Merge pull request #616 from nnmin-aws/nnmin-rel5

cherry pick and release 0.5.18
kubernetes-sigs · Jul 27, 2023 · bc5c5cd · bc5c5cd
2 parents d444267 + 6d691f0
commit bc5c5cd
Show file tree

Hide file tree

Showing 21 changed files with 716 additions and 262 deletions.
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -0,0 +1,30 @@
+# Github Action to create a release with goreleaser
+name: Create Release
+on:
+  workflow_dispatch:
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v3
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
@@ -17,12 +17,14 @@ ARG golang_image=public.ecr.aws/eks-distro-build-tooling/golang:1.19-gcc
 FROM --platform=$BUILDPLATFORM $golang_image AS builder
 WORKDIR /go/src/github.com/kubernetes-sigs/aws-iam-authenticator
 COPY . .
+RUN go mod download
+ARG TARGETOS TARGETARCH
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH make bin
 RUN chown 65532 _output/bin/aws-iam-authenticator
 
-FROM public.ecr.aws/eks-distro/kubernetes/go-runner:v0.9.0-eks-1-21-4 as go-runner
+FROM --platform=$TARGETPLATFORM public.ecr.aws/eks-distro/kubernetes/go-runner:v0.9.0-eks-1-21-4 as go-runner
 
-FROM $image
+FROM --platform=$TARGETPLATFORM $image
 COPY --from=go-runner /usr/local/bin/go-runner /usr/local/bin/go-runner
 COPY --from=builder /go/src/github.com/kubernetes-sigs/aws-iam-authenticator/_output/bin/aws-iam-authenticator /aws-iam-authenticator
 ENTRYPOINT ["/aws-iam-authenticator"]
diff --git a/Makefile b/Makefile
@@ -7,7 +7,6 @@ VERSION ?= $(shell $(shell pwd)/hack/get-version.sh)
 GOOS ?= $(shell go env GOOS)
 GOARCH ?= $(shell go env GOARCH)
 GOPROXY ?= $(shell go env GOPROXY)
-SOURCES := $(shell find . -name '*.go')
 GIT_COMMIT ?= $(shell git rev-parse HEAD)
 BUILD_DATE ?= $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 BUILD_DATE_STRIPPED := $(subst -,,$(subst :,,$(BUILD_DATE)))
@@ -55,7 +54,7 @@ $(CHECKSUM_FILE): build-all-bins
 	@echo $(ALL_BIN_TARGETS)
 	$(foreach target,$(ALL_BIN_TARGETS),$(call checksum,$(target),$(CHECKSUM_FILE)))
 
-$(OUTPUT)/bin/%: $(SOURCES)
+$(OUTPUT)/bin/%:
 	GO111MODULE=on \
 		CGO_ENABLED=0 \
 		GOOS=$(GOOS) \
@@ -77,16 +76,31 @@ $(MAKE) $(OUTPUT)/bin/aws-iam-authenticator_$(VERSION)_$(1)_$(2)$(3) GOOS=$(1) G
 
 endef
 
+# Function build-image
+# Parameters:
+# 1: Target architecture
+define build-image
+$(MAKE) .image-linux-$(1)
+
+endef
+
 .PHONY: build-all-bins
 build-all-bins:
 	$(foreach arch,$(BIN_ARCH_LINUX),$(call build-bin,linux,$(arch),))
 	$(foreach arch,$(BIN_ARCH_WINDOWS),$(call build-bin,windows,$(arch),.exe))
 	$(foreach arch,$(BIN_ARCH_DARWIN),$(call build-bin,darwin,$(arch),))
 
+.PHONY: build-all-images
+build-all-images:
+	$(foreach arch,$(BIN_ARCH_LINUX),$(call build-image,$(arch)))
+
 .PHONY: image
-image:
-	docker buildx build --output=type=docker --platform linux/amd64 \
-		--tag aws-iam-authenticator:$(VERSION)_$(GIT_COMMIT)_$(BUILD_DATE_STRIPPED) .
+image: .image-linux-$(GOARCH)
+
+.PHONY: .image-linux-%
+.image-linux-%:
+	docker buildx build --output=type=docker --platform linux/$* \
+		--tag aws-iam-authenticator:$(VERSION)_$(GIT_COMMIT)_$(BUILD_DATE_STRIPPED)-linux_$* .
 
