Add member function to cluster holding the trust relationship (#866)

* add member function to cluster holding the trust relationship

Signed-off-by: Martin Linkhorst <[email protected]>

* avoid error-returning template functions by calculating values upfront

Signed-off-by: Martin Linkhorst <[email protected]>

* exclude trust relationships for non-ready clusters

Signed-off-by: Martin Linkhorst <[email protected]>

---------

Signed-off-by: Martin Linkhorst <[email protected]>

Author: linki

api/cluster.go

@@ -5,11 +5,14 @@ import (
 	"crypto/sha1"
 	"encoding/base64"
 	"encoding/binary"
+	"encoding/json"
 	"fmt"
 	"sort"
 	"strings"
 
 	"github.com/zalando-incubator/cluster-lifecycle-manager/channel"
+	"github.com/zalando-incubator/cluster-lifecycle-manager/pkg/cluster-registry/models"
+	"github.com/zalando-incubator/cluster-lifecycle-manager/pkg/util"
 )
 
 // A provider ID is a string that identifies a cluster provider.
@@ -42,6 +45,43 @@ type Cluster struct {
 	Status                *ClusterStatus    `json:"status"                 yaml:"status"`
 	Owner                 string            `json:"owner"                  yaml:"owner"`
 	AccountName           string            `json:"account_name"           yaml:"account_name"`
+	// Local fields to hold information about the OIDC provider.
+	AccountClusters                  []*Cluster
+	OIDCProvider                     string
+	IAMRoleTrustRelationshipTemplate string
+}
+
+type AssumeRolePolicyDocument struct {
+	Version   string
+	Statement []Statement
+}
+
+type Statement struct {
+	Effect    string
+	Principal map[string]string
+	Action    string
+	Condition map[string]map[string]string `json:",omitempty"`
+}
+
+func (cluster *Cluster) InitOIDCProvider() error {
+	if cluster.Provider == ZalandoEKSProvider {
+		cluster.OIDCProvider = strings.TrimPrefix(cluster.ConfigItems["eks_oidc_issuer_url"], "https://")
+	} else {
+		hostedZone, err := util.GetHostedZone(cluster.APIServerURL)
+		if err != nil {
+			return fmt.Errorf("error while getting trust relationship for %s: %v", cluster.Alias, err)
+		}
+		cluster.OIDCProvider = fmt.Sprintf("%s.%s", cluster.LocalID, hostedZone)
+	}
+
+	trustRelationship := trustRelationship(cluster.AccountClusters)
+	trustRelationshipJSON, err := json.Marshal(trustRelationship)
+	if err != nil {
+		return fmt.Errorf("error while marshalling trust relationship for %s: %v", cluster.Alias, err)
+	}
+
+	cluster.IAMRoleTrustRelationshipTemplate = string(trustRelationshipJSON)
+	return nil
 }
 
 // Version returns the version derived from a sha1 hash of the cluster struct
@@ -210,3 +250,66 @@ func (cluster Cluster) Name() string {
 	}
 	return cluster.ID
 }
+
+func (cluster Cluster) InfrastructureAccountID() string {
+	return strings.TrimPrefix(cluster.InfrastructureAccount, "aws:")
+}
+
+func (cluster Cluster) WorkerRoleARN() string {
+	return fmt.Sprintf("arn:aws:iam::%s:role/%s-worker", cluster.InfrastructureAccountID(), cluster.LocalID)
+}
+
+func (cluster Cluster) OIDCProviderARN() string {
+	return fmt.Sprintf("arn:aws:iam::%s:oidc-provider/%s", cluster.InfrastructureAccountID(), cluster.OIDCProvider)
+}
+
+func (cluster Cluster) OIDCSubjectKey() string {
+	return fmt.Sprintf("%s:sub", cluster.OIDCProvider)
+}
+
+func trustRelationship(clusters []*Cluster) AssumeRolePolicyDocument {
+	policyDocument := AssumeRolePolicyDocument{
+		Version: "2012-10-17",
+		Statement: []Statement{
+			{
+				Effect: "Allow",
+				Principal: map[string]string{
+					"Service": "ec2.amazonaws.com",
+				},
+				Action: "sts:AssumeRole",
+			},
+		},
+	}
+
+	for _, cluster := range clusters {
+		if cluster.LifecycleStatus == models.ClusterLifecycleStatusReady {
+			policyDocument.Statement = append(policyDocument.Statement, policyStatements(cluster.WorkerRoleARN(), cluster.OIDCProviderARN(), cluster.OIDCSubjectKey())...)
+		}
+	}
+
+	return policyDocument
+}
+
+func policyStatements(workerRole string, identityProvider string, subjectKey string) []Statement {
+	return []Statement{
+		{
+			Effect: "Allow",
+			Principal: map[string]string{
+				"AWS": workerRole,
+			},
+			Action: "sts:AssumeRole",
+		},
+		{
+			Effect: "Allow",
+			Principal: map[string]string{
+				"Federated": identityProvider,
+			},
+			Action: "sts:AssumeRoleWithWebIdentity",
+			Condition: map[string]map[string]string{
+				"StringLike": {
+					subjectKey: "system:serviceaccount:${SERVICE_ACCOUNT}",
+				},
+			},
+		},
+	}
+}

