Add new certManager config option.

This options adds needed policies to be able to deploy a certificate manager.
eksctl-io · Jun 17, 2019 · e35dc29 · e35dc29
1 parent 68288b2
commit e35dc29
Show file tree

Hide file tree

Showing 9 changed files with 111 additions and 30 deletions.
diff --git a/pkg/apis/eksctl.io/v1alpha5/defaults.go b/pkg/apis/eksctl.io/v1alpha5/defaults.go
@@ -65,6 +65,9 @@ func SetNodeGroupDefaults(_ int, ng *NodeGroup) error {
 	if ng.IAM.WithAddonPolicies.ExternalDNS == nil {
 		ng.IAM.WithAddonPolicies.ExternalDNS = Disabled()
 	}
+	if ng.IAM.WithAddonPolicies.CertManager == nil {
+		ng.IAM.WithAddonPolicies.CertManager = Disabled()
+	}
 	if ng.IAM.WithAddonPolicies.ALBIngress == nil {
 		ng.IAM.WithAddonPolicies.ALBIngress = Disabled()
 	}

diff --git a/pkg/apis/eksctl.io/v1alpha5/types.go b/pkg/apis/eksctl.io/v1alpha5/types.go
@@ -350,6 +350,7 @@ func (c *ClusterConfig) NewNodeGroup() *NodeGroup {
 				ImageBuilder: Disabled(),
 				AutoScaler:   Disabled(),
 				ExternalDNS:  Disabled(),
+				CertManager:  Disabled(),
 				AppMesh:      Disabled(),
 				EBS:          Disabled(),
 				FSX:          Disabled(),
@@ -471,6 +472,8 @@ type (
 		// +optional
 		ExternalDNS *bool `json:"externalDNS"`
 		// +optional
+		CertManager *bool `json:"certManager"`
+		// +optional
 		AppMesh *bool `json:"appMesh"`
 		// +optional
 		EBS *bool `json:"ebs"`

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -22,6 +22,9 @@ func validateNodeGroupIAM(i int, ng *NodeGroup, value, fieldName, path string) e
 		if IsEnabled(ng.IAM.WithAddonPolicies.ExternalDNS) {
 			return fmt.Errorf("%s.withAddonPolicies.externalDNS cannot be set at the same time", p)
 		}
+		if IsEnabled(ng.IAM.WithAddonPolicies.CertManager) {
+			return fmt.Errorf("%s.withAddonPolicies.certManager cannot be set at the same time", p)
+		}
 		if IsEnabled(ng.IAM.WithAddonPolicies.ImageBuilder) {
 			return fmt.Errorf("%s.imageBuilder cannot be set at the same time", p)
 		}

diff --git a/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go b/pkg/apis/eksctl.io/v1alpha5/zz_generated.deepcopy.go
diff --git a/pkg/cfn/builder/api_test.go b/pkg/cfn/builder/api_test.go
@@ -408,6 +408,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 							ImageBuilder: api.Disabled(),
 							AutoScaler:   api.Disabled(),
 							ExternalDNS:  api.Disabled(),
+							CertManager:  api.Disabled(),
 							AppMesh:      api.Disabled(),
 							EBS:          api.Disabled(),
 							FSX:          api.Disabled(),
@@ -874,39 +875,83 @@ var _ = Describe("CloudFormation template builder API", func() {
 			Expect(policy2.PolicyDocument.Statement[0].Action).To(Equal([]string{
 				"route53:ListHostedZones",
 				"route53:ListResourceRecordSets",
-				"route53:ListHostedZonesByName",
 			}))
 
-			Expect(ngTemplate.Resources).To(HaveKey("PolicyExternalDNSGetChange"))
+			Expect(ngTemplate.Resources).To(HaveKey("PolicyAppMesh"))
 
-			policy3 := ngTemplate.Resources["PolicyExternalDNSGetChange"].Properties
+			policy3 := ngTemplate.Resources["PolicyAppMesh"].Properties
 
 			Expect(policy3.Roles).To(HaveLen(1))
 			isRefTo(policy3.Roles[0], "NodeInstanceRole")
 
 			Expect(policy3.PolicyDocument.Statement).To(HaveLen(1))
 			Expect(policy3.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
-			Expect(policy3.PolicyDocument.Statement[0].Resource).To(Equal("arn:aws:route53:::change/*"))
+			Expect(policy3.PolicyDocument.Statement[0].Resource).To(Equal("*"))
 			Expect(policy3.PolicyDocument.Statement[0].Action).To(Equal([]string{
-				"route53:GetChange",
+				"appmesh:*",
 			}))
 
-			Expect(ngTemplate.Resources).To(HaveKey("PolicyAppMesh"))
+			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyEBS"))
+			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyAutoScaling"))
+		})
+
+	})
+
+	Context("NodeGroupAppCertManager", func() {
+		cfg, ng := newClusterConfigAndNodegroup(true)
 
