From ad1ffc0422316a7f344a1cf3f0c49a17b17c3335 Mon Sep 17 00:00:00 2001
From: Will <30413278+wcrum@users.noreply.github.com>
Date: Thu, 14 Mar 2024 10:52:22 -0600
Subject: [PATCH] fix: remove previous roles and users

---
 pkg/cloud/services/iamauth/configmap.go | 38 +++++++++++++++++++++++++
 pkg/cloud/services/iamauth/crd.go | 20 +++++++++++++
 pkg/cloud/services/iamauth/iamauth.go | 4 +++
 pkg/cloud/services/iamauth/reconcile.go | 15 ++++------
 4 files changed, 67 insertions(+), 10 deletions(-)

diff --git a/pkg/cloud/services/iamauth/configmap.go b/pkg/cloud/services/iamauth/configmap.go
index 7c5963aafe..77b92c9f53 100644
--- a/pkg/cloud/services/iamauth/configmap.go
+++ b/pkg/cloud/services/iamauth/configmap.go
@@ -88,6 +88,44 @@ func (b *configMapBackend) MapUser(mapping ekscontrolplanev1.UserMapping) error
 	return b.saveAuthConfig(authConfig)
 }
+func (b *configMapBackend) MapUsers(mappings []ekscontrolplanev1.UserMapping) error {
+	for _, mapping := range mappings {
+		if errs := mapping.Validate(); errs != nil {
+			return kerrors.NewAggregate(errs)
+		}
+	}
+
+	authConfig, err := b.getAuthConfig()
+	if err != nil {
+		return fmt.Errorf("getting auth config: %w", err)
+	}
+
+	authConfig.UserMappings = []ekscontrolplanev1.UserMapping{}
+
+	authConfig.UserMappings = append(authConfig.UserMappings, mappings...)
+
+	return b.saveAuthConfig(authConfig)
+}
+
+func (b *configMapBackend) MapRoles(mappings []ekscontrolplanev1.RoleMapping) error {
+	for _, mapping := range mappings {
+		if errs := mapping.Validate(); errs != nil {
+			return kerrors.NewAggregate(errs)
+		}
+	}
+
+	authConfig, err := b.getAuthConfig()
+	if err != nil {
+		return fmt.Errorf("getting auth config: %w", err)
+	}
+
+	authConfig.RoleMappings = []ekscontrolplanev1.RoleMapping{}
+
+	authConfig.RoleMappings = append(authConfig.RoleMappings, mappings...)
+
+	return b.saveAuthConfig(authConfig)
+}
+
 func (b *configMapBackend) getAuthConfig() (*ekscontrolplanev1.IAMAuthenticatorConfig, error) {
 	ctx := context.Background()
diff --git a/pkg/cloud/services/iamauth/crd.go b/pkg/cloud/services/iamauth/crd.go
index 15c105b71b..902ee88ba3 100644
--- a/pkg/cloud/services/iamauth/crd.go
+++ b/pkg/cloud/services/iamauth/crd.go
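Review bot: configMapBackend.MapRoles resets `authConfig.RoleMappings` to an empty slice before appending, so every role mapping not present in `mappings` is removed on each call — including any entry an earlier `MapRole` call in the same reconcile may have written (ReconcileIAMAuthenticator's body starts before the reconcile.go hunk, so whether the node role is mapped that way is not visible here; please verify). If it is, the reconcile.go hunk's `authBackend.MapRoles(iamCfg.RoleMappings)` would drop the nodes' role mapping on every reconcile, and an empty spec list would leave the config with no role mappings at all; the same applies to MapUsers and `UserMappings`. The replace-all contract deserves a comment on both methods, e.g. `// MapRoles replaces all role mappings in the aws-iam-authenticator config with mappings; entries not in mappings are removed.`. Note also that the per-item `Validate` loop does not reject duplicate ARNs within `mappings`, so the saved config can contain conflicting entries for one identity.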
@@ -104,6 +104,26 @@ func (b *crdBackend) MapUser(mapping ekscontrolplanev1.UserMapping) error {
 	return b.client.Create(ctx, iamMapping)
 }
+func (b *crdBackend) MapRoles(mappings []ekscontrolplanev1.RoleMapping) error {
+	for _, mapping := range mappings {
+		if err := b.MapRole(mapping); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (b *crdBackend) MapUsers(mappings []ekscontrolplanev1.UserMapping) error {
+	for _, mapping := range mappings {
+		if err := b.MapUser(mapping); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func roleMappingMatchesIAMMap(mapping ekscontrolplanev1.RoleMapping, iamMapping *iamauthv1.IAMIdentityMapping) bool {
 	if mapping.RoleARN != iamMapping.Spec.ARN {
 		return false
diff --git a/pkg/cloud/services/iamauth/iamauth.go b/pkg/cloud/services/iamauth/iamauth.go
index 6410b31bfc..655a0ca6a6 100644
--- a/pkg/cloud/services/iamauth/iamauth.go
+++ b/pkg/cloud/services/iamauth/iamauth.go
@@ -38,6 +38,10 @@ type AuthenticatorBackend interface {
 	MapRole(mapping ekscontrolplanev1.RoleMapping) error
 	// MapUser is used to map a user ARN to a user and set of groups
 	MapUser(mapping ekscontrolplanev1.UserMapping) error
+	// MapUsers is used to set multiple user ARN to a users and groups
+	MapUsers(mapping []ekscontrolplanev1.UserMapping) error
+	// MapRoles is used to set multiple role ARN to a users and groups
+	MapRoles(mapping []ekscontrolplanev1.RoleMapping) error
 }
 // BackendType is a type that represents the different aws-iam-authenticator backends.
diff --git a/pkg/cloud/services/iamauth/reconcile.go b/pkg/cloud/services/iamauth/reconcile.go
index 3f53e74b4d..767cc3dd50 100644
--- a/pkg/cloud/services/iamauth/reconcile.go
+++ b/pkg/cloud/services/iamauth/reconcile.go
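Review bot: crdBackend.MapRoles and MapUsers only loop over `MapRole`/`MapUser`, which from the visible context end in `b.client.Create(ctx, iamMapping)`; nothing in the hunk deletes IAMIdentityMapping objects that are absent from `mappings`, so this backend keeps previous roles and users while the configmap backend removes them, and the two implementations of the new interface methods disagree on the commit's stated goal. Either list the existing IAMIdentityMapping objects and delete those not matched by an entry in `mappings` (`roleMappingMatchesIAMMap` already exists for that comparison), or document that removal is configmap-only. The loops also return the bare error of the first failing mapping after a partial apply; wrapping it with the identity, e.g. `return fmt.Errorf("mapping role %q: %w", mapping.RoleARN, err)` (and `mapping.UserARN` in MapUsers), would show which entry failed.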
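Review bot: The new interface comments do not state the contract that distinguishes MapUsers/MapRoles from MapUser/MapRole — whether passing a list replaces the backend's full set of mappings or only adds to it — and the wording is ungrammatical ("multiple user ARN to a users and groups"). Suggested text: `// MapUsers sets the complete set of user ARN mappings; entries not in the list are removed by backends that support removal.` and the same shape for MapRoles. Since the parameter is a slice, `mappings` reads better than `mapping` in both new signatures.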
@@ -63,18 +63,13 @@ func (s *Service) ReconcileIAMAuthenticator(ctx context.Context) error {
 	s.scope.V(2).Info("Mapping additional IAM roles and users")
 	iamCfg := s.scope.IAMAuthConfig()
-	for _, roleMapping := range iamCfg.RoleMappings {
-		s.scope.V(2).Info("Mapping IAM role", "iam-role", roleMapping.RoleARN, "user", roleMapping.UserName)
-		if err := authBackend.MapRole(roleMapping); err != nil {
-			return fmt.Errorf("mapping iam role: %w", err)
-		}
+
+	if err := authBackend.MapRoles(iamCfg.RoleMappings); err != nil {
+		return fmt.Errorf("mapping iam role: %w", err)
 	}
-	for _, userMapping := range iamCfg.UserMappings {
-		s.scope.V(2).Info("Mapping IAM user", "iam-user", userMapping.UserARN, "user", userMapping.UserName)
-		if err := authBackend.MapUser(userMapping); err != nil {
-			return fmt.Errorf("mapping iam user: %w", err)
-		}
+	if err := authBackend.MapUsers(iamCfg.UserMappings); err != nil {
+		return fmt.Errorf("mapping iam user: %w", err)
 	}
 	s.scope.Info("Reconciled aws-iam-authenticator configuration", "cluster-name", s.scope.KubernetesClusterName())
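Review bot: The per-mapping `s.scope.V(2).Info(...)` lines that recorded each role ARN / user ARN and the username it is mapped to are removed, and the replacement calls log nothing about which identities are being granted cluster access; that trail is what an operator needs when an unexpected mapping shows up. Either keep a summary here, `s.scope.V(2).Info("Mapping IAM roles and users", "roles", len(iamCfg.RoleMappings), "users", len(iamCfg.UserMappings))`, or move the per-entry logs into the backends' MapRoles/MapUsers. The error strings `mapping iam role` and `mapping iam user` now wrap a whole-list operation and could read `mapping iam roles` / `mapping iam users`. ReconcileIAMAuthenticator's body starts before this hunk.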