Adapt trust policy for IAM roles to use both old and new IRSA domains (
Berk Dehrioglu authored Jan 5, 2024
1 parent c45c8a0 commit 8336b81
Showing 5 changed files with 44 additions and 11 deletions.
4 changes: 3 additions & 1 deletion controllers/awsmachinetemplate_controller.go
Expand Up @@ -278,7 +278,9 @@ func (r *AWSMachineTemplateReconciler) reconcileNormal(ctx context.Context, iamS

cloudFrontDomain := key.CloudFrontAlias(baseDomain)

err = iamService.ReconcileRolesForIRSA(accountID, cloudFrontDomain)
oldCloudFrontDomain := key.GetAdditionalIrsaDomain(awsMachineTemplate)

err = iamService.ReconcileRolesForIRSA(accountID, cloudFrontDomain, oldCloudFrontDomain)
if err != nil {
return ctrl.Result{}, errors.WithStack(err)
}
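Review bot: The extra domain handed to `ReconcileRolesForIRSA` here comes straight from an annotation on the AWSMachineTemplate (`key.GetAdditionalIrsaDomain`) and ends up as a second federated principal in the trust policy of every IRSA role, so anyone with update rights on that object can widen who may assume those roles, and the controller neither validates the value nor records that it did so. At minimum log it so the widened trust is visible in the controller's output, e.g. `if oldCloudFrontDomain != "" { log.Info("trusting additional IRSA OIDC domain in role trust policies", "domain", oldCloudFrontDomain) }` using whatever logger `reconcileNormal` already has. The second principal also stays in place for as long as the annotation exists, so the migration is only finished when operators delete it; a comment above the `oldCloudFrontDomain` line would make that explicit: `// Transitional: keeps the previous IRSA domain trusted while workloads migrate; remove the annotation once no tokens are issued under the old domain.` `reconcileNormal` starts and ends outside this hunk.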
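--- a/controllers/awsmanagedcontrolplane_controller.go
+++ b/controllers/awsmanagedcontrolplane_controller.go
@@ -157,7 +157,7 @@ func (r *AWSManagedControlPlaneReconciler) Reconcile(ctx context.Context, req ct
 }
 
 iamService.SetPrincipalRoleARN(eksRoleARN)
-err = iamService.ReconcileRolesForIRSA(accountID, eksOpenIdDomain)
+err = iamService.ReconcileRolesForIRSA(accountID, eksOpenIdDomain, "")
 if err != nil {
 return ctrl.Result{}, microerror.Mask(err)
 }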
23 changes: 14 additions & 9 deletions pkg/iam/iam.go
Expand Up @@ -58,12 +58,13 @@ type IAMService struct {
}

type Route53RoleParams struct {
EC2ServiceDomain string
AccountID string
CloudFrontDomain string
Namespace string
ServiceAccount string
PrincipalRoleARN string
EC2ServiceDomain string
AccountID string
CloudFrontDomain string
AdditionalCloudFrontDomain string
Namespace string
ServiceAccount string
PrincipalRoleARN string
}

func New(config IAMServiceConfig) (*IAMService, error) {
Expand Down Expand Up @@ -156,12 +157,12 @@ func (s *IAMService) ReconcileKiamRole() error {
return nil
}

func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string, oldCloudFrontDomain string) error {
s.log.Info("reconciling IAM roles for IRSA")

for _, roleTypeToReconcile := range getIRSARoles() {
var params Route53RoleParams
params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain, oldCloudFrontDomain)
if err != nil {
s.log.Error(err, "failed to generate Route53 role parameters")
return err
Expand All @@ -177,7 +178,7 @@ func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain
return nil
}

func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string) (Route53RoleParams, error) {
func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string, additionalCloudFrontDomain string) (Route53RoleParams, error) {
namespace := "kube-system"
serviceAccount, err := getServiceAccount(roleTypeToReconcile)
if err != nil {
Expand All @@ -193,6 +194,10 @@ func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAc
ServiceAccount: serviceAccount,
}

if additionalCloudFrontDomain != "" {
params.AdditionalCloudFrontDomain = additionalCloudFrontDomain
}

return params, nil
}

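Review bot: The `additionalCloudFrontDomain` that `generateRoute53RoleParams` copies into `Route53RoleParams` in the last hunk is never validated, yet the template in route53_template.go substitutes it verbatim into both the `Federated` ARN and the `StringEquals` key of a JSON trust policy, so a value containing quotes, whitespace or a scheme would corrupt the document or extend it with content the author did not intend. Since the value originates from a Kubernetes annotation rather than from code, reject anything that is not a bare hostname before it reaches the template; the same check is cheap to apply to `cloudFrontDomain`. The `if additionalCloudFrontDomain != ""` guard is redundant because the empty string is already the field's zero value, so the assignment belongs in the struct literal. `ReconcileRolesForIRSA` also deserves a doc comment for its new parameter, roughly: `// oldCloudFrontDomain, when non-empty, is added as a second federated principal so tokens issued under the previous IRSA domain keep working during migration; pass "" to trust only cloudFrontDomain.` The function begins in the previous hunk; the helper below uses `regexp` and `fmt`, which must be imported if iam.go does not already do so.
```go
func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string, additionalCloudFrontDomain string) (Route53RoleParams, error) {
	// Both domains are substituted verbatim into the JSON trust policy, so a
	// value with quotes, whitespace or a scheme would corrupt or extend the
	// document; accept only a bare DNS hostname.
	if additionalCloudFrontDomain != "" && !irsaDomainRE.MatchString(additionalCloudFrontDomain) {
		return Route53RoleParams{}, fmt.Errorf("additional IRSA domain %q is not a bare hostname", additionalCloudFrontDomain)
	}
	// … unchanged: namespace and service-account lookup …
	params := Route53RoleParams{
		// … unchanged: existing fields …
		AdditionalCloudFrontDomain: additionalCloudFrontDomain, // "" is the zero value; no guard needed
	}
	return params, nil
}

// irsaDomainRE accepts lowercase DNS hostnames only: dot-separated labels of
// letters, digits and hyphens, with no scheme, port, path, quotes or whitespace.
var irsaDomainRE = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)
```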
13 changes: 13 additions & 0 deletions pkg/iam/route53_template.go
Expand Up @@ -14,7 +14,20 @@ const trustIdentityPolicyIRSA = `{
"{{.CloudFrontDomain}}:sub": "system:serviceaccount:{{.Namespace}}:{{.ServiceAccount}}"
}
}
}{{if .AdditionalCloudFrontDomain}},
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::{{.AccountID}}:oidc-provider/{{.AdditionalCloudFrontDomain}}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"{{.AdditionalCloudFrontDomain}}:sub": "system:serviceaccount:{{.Namespace}}:{{.ServiceAccount}}"
}
}
}
{{end}}
]
}
`
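Review bot: The added statement for `.AdditionalCloudFrontDomain` binds the second provider only on `:sub`, mirroring the existing statement; if the projected service-account tokens carry the standard IRSA audience, pinning it as well closes the gap where any token the same issuer mints for another audience could still assume the role. Once the audience is confirmed against the token-projection configuration, add `"{{.AdditionalCloudFrontDomain}}:aud": "sts.amazonaws.com"` beside the `:sub` key, and the equivalent `{{.CloudFrontDomain}}:aud` line in the first statement. The two statements are otherwise copy-pasted and will drift silently when one is edited, so a template comment inside the conditional stating the intent is worth adding: `{{/* Second principal for the previous IRSA domain during migration; keep in sync with the statement above. */}}`. The `trustIdentityPolicyIRSA` constant begins before this hunk.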
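--- a/pkg/key/key.go
+++ b/pkg/key/key.go
@@ -158,3 +158,16 @@ func GetAWSAccountID(awsClusterRoleIdentity *capa.AWSClusterRoleIdentity) (strin
 
 return a.AccountID, nil
 }
+
+func GetAdditionalIrsaDomain(o v1.Object) string {
+return GetAnnotation(o, "aws.giantswarm.io/irsa-additional-domain")
+}
+
+// GetAnnotation returns the value of the specified annotation.
+func GetAnnotation(o v1.Object, annotation string) string {
+annotations := o.GetAnnotations()
+if annotations == nil {
+return ""
+}
+return annotations[annotation]
+}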
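Review bot: `GetAdditionalIrsaDomain` is exported without a doc comment and its annotation key is an inline literal, even though that key is a security-relevant contract: its value becomes a federated principal in IAM role trust policies, so whoever may set the annotation can widen those policies. Lift it to `const IRSAAdditionalDomainAnnotation = "aws.giantswarm.io/irsa-additional-domain"` and document the function with a sentence saying the value is the hostname of the previous IRSA domain to keep trusting during migration, that it is returned unvalidated and untrimmed, and that deleting the annotation presumably drops the extra principal on the next reconcile (assuming the IAM reconcile rewrites the trust policy, which is not visible here). `GetAnnotation`'s nil check is redundant, since indexing a nil map yields the zero value; the body can be `return o.GetAnnotations()[annotation]`. A `strings.TrimSpace` on the returned domain would also stop a stray newline copied from a manifest from landing inside the policy JSON.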