api/cluster_test.go

@@ -8,8 +8,10 @@ import (
 	"testing"
 
 	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/zalando-incubator/cluster-lifecycle-manager/channel"
+	"github.com/zalando-incubator/cluster-lifecycle-manager/pkg/cluster-registry/models"
 )
 
 func fieldNames(value interface{}) ([]string, error) {
@@ -83,7 +85,8 @@ func TestVersion(t *testing.T) {
 	require.NoError(t, err)
 
 	for _, field := range fields {
-		if field == "Alias" || field == "NodePools" || field == "Owner" || field == "AccountName" || field == "Status" {
+		switch field {
+		case "Alias", "NodePools", "Owner", "AccountName", "AccountClusters", "OIDCProvider", "IAMRoleTrustRelationshipTemplate", "Status":
 			continue
 		}
 
@@ -134,3 +137,111 @@ func TestName(t *testing.T) {
 
 	require.Equal(t, cluster.LocalID, cluster.Name())
 }
+
+func TestInfrastructureAccountID(t *testing.T) {
+	cluster := &Cluster{InfrastructureAccount: "aws:123456789012"}
+	assert.Equal(t, "123456789012", cluster.InfrastructureAccountID())
+}
+func TestWorkerRoleARN(t *testing.T) {
+	cluster := &Cluster{InfrastructureAccount: "aws:123456789012", LocalID: "kube-1"}
+	assert.Equal(t, "arn:aws:iam::123456789012:role/kube-1-worker", cluster.WorkerRoleARN())
+}
+
+func TestOIDCProvider(t *testing.T) {
+	cluster := &Cluster{
+		Provider:     ZalandoAWSProvider,
+		LocalID:      "kube-1",
+		APIServerURL: "https://kube-1.example.zalan.do",
+	}
+	err := cluster.InitOIDCProvider()
+	require.NoError(t, err)
+
+	assert.Equal(t, "kube-1.example.zalan.do", cluster.OIDCProvider)
+
+	cluster = &Cluster{
+		Provider: ZalandoEKSProvider,
+		ConfigItems: map[string]string{
+			"eks_oidc_issuer_url": "https://oidc.eks.eu-central-1.amazonaws.com/id/11112222333344445555666677778888",
+		},
+	}
+	err = cluster.InitOIDCProvider()
+	require.NoError(t, err)
+
+	assert.Equal(t, "oidc.eks.eu-central-1.amazonaws.com/id/11112222333344445555666677778888", cluster.OIDCProvider)
+}
+
+func TestOIDCProviderARN(t *testing.T) {
+	cluster := &Cluster{
+		InfrastructureAccount: "aws:123456789012",
+		OIDCProvider:          "kube-1.example.zalan.do",
+	}
+	assert.Equal(t, "arn:aws:iam::123456789012:oidc-provider/kube-1.example.zalan.do", cluster.OIDCProviderARN())
+}
+
+func TestOIDCSubjectKey(t *testing.T) {
+	cluster := &Cluster{OIDCProvider: "kube-1.example.zalan.do"}
+	assert.Equal(t, "kube-1.example.zalan.do:sub", cluster.OIDCSubjectKey())
+}
+
+func TestIAMRoleTrustRelationshipTemplate(t *testing.T) {
+	legacyCluster := &Cluster{
+		Provider:              ZalandoAWSProvider,
+		LocalID:               "kube-1",
+		InfrastructureAccount: "aws:123456789012",
+		APIServerURL:          "https://kube-1.example.zalan.do",
+		LifecycleStatus:       models.ClusterLifecycleStatusReady,
+	}
+	legacyCluster.AccountClusters = []*Cluster{legacyCluster}
+	err := legacyCluster.InitOIDCProvider()
+	require.NoError(t, err)
+
+	legacyTrustRelationship := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/kube-1-worker"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::123456789012:oidc-provider/kube-1.example.zalan.do"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"kube-1.example.zalan.do:sub":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}`
