From a0fe6b094e8ae7fc046c465b955f0b6461b4bca0 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Sun, 14 Nov 2021 13:17:23 -0800
Subject: [PATCH] Add create cluster flag for enabling IRSA

---
 cmd/kops/create_cluster.go | 5 +++++
 docs/cli/kops_create_cluster.md | 1 +
 upup/pkg/fi/cloudup/new_cluster.go | 17 +++++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go
index 916aafd11c..2109fad912 100644
--- a/cmd/kops/create_cluster.go
+++ b/cmd/kops/create_cluster.go
@@ -217,6 +217,11 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command {
 return nil, cobra.ShellCompDirectiveNoFileComp
 })
 }
+ cmd.Flags().StringVar(&options.DiscoveryStore, "discovery-store", options.DiscoveryStore, "A public location where we publish OIDC-compatible discovery information under a cluster-specific directory. Enables IRSA in AWS.")
+ cmd.RegisterFlagCompletionFunc("discovery-store", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+ // TODO complete vfs paths
+ return nil, cobra.ShellCompDirectiveNoFileComp
+ })
 
 cmd.Flags().StringVar(&options.CloudProvider, "cloud", options.CloudProvider, fmt.Sprintf("Cloud provider to use - %s", strings.Join(cloudup.SupportedClouds(), ", ")))
 cmd.RegisterFlagCompletionFunc("cloud", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
diff --git a/docs/cli/kops_create_cluster.md b/docs/cli/kops_create_cluster.md
index 15a00168a8..3555b84644 100644
--- a/docs/cli/kops_create_cluster.md
+++ b/docs/cli/kops_create_cluster.md
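Review bot: The help string for `--discovery-store` says the location is public but not what form the value takes, even though the completion stub's `// TODO complete vfs paths` shows it is parsed as a VFS path; extending it to `... under a cluster-specific directory (a VFS path). Enables IRSA in AWS.` would save users a round trip to the parse error. Because the discovery documents published there are what AWS trusts when enabling IRSA, the help text or the docs page should also state that the store must be publicly readable but writable only by the cluster operator. The error returned by `cmd.RegisterFlagCompletionFunc` is dropped, which matches the existing `cloud` registration later in the same hunk, so that is consistent rather than new. NewCmdCreateCluster begins and ends outside the hunk.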
@@ -77,6 +77,7 @@ kops create cluster [CLUSTER] [flags]
 --cloud-labels string A list of key/value pairs used to tag all instance groups (for example "Owner=John Doe,Team=Some Team").
 --container-runtime string Container runtime to use: containerd, docker
 --disable-subnet-tags Disable automatic subnet tagging
+ --discovery-store string A public location where we publish OIDC-compatible discovery information under a cluster-specific directory. Enables IRSA in AWS.
 --dns string DNS type to use: public or private (default "Public")
 --dns-zone string DNS hosted zone (defaults to longest matching zone)
 --dry-run If true, only print the object that would be sent, without sending it. This flag can be used to create a cluster YAML or JSON manifest.
diff --git a/upup/pkg/fi/cloudup/new_cluster.go b/upup/pkg/fi/cloudup/new_cluster.go
index 807d154fae..5022769ecb 100644
--- a/upup/pkg/fi/cloudup/new_cluster.go
+++ b/upup/pkg/fi/cloudup/new_cluster.go
@@ -40,6 +40,7 @@ import (
 "k8s.io/kops/upup/pkg/fi/cloudup/azure"
 "k8s.io/kops/upup/pkg/fi/cloudup/gce"
 "k8s.io/kops/upup/pkg/fi/cloudup/openstack"
+ "k8s.io/kops/util/pkg/vfs"
 )
 
 const (
@@ -57,6 +58,8 @@ type NewClusterOptions struct {
 Channel string
 // ConfigBase is the location where we will store the configuration. It defaults to the state store.
 ConfigBase string
+ // DiscoveryStore is the location where we will store public OIDC-compatible discovery documents, under a cluster-specific directory. It defaults to not publishing discovery documents.
+ DiscoveryStore string
 // KubernetesVersion is the version of Kubernetes to deploy. It defaults to the version recommended by the channel.
 KubernetesVersion string
 // AdminAccess is the set of CIDR blocks permitted to connect to the Kubernetes API. It defaults to "0.0.0.0/0" and "::/0".
@@ -252,6 +255,20 @@ func NewCluster(opt *NewClusterOptions, clientset simple.Clientset) (*NewCluster
 }
 }
 
+ if opt.DiscoveryStore != "" {
+ discoveryPath, err := vfs.Context.BuildVfsPath(opt.DiscoveryStore)
+ if err != nil {
+ return nil, fmt.Errorf("error building DiscoveryStore for cluster: %v", err)
+ }
+ cluster.Spec.ServiceAccountIssuerDiscovery = &api.ServiceAccountIssuerDiscoveryConfig{
+ DiscoveryStore: discoveryPath.Join(cluster.Name).Path(),
+ }
+ if cluster.Spec.CloudProvider == string(api.CloudProviderAWS) {
+ cluster.Spec.ServiceAccountIssuerDiscovery.EnableAWSOIDCProvider = true
+ cluster.Spec.IAM.UseServiceAccountExternalPermissions = fi.Bool(true)
+ }
+ }
+
 err = setupVPC(opt, &cluster)
 if err != nil {
 return nil, err
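Review bot: The error built at `return nil, fmt.Errorf("error building DiscoveryStore for cluster: %v", err)` uses `%v`, which flattens the underlying error so callers cannot inspect it with `errors.Is`/`errors.As`; `return nil, fmt.Errorf("building DiscoveryStore %q for cluster: %w", opt.DiscoveryStore, err)` keeps the chain and names the value that failed to parse. The AWS branch assigns through `cluster.Spec.IAM` with no nil check; if that field is a pointer it has to be allocated earlier in NewCluster, outside this hunk, or this line panics, so that ordering is worth confirming rather than assuming. For a non-AWS cloud the joined path is still stored in `ServiceAccountIssuerDiscovery` while `EnableAWSOIDCProvider` stays false, which looks intentional but deserves a why-comment such as `// Discovery documents are published for every cloud; only AWS also gets the OIDC provider and external service-account permissions.` NewCluster begins and ends outside the hunk.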