+ Added fargate profile mapping to hard-coded IGNORED_CM_IDENTITIES

pfrejlich · pfrejlich · commit 415700e5d3b1 · 2023-03-14T13:13:28.000+02:00
+ Fixed incorrect dictionary access (failed some tests)
- Removed IGNORED_CM_IDENTITIES env variable from the auth-operator spec
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -17,7 +17,7 @@ repos:
       - id: pretty-format-json
       - id: trailing-whitespace
 -   repo: https://github.com/psf/black
-    rev: 21.5b2
+    rev: "23.1.0"
     hooks:
       - id: black
 -   repo: https://github.com/pre-commit/mirrors-mypy
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -0,0 +1,16 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Python: Current File",
+      "type": "python",
+      "request": "launch",
+      "program": "${file}",
+      "console": "integratedTerminal",
+      "justMyCode": true,
+      "env": {
+        "_PYTEST_RAISE": "1"
+      }
+    }
+  ]
+}
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,7 @@
+{
+    "python.testing.pytestArgs": [
+        "tests"
+    ],
+    "python.testing.unittestEnabled": false,
+    "python.testing.pytestEnabled": true
+}
diff --git a/conftest.py b/conftest.py
@@ -0,0 +1,18 @@
+import sys
+import pytest
+
+def is_debugging():
+    if 'debugpy' in sys.modules:
+        return True
+    return False
+
+
+# enable_stop_on_exceptions if the debugger is running during a test
+if is_debugging():
+    @pytest.hookimpl(tryfirst=True)
+    def pytest_exception_interact(call):
+        raise call.excinfo.value
+
+    @pytest.hookimpl(tryfirst=True)
+    def pytest_internalerror(excinfo):
+        raise excinfo.value
diff --git a/kubernetes/auth-operator.yaml b/kubernetes/auth-operator.yaml
@@ -29,9 +29,6 @@ spec:
           image: dcodetech/aws_auth_eks_crd:1.1.8
           imagePullPolicy: IfNotPresent
           name: operator
-          env:
-            - name: IGNORED_CM_IDENTITIES
-              value: "system:node:{{SessionName}},system:node:{{EC2PrivateDNSName}}"
           ports:
           - containerPort: 8080
             protocol: TCP
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -28,6 +28,9 @@ pytest-cov = "^2.12.1"
 PyYAML = "^5.4.1"
 vulture = "^2.3"
 
+[tool.poetry.group.dev.dependencies]
+autopep8 = "^2.0.2"
+
 [tool.pylint]
 [tool.pylint.message_control]
 disable = [
diff --git a/src/kubernetes_operator/iam_mapping.py b/src/kubernetes_operator/iam_mapping.py
@@ -34,8 +34,8 @@
 # Allow some mappings in the aws-auth ConfigMap to exist without being defined
 # in a IamIdentityMapping object.
 IGNORED_CM_IDENTITIES = [
-    # EKS worker nodes
-    # "system:node:{{EC2PrivateDNSName}}",
+    # Fargate profile mapping
+    "system:node:{{SessionName}}",
 ]
 
 
@@ -49,7 +49,7 @@ async def update_mapping(old, new, diff, **_) -> None:
     await delete_mapping(old["spec"])
     await create_mapping(new["spec"], diff)
 
-# @kopf.on.update(GROUP, VERSION, PLURAL)
+
 @kopf.on.create(GROUP, VERSION, PLURAL)
 async def create_mapping(spec: dict, diff: list, **_) -> None:
     """Create/update an identity mapping in the aws-auth configmap with the corresponding IamIdentityMapping.
@@ -223,11 +223,11 @@ def ensure_identity(identity: dict, identity_list: list) -> list:
 
     for i, existing_identity in enumerate(identity_list):
         # Handle existing identity
-        if "rolearn" in existing_identity and existing_identity["rolearn"] == identity["rolearn"]:
+        if "rolearn" in existing_identity and existing_identity.get("rolearn") == identity.get("rolearn"):
             identity_list[i] = identity
             return identity_list
-        
-        if "userarn" in existing_identity and existing_identity["userarn"] == identity["userarn"]:
+
+        if "userarn" in existing_identity and existing_identity.get("userarn") == identity.get("userarn"):
             identity_list[i] = identity
             return identity_list
 