 .PHONY: goreleaser
 goreleaser:

diff --git a/cmd/aws-iam-authenticator/root.go b/cmd/aws-iam-authenticator/root.go
@@ -108,6 +108,8 @@ func getConfig() (config.Config, error) {
 		DynamicFilePath: viper.GetString("server.dynamicfilepath"),
 		//DynamicFileUserIDStrict: if true, then aws UserId from sts will be used to look up the roleMapping/userMapping; or aws IdentityArn is used
 		DynamicFileUserIDStrict: viper.GetBool("server.dynamicfileUserIDStrict"),
+		//DynamicBackendModePath: the file path containing the backend mode
+		DynamicBackendModePath: viper.GetString("server.dynamicBackendModePath"),
 	}
 	if err := viper.UnmarshalKey("server.mapRoles", &cfg.RoleMappings); err != nil {
 		return cfg, fmt.Errorf("invalid server role mappings: %v", err)

diff --git a/go.mod b/go.mod
@@ -2,6 +2,8 @@ module sigs.k8s.io/aws-iam-authenticator
 
 go 1.19
 
+replace golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 => golang.org/x/net v0.7.0
+
 require (
 	github.com/aws/aws-sdk-go v1.44.213
 	github.com/fsnotify/fsnotify v1.6.0
@@ -66,9 +68,9 @@ require (
 	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
-	golang.org/x/sys v0.3.0 // indirect
-	golang.org/x/term v0.3.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/term v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect

diff --git a/go.sum b/go.sum
@@ -462,8 +462,8 @@ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
-golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 h1:Frnccbp+ok2GkUS2tC84yAq/U9Vg+0sIO7aRL3T4Xnc=
-golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -531,13 +531,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
-golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -546,8 +546,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
-golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

diff --git a/hack/dev/authenticator_with_dynamicfile_mode.yaml b/hack/dev/authenticator_with_dynamicfile_mode.yaml
@@ -7,6 +7,7 @@ server:
   kubeconfig: {{AUTHENTICATOR_KUBECONFIG}}
   backendmode: [ "MountedFile", "DynamicFile" ]
   dynamicfilepath: {{AUTHENTICATOR_DYNAMICFILE_PATH}}
+  dynamicBackendModePath: {{BACKENDMODE_PATH}}
   reservedPrefixConfig:
   - backendmode: DynamicFile
     usernamePrefixReserveList:

diff --git a/hack/e2e-dynamicfile.sh b/hack/e2e-dynamicfile.sh
@@ -31,7 +31,9 @@ policies_json="${OUTPUT}/dev/authenticator/policies.json"
 allow_assume_role_policies_template="${REPO_ROOT}/hack/dev/allow_assume_role_policy.template"
 allow_assume_role_policies_json="${OUTPUT}/dev/authenticator/allow_assume_role_policy.json"
 access_entry_tmp="${OUTPUT}/dev/authenticator/access-entry/access-entries.tmp"
+access_entry_user_tmp="${OUTPUT}/dev/authenticator/access-entry/access-entries-user.tmp"
 access_entry_json="${OUTPUT}/dev/authenticator/access-entry/access-entries.json"
+backend_mode_json="${OUTPUT}/dev/authenticator/access-entry/backend-modes.json"
 client_dir="${OUTPUT}/dev/client"
 kubectl_kubeconfig="${client_dir}/kubeconfig.yaml"
 