+	assert.Equal(t, legacyTrustRelationship, legacyCluster.IAMRoleTrustRelationshipTemplate)
+
+	eksCluster := &Cluster{
+		Provider:              ZalandoEKSProvider,
+		LocalID:               "teapot-euc1",
+		InfrastructureAccount: "aws:123456789012",
+		ConfigItems: map[string]string{
+			"eks_oidc_issuer_url": "https://oidc.eks.eu-central-1.amazonaws.com/id/11112222333344445555666677778888",
+		},
+		LifecycleStatus: models.ClusterLifecycleStatusReady,
+	}
+	eksCluster.AccountClusters = []*Cluster{eksCluster}
+	err = eksCluster.InitOIDCProvider()
+	require.NoError(t, err)
+
+	eksTrustRelationship := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/teapot-euc1-worker"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::123456789012:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/11112222333344445555666677778888"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"oidc.eks.eu-central-1.amazonaws.com/id/11112222333344445555666677778888:sub":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}`
+	assert.Equal(t, eksTrustRelationship, eksCluster.IAMRoleTrustRelationshipTemplate)
+
+	combinedAccountClusters := []*Cluster{legacyCluster, eksCluster}
+	combinedTrustRelationship := `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/kube-1-worker"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::123456789012:oidc-provider/kube-1.example.zalan.do"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"kube-1.example.zalan.do:sub":"system:serviceaccount:${SERVICE_ACCOUNT}"}}},{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/teapot-euc1-worker"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::123456789012:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/11112222333344445555666677778888"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"oidc.eks.eu-central-1.amazonaws.com/id/11112222333344445555666677778888:sub":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}`
+
+	legacyCluster.AccountClusters = combinedAccountClusters
+	err = legacyCluster.InitOIDCProvider()
+	require.NoError(t, err)
+
+	assert.Equal(t, combinedTrustRelationship, legacyCluster.IAMRoleTrustRelationshipTemplate)
+
+	eksCluster.AccountClusters = combinedAccountClusters
+	err = eksCluster.InitOIDCProvider()
+	require.NoError(t, err)
+
+	assert.Equal(t, combinedTrustRelationship, eksCluster.IAMRoleTrustRelationshipTemplate)
+
+	withDecommissionedClusters := append(combinedAccountClusters, &Cluster{
+		LifecycleStatus: models.ClusterLifecycleStatusDecommissioned,
+	})
+
+	legacyCluster.AccountClusters = withDecommissionedClusters
+	err = legacyCluster.InitOIDCProvider()
+	require.NoError(t, err)
+
+	assert.Equal(t, combinedTrustRelationship, legacyCluster.IAMRoleTrustRelationshipTemplate)
+
+	eksCluster.AccountClusters = withDecommissionedClusters
+	err = eksCluster.InitOIDCProvider()
+	require.NoError(t, err)
+
+	assert.Equal(t, combinedTrustRelationship, eksCluster.IAMRoleTrustRelationshipTemplate)
+}

provisioner/hack.go renamed to pkg/util/hosted_zone.go

@@ -1,21 +1,21 @@
-package provisioner
+package util
 
 import (
 	"fmt"
 	"net/url"
 	"strings"
 )
 
