From 1981c56f67a37090d1da28e2ab578bac6f9ff819 Mon Sep 17 00:00:00 2001
From: Robert Russell <23439640+WarpRat@users.noreply.github.com>
Date: Fri, 14 Aug 2020 08:56:37 -0700
Subject: [PATCH] Fix backwards compatibility when backend mode isnt set
---
docs/authentication.md | 2 +-
upup/models/bindata.go | 4 ++--
.../addons/authentication.aws/k8s-1.12.yaml.template | 4 ++--
.../authentication.aws-k8s-1.12.yaml | 10 ++++++++--
.../awsiamauthenticator/cluster.yaml | 3 ++-
.../awsiamauthenticator/manifest.yaml | 2 +-
6 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/docs/authentication.md b/docs/authentication.md
index 2694bfdd66..9e30f70bbc 100644
--- a/docs/authentication.md
+++ b/docs/authentication.md
@@ -113,7 +113,7 @@ data: - system:masters ``` -It is also possible to configure alternative backend modes for aws-iam-authenticator. The `backendMode` configuration option allows defining multiple backends in a comma separated string. The mappings in these backends will be merged. When the same mapping is found in multiple backends, the first backend in the list will take precedence. If MountedFile is not included in the list of backends, no configmap is required and the [cluster-id](https://github.com/kubernetes-sigs/aws-iam-authenticator#what-is-a-cluster-id) will default to the cluster's master API DNS name. The cluster-id can be overridden by setting the `clusterID` API field. If you wish to continue using a configmap for authenticator settings other than mappings, MountedFile must be included in the backendMode list. +It is also possible to configure alternative backend modes for aws-iam-authenticator. The `backendMode` configuration option allows defining multiple backends in a comma separated string. The mappings in these backends will be merged. When the same mapping is found in multiple backends, the first backend in the list will take precedence. If MountedFile is not included in the list of backends, no configmap is required and the [cluster-id](https://github.com/kubernetes-sigs/aws-iam-authenticator#what-is-a-cluster-id) will default to the cluster's name. The cluster-id can be overridden by setting the `clusterID` API field. If you wish to continue using a configmap for authenticator settings other than mappings, MountedFile must be included in the backendMode list. This requires an aws-iam-authenticator image >= 0.5.0 For more information see [usergroup-mappings](https://github.com/kubernetes-sigs/aws-iam-authenticator#4-create-iam-roleuser-to-kubernetes-usergroup-mappings) diff --git a/upup/models/bindata.go b/upup/models/bindata.go index ae4bb1e2dc..d755f78d4d 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go 
@@ -355,8 +355,8 @@ spec: {{- if or (not .Authentication.Aws.BackendMode) (contains "MountedFile" .Authentication.Aws.BackendMode) }} - --config=/etc/aws-iam-authenticator/config.yaml {{- end }} - {{- if or .Authentication.Aws.ClusterID (not (contains "MountedFile" .Authentication.Aws.BackendMode))}} - - --cluster-id={{ or .Authentication.Aws.ClusterID .MasterPublicName }} + {{- if or .Authentication.Aws.ClusterID (and .Authentication.Aws.BackendMode (not (contains "MountedFile" .Authentication.Aws.BackendMode)))}} + - --cluster-id={{ or .Authentication.Aws.ClusterID ClusterName }} {{- end }} - --state-dir=/var/aws-iam-authenticator - --kubeconfig-pregenerated=true diff --git a/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template index 6f47d215d7..8bd8169a0c 100644 --- a/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template +++ b/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template @@ -131,8 +131,8 @@ spec: {{- if or (not .Authentication.Aws.BackendMode) (contains "MountedFile" .Authentication.Aws.BackendMode) }} - --config=/etc/aws-iam-authenticator/config.yaml {{- end }} - {{- if or .Authentication.Aws.ClusterID (not (contains "MountedFile" .Authentication.Aws.BackendMode))}} - - --cluster-id={{ or .Authentication.Aws.ClusterID .MasterPublicName }} + {{- if or .Authentication.Aws.ClusterID (and .Authentication.Aws.BackendMode (not (contains "MountedFile" .Authentication.Aws.BackendMode)))}} + - --cluster-id={{ or .Authentication.Aws.ClusterID ClusterName }} {{- end }} - --state-dir=/var/aws-iam-authenticator - --kubeconfig-pregenerated=true diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/authentication.aws-k8s-1.12.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/authentication.aws-k8s-1.12.yaml index 70253b9e6e..28c9e3ec21 100644 
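Review bot: The default `--cluster-id` in the k8s-1.12.yaml.template hunk changes from `.MasterPublicName` to `ClusterName`, and nothing in the template tells a maintainer why that value matters to clients. aws-iam-authenticator validates the cluster ID carried in each token against this flag, so a cluster already running a non-MountedFile `backendMode` without `clusterID` would presumably start rejecting tokens that existing kubeconfigs still request with the old API DNS name (the old fixture value was `api.minimal.example.com`). I would add a template comment above the condition, for example `{{- /* cluster-id must equal the -i value clients pass to 'aws-iam-authenticator token'; falls back to the cluster name when no config file is mounted */}}`, and call out the changed default in the release notes. The same two lines appear in the generated upup/models/bindata.go hunk, and the container args list starts and ends outside both hunks.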
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/authentication.aws-k8s-1.12.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/authentication.aws-k8s-1.12.yaml @@ -108,10 +108,11 @@ spec: containers: - args: - server - - --cluster-id=api.minimal.example.com + - --config=/etc/aws-iam-authenticator/config.yaml + - --cluster-id=custom-cluster-ID - --state-dir=/var/aws-iam-authenticator - --kubeconfig-pregenerated=true - - --backend-mode=CRD + - --backend-mode=CRD,MountedFile image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.1-debian-stretch livenessProbe: httpGet: @@ -128,6 +129,8 @@ spec: cpu: 10m memory: 20Mi volumeMounts: + - mountPath: /etc/aws-iam-authenticator/ + name: config - mountPath: /var/aws-iam-authenticator/ name: state - mountPath: /etc/kubernetes/aws-iam-authenticator/ @@ -143,6 +146,9 @@ spec: - key: CriticalAddonsOnly operator: Exists volumes: + - configMap: + name: aws-iam-authenticator + name: config - hostPath: path: /srv/kubernetes/aws-iam-authenticator/ name: output diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/cluster.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/cluster.yaml index 9c11695d57..6d9e9dd295 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/cluster.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/cluster.yaml @@ -8,7 +8,8 @@ spec: - manifest: s3://somebucket/example.yaml authentication: aws: - backendMode: CRD + backendMode: CRD,MountedFile + clusterID: custom-cluster-ID kubernetesApiAccess: - 0.0.0.0/0 channel: stable diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml index e4d97945c2..31663fadbd 100644 
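Review bot: The cluster.yaml fixture now sets `backendMode: CRD,MountedFile` together with `clusterID: custom-cluster-ID`, so the expected output no longer exercises either branch this commit changes: an unset `backendMode` (the case named in the subject) or a non-MountedFile mode falling back to the cluster name. A later regression in the `--cluster-id` condition would therefore not show up in authentication.aws-k8s-1.12.yaml. I would keep the original `backendMode: CRD` case with no `clusterID` and add a second fixture with `authentication: aws: {}` beside this one, unless those cases are already covered elsewhere in the tree.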
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml @@ -97,7 +97,7 @@ spec: - id: k8s-1.12 kubernetesVersion: '>=1.12.0' manifest: authentication.aws/k8s-1.12.yaml - manifestHash: c4f7cd3bf0b39ca7ab1b27f875da96bf5feacca9 + manifestHash: dbfc79bb5908416ca06803461ab076b4896d0f7c name: authentication.aws selector: role.kubernetes.io/authentication: "1"