Try to find and verify existing OIDC providers before we try to create a new one

codablock · Skarlso · commit 99e516ec7380 · 2022-09-29T06:48:37.000+02:00
When moving clusters between management clusters, ControlPlane.Status.OIDCProvider.ARN
is lost. The new management cluster must then pickup the already existing
cluster, as otherwise it tries to create the same provider again and then
fails.
diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -361,6 +361,7 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 		statement = append(statement, iamv1.StatementEntry{
 			Action: iamv1.Actions{
 				"iam:ListOpenIDConnectProviders",
+				"iam:GetOpenIDConnectProvider",
 				"iam:CreateOpenIDConnectProvider",
 				"iam:AddClientIDToOpenIDConnectProvider",
 				"iam:UpdateOpenIDConnectProviderThumbprint",
diff --git a/pkg/cloud/services/eks/iam/iam.go b/pkg/cloud/services/eks/iam/iam.go
@@ -20,6 +20,7 @@ import (
 	"crypto/sha1"
 	"encoding/hex"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/url"
 
@@ -434,6 +435,44 @@ func (s *IAMService) CreateOIDCProvider(cluster *eks.Cluster) (string, error) {
 	return *provider.OpenIDConnectProviderArn, nil
 }
 
+// FindAndVerifyOIDCProvider will try to find an OIDC provider. It will return an error if the found provider does not
+// match the cluster spec.
+func (s *IAMService) FindAndVerifyOIDCProvider(cluster *eks.Cluster) (string, error) {
+	issuerURL, err := url.Parse(*cluster.Identity.Oidc.Issuer)
+	if err != nil {
+		return "", err
+	}
+	if issuerURL.Scheme != "https" {
+		return "", errors.Errorf("invalid scheme for issuer URL %s", issuerURL.String())
+	}
+
+	thumbprint, err := fetchRootCAThumbprint(issuerURL.String())
+	if err != nil {
+		return "", err
+	}
+	output, err := s.IAMClient.ListOpenIDConnectProviders(&iam.ListOpenIDConnectProvidersInput{})
+	if err != nil {
+		return "", errors.Wrap(err, "error listing providers")
+	}
+	for _, r := range output.OpenIDConnectProviderList {
+		provider, err := s.IAMClient.GetOpenIDConnectProvider(&iam.GetOpenIDConnectProviderInput{OpenIDConnectProviderArn: r.Arn})
+		if err != nil {
+			return "", errors.Wrap(err, "error getting provider")
+		}
+		if fmt.Sprintf("https://%s", *provider.Url) != issuerURL.String() {
+			continue
+		}
+		if len(provider.ThumbprintList) != 1 || *provider.ThumbprintList[0] != thumbprint {
+			return "", errors.Wrap(err, "found provider with matching issuerURL but with non-matching thumbprint")
+		}
+		if len(provider.ClientIDList) != 1 || *provider.ClientIDList[0] != stsAWSAudience {
+			return "", errors.Wrap(err, "found provider with matching issuerURL but with non-matching clientID")
+		}
+		return *r.Arn, nil
+	}
+	return "", nil
+}
+
 func fetchRootCAThumbprint(issuerURL string) (string, error) {
 	response, err := http.Get(issuerURL)
 	if err != nil {
diff --git a/pkg/cloud/services/eks/oidc.go b/pkg/cloud/services/eks/oidc.go
@@ -52,10 +52,18 @@ func (s *Service) reconcileOIDCProvider(cluster *eks.Cluster) error {
 	}
 
 	s.scope.Info("Reconciling EKS OIDC Provider", "cluster-name", cluster.Name)
-	oidcProvider, err := s.CreateOIDCProvider(cluster)
+
+	oidcProvider, err := s.FindAndVerifyOIDCProvider(cluster)
 	if err != nil {
-		return errors.Wrap(err, "failed to create OIDC provider")
+		return errors.Wrap(err, "failed to reconcile OIDC provider")
+	}
+	if oidcProvider == "" {
+		oidcProvider, err = s.CreateOIDCProvider(cluster)
+		if err != nil {
+			return errors.Wrap(err, "failed to create OIDC provider")
+		}
 	}
+
 	s.scope.ControlPlane.Status.OIDCProvider.ARN = oidcProvider
 
 	policy, err := converters.IAMPolicyDocumentToJSON(s.buildOIDCTrustPolicy())