-// getHostedZone gets derrive hosted zone from an APIServerURL.
-func getHostedZone(APIServerURL string) (string, error) {
-	url, err := url.Parse(APIServerURL)
+// GetHostedZone gets the hosted zone from an APIServerURL.
+func GetHostedZone(apiServerURL string) (string, error) {
+	url, err := url.Parse(apiServerURL)
 	if err != nil {
 		return "", err
 	}
 
 	split := strings.Split(url.Host, ".")
 	if len(split) < 2 {
-		return "", fmt.Errorf("can't derive hosted zone from URL %s", APIServerURL)
+		return "", fmt.Errorf("can't derive hosted zone from URL %s", apiServerURL)
 	}
 
 	return strings.Join(split[1:], "."), nil

provisioner/clusterpy.go

@@ -24,6 +24,7 @@ import (
 	"github.com/zalando-incubator/cluster-lifecycle-manager/pkg/decrypter"
 	"github.com/zalando-incubator/cluster-lifecycle-manager/pkg/kubernetes"
 	"github.com/zalando-incubator/cluster-lifecycle-manager/pkg/updatestrategy"
+	"github.com/zalando-incubator/cluster-lifecycle-manager/pkg/util"
 	"github.com/zalando-incubator/cluster-lifecycle-manager/pkg/util/command"
 	"github.com/zalando-incubator/kube-ingress-aws-controller/certs"
 	"golang.org/x/oauth2"
@@ -246,7 +247,7 @@ func (p *clusterpyProvisioner) provision(
 	}
 
 	// TODO: should this be done like this or via a config item?
-	hostedZone, err := getHostedZone(cluster.APIServerURL)
+	hostedZone, err := util.GetHostedZone(cluster.APIServerURL)
 	if err != nil {
 		return err
 	}
@@ -339,6 +340,10 @@ func (p *clusterpyProvisioner) provision(
 		}
 	}
 
+	if err := cluster.InitOIDCProvider(); err != nil {
+		return err
+	}
+
 	// TODO: having it this late means late feedback on invalid manifests
 	manifests, err := renderManifests(
 		channelConfig,

provisioner/template_test.go

@@ -1623,3 +1623,42 @@ func TestClusterName(t *testing.T) {
 		})
 	}
 }
+
+func TestClusterOIDCProvider(t *testing.T) {
+	for _, tc := range []struct {
+		name     string
+		cluster  api.Cluster
+		input    string
+		expected string
+	}{
+		{
+			name: "zalando-aws cluster",
+			cluster: api.Cluster{
+				Provider:     api.ZalandoAWSProvider,
+				LocalID:      "kube-1",
+				APIServerURL: "https://kube-1.example.zalan.do",
+			},
+			expected: "kube-1.example.zalan.do",
+			input:    `{{ .Values.data.cluster.OIDCProvider }}`,
+		},
+		{
+			name: "zalando-eks cluster",
+			cluster: api.Cluster{
+				Provider: api.ZalandoEKSProvider,
+				ConfigItems: map[string]string{
+					"eks_oidc_issuer_url": "https://oidc.eks.eu-central-1.amazonaws.com/id/11112222333344445555666677778888",
+				},
+			},
+			expected: "oidc.eks.eu-central-1.amazonaws.com/id/11112222333344445555666677778888",
+			input:    `{{ .Values.data.cluster.OIDCProvider }}`,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.cluster.InitOIDCProvider()
+			require.NoError(t, err)
+			result, err := renderSingle(t, tc.input, map[string]interface{}{"cluster": tc.cluster})
+			require.NoError(t, err)
+			require.EqualValues(t, tc.expected, result)
+		})
+	}
+}

registry/file.go

@@ -38,6 +38,8 @@ func (r *fileRegistry) ListClusters(_ Filter) ([]*api.Cluster, error) {
 		return nil, err
 	}
 
+	clustersByAccount := map[string][]*api.Cluster{}
+
 	for _, cluster := range fileClusters.Clusters {
 		for _, nodePool := range cluster.NodePools {
 			if nodePool.Profile == "worker-karpenter" && len(nodePool.InstanceTypes) == 0 {
@@ -49,6 +51,13 @@ func (r *fileRegistry) ListClusters(_ Filter) ([]*api.Cluster, error) {
 			}
 			nodePool.InstanceType = nodePool.InstanceTypes[0]
 		}
+		clustersByAccount[cluster.InfrastructureAccount] = append(clustersByAccount[cluster.InfrastructureAccount], cluster)
+	}
+	for _, cluster := range fileClusters.Clusters {
+		cluster.AccountClusters = clustersByAccount[cluster.InfrastructureAccount]
+		if err := cluster.InitOIDCProvider(); err != nil {
+			return nil, err
+		}
 	}
 
 	return fileClusters.Clusters, nil