@@ -56,6 +58,13 @@ function e2e_mountfile() {
 }
 
 function e2e_dynamicfile_username_prefix_enforce(){
+cat << EOF > ${backend_mode_json}
+{
+  "backendMode": "MountedFile DynamicFile"
+}
+EOF
+
+  sleep 20
   set +e
   RoleOutput=$(aws iam get-role --role-name ${USERNAME_TEST_ROLE} 2>/dev/null)
 
@@ -112,8 +121,8 @@ function e2e_dynamicfile_username_prefix_enforce(){
   sed -e "s|{{AWS_ACCOUNT}}|${AWS_ACCOUNT}|g" \
       -e "s|{{USERNAME_TEST_ROLE}}|${USERNAME_TEST_ROLE}|g" \
       -e "s|{{USER_ID}}|${USERID}|g" \
-            "${access_entry_username_prefix_template}" > "${access_entry_tmp}"
-  mv "${access_entry_tmp}"  "${access_entry_json}"
+            "${access_entry_username_prefix_template}" > "${access_entry_user_tmp}"
+  mv "${access_entry_user_tmp}"  "${access_entry_json}"
   #sleep 10 seconds to make access entry effective
   sleep 10
   set +e
@@ -128,6 +137,12 @@ function e2e_dynamicfile_username_prefix_enforce(){
 }
 
 function e2e_dynamicfile(){
+cat << EOF > "${backend_mode_json}"
+{
+  "backendMode": "MountedFile DynamicFile"
+}
+EOF
+  sleep 20
   set +e
   RoleOutput=$(aws iam get-role --role-name authenticator-dev-cluster-testrole 2>/dev/null)
 
@@ -216,14 +231,79 @@ function e2e_dynamicfile(){
   unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
 }
 
-echo "start end to end testing for mountfile mode"
-e2e_mountfile
-echo "starting end to end testing for dynamicfile mode"
-e2e_dynamicfile
-echo "starting end to end testing for dynamicfile mode with username prefix"
-e2e_dynamicfile_username_prefix_enforce
+function e2e_dynamic_backend_mode(){
+
+  # set backend mode to MOUNTEDFILE only
+  sed -e "s|{{AWS_ACCOUNT}}|${AWS_ACCOUNT}|g" \
+      -e "s|{{AWS_TEST_ROLE}}|${AWS_TEST_ROLE}|g" \
+      -e "s|{{USER_ID}}|${USERID}|g" \
+            "${access_entry_template}" > "${access_entry_tmp}"
+  mv "${access_entry_tmp}"  "${access_entry_json}"
+cat << EOF > "${backend_mode_json}"
+{
+  "backendMode": "MountedFile"
+}
+EOF
+  sleep 20
+
+  set -e
+  OUT=$(aws sts assume-role --role-arn arn:aws:iam::${AWS_ACCOUNT}:role/${AWS_TEST_ROLE} --role-session-name aaa);\
+  export AWS_ACCESS_KEY_ID=$(echo $OUT | jq -r '.Credentials''.AccessKeyId');\
+  export AWS_SECRET_ACCESS_KEY=$(echo $OUT | jq -r '.Credentials''.SecretAccessKey');\
+  export AWS_SESSION_TOKEN=$(echo $OUT | jq -r '.Credentials''.SessionToken');
+
+  OUT=$(aws sts get-caller-identity)
+  echo "current role: "$OUT
+  if [ -z "$OUT" ]
+      then
+          echo "can't assume-role: ""${AWS_TEST_ROLE}"
+          exit 1
+  fi
 
+  set +e
+  OUT=$(kubectl --kubeconfig=${kubectl_kubeconfig} --context="test-authenticator" get nodes 2>/var/tmp/err.txt)
+  echo $OUT
+  if grep -q "Unauthorized" "/var/tmp/err.txt"; then
+      echo -n ""
+  else
+      echo "end to end testing for dynamic backend mode failed"
+      exit 1
+  fi
 