-			policy4 := ngTemplate.Resources["PolicyAppMesh"].Properties
+		ng.IAM.WithAddonPolicies.CertManager = api.Enabled()
 
-			Expect(policy4.Roles).To(HaveLen(1))
-			isRefTo(policy4.Roles[0], "NodeInstanceRole")
+		build(cfg, "eksctl-test-cert-manager-cluster", ng)
 
-			Expect(policy4.PolicyDocument.Statement).To(HaveLen(1))
-			Expect(policy4.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
-			Expect(policy4.PolicyDocument.Statement[0].Resource).To(Equal("*"))
-			Expect(policy4.PolicyDocument.Statement[0].Action).To(Equal([]string{
-				"appmesh:*",
+		roundtrip()
+
+		It("should have correct policies", func() {
+			Expect(ngTemplate.Resources).ToNot(BeEmpty())
+
+			Expect(ngTemplate.Resources).To(HaveKey("PolicyExternalDNSChangeSet"))
+
+			policy1 := ngTemplate.Resources["PolicyExternalDNSChangeSet"].Properties
+
+			Expect(policy1.Roles).To(HaveLen(1))
+			isRefTo(policy1.Roles[0], "NodeInstanceRole")
+
+			Expect(policy1.PolicyDocument.Statement).To(HaveLen(1))
+			Expect(policy1.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(policy1.PolicyDocument.Statement[0].Resource).To(Equal("arn:aws:route53:::hostedzone/*"))
+			Expect(policy1.PolicyDocument.Statement[0].Action).To(Equal([]string{
+				"route53:ChangeResourceRecordSets",
 			}))
 
-			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyEBS"))
-			Expect(ngTemplate.Resources).ToNot(HaveKey("PolicyAutoScaling"))
+			Expect(ngTemplate.Resources).To(HaveKey("PolicyExternalDNSHostedZones"))
+
+			policy2 := ngTemplate.Resources["PolicyExternalDNSHostedZones"].Properties
+
+			Expect(policy2.Roles).To(HaveLen(1))
+			isRefTo(policy2.Roles[0], "NodeInstanceRole")
+
+			Expect(policy2.PolicyDocument.Statement).To(HaveLen(1))
+			Expect(policy2.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(policy2.PolicyDocument.Statement[0].Resource).To(Equal("*"))
+			Expect(policy2.PolicyDocument.Statement[0].Action).To(Equal([]string{
+				"route53:ListHostedZones",
+				"route53:ListResourceRecordSets",
+				"route53:ListHostedZonesByName",
+			}))
+
+			Expect(ngTemplate.Resources).To(HaveKey("PolicyExternalDNSGetChange"))
+
+			policy3 := ngTemplate.Resources["PolicyExternalDNSGetChange"].Properties
+
+			Expect(policy3.Roles).To(HaveLen(1))
+			isRefTo(policy3.Roles[0], "NodeInstanceRole")
+
+			Expect(policy3.PolicyDocument.Statement).To(HaveLen(1))
+			Expect(policy3.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(policy3.PolicyDocument.Statement[0].Resource).To(Equal("arn:aws:route53:::change/*"))
+			Expect(policy3.PolicyDocument.Statement[0].Action).To(Equal([]string{
+				"route53:GetChange",
+			}))
 		})
 
 	})

diff --git a/pkg/cfn/builder/iam.go b/pkg/cfn/builder/iam.go
@@ -203,7 +203,7 @@ func (n *NodeGroupResourceSet) addResourcesForIAM() {
 		)
 	}
 
-	if api.IsEnabled(n.spec.IAM.WithAddonPolicies.ExternalDNS) {
+	if api.IsEnabled(n.spec.IAM.WithAddonPolicies.CertManager) {
 		n.rs.attachAllowPolicy("PolicyExternalDNSChangeSet", refIR, "arn:aws:route53:::hostedzone/*",
 			[]string{
 				"route53:ChangeResourceRecordSets",
@@ -221,8 +221,21 @@ func (n *NodeGroupResourceSet) addResourcesForIAM() {
 				"route53:GetChange",
 			},
 		)
+	} else if api.IsEnabled(n.spec.IAM.WithAddonPolicies.ExternalDNS) {
+		n.rs.attachAllowPolicy("PolicyExternalDNSChangeSet", refIR, "arn:aws:route53:::hostedzone/*",
+			[]string{
+				"route53:ChangeResourceRecordSets",
+			},
+		)
+		n.rs.attachAllowPolicy("PolicyExternalDNSHostedZones", refIR, "*",
+			[]string{
+				"route53:ListHostedZones",
+				"route53:ListResourceRecordSets",
+			},
+		)
 	}
 
