Add a new template variable {{EC2PrivateDNSName}} #65
Conversation
There was a problem hiding this comment.
Overall I like this approach better. It allows for more extensiblity and limits the number of mapping types to deal with.
Just a couple minor comments. None of them are blockers to me. If you don't want to make the change to handle malformed usernames in the PR please create an issue.
pkg/server/server.go
Outdated
| template = strings.Replace(template, "{{SessionName}}", sessionName, -1) | ||
| return template | ||
|
|
There was a problem hiding this comment.
Since usernames must be DNS-1123 compliant should we have a final check to ensure the rendered template is valid and return an error if it is not? For instance if I accidentally put in {{AccountId}} instead of {{AccountID}} it will not get replaced and we will return an invalid username to k8s.
pkg/server/server.go
Outdated
| } | ||
| } | ||
| if privateDNSName == "" { | ||
| return "", errors.New(fmt.Sprintf("failed to find node %s", id)) |
There was a problem hiding this comment.
You can use fmt.Errorf here.
| return template, nil | ||
| } | ||
|
|
||
| type EC2Provider interface { |
There was a problem hiding this comment.
This can be local scope.
|
Also can we open two issues
|
pkg/server/server.go
Outdated
|
|
||
| // Private DNS requires EC2 API call | ||
| if strings.Contains(template, "{{EC2PrivateDNSName}}") { | ||
| re := regexp.MustCompile("^i-(\\w{8}|\\w{17})$") |
There was a problem hiding this comment.
I've seen (^i-(\w{8}|\w{17})$)|(^mi-\w{17}$) used elsewhere. EC2 apparently also has managed instances for hybrid environments with "mi-" id prefix. Not sure if these should be allowed or not (are they covered by getPrivateDNSName?).
There was a problem hiding this comment.
@dbenhur Let's open a issue for this. I think it requires more investigation to make sure there are no other side effects we aren't thinking about.
@nckturner Add the sign-off and I think this is good to go.
There was a problem hiding this comment.
Cool, will rebase and sign off.
There was a problem hiding this comment.
I think it'd also be fine to do minimal validation here and just trust that ec2:DescribeInstances is going to return an appropriate error if the instance ID is invalid.
We could also stick this regex in a global var instanceIDPattern = regexp.MustCompile(...) so we only compile once at init.
nckturner
force-pushed
the
kubelet-username-templatized
branch
from
5ad7b14 to
00bca85
Compare
README.md
Outdated
| @@ -173,6 +173,9 @@ server: | |||
| # output `path` where a generated webhook kubeconfig will be stored. | |||
| generateKubeconfig: /etc/kubernetes/heptio-authenticator-aws.kubeconfig # (default) | |||
|
|
|||
| # role to assume before querying EC2 API in order to discover metadata like EC2 private DNS Name | |||
| defaultEC2DescribeInstancesRoleARN: arn:aws:iam::000000000000:role/DescribeInstancesRole | |||
There was a problem hiding this comment.
Nit: the "default" part here is slightly confusing to me. Maybe something like serverAssumeRoleARN?
There was a problem hiding this comment.
Ah, default is incorrect now. I like having EC2DescribeInstances in the name though, as I think it helps differentiate it from the other references to roles. How about serverEC2DescribeInstancesRoleARN?
pkg/config/constants.go
Outdated
| @@ -29,4 +29,7 @@ const ( | |||
|
|
|||
| // certLifetime is the lifetime of the CA certificate (100 years) | |||
| certLifetime = time.Hour * 24 * 365 * 100 | |||
|
|
|||
| // nodeNamePrefix is the username prefix that the apiserver expects of kubelet | |||
| NodeNamePrefix = "system:node:" | |||
There was a problem hiding this comment.
This is no longer needed as far as I can tell.
pkg/server/server.go
Outdated
| groups = append(groups, group) | ||
| } | ||
| return username, groups, nil | ||
| } else if userMapping, exists := h.lowercaseUserMap[arn]; exists { |
There was a problem hiding this comment.
Nit: these else if clauses could now be plain if clauses since we return early at the end of each one.
pkg/server/server.go
Outdated
|
|
||
| // Private DNS requires EC2 API call | ||
| if strings.Contains(template, "{{EC2PrivateDNSName}}") { | ||
| re := regexp.MustCompile("^i-(\\w{8}|\\w{17})$") |
There was a problem hiding this comment.
I think it'd also be fine to do minimal validation here and just trust that ec2:DescribeInstances is going to return an appropriate error if the instance ID is invalid.
We could also stick this regex in a global var instanceIDPattern = regexp.MustCompile(...) so we only compile once at init.
pkg/server/server.go
Outdated
| template = strings.Replace(template, "{{SessionName}}", sessionName, -1) | ||
| return template | ||
| re := regexp.MustCompile("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*") |
There was a problem hiding this comment.
Same note here re: using a global var dns1123Pattern = regexp.MustCompile(...) compiled at init.
nckturner
force-pushed
the
kubelet-username-templatized
branch
from
14d4f73 to
30b4923
Compare
…te DNS
- kubelet reports itself as system:node:<aws-private-dns>
- modifies authenticator to be able to discover an ec2 instance's private dns
and use it for the node name when {{EC2PrivateDNSName}} is used in the
template username
- allows a role to be specified in the config file to assume for the describe
instances call, in case it is in a separate account.
Signed-off-by: Nick Turner <nic@amazon.com>
nckturner
force-pushed
the
kubelet-username-templatized
branch
from
30b4923 to
9e6702c
Compare
|
Squashed review commit. |
system:node:<aws-private-dns>and use it for the node name when {{EC2PrivateDNSName}} is used in the
template username
instances call, in case it is in a separate account.
Fixes: #57
Alternative to: #61
Signed-off-by: Nick Turner nic@amazon.com