[beta.2] service-account should be generated for kubectl aws plugins #92

Closed
abelanger5 opened this issue Oct 26, 2020 · 0 comments
Labels: server (Something's wrong with the Go server)

abelanger5 commented Oct 26, 2020

To connect with an EKS cluster in an out-of-cluster configuration, we will have to generate a bearer token that can be passed as part of the request to the EKS instance. The solution here is based on the following sources: [1], [2].

  1. Create an AWS IAM user named porter-dashboard. Get the credentials for this IAM user and create a new Porter service account that will use these credentials.

  2. Query the aws-auth ConfigMap in the Amazon EKS cluster that provides the mappings between IAM principals (roles/users) and Kubernetes subjects (Users/Groups). If the ConfigMap does not contain a mapping between the IAM user porter-dashboard and the correct Kubernetes subject, update the ConfigMap.

Note: this will grant the Porter service account the same level of access as the admin user, which we have enforced in other kubectl auth plugin implementations.

  3. During runtime, query the user model to retrieve a token, if one was previously generated. If this token is expired, perform steps 4-6. Otherwise, go to step 7.

  4. During runtime, configure the AWS Golang SDK to use a custom Config and create a session using this config.

  5. During runtime, use the NewGenerator function exposed by the aws-iam-authenticator to create an object that can generate the token.

  6. Use the generator.GetWithOptions method to generate a token, and save this token.

  7. Use the given token as a bearer token:

```go
// cluster is the EKS DescribeCluster result, tok is the token returned by
// generator.GetWithOptions, and ca is the decoded cluster certificate authority.
restConfigs := &rest.Config{
	Host:        aws.StringValue(cluster.Endpoint),
	BearerToken: tok.Token,
	TLSClientConfig: rest.TLSClientConfig{
		CAData: ca,
	},
}
```
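Added example, not code from this issue or from Porter: step 3's "is the stored token still valid?" check, written against the token format aws-iam-authenticator emits (prefix `k8s-aws-v1.` plus a base64url-encoded presigned STS GetCallerIdentity URL), using only the Go standard library. The sample token is constructed with placeholder credentials, and `gen` stands in for the real generator call.

```go
package main

import (
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
	"time"
)

// A token from aws-iam-authenticator is this prefix plus the presigned STS GetCallerIdentity URL,
// base64url-encoded without padding. STS accepts the URL for 15 minutes after X-Amz-Date
// (X-Amz-Expires is a legacy parameter that is ignored), so that is the real expiry.
const v1Prefix = "k8s-aws-v1."
const presignedURLLife = 15 * time.Minute

// tokenExpiry decodes a token, checks it really wraps an STS GetCallerIdentity request, and returns when STS stops accepting it.
func tokenExpiry(tok string) (time.Time, error) {
	if !strings.HasPrefix(tok, v1Prefix) {
		return time.Time{}, errors.New("not a k8s-aws-v1 token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(tok, v1Prefix))
	if err != nil {
		return time.Time{}, err
	}
	u, err := url.Parse(string(raw))
	if err != nil {
		return time.Time{}, err
	}
	q := u.Query()
	if u.Scheme != "https" || !strings.HasPrefix(u.Host, "sts.") || q.Get("Action") != "GetCallerIdentity" {
		return time.Time{}, errors.New("token does not wrap an STS GetCallerIdentity request")
	}
	signedAt, err := time.Parse("20060102T150405Z", q.Get("X-Amz-Date"))
	if err != nil {
		return time.Time{}, err
	}
	return signedAt.Add(presignedURLLife), nil
}

// cachedToken is step 3: reuse the stored token while it has at least a minute left, else call gen (assumed stand-in for the generator).
func cachedToken(stored string, now time.Time, gen func() (string, error)) (string, error) {
	if exp, err := tokenExpiry(stored); err == nil && now.Add(time.Minute).Before(exp) {
		return stored, nil
	}
	return gen()
}

// Constructed sample input: placeholder access key id and signature, not real credentials.
const sampleURL = "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15" +
	"&X-Amz-Credential=AKIAPLACEHOLDER%2F20201026%2Fus-east-1%2Fsts%2Faws4_request&X-Amz-Date=20201026T120000Z" +
	"&X-Amz-Expires=60&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id&X-Amz-Signature=placeholder"

func sampleToken() string { return v1Prefix + base64.RawURLEncoding.EncodeToString([]byte(sampleURL)) }
```

A stored token that fails tokenExpiry (wrong prefix, undecodable, or not an STS GetCallerIdentity URL) is treated as expired and regenerated rather than reused.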
@abelanger5 abelanger5 self-assigned this Oct 26, 2020
@abelanger5 abelanger5 added the server Something's wrong with the Go server label Oct 26, 2020
@abelanger5 abelanger5 added this to To do in Porter Roadmap via automation Oct 26, 2020
@abelanger5 abelanger5 added this to the Beta 2 Release milestone Oct 26, 2020
Porter Roadmap automation moved this from To do to Done Nov 16, 2020