kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Migrate IAM EC2 Service generation to aws-sdk-go-v2

This commit is contained in:
Peter Rifel 2024-04-18 20:37:11 -04:00
parent f92efdf016
commit dc1aa0d3b4
No known key found for this signature in database
2 changed files with 26 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
pkg/model/awsmodel/iam.go
View File

@ -17,12 +17,14 @@ limitations under the License.
package awsmodel package awsmodel
import ( import (
"context"
"fmt" "fmt"
"sort" "sort"
"strings" "strings"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/ec2"
awsiam "github.com/aws/aws-sdk-go-v2/service/iam" awsiam "github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go/aws/endpoints"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
"k8s.io/klog/v2" "k8s.io/klog/v2"
"k8s.io/kops/pkg/apis/kops" "k8s.io/kops/pkg/apis/kops"
@ -404,15 +406,21 @@ func (b *IAMModelBuilder) buildPolicy(policyString string) (*iam.Policy, error)
// IAMServiceEC2 returns the name of the IAM service for EC2 in the current region. // IAMServiceEC2 returns the name of the IAM service for EC2 in the current region.
// It is ec2.amazonaws.com in the default aws partition, but different in other isolated/custom partitions // It is ec2.amazonaws.com in the default aws partition, but different in other isolated/custom partitions
func IAMServiceEC2(region string) string { func IAMServiceEC2(region string) (string, error) {
partitions := endpoints.DefaultPartitions() ctx := context.TODO()
for _, p := range partitions { resolver := ec2.NewDefaultEndpointResolverV2()
if _, ok := p.Regions()[region]; ok { ep, err := resolver.ResolveEndpoint(ctx, ec2.EndpointParameters{Region: aws.String(region)})
ep := "ec2." + p.DNSSuffix() if err != nil {
return ep return "", fmt.Errorf("failed to resolve endpoint: %v", err)
} }
if ep.URI.Host != "" {
// Remove the region from the hostname. Examples:
// ec2.us-east-1.amazonaws.com -> ec2.amazonaws.com
// ec2.cn-west-1.amazonaws.com.cn -> ec2.amazonaws.com.cn
// ec2.us-gov-west-1.amazonaws.com -> ec2.amazonaws.com
return strings.ReplaceAll(ep.URI.Host, fmt.Sprintf("%v.", region), ""), nil
} }
return "ec2.amazonaws.com" return "ec2.amazonaws.com", nil
} }
func formatAWSIAMStatement(accountId, partition, oidcProvider, namespace, name string) (*iam.Statement, error) { func formatAWSIAMStatement(accountId, partition, oidcProvider, namespace, name string) (*iam.Statement, error) {
@ -466,7 +474,11 @@ func (b *IAMModelBuilder) buildAWSIAMRolePolicy(role iam.Subject) (fi.Resource,
} else { } else {
// We don't generate using json.Marshal here, it would create whitespace changes in the policy for existing clusters. // We don't generate using json.Marshal here, it would create whitespace changes in the policy for existing clusters.
policy = strings.ReplaceAll(NodeRolePolicyTemplate, "{{ IAMServiceEC2 }}", IAMServiceEC2(b.Region)) ec2Service, err := IAMServiceEC2(b.Region)
if err != nil {
return nil, err
}
policy = strings.ReplaceAll(NodeRolePolicyTemplate, "{{ IAMServiceEC2 }}", ec2Service)
} }
return fi.NewStringResource(policy), nil return fi.NewStringResource(policy), nil

5
pkg/model/awsmodel/iam_test.go
View File

@ -34,7 +34,10 @@ func TestIAMServiceEC2(t *testing.T) {
} }
for region, expect := range expectations { for region, expect := range expectations {
principal := IAMServiceEC2(region) principal, err := IAMServiceEC2(region)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if principal != expect { if principal != expect {
t.Errorf("expected %s for %s, but received %s", expect, region, principal) t.Errorf("expected %s for %s, but received %s", expect, region, principal)
} }