Merge pull request #885 from Yannig/cert-manager

Enable policies for cert-manager.
eksctl-io · Jun 17, 2019 · 2bc4479 · 2bc4479
2 parents ac4e946 + 2e0924a
commit 2bc4479
Show file tree

Hide file tree

Showing 9 changed files with 115 additions and 14 deletions.
diff --git a/humans.txt b/humans.txt
@@ -43,6 +43,7 @@ Paul Maddox             @paulmaddox
 Patrick Spek            @tyil
 Martina Iglesias        @martina-if
 Alfonso Acosta          @2opremio
+Yannig Perré            @Yannig
 
 /* Thanks */
 

diff --git a/pkg/apis/eksctl.io/v1alpha5/defaults.go b/pkg/apis/eksctl.io/v1alpha5/defaults.go
@@ -65,6 +65,9 @@ func SetNodeGroupDefaults(_ int, ng *NodeGroup) error {
 	if ng.IAM.WithAddonPolicies.ExternalDNS == nil {
 		ng.IAM.WithAddonPolicies.ExternalDNS = Disabled()
 	}
+	if ng.IAM.WithAddonPolicies.CertManager == nil {
+		ng.IAM.WithAddonPolicies.CertManager = Disabled()
+	}
 	if ng.IAM.WithAddonPolicies.ALBIngress == nil {
 		ng.IAM.WithAddonPolicies.ALBIngress = Disabled()
 	}

diff --git a/pkg/apis/eksctl.io/v1alpha5/types.go b/pkg/apis/eksctl.io/v1alpha5/types.go
@@ -350,6 +350,7 @@ func (c *ClusterConfig) NewNodeGroup() *NodeGroup {
 				ImageBuilder: Disabled(),
 				AutoScaler:   Disabled(),
 				ExternalDNS:  Disabled(),
+				CertManager:  Disabled(),
 				AppMesh:      Disabled(),
 				EBS:          Disabled(),
 				FSX:          Disabled(),
@@ -471,6 +472,8 @@ type (
 		// +optional
 		ExternalDNS *bool `json:"externalDNS"`
 		// +optional
+		CertManager *bool `json:"certManager"`
+		// +optional
 		AppMesh *bool `json:"appMesh"`
 		// +optional
 		EBS *bool `json:"ebs"`

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -22,6 +22,9 @@ func validateNodeGroupIAM(i int, ng *NodeGroup, value, fieldName, path string) e
 		if IsEnabled(ng.IAM.WithAddonPolicies.ExternalDNS) {
 			return fmt.Errorf("%s.withAddonPolicies.externalDNS cannot be set at the same time", p)
 		}
+		if IsEnabled(ng.IAM.WithAddonPolicies.CertManager) {
+			return fmt.Errorf("%s.withAddonPolicies.certManager cannot be set at the same time", p)
+		}
 		if IsEnabled(ng.IAM.WithAddonPolicies.ImageBuilder) {
 			return fmt.Errorf("%s.imageBuilder cannot be set at the same time", p)
 		}

diff --git a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go
diff --git a/pkg/cfn/builder/api_test.go b/pkg/cfn/builder/api_test.go
@@ -408,6 +408,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 							ImageBuilder: api.Disabled(),
 							AutoScaler:   api.Disabled(),
 							ExternalDNS:  api.Disabled(),
+							CertManager:  api.Disabled(),
 							AppMesh:      api.Disabled(),
 							EBS:          api.Disabled(),
 							FSX:          api.Disabled(),
@@ -896,6 +897,65 @@ var _ = Describe("CloudFormation template builder API", func() {
 
 	})
 