@@ -245,11 +245,11 @@ def delete_identity(identity: dict, identity_list: list) -> list:
     """
 
     for i, existing_user in enumerate(identity_list):
-        if "rolearn" in existing_user and existing_user["rolearn"] == identity["rolearn"]:
+        if "rolearn" in existing_user and existing_user.get("rolearn") == identity.get("rolearn"):
             del identity_list[i]
             return identity_list
 
-        if "userarn" in existing_user and existing_user["userarn"] == identity["userarn"]:
+        if "userarn" in existing_user and existing_user.get("userarn") == identity.get("userarn"):
             del identity_list[i]
             return identity_list
 
diff --git a/tests/kubernetes_operator/test_iam_mapping.py b/tests/kubernetes_operator/test_iam_mapping.py
@@ -32,7 +32,13 @@
     "userarn": "arn:aws:iam::000000000000:role/dev-infra-us-east-000000000000000000000000000",
     "username": "system:node:{{EC2PrivateDNSName}}",
 }
+SPEC_FARGATE_PROFILE_ROLE_TO_IGNORE = {
+    "groups": ["system:bootstrappers", "system:nodes"],
+    "rolearn": "arn:aws:iam::000000000000:role/dev-infra-us-east-000000000000000000000000000",
+    "username": "system:node:{{SessionName}}",
+}
 
+EMPTY_DATA = {"mapRoles": yaml.safe_dump([]), "mapUsers": yaml.safe_dump([])}
 DATA = {"mapRoles": yaml.safe_dump([SPEC_CSEC_ADMIN]), "mapUsers": yaml.safe_dump([SPEC_USER_JOHNDOE])}
 DATA_MISSING_MAPUSERS = {"mapRoles": yaml.safe_dump([SPEC_CSEC_ADMIN])}
 DATA_MISSING_MAPROLES = {"mapUsers": yaml.safe_dump([SPEC_USER_JOHNDOE])}
@@ -185,9 +191,12 @@ def test_check_synchronization_no_diff(api_client, custom_objects_api):
     custom_objects_api.list_cluster_custom_object.assert_called_with(GROUP, VERSION, PLURAL)
 
 
+@patch.dict(
+    environ, {"IGNORED_CM_IDENTITIES": f"{SPEC_USER_SYSTEM_NODE_TO_IGNORE.get('username')}"}
+)
 def test_check_synchronization_no_diff_with_ignored_identity(api_client, custom_objects_api):
     data = {
-        "mapRoles": yaml.safe_dump([SPEC_CSEC_ADMIN, SPEC_USER_SYSTEM_NODE_TO_IGNORE]),
+        "mapRoles": yaml.safe_dump([SPEC_CSEC_ADMIN, SPEC_USER_SYSTEM_NODE_TO_IGNORE, SPEC_FARGATE_PROFILE_ROLE_TO_IGNORE]),
         "mapUsers": yaml.safe_dump([SPEC_USER_JOHNDOE]),
     }
     configmap_with_ignore_mapping = client.V1ConfigMap(
@@ -201,7 +210,8 @@ def test_check_synchronization_no_diff_with_ignored_identity(api_client, custom_
 
 
 @patch.dict(
-    environ, {"IGNORED_CM_IDENTITIES": f"{SPEC_USER_MARK.get('username')},{SPEC_CSEC_MAINTENANCE.get('username')}"}
+    environ, {
+        "IGNORED_CM_IDENTITIES": f"{SPEC_USER_MARK.get('username')},{SPEC_CSEC_MAINTENANCE.get('username')},{SPEC_USER_SYSTEM_NODE_TO_IGNORE.get('username')}"}
 )
 def test_check_synchronization_no_diff_with_ignored_identity_env(api_client, custom_objects_api):
     data = {
