From 019fb7d35df54578ecb04d777738776e3b9aa3f6 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Sun, 14 Nov 2021 13:17:23 -0800
Subject: [PATCH] Add create cluster flag for enabling IRSA

---
 cmd/kops/create_cluster.go | 5 +++++
 docs/cli/kops_create_cluster.md | 1 +
 docs/releases/1.23-NOTES.md | 3 +++
 upup/pkg/fi/cloudup/new_cluster.go | 17 +++++++++++++++++
 4 files changed, 26 insertions(+)

diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
index 4c83ec1e00..3947e46949 100644
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@@ -219,6 +219,11 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
  return nil, cobra.ShellCompDirectiveNoFileComp
  })
  }
+ cmd.Flags().StringVar(&options.DiscoveryStore, "discovery-store", options.DiscoveryStore, "A public location where we publish OIDC-compatible discovery information under a cluster-specific directory. Enables IRSA in AWS.")
+ cmd.RegisterFlagCompletionFunc("discovery-store", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+ // TODO complete vfs paths
+ return nil, cobra.ShellCompDirectiveNoFileComp
+ })
 
  var validClouds []string
  {
diff --git a/docs/cli/kops_create_cluster.md b/docs/cli/kops_create_cluster.md
index 47d85e11c8..ce78b5a0ce 100644
--- a/docs/cli/kops_create_cluster.md
+++ b/docs/cli/kops_create_cluster.md
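Review bot: The help text for `--discovery-store` only says it "Enables IRSA in AWS", but in NewCluster the same flag on AWS also sets `IAM.UseServiceAccountExternalPermissions`, which by its name appears to change how IAM permissions are granted to the cluster's workloads; the flag description is where an operator first sees this, so it should state it, e.g. `"... Enables IRSA in AWS and switches the cluster to per-service-account IAM permissions."`. The new lines are also inserted directly after the closing `}` of the previous flag block while neighbouring flag groups in this function are separated by a blank line, so a blank line before `cmd.Flags().StringVar(...)` would keep the grouping consistent. NewCmdCreateCluster starts and ends outside this hunk.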
@@ -77,6 +77,7 @@ kops create cluster [CLUSTER] [flags]
  --cloud-labels string A list of key/value pairs used to tag all instance groups (for example "Owner=John Doe,Team=Some Team").
  --container-runtime string Container runtime to use: containerd, docker
  --disable-subnet-tags Disable automatic subnet tagging
+ --discovery-store string A public location where we publish OIDC-compatible discovery information under a cluster-specific directory. Enables IRSA in AWS.
  --dns string DNS type to use: public or private (default "Public")
  --dns-zone string DNS hosted zone (defaults to longest matching zone)
  --dry-run If true, only print the object that would be sent, without sending it. This flag can be used to create a cluster YAML or JSON manifest.
diff --git a/docs/releases/1.23-NOTES.md b/docs/releases/1.23-NOTES.md
index 9d982aba71..7719742e1a 100644
--- a/docs/releases/1.23-NOTES.md
+++ b/docs/releases/1.23-NOTES.md
@@ -44,6 +44,9 @@ This is a document to gather the release notes prior to the release.
 
 # Other changes of note
 
+* The `kops create cluster` command has a new `--discovery-store` flag for specifying a public store for the OIDC-compatible discovery documents.
+If this flag is used in AWS, it will enable IRSA.
+
 * If `externalDns.provider` is `external-dns`, then `externalDns.watchIngress` will now default to `true`.
 
 # Full change list since 1.22.0 release
diff --git a/upup/pkg/fi/cloudup/new_cluster.go b/upup/pkg/fi/cloudup/new_cluster.go
index eca5056f2b..5b712c79f4 100644
--- a/upup/pkg/fi/cloudup/new_cluster.go
+++ b/upup/pkg/fi/cloudup/new_cluster.go
@@ -40,6 +40,7 @@ import (
  "k8s.io/kops/upup/pkg/fi/cloudup/azure"
  "k8s.io/kops/upup/pkg/fi/cloudup/gce"
  "k8s.io/kops/upup/pkg/fi/cloudup/openstack"
+ "k8s.io/kops/util/pkg/vfs"
 )
 
 const (
@@ -57,6 +58,8 @@ type NewClusterOptions struct {
  Channel string
  // ConfigBase is the location where we will store the configuration. It defaults to the state store.
  ConfigBase string
+ // DiscoveryStore is the location where we will store public OIDC-compatible discovery documents, under a cluster-specific directory. It defaults to not publishing discovery documents.
+ DiscoveryStore string
  // KubernetesVersion is the version of Kubernetes to deploy. It defaults to the version recommended by the channel.
  KubernetesVersion string
  // AdminAccess is the set of CIDR blocks permitted to connect to the Kubernetes API. It defaults to "0.0.0.0/0" and "::/0".
@@ -255,6 +258,20 @@ func NewCluster(opt *NewClusterOptions, clientset simple.Clientset) (*NewCluster
  }
  }
 
+ if opt.DiscoveryStore != "" {
+ discoveryPath, err := vfs.Context.BuildVfsPath(opt.DiscoveryStore)
+ if err != nil {
+ return nil, fmt.Errorf("error building DiscoveryStore for cluster: %v", err)
+ }
+ cluster.Spec.ServiceAccountIssuerDiscovery = &api.ServiceAccountIssuerDiscoveryConfig{
+ DiscoveryStore: discoveryPath.Join(cluster.Name).Path(),
+ }
+ if cluster.Spec.CloudProvider == string(api.CloudProviderAWS) {
+ cluster.Spec.ServiceAccountIssuerDiscovery.EnableAWSOIDCProvider = true
+ cluster.Spec.IAM.UseServiceAccountExternalPermissions = fi.Bool(true)
+ }
+ }
+
  err = setupVPC(opt, &cluster)
  if err != nil {
  return nil, err
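Review bot: The discovery-store location is accepted with no check that it is somewhere AWS can actually read, even though the AWS branch a few lines down makes that store the trust anchor for role assumption by setting `EnableAWSOIDCProvider` and `UseServiceAccountExternalPermissions`; `BuildVfsPath` appears to only parse the string, so a private bucket or a local path would yield a cluster whose pods silently cannot assume roles. At minimum a comment at the assignment such as `// DiscoveryStore must be anonymously readable: AWS fetches the OIDC discovery documents from it` would make the requirement explicit, with scheme validation better placed in cluster validation than here. Two smaller points: the `BuildVfsPath` failure should wrap with `%w` rather than `%v`, and `discoveryPath, err :=` shadows the function-level `err` that `err = setupVPC(...)` reuses, which is harmless here but will trip vet's shadow check. The write to `cluster.Spec.IAM.UseServiceAccountExternalPermissions` assumes `cluster.Spec.IAM` was allocated earlier in NewCluster, which cannot be confirmed from this hunk. NewCluster's body begins and ends outside the hunk.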