+	Context("NodeGroupAppCertManager", func() {
+		cfg, ng := newClusterConfigAndNodegroup(true)
+
+		ng.IAM.WithAddonPolicies.CertManager = api.Enabled()
+
+		build(cfg, "eksctl-test-cert-manager-cluster", ng)
+
+		roundtrip()
+
+		It("should have correct policies", func() {
+			Expect(ngTemplate.Resources).ToNot(BeEmpty())
+
+			Expect(ngTemplate.Resources).To(HaveKey("PolicyCertManagerChangeSet"))
+
+			policy1 := ngTemplate.Resources["PolicyCertManagerChangeSet"].Properties
+
+			Expect(policy1.Roles).To(HaveLen(1))
+			isRefTo(policy1.Roles[0], "NodeInstanceRole")
+
+			Expect(policy1.PolicyDocument.Statement).To(HaveLen(1))
+			Expect(policy1.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(policy1.PolicyDocument.Statement[0].Resource).To(Equal("arn:aws:route53:::hostedzone/*"))
+			Expect(policy1.PolicyDocument.Statement[0].Action).To(Equal([]string{
+				"route53:ChangeResourceRecordSets",
+			}))
+
+			Expect(ngTemplate.Resources).To(HaveKey("PolicyCertManagerHostedZones"))
+
+			policy2 := ngTemplate.Resources["PolicyCertManagerHostedZones"].Properties
+
+			Expect(policy2.Roles).To(HaveLen(1))
+			isRefTo(policy2.Roles[0], "NodeInstanceRole")
+
+			Expect(policy2.PolicyDocument.Statement).To(HaveLen(1))
+			Expect(policy2.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(policy2.PolicyDocument.Statement[0].Resource).To(Equal("*"))
+			Expect(policy2.PolicyDocument.Statement[0].Action).To(Equal([]string{
+				"route53:ListHostedZones",
+				"route53:ListResourceRecordSets",
+				"route53:ListHostedZonesByName",
+			}))
+
+			Expect(ngTemplate.Resources).To(HaveKey("PolicyCertManagerGetChange"))
+
+			policy3 := ngTemplate.Resources["PolicyCertManagerGetChange"].Properties
+
+			Expect(policy3.Roles).To(HaveLen(1))
+			isRefTo(policy3.Roles[0], "NodeInstanceRole")
+
+			Expect(policy3.PolicyDocument.Statement).To(HaveLen(1))
+			Expect(policy3.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(policy3.PolicyDocument.Statement[0].Resource).To(Equal("arn:aws:route53:::change/*"))
+			Expect(policy3.PolicyDocument.Statement[0].Action).To(Equal([]string{
+				"route53:GetChange",
+			}))
+		})
+
+	})
+
 	Context("NodeGroupALBIngress", func() {
 		cfg, ng := newClusterConfigAndNodegroup(true)
 

diff --git a/pkg/cfn/builder/iam.go b/pkg/cfn/builder/iam.go
@@ -203,7 +203,25 @@ func (n *NodeGroupResourceSet) addResourcesForIAM() {
 		)
 	}
 
-	if api.IsEnabled(n.spec.IAM.WithAddonPolicies.ExternalDNS) {
+	if api.IsEnabled(n.spec.IAM.WithAddonPolicies.CertManager) {
+		n.rs.attachAllowPolicy("PolicyCertManagerChangeSet", refIR, "arn:aws:route53:::hostedzone/*",
+			[]string{
+				"route53:ChangeResourceRecordSets",
+			},
+		)
+		n.rs.attachAllowPolicy("PolicyCertManagerHostedZones", refIR, "*",
+			[]string{
+				"route53:ListHostedZones",
+				"route53:ListResourceRecordSets",
+				"route53:ListHostedZonesByName",
+			},
+		)
+		n.rs.attachAllowPolicy("PolicyCertManagerGetChange", refIR, "arn:aws:route53:::change/*",
+			[]string{
+				"route53:GetChange",
+			},
+		)
+	} else if api.IsEnabled(n.spec.IAM.WithAddonPolicies.ExternalDNS) {
 		n.rs.attachAllowPolicy("PolicyExternalDNSChangeSet", refIR, "arn:aws:route53:::hostedzone/*",
 			[]string{
 				"route53:ChangeResourceRecordSets",
@@ -217,6 +235,7 @@ func (n *NodeGroupResourceSet) addResourcesForIAM() {
 		)
 	}
 
