kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13166 from justinsb/irsa_acls_with_terraform 

JWKS / IRSA: Expose public ACLs to terraform
This commit is contained in:
Kubernetes Prow Robot 2022-01-30 23:54:23 -08:00 committed by GitHub
parent 8533a57940 16a676ffb3
commit 46c2dd7479
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 56 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tests/integration/update_cluster/aws-lb-controller/kubernetes.tf
View File

@ -569,6 +569,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@ -593,6 +594,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/minimal.example.com/openid/v1/jwks"

2
tests/integration/update_cluster/digit/kubernetes.tf
View File

@ -568,6 +568,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/123.example.com/.well-known/openid-configuration"
@ -592,6 +593,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/123.example.com/openid/v1/jwks"

2
tests/integration/update_cluster/external_dns_irsa/kubernetes.tf
View File

@ -543,6 +543,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@ -567,6 +568,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/minimal.example.com/openid/v1/jwks"

2
tests/integration/update_cluster/irsa/kubernetes.tf
View File

@ -593,6 +593,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@ -617,6 +618,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/minimal.example.com/openid/v1/jwks"

2
tests/integration/update_cluster/karpenter/kubernetes.tf
View File

@ -719,6 +719,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@ -743,6 +744,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/minimal.example.com/openid/v1/jwks"

2
tests/integration/update_cluster/many-addons-ccm-irsa/kubernetes.tf
View File

@ -673,6 +673,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@ -697,6 +698,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/minimal.example.com/openid/v1/jwks"

2
tests/integration/update_cluster/many-addons-ccm-irsa23/kubernetes.tf
View File

@ -647,6 +647,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@ -671,6 +672,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/minimal.example.com/openid/v1/jwks"

2
tests/integration/update_cluster/minimal_gossip_irsa/kubernetes.tf
View File

@ -517,6 +517,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@ -541,6 +542,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/minimal.example.com/openid/v1/jwks"

2
tests/integration/update_cluster/public-jwks-apiserver/kubernetes.tf
View File

@ -543,6 +543,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@ -567,6 +568,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/minimal.example.com/openid/v1/jwks"

2
tests/integration/update_cluster/vfs-said/kubernetes.tf
View File

@ -517,6 +517,7 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
}
resource "aws_s3_bucket_object" "discovery-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
@ -541,6 +542,7 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
}
resource "aws_s3_bucket_object" "keys-json" {
acl = "public-read"
bucket = "testingBucket"
content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
key = "discovery.example.com/minimal.example.com/openid/v1/jwks"

60
upup/pkg/fi/fitasks/managedfile.go
View File

@ -35,10 +35,16 @@ type ManagedFile struct {
Name *string
Lifecycle fi.Lifecycle
Base *string
// Base is the root location of the store for the managed file
Base *string
// Location is the relative path of the managed file
Location *string
Contents fi.Resource
Public *bool
// Public controls whether the object is world-readable
Public *bool
}
func (e *ManagedFile) Find(c *fi.Context) (*ManagedFile, error) {
@ -103,6 +109,30 @@ func (s *ManagedFile) CheckChanges(a, e, changes *ManagedFile) error {
return nil
}
func (e *ManagedFile) getACL(c *fi.Context, p vfs.Path) (vfs.ACL, error) {
var acl vfs.ACL
if fi.BoolValue(e.Public) {
switch p := p.(type) {
case *vfs.S3Path:
acl = &vfs.S3Acl{
RequestACL: fi.String("public-read"),
}
case *vfs.MemFSPath:
if !p.IsClusterReadable() {
return nil, fmt.Errorf("the %q path is intended for use in tests", p.Path())
}
acl = &vfs.S3Acl{
RequestACL: fi.String("public-read"),
}
default:
return nil, fmt.Errorf("the %q path does not support public ACL", p.Path())
}
return acl, nil
}
return acls.GetACL(p, c.Cluster)
}
func (_ *ManagedFile) Render(c *fi.Context, a, e, changes *ManagedFile) error {
location := fi.StringValue(e.Location)
if location == "" {
@ -120,27 +150,9 @@ func (_ *ManagedFile) Render(c *fi.Context, a, e, changes *ManagedFile) error {
}
p = p.Join(location)
var acl vfs.ACL
if fi.BoolValue(e.Public) {
switch p := p.(type) {
case *vfs.S3Path:
acl = &vfs.S3Acl{
RequestACL: fi.String("public-read"),
}
case *vfs.MemFSPath:
if !p.IsClusterReadable() {
return fmt.Errorf("the %q path is intended for use in tests", p.Path())
}
acl = nil
default:
return fmt.Errorf("the %q path does not support public ACL", p.Path())
}
} else {
acl, err = acls.GetACL(p, c.Cluster)
if err != nil {
return err
}
acl, err := e.getACL(c, p)
if err != nil {
return err
}
err = p.WriteFile(bytes.NewReader(data), acl)
@ -181,7 +193,7 @@ func (f *ManagedFile) RenderTerraform(c *fi.Context, t *terraform.TerraformTarge
}
p = p.Join(location)
acl, err := acls.GetACL(p, c.Cluster)
acl, err := e.getACL(c, p)
if err != nil {
return err
}