
feat: Allow aws access key authentication (#36)
mmoreiradj authored Nov 7, 2024
1 parent 840c6a0 commit 54de57e
Showing 8 changed files with 144 additions and 33 deletions.
39 changes: 27 additions & 12 deletions README.md
Expand Up @@ -22,7 +22,10 @@ At a given interval (default 30s) it executes the following:
```shell
./iam-eks-user-mapper \
--service-account-name <SERVICE_ACCOUNT_NAME> \
# either fill aws-role-arn or aws-access-key-id and aws-secret-access-key
--aws-role-arn <AWS_ROLE_ARN> \
--aws-access-key-id <AWS_ACCESS_KEY_ID> \
--aws-secret-access-key <AWS_SECRET_ACCESS_KEY> \
--aws-default-region <AWS_DEFAULT_REGION> \
--enable-group-user-sync <ENABLE_GROUP_USER_SYNC> \
--iam-k8s-groups <IAM_K8S_GROUPS> \
Expand All @@ -33,24 +36,30 @@ At a given interval (default 30s) it executes the following:
--verbose <VERBOSE>
```

| Parameter | Type | Default | Required | Description | Example |
|----------------------------|-----------|---------|--------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
| `service-account-name` | `String` | | `true` | Service account name to be used | `my-service-account` |
| `aws-role-arn` | `String` | | `true` | AWS role ARN to be used | `arn:aws:iam::12345678910:role/my-role` |
| `aws_default_region` | `String` | | `true` | AWS default region to be used | `eu-west-3` |
| `refresh_interval_seconds` | `Integer` | `30` | `false` | Refresh interval in seconds between two user synchronization | `120` |
| `enable_group_user_sync` | `Boolean` | `false` | `false` | Activate User Groups sync | `true` |
| `iam_k8s_groups` | `String` | `""` | `false` (`true` if `enable_group_user_sync` == `true`) | IAM groups to be mapped into Kubernetes, syntax is `<IAM_GROUP>-><KUBERNETES_GROUP>,<IAM_GROUP_2>-><KUBERNETES_GROUP_2>` | `Admins->system:masters`, `Admins->system:masters,Devops->system:devops` |
| `enable_sso` | `Boolean` | `false` | `false` | Activate SSO support to connect to the cluster | `true` |
| `iam_sso_role_arn` | `String` | `""` | `false` (`true` if `enable_sso` == `true`) | IAM SSO role ARN to be used to connect to the cluster | `"arn:aws:iam::[AWS_ACCOUNT_ID]:role/aws-reserved/sso.amazonaws.com/[AWS_REGION]/AWSReservedSSO_AdministratorAccess_53b82e109c5e2cac"` |
| `karpenter_role_arn` | `String` | `""` | `false` | Enable Karpenter role ARN | `arn:aws:iam::account_id:role/role_id` |
| `verbose` | `Boolean` | `false` | `false` | Activate verbose mode | `Admins->system:masters`, `Admins->system:masters,Devops->system:devops` |
| Parameter | Type | Default | Required | Description | Example |
| -------------------------- | --------- | ------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------- |
| `service-account-name` | `String` | | `true` | Service account name to be used | `my-service-account` |
| `aws-role-arn` | `String` | | `true` if aws_access_key_id and aws_secret_access_key are not specified | AWS role ARN to be used | `arn:aws:iam::12345678910:role/my-role` |
| `aws_access_key_id` | `String` | | `true` if aws-role-arn is not specified | AWS Access Key ID to be used | `EXAMPLEACCESSKEYID` |
| `aws_secret_access_key` | `String` | | `true` if aws-role-arn is not specified | AWS Secret Access Key to be used | `EXAMPLESECRETACCESSKEY` |
| `aws_default_region` | `String` | | `true` | AWS default region to be used | `eu-west-3` |
| `refresh_interval_seconds` | `Integer` | `30` | `false` | Refresh interval in seconds between two user synchronization | `120` |
| `enable_group_user_sync` | `Boolean` | `false` | `false` | Activate User Groups sync | `true` |
| `iam_k8s_groups` | `String` | `""` | `false` (`true` if `enable_group_user_sync` == `true`) | IAM groups to be mapped into Kubernetes, syntax is `<IAM_GROUP>-><KUBERNETES_GROUP>,<IAM_GROUP_2>-><KUBERNETES_GROUP_2>` | `Admins->system:masters`, `Admins->system:masters,Devops->system:devops` |
| `enable_sso` | `Boolean` | `false` | `false` | Activate SSO support to connect to the cluster | `true` |
| `iam_sso_role_arn` | `String` | `""` | `false` (`true` if `enable_sso` == `true`) | IAM SSO role ARN to be used to connect to the cluster | `"arn:aws:iam::[AWS_ACCOUNT_ID]:role/aws-reserved/sso.amazonaws.com/[AWS_REGION]/AWSReservedSSO_AdministratorAccess_53b82e109c5e2cac"` |
| `karpenter_role_arn` | `String` | `""` | `false` | Enable Karpenter role ARN | `arn:aws:iam::account_id:role/role_id` |
| `verbose` | `Boolean` | `false` | `false` | Activate verbose mode | `Admins->system:masters`, `Admins->system:masters,Devops->system:devops` |

**Note:** Either `aws_role_arn` or `aws_access_key_id` and `aws_secret_access_key` must be provided. Both cannot be provided at the same time.

All parameters can be set as environment variables as well:

```shell
SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME> \
AWS_ROLE_ARN=<AWS_ROLE_ARN> \
AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID> \
AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY> \
AWS_DEFAULT_REGION=<AWS_DEFAULT_REGION> \
ENABLE_GROUP_USER_SYNC=<ENABLE_GROUP_USER_SYNC> \
IAM_K8S_GROUPS=<IAM_K8S_GROUPS> \
Expand Down Expand Up @@ -81,7 +90,13 @@ refreshIntervalSeconds: <REFRESH_INTERVAL_SECONDS>

aws:
defaultRegion: <AWS_DEFAULT_REGION>
# either fill roleArn or accessKeyId and secretAccessKey or existingSecretName
roleArn: <AWS_ROLE_ARN>
# if you want to use an existing secret, set the name here
# it must contain AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
existingSecretName: <AWS_SECRET_NAME>
accessKeyId: <AWS_ACCESS_KEY_ID>
secretAccessKey: <AWS_SECRET_ACCESS_KEY>

# Repository for the image is there
# https://github.com/Qovery/iam-eks-user-mapper
7 changes: 7 additions & 0 deletions charts/iam-eks-user-mapper/templates/_helpers.tpl
Expand Up @@ -60,3 +60,10 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{/*
Name of the secret
*/}}
{{- define "iam-eks-user.aws.secretName" -}}
{{- default (include "iam-eks-user.fullname" .) .Values.aws.existingSecretName }}
{{- end }}
13 changes: 12 additions & 1 deletion charts/iam-eks-user-mapper/templates/deployment.yaml
@@ -1,7 +1,6 @@
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: kube-system
name: {{ include "iam-eks-user.fullname" . }}
labels:
{{- include "iam-eks-user.labels" . | nindent 4 }}
Expand Down Expand Up @@ -46,6 +45,18 @@ spec:
- name: "KARPENTER_ROLE_ARN"
value: "{{ .Values.karpenter.iamKarpenterRoleArn }}"
{{ end }}
- name: "AWS_ACCESS_KEY_ID"
valueFrom:
secretKeyRef:
name: {{ include "iam-eks-user.aws.secretName" . }}
key: AWS_ACCESS_KEY_ID
- name: "AWS_SECRET_ACCESS_KEY"
valueFrom:
secretKeyRef:
name: {{ include "iam-eks-user.aws.secretName" . }}
key: AWS_SECRET_ACCESS_KEY
- name: AWS_DEFAULT_REGION
value: "{{ .Values.aws.defaultRegion }}"
resources:
{{- toYaml .Values.resources | nindent 12 }}
command:
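Review bot: The `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` env entries in the second hunk are emitted unconditionally, but `secret.yaml` only renders the Secret when both `aws.accessKeyId` and `aws.secretAccessKey` are set, so a role-based install with no `aws.existingSecretName` references a Secret that does not exist and the pod will sit in CreateContainerConfigError. Wrap the two entries in `{{- if or .Values.aws.existingSecretName (and .Values.aws.accessKeyId .Values.aws.secretAccessKey) }}` … `{{- end }}`, or add `optional: true` to each `secretKeyRef`. The first hunk also drops `namespace: kube-system` from the Deployment while `secret.yaml` still hardcodes it; a `secretKeyRef` cannot cross namespaces, so a release installed anywhere else will not find the Secret. If static keys end up present alongside an IRSA-annotated service account, the SDK credential chain would presumably prefer the env vars over web identity, so the README's either/or rule is worth enforcing at render time (e.g. `fail` when both are set) — I see no such check in this chart. The container `env` list begins outside the hunk.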
5 changes: 3 additions & 2 deletions charts/iam-eks-user-mapper/templates/rbac.yaml
Expand Up @@ -3,8 +3,9 @@ apiVersion: v1
metadata:
name: {{ .Values.serviceAccount.name }}
namespace: kube-system
{{- if .Values.serviceAccount.annotations }}
annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
---
kind: Role
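--- /dev/null
+++ b/charts/iam-eks-user-mapper/templates/secret.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.aws.accessKeyId .Values.aws.secretAccessKey }}
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ include "iam-eks-user.aws.secretName" . }}
+namespace: kube-system
+labels:
+{{- include "iam-eks-user.labels" . | nindent 4 }}
+{{- with .Values.extraLabels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+AWS_ACCESS_KEY_ID: {{ .Values.aws.accessKeyId | b64enc | quote }}
+AWS_SECRET_ACCESS_KEY: {{ .Values.aws.secretAccessKey | b64enc | quote }}
+{{- end }}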
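Review bot: `namespace: kube-system` is hardcoded on this Secret while the same commit removes the namespace pin from the Deployment, so a release installed into any other namespace creates the Secret where the pod cannot reference it (a `secretKeyRef` is namespace-local). Use `namespace: {{ .Release.Namespace }}` or drop the line so both objects land together. This Secret carries long-lived static IAM credentials rendered straight from values; a header comment such as `# Static IAM keys rendered from values — prefer IRSA (role ARN) or existingSecretName; pass these with --set/--set-file, never from a committed values file` would steer users away from the weakest option.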
8 changes: 8 additions & 0 deletions charts/iam-eks-user-mapper/values.yaml
Expand Up @@ -8,6 +8,14 @@ groupUsersSync:
enabled: false
iamK8sGroups: "" # "group1,group2"

aws:
# if you want to use an existing secret, set the name here
# it must contain AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
existingSecretName: ""
accessKeyId: ""
secretAccessKey: ""
defaultRegion: "us-west-1"

sso:
enabled: false
iamSSORoleArn: "" # "arn:aws:iam::[AWS_ACCOUNT_ID]:role/aws-reserved/sso.amazonaws.com/[AWS_REGION]/AWSReservedSSO_AdministratorAccess_53b82e109c5e2cac"
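Review bot: The new `aws.accessKeyId` / `aws.secretAccessKey` keys come with no guidance, so the path of least resistance is to paste long-lived IAM keys into a values file that is usually committed to git. Add a comment above them, e.g. `# Static IAM keys — prefer IRSA (role ARN on the service account) or existingSecretName; if you must use these, pass them via --set/--set-file, do not commit them`. The README's Helm example in this commit also lists `aws.roleArn`, which this hunk does not add; if that key is not defined elsewhere in values.yaml, the README and chart are out of sync.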
38 changes: 30 additions & 8 deletions src/config.rs
Original file line number Diff line number Diff line change
Expand Up @@ -26,15 +26,30 @@ pub enum ConfigurationError {
pub struct Credentials {
pub region: Region,
pub _service_account_name: String,
pub _role_arn: RoleArn,
pub _credentials_mode: CredentialsMode,
}

#[derive(Clone)]
pub enum CredentialsMode {
RoleBased {
_aws_role_arn: RoleArn,
},
AccessKeyBased {
_aws_access_key_id: String,
_aws_secret_access_key: String,
},
}

impl Credentials {
pub fn new(region: Region, service_account_name: String, role_arn: RoleArn) -> Self {
Self {
pub fn new(
region: Region,
service_account_name: String,
credentials_mode: CredentialsMode,
) -> Credentials {
Credentials {
region,
_service_account_name: service_account_name,
_role_arn: role_arn,
_credentials_mode: credentials_mode,
}
}
}
Expand Down Expand Up @@ -193,7 +208,8 @@ impl Config {
mod tests {
use crate::aws::iam::IamGroup;
use crate::config::{
Config, ConfigurationError, Credentials, IamK8sGroup, KarpenterRoleConfig, SSORoleConfig,
Config, ConfigurationError, Credentials, CredentialsMode, IamK8sGroup, KarpenterRoleConfig,
SSORoleConfig,
};
use crate::kubernetes::{IamArn, KubernetesGroupName};
use std::str::FromStr;
Expand Down Expand Up @@ -294,7 +310,9 @@ mod tests {
Credentials::new(
"whatever".to_string(),
"whatever".to_string(),
"whatever".to_string(),
CredentialsMode::RoleBased {
_aws_role_arn: "whatever".to_string(),
},
),
Duration::from_secs(60),
false,
Expand Down Expand Up @@ -334,7 +352,9 @@ mod tests {
Credentials::new(
"whatever".to_string(),
"whatever".to_string(),
"whatever".to_string(),
CredentialsMode::RoleBased {
_aws_role_arn: "whatever".to_string(),
},
),
Duration::from_secs(60),
false,
Expand All @@ -357,7 +377,9 @@ mod tests {
Credentials::new(
"whatever".to_string(),
"whatever".to_string(),
"whatever".to_string(),
CredentialsMode::RoleBased {
_aws_role_arn: "whatever".to_string(),
},
),
Duration::from_secs(60),
false,
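Review bot: `CredentialsMode::AccessKeyBased` in the first hunk stores `_aws_secret_access_key` as a plain `String` inside a `#[derive(Clone)]` enum, so any future `#[derive(Debug)]` on `Credentials` or a `{:?}` in a log line would print the secret verbatim; a newtype with a redacting `Debug` impl rules that out by construction (sketch below). The leading underscores suggest these fields are never read in this module, so the real credential selection presumably happens in the AWS SDK's default chain — a doc comment on the enum saying so would save the next reader a search. The README states the role ARN and access keys are mutually exclusive, but the `Config` parsing where that would be enforced sits outside this hunk (the `impl Config` block near line 208 is elided), so I cannot confirm a check exists.
```rust
/// AWS secret access key; `Debug` is redacted so the value can never reach logs.
#[derive(Clone)]
pub struct SecretAccessKey(String);

impl std::fmt::Debug for SecretAccessKey {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.write_str("SecretAccessKey([redacted])")
    }
}

// … unchanged: Credentials struct …

/// How the mapper obtains AWS credentials; which variant is chosen is decided by Config.
#[derive(Clone)]
pub enum CredentialsMode {
    RoleBased { _aws_role_arn: RoleArn },
    AccessKeyBased {
        _aws_access_key_id: String,
        _aws_secret_access_key: SecretAccessKey,
    },
}
```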
