diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
index 96cd0b494e..3c767b38ea 100644
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@@ -434,7 +434,6 @@ func TestAWSLBController(t *testing.T) {
 func TestManyAddons(t *testing.T) {
 newIntegrationTest("minimal.example.com", "many-addons").
- withOIDCDiscovery().
 withAddons("aws-ebs-csi-driver.addons.k8s.io-k8s-1.17",
 "aws-load-balancer-controller.addons.k8s.io-k8s-1.9",
 "certmanager.io-k8s-1.16",
diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
deleted file mode 100644
index 74a8c9ccda..0000000000
--- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "Statement": [
- {
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "discovery.example.com/minimal.example.com:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
- }
- },
- "Effect": "Allow",
- "Principal": {
- "Federated": "arn:aws:iam::123456789012:oidc-provider/discovery.example.com/minimal.example.com"
- }
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_dns-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_dns-controller.kube-system.sa.minimal.example.com_policy
deleted file mode 100644
index 2f17a8e084..0000000000
--- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_dns-controller.kube-system.sa.minimal.example.com_policy
+++ /dev/null
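Review bot: Dropping `withOIDCDiscovery()` from TestManyAddons removes the only expected output in this fixture set for the IRSA trust policies (the deleted `sts:AssumeRoleWithWebIdentity` documents whose `Condition` pins `discovery.example.com/minimal.example.com:sub` to one service account) and for the `aws_iam_openid_connect_provider` resource. Unless another integration test still combines `withOIDCDiscovery()` with the aws-load-balancer-controller and dns-controller addons, a regression in the rendered trust policy — a missing or wildcarded `:sub` match, which would let any service account in the cluster assume the role — would no longer be caught by `go test ./cmd/kops`. I would either confirm that such a test exists or keep a separate OIDC-enabled variant of this fixture. A short comment above the builder chain saying where OIDC/IRSA rendering is now covered would help the next reader, e.g. `// OIDC discovery / IRSA trust-policy rendering is covered by <that test>; this fixture uses the default issuer.`. TestManyAddons continues past the end of the hunk.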
@@ -1,17 +0,0 @@
-{
- "Statement": [
- {
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "discovery.example.com/minimal.example.com:sub": "system:serviceaccount:kube-system:dns-controller"
- }
- },
- "Effect": "Allow",
- "Principal": {
- "Federated": "arn:aws:iam::123456789012:oidc-provider/discovery.example.com/minimal.example.com"
- }
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
deleted file mode 100644
index a2c587fe7d..0000000000
--- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
+++ /dev/null
@@ -1,158 +0,0 @@
-{
- "Statement": [
- {
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstances",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeRegions",
- "ec2:DescribeRouteTables",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeVolumes"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:DescribeVolumesModifications",
- "ec2:ModifyInstanceAttribute"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/KubernetesCluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/kubernetes.io/cluster/minimal.example.com": "owned"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:DescribeVpcs",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterTargets",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:DescribeLoadBalancerPolicies",
- "elasticloadbalancing:DescribeTargetGroups",
- "elasticloadbalancing:DescribeTargetHealth",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:ModifyTargetGroup",
- "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": "ec2:DescribeAvailabilityZones",
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:ModifyRule",
- "elasticloadbalancing:DeleteRule",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "minimal.example.com"
- }
- },
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- },
- {
- "Action": [
- "elasticloadbalancing:DescribeTags",
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "elasticloadbalancing:DescribeRules",
- "elasticloadbalancing:DescribeTargetHealth",
- "elasticloadbalancing:DescribeListenerCertificates",
- "elasticloadbalancing:CreateRule"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy
deleted file mode 100644
index 6e706aa3a7..0000000000
--- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "Statement": [
- {
- "Action": [
- "route53:ChangeResourceRecordSets",
- "route53:ListResourceRecordSets",
- "route53:GetHostedZone"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO"
- ]
- },
- {
- "Action": [
- "route53:GetChange"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws:route53:::change/*"
- ]
- },
- {
- "Action": [
- "route53:ListHostedZones"
- ],
- "Effect": "Allow",
- "Resource": [
- "*"
- ]
- }
- ],
- "Version": "2012-10-17"
-}
diff --git a/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data b/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
index 593ab94690..24c6b55eda 100644
--- a/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/many-addons/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
@@ -179,8 +179,8 @@ kubeAPIServer:
 requestheaderUsernameHeaders:
 - X-Remote-User
 securePort: 443
- serviceAccountIssuer: https://discovery.example.com/minimal.example.com
- serviceAccountJWKSURI: https://discovery.example.com/minimal.example.com/openid/v1/jwks
+ serviceAccountIssuer: https://api.internal.minimal.example.com
+ serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
 serviceClusterIPRange: 172.20.0.0/19
 storageBackend: etcd3
 kubeControllerManager:
@@ -252,7 +252,7 @@ CloudProvider: aws
 ConfigBase: memfs://clusters.example.com/minimal.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: Master
-NodeupConfigHash: elF2pwZKEmkQTctfVkBsmt8290a/elh+NffnIeyCYBQ=
+NodeupConfigHash: gCnvY+OMMVnG2kuJvvo1cVae4dzUl+rcZfd5XULISEs=
 __EOF_KUBE_ENV
diff --git a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_cluster-completed.spec_content b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_cluster-completed.spec_content
index 7057105af4..d669d4fee1 100644
--- a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_cluster-completed.spec_content
@@ -102,8 +102,8 @@ spec:
 requestheaderUsernameHeaders:
 - X-Remote-User
 securePort: 443
- serviceAccountIssuer: https://discovery.example.com/minimal.example.com
- serviceAccountJWKSURI: https://discovery.example.com/minimal.example.com/openid/v1/jwks
+ serviceAccountIssuer: https://api.internal.minimal.example.com
+ serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
 serviceClusterIPRange: 172.20.0.0/19
 storageBackend: etcd3
 kubeControllerManager:
@@ -201,9 +201,6 @@ spec:
 nonMasqueradeCIDR: 172.20.0.0/16
 podCIDR: 172.20.128.0/17
 secretStore: memfs://clusters.example.com/minimal.example.com/secrets
- serviceAccountIssuerDiscovery:
- discoveryStore: memfs://discovery.example.com/minimal.example.com
- enableAWSOIDCProvider: true
 serviceClusterIPRange: 172.20.0.0/19
 snapshotController:
 enabled: true
diff --git a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_discovery.json_content b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_discovery.json_content
deleted file mode 100644
index aba05dfd1a..0000000000
--- a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_discovery.json_content
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-"issuer": "https://discovery.example.com/minimal.example.com",
-"jwks_uri": "https://discovery.example.com/minimal.example.com/openid/v1/jwks",
-"authorization_endpoint": "urn:kubernetes:programmatic_authorization",
-"response_types_supported": [
-"id_token"
-],
-"subject_types_supported": [
-"public"
-],
-"id_token_signing_alg_values_supported": [
-"RS256"
-],
-"claims_supported": [
-"sub",
-"iss"
-]
-}
diff --git a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_keys.json_content b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_keys.json_content
deleted file mode 100644
index ddcbc6ed75..0000000000
--- a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_keys.json_content
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-"keys": [
-{
-"use": "sig",
-"kty": "RSA",
-"kid": "3mNcULfgtWECYyZWY5ow1rOHjiRwEZHx28HQcRec3Ew",
-"alg": "RS256",
-"n": "2JbeF8dNwqfEKKD65aGlVs58fWkA0qZdVLKw8qATzRBJTi1nqbj2kAR4gyy_C8Mxouxva_om9d7Sq8Ka55T7-w",
-"e": "AQAB"
-},
-{
-"use": "sig",
-"kty": "RSA",
-"kid": "G-cZ10iKJqrXhR15ivI7Lg2q_cuL0zN9ouL0vF67FLc",
-"alg": "RS256",
-"n": "o4Tridlsf4Yz3UAiup_scSTiG_OqxkUW3Fz7zGKvVcLeYj9GEIKuzoB1VFk1nboDq4cCuGLfdzaQdCQKPIsDuw",
-"e": "AQAB"
-}
-]
-}
diff --git a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content
index 6a4aa11c0c..7d0edae95e 100644
--- a/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content
+++ b/tests/integration/update_cluster/many-addons/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content
@@ -38,8 +38,8 @@ APIServerConfig:
 requestheaderUsernameHeaders:
 - X-Remote-User
 securePort: 443
- serviceAccountIssuer: https://discovery.example.com/minimal.example.com
- serviceAccountJWKSURI: https://discovery.example.com/minimal.example.com/openid/v1/jwks
+ serviceAccountIssuer: https://api.internal.minimal.example.com
+ serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
 serviceClusterIPRange: 172.20.0.0/19
 storageBackend: etcd3
 ServiceAccountPublicKeys: |
diff --git a/tests/integration/update_cluster/many-addons/in-v1alpha2.yaml b/tests/integration/update_cluster/many-addons/in-v1alpha2.yaml
index d0d6621f58..8f9e0125ca 100644
--- a/tests/integration/update_cluster/many-addons/in-v1alpha2.yaml
+++ b/tests/integration/update_cluster/many-addons/in-v1alpha2.yaml
@@ -40,9 +40,6 @@ spec:
 enabled: true
 enableSQSTerminationDraining: false
 nonMasqueradeCIDR: 172.20.0.0/16
- serviceAccountIssuerDiscovery:
- discoveryStore: memfs://discovery.example.com/minimal.example.com
- enableAWSOIDCProvider: true
 snapshotController:
 enabled: true
 sshAccess:
diff --git a/tests/integration/update_cluster/many-addons/kubernetes.tf b/tests/integration/update_cluster/many-addons/kubernetes.tf
index 08e070087a..d398680ea6 100644
--- a/tests/integration/update_cluster/many-addons/kubernetes.tf
+++ b/tests/integration/update_cluster/many-addons/kubernetes.tf
@@ -245,17 +245,6 @@ resource "aws_iam_instance_profile" "nodes-minimal-example-com" {
 }
 }
-resource "aws_iam_openid_connect_provider" "minimal-example-com" {
- client_id_list = ["amazonaws.com"]
- tags = {
- "KubernetesCluster" = "minimal.example.com"
- "Name" = "minimal.example.com"
- "kubernetes.io/cluster/minimal.example.com" = "owned"
- }
- thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280", "a9d53002e97e00e043244f3d170d6f4c414104fd"]
- url = "https://discovery.example.com/minimal.example.com"
-}
-
 resource "aws_iam_role" "masters-minimal-example-com" {
 assume_role_policy = file("${path.module}/data/aws_iam_role_masters.minimal.example.com_policy")
 name = "masters.minimal.example.com"
@@ -498,13 +487,6 @@ resource "aws_s3_bucket_object" "cluster-completed-spec" {
 server_side_encryption = "AES256"
 }
-resource "aws_s3_bucket_object" "discovery-json" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_bucket_object_discovery.json_content")
- key = "discovery.example.com/minimal.example.com/.well-known/openid-configuration"
- server_side_encryption = "AES256"
-}
-
 resource "aws_s3_bucket_object" "etcd-cluster-spec-events" {
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_etcd-cluster-spec-events_content")
@@ -519,13 +501,6 @@ resource "aws_s3_bucket_object" "etcd-cluster-spec-main" {
 server_side_encryption = "AES256"
 }
-resource "aws_s3_bucket_object" "keys-json" {
- bucket = "testingBucket"
- content = file("${path.module}/data/aws_s3_bucket_object_keys.json_content")
- key = "discovery.example.com/minimal.example.com/openid/v1/jwks"
- server_side_encryption = "AES256"
-}
-
 resource "aws_s3_bucket_object" "kops-version-txt" {
 bucket = "testingBucket"
 content = file("${path.module}/data/aws_s3_bucket_object_kops-version.txt_content")