✨ Add AWS IAM support #677
Conversation
suvaanshkumar
force-pushed
the
aws-irsa
branch
from
8bc341b to
21e55ff
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #677 +/- ##
==========================================
- Coverage 63.72% 63.37% -0.35%
==========================================
Files 182 185 +3
Lines 17611 17765 +154
==========================================
+ Hits 11222 11258 +36
- Misses 5460 5576 +116
- Partials 929 931 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
@dtclxy64 @suvaanshkumar could you please take a look at the merge conflict and rebase? I think you could try deleting the following, based on the PR #658 |
|
@dtclxy64 thanks for the rebase. It's now failing at the DCO check and |
suvaanshkumar
force-pushed
the
aws-irsa
branch
7 times, most recently
from
28a0f25 to
3838d5e
Compare
|
All the PR checks seem to be ok now. Great job @dtclxy64 and @suvaanshkumar /assign @qiujian16 |
Signed-off-by: EmilyL <[email protected]>
| @@ -74,6 +76,10 @@ func (o *SpokeAgentOptions) AddFlags(fs *pflag.FlagSet) { | |||
| "the value of --cluster-signing-duration command-line flag of the kube-controller-manager will be used.") | |||
| fs.StringToStringVar(&o.ClusterAnnotations, "cluster-annotations", o.ClusterAnnotations, `the annotations with the reserve | |||
| prefix "agent.open-cluster-management.io" set on ManagedCluster when creating only, other actors can update it afterwards.`) | |||
| fs.StringVar(&o.RegistrationAuth, "registration-auth", o.RegistrationAuth, | |||
There was a problem hiding this comment.
I think we should have a drivers Options and we just need to AddFlags here?
There was a problem hiding this comment.
@qiujian16 We are currently using the registration-auth flag to determine the type of registerDriver to set up. See lines 199-202 in pkg/registration/spoke/spokeagent.go.
Are you suggesting that we should add another flag to capture the type of the registration driver as well?
There was a problem hiding this comment.
the flag name is fine. I think you could put all these flags adding func to the register directory with a new Option struct. And the code here just to call driverOptions.AddFlags(fs), but this is not outstanding. We could do code restructure as a followup.
| ) | ||
|
|
||
| const ( | ||
| // TLSKeyFile is the name of tls key file in kubeconfigSecret |
There was a problem hiding this comment.
nit you would not need these files. This are only for mtls
There was a problem hiding this comment.
These constants are currently referenced by the BuildKubeConfigFromTemplate function in the aws-irso.go, the implementation is just a placeholder for now, so we'll remove these constants in one of the upcoming PRs once we have the function fully implemented for the AWSIRSADriver.
There was a problem hiding this comment.
Add a //TODO here so we do not forget to remove these later.
| @@ -421,6 +421,9 @@ type TestCert struct { | |||
| Key []byte | |||
| } | |||
|
|
|||
| type TestIrsaRequest struct { | |||
| } | |||
There was a problem hiding this comment.
might add some TODO or comment here, I am not quite sure why this is added.
There was a problem hiding this comment.
We are using the struct in aws_irsa_test.go on lines 38 and 64, which is setting up a test irsa driver for each test case.
There was a problem hiding this comment.
I see, I think we could add a //TODO here so we will not forget the followup task later :)
| @@ -158,3 +159,12 @@ func IsCSRSupported(nativeClient kubernetes.Interface) (bool, bool, error) { | |||
| } | |||
| return v1CSRSupported, v1beta1CSRSupported, nil | |||
| } | |||
|
|
|||
| func IsEksArnWellFormed(eksArn string) bool { | |||
There was a problem hiding this comment.
add some comment for this func, it will be easier to understand what is the format for the arn.
pkg/registration/spoke/spokeagent.go
Outdated
| @@ -54,7 +59,8 @@ type SpokeAgentConfig struct { | |||
|
|
|||
| internalHubConfigValidFunc wait.ConditionWithContextFunc | |||
|
|
|||
| hubKubeConfigChecker *hubKubeConfigHealthChecker | |||
| hubKubeConfigChecker *hubKubeConfigHealthChecker | |||
| bootstrapKubeconfigEventHandler *bootstrapKubeconfigEventHandler | |||
There was a problem hiding this comment.
why this is added? I did not see where it is used
There was a problem hiding this comment.
We got the change from the main branch which was introduced as part of PR #630, but we see in the latest main branch, it's no longer used. We removed it to match the main branch as requested.
…d from the NewSpokeAgentConfig function based on code review comments. Signed-off-by: Suvaansh <[email protected]>
…mple EKS ARN. Signed-off-by: Suvaansh <[email protected]> Signed-off-by: Emily Li <[email protected]>
suvaanshkumar
force-pushed
the
aws-irsa
branch
from
375462f to
2e2bd19
Compare
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: qiujian16, suvaanshkumar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit 67b4f1a
into
open-cluster-management-io:main
Summary
The PR adds changes for AWS IAM based authentication support for Open Cluster Management (OCM) for Amazon EKS clusters. This change updates the Klusterletconfig object by adding the registration driver for awsirsa when the value of registration-auth flag is set as awsirsa from clusteradm join command.
Related issue(s)
Fixes #