+
 	if api.IsEnabled(n.spec.IAM.WithAddonPolicies.AppMesh) {
 		n.rs.attachAllowPolicy("PolicyAppMesh", refIR, "*",
 			[]string{

diff --git a/pkg/ctl/cmdutils/configfile.go b/pkg/ctl/cmdutils/configfile.go
@@ -134,6 +134,7 @@ func NewCreateClusterLoader(rc *ResourceCmd, ngFilter *NodeGroupFilter) ClusterC
 		"node-zones",
 		"asg-access",
 		"external-dns-access",
+		"cert-manager-access",
 		"full-ecr-access",
 		"storage-class",
 		"vpc-private-subnets",
@@ -210,6 +211,7 @@ func NewCreateNodeGroupLoader(rc *ResourceCmd, ngFilter *NodeGroupFilter) Cluste
 		"node-zones",
 		"asg-access",
 		"external-dns-access",
+		"cert-manager-access",
 		"full-ecr-access",
 	)
 

diff --git a/pkg/ctl/cmdutils/nodegroup_filter_test.go b/pkg/ctl/cmdutils/nodegroup_filter_test.go
@@ -340,6 +340,7 @@ const expected = `
 			  		"imageBuilder": false,
 			  		"autoScaler": false,
 			  		"externalDNS": false,
+			  		"certManager": false,
 			  		"appMesh": false,
 			  		"ebs": false,
 			  		"fsx": false,
@@ -377,6 +378,7 @@ const expected = `
 			  		"imageBuilder": false,
 			  		"autoScaler": false,
 			  		"externalDNS": false,
+			  		"certManager": false,
 			  		"appMesh": false,
 			  		"ebs": false,
 			  		"fsx": false,
@@ -412,6 +414,7 @@ const expected = `
 			  	"imageBuilder": false,
 			  	"autoScaler": false,
 			  	"externalDNS": false,
+			  	"certManager": false,
 			  	"appMesh": false,
 			  	"ebs": false,
 			  	"fsx": false,
@@ -448,6 +451,7 @@ const expected = `
 			  	  "imageBuilder": false,
 			  	  "autoScaler": false,
 			  	  "externalDNS": false,
+			  	  "certManager": false,
 			  	  "appMesh": false,
 			  	  "ebs": false,
 			  	  "fsx": false,
@@ -486,6 +490,7 @@ const expected = `
 			  	  "imageBuilder": false,
 			  	  "autoScaler": false,
 			  	  "externalDNS": false,
+			  	  "certManager": false,
 			  	  "appMesh": false,
 			  	  "ebs": false,
 			  	  "fsx": false,
@@ -525,6 +530,7 @@ const expected = `
 			  	  "imageBuilder": false,
 			  	  "autoScaler": false,
 			  	  "externalDNS": false,
+			  	  "certManager": false,
 			  	  "appMesh": false,
 			  	  "ebs": false,
 			  	  "fsx": false,

diff --git a/site/content/usage/09-iam-policies.md b/site/content/usage/09-iam-policies.md
@@ -14,25 +14,26 @@ nodeGroups:
     desiredCapacity: 1
     iam:
       withAddonPolicies:
-        imageBuilder: true        
-        autoScaler: true        
-        externalDNS: true        
-        appMesh: true        
-        ebs: true        
-        fsx: true        
-        efs: true        
-        albIngress: true        
-        xRay: true        
-        cloudWatch: true        
+        imageBuilder: true
+        autoScaler: true
+        externalDNS: true
+        certManager: true
+        appMesh: true
+        ebs: true
+        fsx: true
+        efs: true
+        albIngress: true
+        xRay: true
+        cloudWatch: true
 ```
 ### Image Builder Policy
 
-The `imageBuilder` policy allows for full ECR (Elastic Container Registry) access. This is useful for building, for 
+The `imageBuilder` policy allows for full ECR (Elastic Container Registry) access. This is useful for building, for
 example, a CI server that needs to push images to ECR.
 
 ### EBS Policy
 
-The `ebs` policy enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver. 
+The `ebs` policy enables the new EBS CSI (Elastic Block Store Container Storage Interface) driver.
 
 [comment]: <> (TODO: One section per addon and brief explanation of what it is )
 
@@ -71,7 +72,7 @@ nodeGroups:
         autoScaler: true
         imageBuilder: true
 ```
-*Important*: if a nodegroup includes the `attachPolicyARNs` it must also include the default node policies, like in 
+*Important*: if a nodegroup includes the `attachPolicyARNs` it must also include the default node policies, like in
 this example (`AmazonEKSWorkerNodePolicy` and `AmazonEKS_CNI_Policy`).
 
 [comment]: <> (TODO find better example and explain more)