+
 	if api.IsEnabled(n.spec.IAM.WithAddonPolicies.AppMesh) {
 		n.rs.attachAllowPolicy("PolicyAppMesh", refIR, "*",
 			[]string{

diff --git a/pkg/ctl/cmdutils/nodegroup_filter_test.go b/pkg/ctl/cmdutils/nodegroup_filter_test.go
@@ -340,6 +340,7 @@ const expected = `
 			  		"imageBuilder": false,
 			  		"autoScaler": false,
 			  		"externalDNS": false,
+			  		"certManager": false,
 			  		"appMesh": false,
 			  		"ebs": false,
 			  		"fsx": false,
@@ -377,6 +378,7 @@ const expected = `
 			  		"imageBuilder": false,
 			  		"autoScaler": false,
 			  		"externalDNS": false,
+			  		"certManager": false,
 			  		"appMesh": false,
 			  		"ebs": false,
 			  		"fsx": false,
@@ -412,6 +414,7 @@ const expected = `
 			  	"imageBuilder": false,
 			  	"autoScaler": false,
 			  	"externalDNS": false,
+			  	"certManager": false,
 			  	"appMesh": false,
 			  	"ebs": false,
 			  	"fsx": false,
@@ -448,6 +451,7 @@ const expected = `
 			  	  "imageBuilder": false,
 			  	  "autoScaler": false,
 			  	  "externalDNS": false,
+			  	  "certManager": false,
 			  	  "appMesh": false,
 			  	  "ebs": false,
 			  	  "fsx": false,
@@ -486,6 +490,7 @@ const expected = `
 			  	  "imageBuilder": false,
 			  	  "autoScaler": false,
 			  	  "externalDNS": false,
+			  	  "certManager": false,
 			  	  "appMesh": false,
 			  	  "ebs": false,
 			  	  "fsx": false,
@@ -525,6 +530,7 @@ const expected = `
 			  	  "imageBuilder": false,
 			  	  "autoScaler": false,
 			  	  "externalDNS": false,
+			  	  "certManager": false,
 			  	  "appMesh": false,
 			  	  "ebs": false,
 			  	  "fsx": false,

diff --git a/site/content/usage/09-iam-policies.md b/site/content/usage/09-iam-policies.md
@@ -14,25 +14,26 @@ nodeGroups:
     desiredCapacity: 1
     iam:
       withAddonPolicies:
-        imageBuilder: true        
-        autoScaler: true        
-        externalDNS: true        
-        appMesh: true        
-        ebs: true        
-        fsx: true        
-        efs: true        
-        albIngress: true        
-        xRay: true        
-        cloudWatch: true        
+        imageBuilder: true
+        autoScaler: true
+        externalDNS: true
+        certManager: true
+        appMesh: true
+        ebs: true
+        fsx: true
+        efs: true
+        albIngress: true
+        xRay: true
+        cloudWatch: true
 ```
 ### Image Builder Policy
 
-The `imageBuilder` policy allows for full ECR (Elastic Container Registry) access. This is useful for building, for 
+The `imageBuilder` policy allows for full ECR (Elastic Container Registry) access. This is useful for building, for
 example, a CI server that needs to push images to ECR.
 
 ### EBS Policy
 
-The `ebs` policy enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver. 
+The `ebs` policy enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver.
 
 [comment]: <> (TODO: One section per addon and brief explanation of what it is )
 
@@ -71,7 +72,7 @@ nodeGroups:
         autoScaler: true
         imageBuilder: true
 ```
-*Important*: if a nodegroup includes the `attachPolicyARNs` it must also include the default node policies, like in 
+*Important*: if a nodegroup includes the `attachPolicyARNs` it must also include the default node policies, like in
 this example (`AmazonEKSWorkerNodePolicy` and `AmazonEKS_CNI_Policy`).
 
 [comment]: <> (TODO find better example and explain more)