package aws
import (
"context"
"fmt"
"log"
"gopkg.in/yaml.v3"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
)
// RoleMapping is one entry of the mapRoles list in the aws-auth ConfigMap.
// Each entry binds an IAM role to a Kubernetes identity; the yaml tags match
// the key names used by the ConfigMap document.
type RoleMapping struct {
	// RoleArn is the ARN of the IAM role being mapped. It is the key used to
	// decide whether a mapping already exists or should be removed.
	RoleArn string `yaml:"rolearn"`
	// Username is the Kubernetes user name assigned to callers assuming the role.
	Username string `yaml:"username"`
	// Groups are the Kubernetes group names assigned to callers assuming the role;
	// these are what RBAC bindings ultimately authorize.
	Groups []string `yaml:"groups"`
}
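// Location of the EKS identity-mapping ConfigMap and the key holding the
// mapRoles YAML document. Edits to this document change who can authenticate
// to the cluster, so both functions below only ever rewrite that single key.
const (
	awsAuthNamespace     = "kube-system"
	awsAuthConfigMapName = "aws-auth"
	awsAuthMapRolesKey   = "mapRoles"
)

// decodeMapRoles parses the mapRoles document out of a ConfigMap's Data.
//
// It returns present=false (and a nil slice) when the key is absent; a nil
// Data map is treated the same way. A parse failure is returned wrapped so
// callers do not overwrite a document they could not read.
func decodeMapRoles(data map[string]string) (roles []RoleMapping, present bool, err error) {
	raw, present := data[awsAuthMapRolesKey]
	if !present {
		return nil, false, nil
	}
	if err := yaml.Unmarshal([]byte(raw), &roles); err != nil {
		return nil, false, fmt.Errorf("failed to parse mapRoles: %w", err)
	}
	return roles, true, nil
}

// sameGroups reports whether two group lists are equal element by element.
// Order is treated as significant; it is only used to detect drift for logging.
func sameGroups(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// EnsureAwsAuthRole appends roleMapping to the mapRoles list of the aws-auth
// ConfigMap in kube-system unless an entry with the same RoleArn is already
// present.
//
// An existing entry is never modified: if it carries a different username or
// group set than the requested mapping, the drift is logged and the call still
// returns nil, so the caller must reconcile such entries explicitly. A mapping
// with an empty RoleArn is rejected, since it could never be matched or removed
// later. The ConfigMap is read and then written back with the resourceVersion
// obtained by Get, so a concurrent writer results in a Conflict error from the
// API server rather than a silently lost update; callers that may race should
// retry on that error.
//
// It returns a wrapped error when the ConfigMap cannot be fetched, its mapRoles
// document cannot be parsed or re-encoded, or the update is rejected.
func EnsureAwsAuthRole(ctx context.Context, clientset kubernetes.Interface, roleMapping RoleMapping) error {
	if roleMapping.RoleArn == "" {
		return fmt.Errorf("aws-auth role mapping must have a non-empty rolearn")
	}
	cm, err := clientset.CoreV1().ConfigMaps(awsAuthNamespace).Get(ctx, awsAuthConfigMapName, metav1.GetOptions{})
	if err != nil {
		return fmt.Errorf("failed to get aws-auth ConfigMap: %w", err)
	}
	roles, _, err := decodeMapRoles(cm.Data)
	if err != nil {
		return err
	}
	for _, existing := range roles {
		if existing.RoleArn != roleMapping.RoleArn {
			continue
		}
		// Same ARN already mapped: leave it alone, but make drift visible so a
		// privilege mismatch is not hidden behind "already exists".
		if existing.Username != roleMapping.Username || !sameGroups(existing.Groups, roleMapping.Groups) {
			log.Printf("Role %s already exists in aws-auth ConfigMap with username=%q groups=%v (requested username=%q groups=%v); leaving existing mapping unchanged.",
				roleMapping.RoleArn, existing.Username, existing.Groups, roleMapping.Username, roleMapping.Groups)
		} else {
			log.Printf("Role %s already exists in aws-auth ConfigMap.", roleMapping.RoleArn)
		}
		return nil
	}
	roles = append(roles, roleMapping)
	updated, err := yaml.Marshal(roles)
	if err != nil {
		return fmt.Errorf("failed to marshal updated mapRoles: %w", err)
	}
	// A ConfigMap with no data at all has a nil Data map; writing to it would panic.
	if cm.Data == nil {
		cm.Data = make(map[string]string, 1)
	}
	cm.Data[awsAuthMapRolesKey] = string(updated)
	if _, err := clientset.CoreV1().ConfigMaps(awsAuthNamespace).Update(ctx, cm, metav1.UpdateOptions{}); err != nil {
		return fmt.Errorf("failed to update aws-auth ConfigMap: %w", err)
	}
	log.Printf("Added role %s to aws-auth ConfigMap.", roleMapping.RoleArn)
	return nil
}

// RemoveAwsAuthRole deletes every mapRoles entry whose RoleArn equals roleArn
// from the aws-auth ConfigMap in kube-system, revoking the cluster identity
// that those entries granted.
//
// It is a no-op (returning nil) when the ConfigMap has no mapRoles key or no
// entry matches. As with EnsureAwsAuthRole, the write carries the
// resourceVersion from the preceding Get, so a concurrent modification surfaces
// as a Conflict error that the caller may retry.
//
// It returns a wrapped error when the ConfigMap cannot be fetched, its mapRoles
// document cannot be parsed or re-encoded, or the update is rejected.
func RemoveAwsAuthRole(ctx context.Context, clientset kubernetes.Interface, roleArn string) error {
	cm, err := clientset.CoreV1().ConfigMaps(awsAuthNamespace).Get(ctx, awsAuthConfigMapName, metav1.GetOptions{})
	if err != nil {
		return fmt.Errorf("failed to get aws-auth ConfigMap: %w", err)
	}
	roles, present, err := decodeMapRoles(cm.Data)
	if err != nil {
		return err
	}
	if !present {
		log.Printf("No mapRoles found in aws-auth ConfigMap, skipping role removal.")
		return nil
	}
	kept := make([]RoleMapping, 0, len(roles))
	removed := 0
	for _, role := range roles {
		if role.RoleArn == roleArn {
			removed++
			continue
		}
		kept = append(kept, role)
	}
	if removed == 0 {
		log.Printf("Role %s not found in aws-auth ConfigMap, skipping removal.", roleArn)
		return nil
	}
	updated, err := yaml.Marshal(kept)
	if err != nil {
		return fmt.Errorf("failed to marshal updated mapRoles: %w", err)
	}
	cm.Data[awsAuthMapRolesKey] = string(updated)
	if _, err := clientset.CoreV1().ConfigMaps(awsAuthNamespace).Update(ctx, cm, metav1.UpdateOptions{}); err != nil {
		return fmt.Errorf("failed to update aws-auth ConfigMap: %w", err)
	}
	log.Printf("Removed role %s from aws-auth ConfigMap.", roleArn)
	return nil
}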