Skip to content

Commit 7acf4c3

Browse files
AmitSahastraAmitSahastra
committed
Get ca from kubeconfig
1 parent 03750a9 commit 7acf4c3

File tree

1 file changed

+33
-27
lines changed

1 file changed

+33
-27
lines changed

bootstrap/eks/controllers/eksconfig_controller.go

Lines changed: 33 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -20,19 +20,18 @@ package controllers
2020
import (
2121
"bytes"
2222
"context"
23+
"encoding/base64"
2324
"fmt"
2425
"os"
2526
"time"
2627

27-
"github.com/aws/aws-sdk-go/aws"
28-
"github.com/aws/aws-sdk-go/aws/session"
29-
"github.com/aws/aws-sdk-go/service/eks"
3028
"github.com/pkg/errors"
3129
corev1 "k8s.io/api/core/v1"
3230
apierrors "k8s.io/apimachinery/pkg/api/errors"
3331
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
3432
"k8s.io/apimachinery/pkg/runtime"
3533
"k8s.io/apimachinery/pkg/types"
34+
"k8s.io/client-go/tools/clientcmd"
3635
"k8s.io/klog/v2"
3736
"k8s.io/utils/ptr"
3837
ctrl "sigs.k8s.io/controller-runtime"
@@ -45,14 +44,15 @@ import (
4544
"sigs.k8s.io/cluster-api-provider-aws/v2/bootstrap/eks/internal/userdata"
4645
ekscontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/eks/api/v1beta2"
4746
expinfrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2"
47+
"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
4848
"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/logger"
4949
"sigs.k8s.io/cluster-api-provider-aws/v2/util/paused"
5050
clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
5151
bsutil "sigs.k8s.io/cluster-api/bootstrap/util"
5252
expclusterv1 "sigs.k8s.io/cluster-api/exp/api/v1beta1"
53-
"sigs.k8s.io/cluster-api/feature"
5453
"sigs.k8s.io/cluster-api/util"
5554
"sigs.k8s.io/cluster-api/util/conditions"
55+
kubeconfigutil "sigs.k8s.io/cluster-api/util/kubeconfig"
5656
"sigs.k8s.io/cluster-api/util/patch"
5757
"sigs.k8s.io/cluster-api/util/predicates"
5858
)
@@ -323,36 +323,22 @@ func (r *EKSConfigReconciler) joinWorker(ctx context.Context, cluster *clusterv1
323323
log.Info("Using mock CA certificate for test environment")
324324
nodeInput.CACert = "mock-ca-certificate-for-testing"
325325
} else {
326-
// Fetch CA cert from EKS API
327-
sess, err := session.NewSession(&aws.Config{Region: aws.String(controlPlane.Spec.Region)})
328-
if err != nil {
329-
log.Error(err, "Failed to create AWS session for EKS API")
330-
conditions.MarkFalse(config, eksbootstrapv1.DataSecretAvailableCondition,
331-
eksbootstrapv1.DataSecretGenerationFailedReason,
332-
clusterv1.ConditionSeverityWarning,
333-
"Failed to create AWS session: %v", err)
334-
return ctrl.Result{}, err
326+
// Fetch CA cert from KubeConfig secret
327+
// We already have the cluster object passed to this function
328+
obj := client.ObjectKey{
329+
Namespace: cluster.Namespace,
330+
Name: cluster.Name,
335331
}
336-
eksClient := eks.New(sess)
337-
describeInput := &eks.DescribeClusterInput{Name: aws.String(controlPlane.Spec.EKSClusterName)}
338-
clusterOut, err := eksClient.DescribeCluster(describeInput)
332+
ca, err := extractCAFromSecret(ctx, r.Client, obj)
339333
if err != nil {
340-
log.Error(err, "Failed to describe EKS cluster for CA cert fetch")
334+
log.Error(err, "Failed to extract CA from kubeconfig secret")
341335
conditions.MarkFalse(config, eksbootstrapv1.DataSecretAvailableCondition,
342336
eksbootstrapv1.DataSecretGenerationFailedReason,
343337
clusterv1.ConditionSeverityWarning,
344-
"Failed to describe EKS cluster: %v", err)
338+
"Failed to extract CA from kubeconfig secret: %v", err)
345339
return ctrl.Result{}, err
346-
} else if clusterOut.Cluster != nil && clusterOut.Cluster.CertificateAuthority != nil && clusterOut.Cluster.CertificateAuthority.Data != nil {
347-
nodeInput.CACert = *clusterOut.Cluster.CertificateAuthority.Data
348-
} else {
349-
log.Error(nil, "CA certificate not found in EKS cluster response")
350-
conditions.MarkFalse(config, eksbootstrapv1.DataSecretAvailableCondition,
351-
eksbootstrapv1.DataSecretGenerationFailedReason,
352-
clusterv1.ConditionSeverityWarning,
353-
"CA certificate not found in EKS cluster response")
354-
return ctrl.Result{}, fmt.Errorf("CA certificate not found in EKS cluster response")
355340
}
341+
nodeInput.CACert = ca
356342
}
357343

358344
// Get AMI ID from AWSManagedMachinePool's launch template if specified
@@ -581,3 +567,23 @@ func (r *EKSConfigReconciler) updateBootstrapSecret(ctx context.Context, secret
581567
}
582568
return false, nil
583569
}
570+
571+
func extractCAFromSecret(ctx context.Context, c client.Client, obj client.ObjectKey) (string, error) {
572+
data, err := kubeconfigutil.FromSecret(ctx, c, obj)
573+
if err != nil {
574+
return "", errors.Wrapf(err, "failed to get kubeconfig secret %s", obj.Name)
575+
}
576+
config, err := clientcmd.Load(data)
577+
if err != nil {
578+
return "", errors.Wrapf(err, "failed to parse kubeconfig data from secret %s", obj.Name)
579+
}
580+
581+
// Iterate through all clusters in the kubeconfig and use the first one with CA data
582+
for _, cluster := range config.Clusters {
583+
if len(cluster.CertificateAuthorityData) > 0 {
584+
return base64.StdEncoding.EncodeToString(cluster.CertificateAuthorityData), nil
585+
}
586+
}
587+
588+
return "", fmt.Errorf("no cluster with CA data found in kubeconfig")
589+
}

0 commit comments

Comments
 (0)