
Commit 99e516e

codablockSkarlso
authored and committed
Try to find and verify existing OIDC providers before we try to create a new one
When moving clusters between management clusters, ControlPlane.Status.OIDCProvider.ARN is lost. The new management cluster must then pick up the already existing provider, as otherwise it tries to create the same provider again and then fails.
1 parent 13c0c2e commit 99e516e

3 files changed

+50
-2
lines changed


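--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -361,6 +361,7 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 statement = append(statement, iamv1.StatementEntry{
 Action: iamv1.Actions{
 "iam:ListOpenIDConnectProviders",
+"iam:GetOpenIDConnectProvider",
 "iam:CreateOpenIDConnectProvider",
 "iam:AddClientIDToOpenIDConnectProvider",
 "iam:UpdateOpenIDConnectProviderThumbprint",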
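Review bot: The added `iam:GetOpenIDConnectProvider` action is exercised by the companion lookup in iam.go against every OIDC provider in the account, not only the cluster's own, so the Resource element of this statement (outside the hunk) cannot be narrowed to the EKS provider ARN pattern without breaking that lookup. If the lookup is later changed to skip ARNs whose suffix does not match the issuer host/path before calling Get, this permission could presumably be scoped to `arn:*:iam::*:oidc-provider/oidc.eks.*`, which is the least-privilege shape a bootstrap policy should aim for. A short why-comment would help the next reader, e.g. `// GetOpenIDConnectProvider: used by FindAndVerifyOIDCProvider to match an existing provider's URL, thumbprint and client ID before creating one.` The enclosing statement and ControllersPolicyEKS continue outside the hunk.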

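--- a/pkg/cloud/services/eks/iam/iam.go
+++ b/pkg/cloud/services/eks/iam/iam.go
@@ -20,6 +20,7 @@ import (
 "crypto/sha1"
 "encoding/hex"
 "encoding/json"
+"fmt"
 "net/http"
 "net/url"
 
@@ -434,6 +435,44 @@ func (s *IAMService) CreateOIDCProvider(cluster *eks.Cluster) (string, error) {
 return *provider.OpenIDConnectProviderArn, nil
 }
 
+// FindAndVerifyOIDCProvider will try to find an OIDC provider. It will return an error if the found provider does not
+// match the cluster spec.
+func (s *IAMService) FindAndVerifyOIDCProvider(cluster *eks.Cluster) (string, error) {
+issuerURL, err := url.Parse(*cluster.Identity.Oidc.Issuer)
+if err != nil {
+return "", err
+}
+if issuerURL.Scheme != "https" {
+return "", errors.Errorf("invalid scheme for issuer URL %s", issuerURL.String())
+}
+
+thumbprint, err := fetchRootCAThumbprint(issuerURL.String())
+if err != nil {
+return "", err
+}
+output, err := s.IAMClient.ListOpenIDConnectProviders(&iam.ListOpenIDConnectProvidersInput{})
+if err != nil {
+return "", errors.Wrap(err, "error listing providers")
+}
+for _, r := range output.OpenIDConnectProviderList {
+provider, err := s.IAMClient.GetOpenIDConnectProvider(&iam.GetOpenIDConnectProviderInput{OpenIDConnectProviderArn: r.Arn})
+if err != nil {
+return "", errors.Wrap(err, "error getting provider")
+}
+if fmt.Sprintf("https://%s", *provider.Url) != issuerURL.String() {
+continue
+}
+if len(provider.ThumbprintList) != 1 || *provider.ThumbprintList[0] != thumbprint {
+return "", errors.Wrap(err, "found provider with matching issuerURL but with non-matching thumbprint")
+}
+if len(provider.ClientIDList) != 1 || *provider.ClientIDList[0] != stsAWSAudience {
+return "", errors.Wrap(err, "found provider with matching issuerURL but with non-matching clientID")
+}
+return *r.Arn, nil
+}
+return "", nil
+}
+
 func fetchRootCAThumbprint(issuerURL string) (string, error) {
 response, err := http.Get(issuerURL)
 if err != nil {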
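Review bot: The two verification failures in FindAndVerifyOIDCProvider never produce an error: at the thumbprint and clientID checks `err` is nil (GetOpenIDConnectProvider just succeeded), and the `errors` package used here exposes Wrap/Errorf, i.e. pkg/errors, whose Wrap returns nil when given a nil error, so both branches return `"", nil` and the caller falls through to CreateOIDCProvider as if nothing had been found. That silently discards exactly the signal this check exists to surface — a provider for this cluster's issuer whose trust anchor or audience is not what we expect — and the subsequent create presumably fails with an EntityAlreadyExists-style error that hides the real cause; replace the two returns with `return "", errors.New("found provider with matching issuerURL but with non-matching thumbprint")` and `return "", errors.New("found provider with matching issuerURL but with non-matching clientID")`. Two smaller points: if IAM normalizes thumbprint hex case on return (not verifiable here) the strict `!=` against fetchRootCAThumbprint's output could spuriously mismatch, so `strings.EqualFold` would be the safer comparison; and since the provider ARN ends in the issuer host/path, skipping ARNs that do not end in `issuerURL.Host + issuerURL.Path` before calling Get would avoid one API call per unrelated provider in the account. fetchRootCAThumbprint's body continues outside the hunk.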

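--- a/pkg/cloud/services/eks/oidc.go
+++ b/pkg/cloud/services/eks/oidc.go
@@ -52,10 +52,18 @@ func (s *Service) reconcileOIDCProvider(cluster *eks.Cluster) error {
 }
 
 s.scope.Info("Reconciling EKS OIDC Provider", "cluster-name", cluster.Name)
-oidcProvider, err := s.CreateOIDCProvider(cluster)
+
+oidcProvider, err := s.FindAndVerifyOIDCProvider(cluster)
 if err != nil {
-return errors.Wrap(err, "failed to create OIDC provider")
+return errors.Wrap(err, "failed to reconcile OIDC provider")
+}
+if oidcProvider == "" {
+oidcProvider, err = s.CreateOIDCProvider(cluster)
+if err != nil {
+return errors.Wrap(err, "failed to create OIDC provider")
+}
 }
+
 s.scope.ControlPlane.Status.OIDCProvider.ARN = oidcProvider
 
 policy, err := converters.IAMPolicyDocumentToJSON(s.buildOIDCTrustPolicy())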
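Review bot: The wrap message `failed to reconcile OIDC provider` on the FindAndVerifyOIDCProvider error is as generic as the function it sits in, while the create branch right below says `failed to create OIDC provider`; a lookup-specific message such as `return errors.Wrap(err, "failed to look up existing OIDC provider")` lets an operator tell a discovery failure (root CA fetch, ListOpenIDConnectProviders, thumbprint or clientID mismatch) apart from a create failure in the logs. Note also that the lookup now runs every time reconciliation reaches this point, doing an HTTPS fetch of the issuer's root CA plus one GetOpenIDConnectProvider call per provider in the account; whether the guard closed by the `}` at the top of the hunk already short-circuits when Status.OIDCProvider.ARN is set is not visible here, and if it does not, checking the stored ARN before calling FindAndVerifyOIDCProvider would avoid that cost. reconcileOIDCProvider starts and ends outside the hunk.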
