From ff79e646d943ca11459f4a92bade0dbd6a5a05eb Mon Sep 17 00:00:00 2001
From: Daniel Jensen
Date: Wed, 30 Jan 2019 15:15:08 -0800
Subject: [PATCH 1/5] Add EKS support

---
 Dockerfile | 5 +++++
 README.md | 2 ++
 assets/common.sh | 49 +++++++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 052d057..ddbb8b4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,11 @@ LABEL maintainer "mario.siegenthaler@linkyard.ch"
 RUN apk add --update --upgrade --no-cache jq bash curl
 ARG KUBERNETES_VERSION=1.11.3
+ARG AWS_IAM_AUTHENTICATOR_VERSION=0.3.0
+
+RUN curl -L -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.3.0/heptio-authenticator-aws_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64 && \
+ chmod +x /usr/local/bin/aws-iam-authenticator
+
 RUN curl -L -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl; \
 chmod +x /usr/local/bin/kubectl
diff --git a/README.md b/README.md
index 52dbdd9..1b779df 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,8 @@ resource_types:
 * `cluster_url`: *Required.* URL to Kubernetes Master API service
 * `cluster_ca`: *Optional.* Base64 encoded PEM. Required if `cluster_url` is https.
+* `use_aws_iam_authenticator`: *Optional.* If true, the aws_iam_authenticator, required for connecting with EKS, is used.
+* `aws_eks_cluster_name`: *Optional.* the AWS EKS cluster name, required when use_aws_iam_authenticator is true.
 * `token`: *Optional.* Bearer token for Kubernetes. This, 'token_path' or `admin_key`/`admin_cert` are required if `cluster_url` is https.
 * `admin_key`: *Optional.* Base64 encoded PEM. Required if `cluster_url` is https and no `token` or 'token_path' is provided.
 * `admin_cert`: *Optional.* Base64 encoded PEM. Required if `cluster_url` is https and no `token` or 'token_path' is provided.
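Review bot: The added `RUN curl -L -o /usr/local/bin/aws-iam-authenticator …` pulls a binary that will mint cluster credentials on every resource run, yet nothing verifies what was downloaded, and without `--fail` a non-2xx response (an error page, a renamed release asset after bumping the ARG) is written to disk and then `chmod +x`'d as if it were the authenticator. Pin the release's published SHA-256 and fail the build on mismatch: `RUN curl -fsSL -o /usr/local/bin/aws-iam-authenticator "https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_IAM_AUTHENTICATOR_VERSION}/heptio-authenticator-aws_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64" \ && echo "${AWS_IAM_AUTHENTICATOR_SHA256}  /usr/local/bin/aws-iam-authenticator" | sha256sum -c - \ && chmod +x /usr/local/bin/aws-iam-authenticator`, with an `ARG AWS_IAM_AUTHENTICATOR_SHA256=<checksum from the release page>` next to the version ARG. The pre-existing kubectl fetch two lines below has the same gap, and its `;` (rather than `&&`) lets the `chmod` run even after a failed download; that is context here, but worth fixing in the same spirit.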
diff --git a/assets/common.sh b/assets/common.sh
index 34f915b..61a503a 100644
--- a/assets/common.sh
+++ b/assets/common.sh
@@ -1,6 +1,48 @@
 #!/bin/bash
 set -e
+generate_aws_kubeconfig() {
+ # Optional. Use the AWS EKS authenticator
+ local use_aws_iam_authenticator
+ use_aws_iam_authenticator="$(jq -r '.source.use_aws_iam_authenticator // ""' < "$payload")"
+ local aws_eks_cluster_name
+ aws_eks_cluster_name="$(jq -r '.source.aws_eks_cluster_name // ""' < "$payload")"
+ if [[ "$use_aws_iam_authenticator" == "true" ]]; then
+ if [ -z "$aws_eks_cluster_name" ]; then
+ echo 'You must specify aws_eks_cluster_name when using aws_iam_authenticator.'
+ exit 1
+ fi
+ local kubeconfig_file_aws
+ kubeconfig_file_aws="$(mktemp "$TMPDIR/kubernetes-resource-kubeconfig-aws.XXXXXX")"
+ cat < "$kubeconfig_file_aws"
+users:
+- name: admin
+ user:
+ exec:
+ apiVersion: client.authentication.k8s.io/v1alpha1
+ args:
+ - token
+ - -i
+ - ${aws_eks_cluster_name}
+ command: aws-iam-authenticator
+ env: null
+EOF
+ # Merge two kubeconfig files
+ local tmpfile
+ tmpfile="$(mktemp)"
+ local kubeconfig_file
+ kubeconfig_file="/root/.kube/config"
+ #kubectl config view --flatten > "$tmpfile"
+ KUBECONFIG="$kubeconfig_file:$kubeconfig_file_aws" kubectl config view --flatten > "$tmpfile"
+ cat "$tmpfile"
+
+ #remove old user data before merging
+ kubectl config unset users
+
+ cat "$tmpfile" > $kubeconfig_file
+ fi
+}
+
 setup_kubernetes() {
 payload=$1
 source=$2
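Review bot: The validation failure on the `echo 'You must specify aws_eks_cluster_name when using aws_iam_authenticator.'` line goes to stdout, which for a Concourse resource script is the channel the caller parses as JSON (the series itself later drops `cat "$tmpfile"` for exactly that reason); route it to stderr, `echo '…' >&2`, before the `exit 1`. The cluster name is interpolated unquoted into the YAML heredoc at `- ${aws_eks_cluster_name}`, so a value carrying YAML-significant characters (`#`, `: `, a leading `[` or `{`) silently changes the exec spec handed to kubectl; validating it up front, `[[ "$aws_eks_cluster_name" =~ ^[A-Za-z0-9_-]+$ ]] || { echo 'invalid aws_eks_cluster_name' >&2; exit 1; }`, is cheap and, as far as I know, matches the characters EKS accepts in a cluster name. As rendered here the heredoc opener reads `cat < "$kubeconfig_file_aws"`; presumably the committed line is `cat <<EOF > "$kubeconfig_file_aws"` with the `<<EOF` lost in extraction, which is worth confirming against the repository because the bare form would read the empty temp file and then try to execute the YAML lines as commands. Nothing in the function passes AWS credentials to the authenticator (`env: null`), so it runs with whatever the resource container happens to have in its environment; if that ends up being a worker instance role, that should be a documented, explicit choice rather than an accident, and the two temp files holding the merged kubeconfig are never removed.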
@@ -17,17 +59,20 @@ setup_kubernetes() {
 admin_cert=$(jq -r '.source.admin_cert // ""' < $payload)
 token=$(jq -r '.source.token // ""' < $payload)
 token_path=$(jq -r '.params.token_path // ""' < $payload)
+ use_aws_iam_authenticator="$(jq -r '.source.use_aws_iam_authenticator // ""' < "$payload")"
+
 mkdir -p /root/.kube
 ca_path="/root/.kube/ca.pem"
 echo "$cluster_ca" | base64 -d > $ca_path
 kubectl config set-cluster default --server=$cluster_url --certificate-authority=$ca_path
-
 if [ -f "$source/$token_path" ]; then
 kubectl config set-credentials admin --token=$(cat $source/$token_path)
 elif [ ! -z "$token" ]; then
 kubectl config set-credentials admin --token=$token
+ elif [ ! -z "$use_aws_iam_authenticator" ]; then
+ generate_aws_kubeconfig
 else
 key_path="/root/.kube/key.pem"
 cert_path="/root/.kube/cert.pem"
@@ -35,13 +80,11 @@ setup_kubernetes() {
 echo "$admin_cert" | base64 -d > $cert_path
 kubectl config set-credentials admin --client-certificate=$cert_path --client-key=$key_path
 fi
-
 kubectl config set-context default --cluster=default --user=admin
 else
 kubectl config set-cluster default --server=$cluster_url
 kubectl config set-context default --cluster=default
 fi
-
 kubectl config use-context default
 kubectl version
 }
From a7445bb4aebc3bdb9897dc409dde9114f038a1b4 Mon Sep 17 00:00:00 2001
From: Daniel Jensen
Date: Wed, 30 Jan 2019 15:18:28 -0800
Subject: [PATCH 2/5] iam authenticator version should be set via var

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ddbb8b4..4673713 100644
--- a/Dockerfile
+++ b/Dockerfile
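Review bot: The new branch `elif [ ! -z "$use_aws_iam_authenticator" ]; then` is taken for any non-empty value, but `generate_aws_kubeconfig` only does anything when the value is exactly `true`, so a source that sets `use_aws_iam_authenticator: false` alongside `admin_key`/`admin_cert` skips the certificate branch and ends with a context that has no credentials at all — while the README describes the option as "If true". Use the same test the function uses: `elif [ "$use_aws_iam_authenticator" = "true" ]; then`. It is also worth a one-line comment above the branch that `generate_aws_kubeconfig` rewrites `/root/.kube/config` from a flattened view, which is why the `set-cluster` call must stay before the `if` and the `set-context --user=admin` after it; `setup_kubernetes` begins before this hunk, and the second hunk only removes blank lines.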
@@ -6,7 +6,7 @@ RUN apk add --update --upgrade --no-cache jq bash curl
 ARG KUBERNETES_VERSION=1.11.3
 ARG AWS_IAM_AUTHENTICATOR_VERSION=0.3.0
-RUN curl -L -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.3.0/heptio-authenticator-aws_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64 && \
+RUN curl -L -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_IAM_AUTHENTICATOR_VERSION}/heptio-authenticator-aws_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64 && \
 chmod +x /usr/local/bin/aws-iam-authenticator
 RUN curl -L -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl; \
From d562bbb1a240b9eb76d9987f1d3a97ad397e1a13 Mon Sep 17 00:00:00 2001
From: Daniel Jensen
Date: Wed, 30 Jan 2019 15:46:46 -0800
Subject: [PATCH 3/5] fix conflicts

---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4673713..f65a3d4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@
-FROM linkyard/docker-helm:2.11.0
+FROM linkyard/docker-helm:2.12.2
 LABEL maintainer "mario.siegenthaler@linkyard.ch"
 RUN apk add --update --upgrade --no-cache jq bash curl
-ARG KUBERNETES_VERSION=1.11.3
+ARG KUBERNETES_VERSION=1.11.6
 ARG AWS_IAM_AUTHENTICATOR_VERSION=0.3.0
 RUN curl -L -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_IAM_AUTHENTICATOR_VERSION}/heptio-authenticator-aws_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64 && \
From 5c81e786e9bc0d6e4dae46aa8837b40e8c96799c Mon Sep 17 00:00:00 2001
From: Daniel Jensen
Date: Wed, 30 Jan 2019 15:54:38 -0800
Subject: [PATCH 4/5] fix Dockerfile

---
 Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 4360404..42ab71b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,11 @@ LABEL maintainer "mario.siegenthaler@linkyard.ch"
 RUN apk add --update --upgrade --no-cache jq bash curl
 ARG KUBERNETES_VERSION=1.11.6
+ARG AWS_IAM_AUTHENTICATOR_VERSION=0.3.0
+
+RUN curl -L -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v${AWS_IAM_AUTHENTICATOR_VERSION}/heptio-authenticator-aws_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64 && \
+ chmod +x /usr/local/bin/aws-iam-authenticator
+
 RUN curl -L -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl; \
 chmod +x /usr/local/bin/kubectl
From b3c710ebb3b816fab1a0d52dce5222ad0674cf59 Mon Sep 17 00:00:00 2001
From: Daniel Jensen
Date: Thu, 31 Jan 2019 17:26:54 -0800
Subject: [PATCH 5/5] kubectl aws config should not be in output

---
 assets/common.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/assets/common.sh b/assets/common.sh
index 61a503a..217cad4 100644
--- a/assets/common.sh
+++ b/assets/common.sh
@@ -34,7 +34,6 @@ EOF
 kubeconfig_file="/root/.kube/config"
 #kubectl config view --flatten > "$tmpfile"
 KUBECONFIG="$kubeconfig_file:$kubeconfig_file_aws" kubectl config view --flatten > "$tmpfile"
- cat "$tmpfile"
 #remove old user data before merging
 kubectl config unset users
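Review bot: This hunk re-adds the same `ARG AWS_IAM_AUTHENTICATOR_VERSION` / `RUN curl …` / `chmod` lines that PATCH 1 already introduced, and its preimage (`index 4360404..42ab71b`) is not the blob PATCH 3 produced (`..f65a3d4`), so the series as posted does not apply linearly and looks like a rebase artifact; squashing patches 1–4 into one Dockerfile change would make it unambiguous which image is actually built. Whichever copy survives, the download still runs without `--fail` and without any integrity check, so a failed or redirected fetch is silently `chmod +x`'d as the authenticator: change the first line to `RUN curl -fsSL -o /usr/local/bin/aws-iam-authenticator …` and add a `sha256sum -c` against the release's published checksum before the `chmod`. The asset name `heptio-authenticator-aws_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64` looks release-specific, so bumping the version ARG alone may not resolve to an asset, which is one more reason the fetch must fail loudly rather than produce an executable error page.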