Add IRSA Support to Self Managed Clusters #4094

7 changes: 7 additions & 0 deletions api/v1beta1/awscluster_conversion.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ package v1beta1

import (
apiconversion "k8s.io/apimachinery/pkg/conversion"
"sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
infrav2 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
utilconversion "sigs.k8s.io/cluster-api/util/conversion"
"sigs.k8s.io/controller-runtime/pkg/conversion"
Expand Down Expand Up @@ -50,6 +51,8 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
dst.Status.Bastion.PlacementGroupName = restored.Status.Bastion.PlacementGroupName
}
dst.Spec.Partition = restored.Spec.Partition
dst.Spec.AssociateOIDCProvider = restored.Spec.AssociateOIDCProvider
dst.Status.OIDCProvider = restored.Status.OIDCProvider

for role, sg := range restored.Status.Network.SecurityGroups {
dst.Status.Network.SecurityGroups[role] = sg
Expand Down Expand Up @@ -170,3 +173,7 @@ func (r *AWSClusterList) ConvertFrom(srcRaw conversion.Hub) error {
func Convert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in *infrav2.SubnetSpec, out *SubnetSpec, s apiconversion.Scope) error {
return autoConvert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec(in, out, s)
}

func Convert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in *v1beta2.AWSClusterStatus, out *AWSClusterStatus, scope apiconversion.Scope) error {
return autoConvert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in, out, scope)
}
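Review bot: The new `Convert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus` at the end of the hunk takes `*v1beta2.AWSClusterStatus` through a second, unaliased import of a package the file already imports as `infrav2`, so `sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2` is now imported twice (the compiler accepts it, but staticcheck ST1019 flags it and it reads as two different packages). Use the existing alias, `func Convert_v1beta2_AWSClusterStatus_To_v1beta1_AWSClusterStatus(in *infrav2.AWSClusterStatus, out *AWSClusterStatus, scope apiconversion.Scope) error {`, and drop the unaliased import line, matching the sibling `Convert_v1beta2_SubnetSpec_To_v1beta1_SubnetSpec` directly above. A one-line comment on the wrapper saying why it is hand-written — presumably because `Status.OIDCProvider` has no v1beta1 counterpart and conversion-gen cannot emit the function on its own — would spare the next person who regenerates from wondering whether it can be deleted.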
19 changes: 9 additions & 10 deletions api/v1beta1/conversion_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,8 @@ package v1beta1
import (
"testing"

. "github.com/onsi/gomega"

fuzz "github.com/google/gofuzz"
. "github.com/onsi/gomega"
"k8s.io/apimachinery/pkg/api/apitesting/fuzzer"
"k8s.io/apimachinery/pkg/runtime"
runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
Expand All @@ -38,7 +37,7 @@ func fuzzFuncs(_ runtimeserializer.CodecFactory) []interface{} {

func AWSMachineFuzzer(obj *AWSMachine, c fuzz.Continue) {
c.FuzzNoCustom(obj)

// AWSMachine.Spec.FailureDomain, AWSMachine.Spec.Subnet.ARN and AWSMachine.Spec.AdditionalSecurityGroups.ARN has been removed in v1beta2, so setting it to nil in order to avoid v1beta1 --> v1beta2 --> v1beta1 round trip errors.
if obj.Spec.Subnet != nil {
obj.Spec.Subnet.ARN = nil
Expand All @@ -54,7 +53,7 @@ func AWSMachineFuzzer(obj *AWSMachine, c fuzz.Continue) {

func AWSMachineTemplateFuzzer(obj *AWSMachineTemplate, c fuzz.Continue) {
c.FuzzNoCustom(obj)

// AWSMachineTemplate.Spec.Template.Spec.FailureDomain, AWSMachineTemplate.Spec.Template.Spec.Subnet.ARN and AWSMachineTemplate.Spec.Template.Spec.AdditionalSecurityGroups.ARN has been removed in v1beta2, so setting it to nil in order to avoid v1beta1 --> v1beta2 --> v1beta round trip errors.
if obj.Spec.Template.Spec.Subnet != nil {
obj.Spec.Template.Spec.Subnet.ARN = nil
Expand All @@ -81,16 +80,16 @@ func TestFuzzyConversion(t *testing.T) {
}))

t.Run("for AWSMachine", utilconversion.FuzzTestFunc(utilconversion.FuzzTestFuncInput{
Scheme: scheme,
Hub: &v1beta2.AWSMachine{},
Spoke: &AWSMachine{},
Scheme: scheme,
Hub: &v1beta2.AWSMachine{},
Spoke: &AWSMachine{},
FuzzerFuncs: []fuzzer.FuzzerFuncs{fuzzFuncs},
}))

t.Run("for AWSMachineTemplate", utilconversion.FuzzTestFunc(utilconversion.FuzzTestFuncInput{
Scheme: scheme,
Hub: &v1beta2.AWSMachineTemplate{},
Spoke: &AWSMachineTemplate{},
Scheme: scheme,
Hub: &v1beta2.AWSMachineTemplate{},
Spoke: &AWSMachineTemplate{},
FuzzerFuncs: []fuzzer.FuzzerFuncs{fuzzFuncs},
}))

Expand Down
8 changes: 0 additions & 8 deletions api/v1beta1/s3bucket.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,6 @@ import (
"net"

"k8s.io/apimachinery/pkg/util/validation/field"

"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
)

// Validate validates S3Bucket fields.
Expand All @@ -37,12 +35,6 @@ func (b *S3Bucket) Validate() []*field.Error {
errs = append(errs, field.Required(field.NewPath("spec", "s3Bucket", "name"), "can't be empty"))
}

// Feature gate is not enabled but ignition is enabled then send a forbidden error.
if !feature.Gates.Enabled(feature.BootstrapFormatIgnition) {
errs = append(errs, field.Forbidden(field.NewPath("spec", "s3Bucket"),
"can be set only if the BootstrapFormatIgnition feature gate is enabled"))
}

if b.ControlPlaneIAMInstanceProfile == "" {
errs = append(errs,
field.Required(field.NewPath("spec", "s3Bucket", "controlPlaneIAMInstanceProfiles"), "can't be empty"))
Expand Down
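Review bot: The hunk removes the `BootstrapFormatIgnition` gate from `S3Bucket.Validate` wholesale rather than narrowing it, so a v1beta1 `spec.s3Bucket` is now accepted even when neither Ignition nor IRSA is in play, while the remaining checks (bucket name, `controlPlaneIAMInstanceProfiles`, and whatever follows the hunk) still treat it purely as an Ignition bucket. The v1beta1 type has no `AssociateOIDCProvider` field, so the natural replacement — forbid the bucket unless the gate is on or IRSA is requested — cannot be expressed here; if the intent is that the v1beta2 validator (not visible in this chunk) is the one enforcing that rule on the hub version, say so where the check used to be, e.g. `// Feature-gate enforcement for the Ignition use case lives in the v1beta2 validator; the bucket may also be used for IRSA.`, otherwise keep the Forbidden error. `Validate` continues outside the hunk.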
17 changes: 7 additions & 10 deletions api/v1beta1/zz_generated.conversion.go


15 changes: 13 additions & 2 deletions api/v1beta2/awscluster_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -96,11 +96,18 @@ type AWSClusterSpec struct {
IdentityRef *AWSIdentityReference `json:"identityRef,omitempty"`

// S3Bucket contains options to configure a supporting S3 bucket for this
// cluster - currently used for nodes requiring Ignition
// cluster - Used for nodes requiring Ignition
// (https://coreos.github.io/ignition/) for bootstrapping (requires
// BootstrapFormatIgnition feature flag to be enabled).
// BootstrapFormatIgnition feature flag to be enabled) and for storing OIDC endpoint
// certificates for use with IRSA
// +optional
S3Bucket *S3Bucket `json:"s3Bucket,omitempty"`

// AssociateOIDCProvider can be enabled to automatically create an identity
// provider and install the pod identity webhook from AWS for use with IRSA.
// This will only work if the S3Bucket is configured properly.
// +kubebuilder:default=false
AssociateOIDCProvider bool `json:"associateOIDCProvider,omitempty"`
}

// AWSIdentityKind defines allowed AWS identity types.
Expand Down Expand Up @@ -255,6 +262,10 @@ type AWSClusterStatus struct {
FailureDomains clusterv1.FailureDomains `json:"failureDomains,omitempty"`
Bastion *Instance `json:"bastion,omitempty"`
Conditions clusterv1.Conditions `json:"conditions,omitempty"`

// OIDCProvider holds the status of the identity provider for this cluster
// +optional
OIDCProvider OIDCProviderStatus `json:"oidcProvider,omitempty"`
}

type S3Bucket struct {
Expand Down
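Review bot: `OIDCProvider OIDCProviderStatus` is a struct value, so the `omitempty` on its tag has no effect — encoding/json never omits a non-pointer struct — and every AWSCluster status will now serialize an `oidcProvider: {}` element even when IRSA is off; either make the field `*OIDCProviderStatus` or drop `omitempty` so the tag says what it does. The doc comment on `AssociateOIDCProvider` should also state what an operator is opting into: the S3 permissions added in the same PR (`s3:PutObjectAcl`, `s3:PutBucketPublicAccessBlock`, `s3:PutBucketOwnershipControls`) suggest the OIDC discovery document and JWKS are published publicly from the bucket so IAM can fetch them — confirm and document that, replace "configured properly" with the concrete requirement, and say what happens to existing IRSA workloads if the flag is later set back to false (is the provider deleted?). `AWSClusterSpec` and `AWSClusterStatus` both extend outside the hunk.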
8 changes: 8 additions & 0 deletions api/v1beta2/conditions_consts.go
Original file line number Diff line number Diff line change
Expand Up @@ -173,3 +173,11 @@ const (
// S3BucketFailedReason is used when any errors occur during reconciliation of an S3 bucket.
S3BucketFailedReason = "S3BucketCreationFailed"
)

const (
// OIDCProviderReadyCondition indicates that the OIDC provider has been created successfully.
OIDCProviderReadyCondition = "OIDCProviderCreated"

// OIDCProviderReconciliationFailedReason is used if we can't reconcile the OIDC provider.
OIDCProviderReconciliationFailedReason = "OIDCProviderReconciliationFailed"
)
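Review bot: `OIDCProviderReadyCondition` is declared as an untyped string whose value is `"OIDCProviderCreated"`, so the name says Ready while the value says Created, and the reason constant below it follows the `*Reason` pattern while this one does not follow the `*ReadyCondition` pattern of the existing condition types. Suggest `OIDCProviderReadyCondition clusterv1.ConditionType = "OIDCProviderReady"` (presumably the type the other condition constants in this file use — only reason constants are visible in the hunk) so name, value and type agree, and fold the two new constants into the existing `const (...)` block rather than opening a second one. The comment should also say whether the condition covers only the IAM provider in the AWS account or also the pod identity webhook install mentioned in the spec docs, since a reader of `status.conditions` will assume the former.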
8 changes: 8 additions & 0 deletions api/v1beta2/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -407,3 +407,11 @@ const (
// AmazonLinuxGPU is the AmazonLinux GPU AMI type.
AmazonLinuxGPU EKSAMILookupType = "AmazonLinuxGPU"
)

// OIDCProviderStatus holds the status of the AWS OIDC identity provider.
type OIDCProviderStatus struct {
// ARN holds the ARN of the provider
ARN string `json:"arn,omitempty"`
// TrustPolicy contains the boilerplate IAM trust policy to use for IRSA
TrustPolicy string `json:"trustPolicy,omitempty"`
}
16 changes: 16 additions & 0 deletions api/v1beta2/zz_generated.deepcopy.go


Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,11 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
"ec2:DeleteLaunchTemplateVersions",
"ec2:DescribeKeyPairs",
"ec2:ModifyInstanceMetadataOptions",
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:ListOpenIDConnectProviders",
"iam:GetOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider",
},
},
{
Expand Down Expand Up @@ -284,6 +289,9 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
"s3:DeleteObject",
"s3:PutBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketOwnershipControls",
"s3:PutObjectAcl",
"s3:PutBucketPublicAccessBlock",
},
})
}
Expand Down
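Review bot: The five new `iam:*OpenIDConnectProvider` actions are appended to the controllers' existing EC2 statement which, judging from the generated CloudFormation fixtures further down, is granted on `Resource: '*'`, so the management cluster's credentials can now delete or retag any OIDC identity provider in the account, not only the ones CAPA created — a stray `iam:DeleteOpenIDConnectProvider` against an unrelated provider silently breaks every role that trusts it. IAM supports resource-level ARNs (`arn:*:iam::*:oidc-provider/*`) and tag conditions for these actions, and the PR already grants `iam:TagOpenIDConnectProvider`, so the get/delete/tag actions belong in their own statement restricted to providers carrying the ownership tag CAPA applies to resources it creates (via `aws:ResourceTag`), with `Create` conditioned on `aws:RequestTag` so the controller can only create providers it tags as its own. Likewise `s3:PutBucketPublicAccessBlock` and `s3:PutObjectAcl` let the controller make bucket contents public — presumably intended for the OIDC discovery documents — and should be scoped to the CAPA-managed bucket rather than inherit whatever resource the S3 statement carries today (not visible in this hunk). `ControllersPolicy` starts and ends outside the hunk.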
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,11 @@ Resources:
- ec2:DeleteLaunchTemplateVersions
- ec2:DescribeKeyPairs
- ec2:ModifyInstanceMetadataOptions
- iam:CreateOpenIDConnectProvider
- iam:DeleteOpenIDConnectProvider
- iam:ListOpenIDConnectProviders
- iam:GetOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Effect: Allow
Resource:
- '*'
Expand Down