
+		idManager = identitymanager.NewIAMIdentityManager(clientset, localClusterID, &awsConfig, namespaceManager)
+	}
 
 	return &Controller{
 		namespace:            namespace,

diff --git a/internal/auth-service/identity.go b/internal/auth-service/identity.go
@@ -89,7 +89,7 @@ func (authService *Controller) handleIdentity(
 	}
 
 	// issue certificate request
-	certificate, err := authService.identityManager.ApproveSigningRequest(
+	identityResponse, err := authService.identityManager.ApproveSigningRequest(
 		identityRequest.ClusterID, identityRequest.CertificateSigningRequest)
 	if err != nil {
 		klog.Error(err)
@@ -105,7 +105,7 @@ func (authService *Controller) handleIdentity(
 
 	// make the response to send to the remote cluster
 	response, err := auth.NewCertificateIdentityResponse(
-		namespace.Name, certificate, authService.getConfigProvider(), authService.clientset, authService.restConfig)
+		namespace.Name, &identityResponse, authService.getConfigProvider(), authService.clientset, authService.restConfig)
 	if err != nil {
 		klog.Error(err)
 		return nil, err

diff --git a/namespaceMapper.go b/namespaceMapper.go