+  # set backend mode to MOUNTEDFILE,DYNAMICFILE
+cat << EOF > "${backend_mode_json}"
+{
+  "backendMode": "MountedFile DynamicFile"
+}
+EOF
+  sleep 20
 
+  OUT=$(aws sts get-caller-identity)
+  echo "current role: "$OUT
+  if [ -z "$OUT" ]
+      then
+          echo "can't assume-role: ""${AWS_TEST_ROLE}"
+          exit 1
+  fi
 
+  OUT=$(kubectl --kubeconfig=${kubectl_kubeconfig} --context="test-authenticator" get nodes|grep Ready)
+  if [ ! -z "$OUT" ]
+      then
+          echo $OUT
+          echo "end to end testing for dynamic backend mode succeeded"
 
+      else
+          echo "end to end testing for dynamic backend mode failed"
+          exit 1
+  fi
+  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+echo "start end to end testing for mountfile mode"
+e2e_mountfile
+echo "starting end to end testing for dynamicfile mode"
+e2e_dynamicfile
+echo "starting end to end testing for dynamic backend mode"
+e2e_dynamic_backend_mode
+echo "starting end to end testing for dynamicfile mode with username prefix"
+e2e_dynamicfile_username_prefix_enforce
diff --git a/hack/lib/dev-env.sh b/hack/lib/dev-env.sh
@@ -67,6 +67,7 @@ authenticator_dynamicfile_host_path="${OUTPUT}/dev/authenticator/access-entry"
 authenticator_access_entry_host_file="${authenticator_dynamicfile_host_path}/access-entries.json"
 authenticator_dynamicfile_dest_path="/var/authenticator/access-entry"
 authenticator_access_entry_dest_file="${authenticator_dynamicfile_dest_path}/access-entries.json"
+authenticator_backend_mode_dest_file="${authenticator_dynamicfile_dest_path}/backend-modes.json"
 authenticator_config_dest_dir="/etc/authenticator"
 authenticator_export_dest_dir="/var/authenticator/export"
 authenticator_state_dest_dir="/var/authenticator/state"
@@ -145,6 +146,7 @@ function write_authenticator_with_dynamicfile_mode_config() {
         -e "s|{{AUTHENTICATOR_IP}}|${AUTHENTICATOR_IP}|g" \
         -e "s|{{CLUSTER_NAME}}|${CLUSTER_NAME}|g" \
         -e "s|{{AUTHENTICATOR_DYNAMICFILE_PATH}}|${authenticator_access_entry_dest_file}|g" \
+        -e "s|{{BACKENDMODE_PATH}}|${authenticator_backend_mode_dest_file}|g" \
         "${authenticator_dynamicfile_mode_config_template}" > "${authenticator_dynamicfile_mode_config}"
     cat "${authenticator_dynamicfile_mode_config}"
     cp "${authenticator_access_entry_template}" "${authenticator_access_entry_host_file}"
@@ -200,7 +202,6 @@ function start_authenticator_with_dynamicfile() {
         --publish ${authenticator_healthz_port}:${authenticator_healthz_port} \
         --publish ${AUTHENTICATOR_PORT}:${AUTHENTICATOR_PORT} \
         --env AWS_REGION="us-west-2" \
-        --rm \
         "${AUTHENTICATOR_IMAGE}" \
         server \
         --config "${authenticator_config_dest_dir}/authenticator_dynamicfile_mode.yaml"

diff --git a/pkg/config/types.go b/pkg/config/types.go
@@ -154,6 +154,8 @@ type Config struct {
 	DynamicFileUserIDStrict bool
 	// ReservedPrefixConfig defines reserved username prefixes for each backend
 	ReservedPrefixConfig map[string]ReservedPrefixConfig
+	// Dynamic File Path for BackendMode
+	DynamicBackendModePath string
 }
 
 type ReservedPrefixConfig struct {