*: add user/role subcommands

[gyuho]

aws-iam-authenticator add
add IAM entity to an existing aws auth configmap

Usage:
  aws-iam-authenticator add [command]

Available Commands:
  role        add a role entity to aws auth configmap
  user        add a user entity to aws auth configmap

Flags:
  -h, --help                        help for add
      --kubeconfig string           kubeconfig file path, if empty, it loads the default config
      --kubeconfig-context string   kubeconfig context, if empty, it uses the default context
      --master-url string           kube-apiserver URL for creating Kubernetes client
      --prompt                      'false' to disable prompt' (default true)

Use "aws-iam-authenticator add [command] --help" for more information about a command.

aws-iam-authenticator add user -h
add a user entity to aws auth configmap

Usage:
  aws-iam-authenticator add user [flags]

Flags:
      --groups strings    A new user groups
  -h, --help              help for user
      --userarn string    A new user ARN
      --username string   A new user name

Global Flags:
  -i, --cluster-id ID                 Specify the cluster ID, a unique-per-cluster identifier for your aws-iam-authenticator installation.
  -c, --config filename               Load configuration from filename
      --feature-gates mapStringBool   A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
                                      AllAlpha=true|false (ALPHA - default=false)
                                      IAMIdentityMappingCRD=true|false (ALPHA - default=false)
      --kubeconfig string             kubeconfig file path, if empty, it loads the default config
      --kubeconfig-context string     kubeconfig context, if empty, it uses the default context
  -l, --log-format string             Specify log format to use when logging to stderr [text or json] (default "text")
      --master-url string             kube-apiserver URL for creating Kubernetes client
      --prompt                        'false' to disable prompt' (default true

aws-iam-authenticator add role -h
add a role entity to aws auth configmap

Usage:
  aws-iam-authenticator add role [flags]

Flags:
      --groups strings    A new role groups
  -h, --help              help for role
      --rolearn string    A new role ARN
      --username string   A new user name

Global Flags:
  -i, --cluster-id ID                 Specify the cluster ID, a unique-per-cluster identifier for your aws-iam-authenticator installation.
  -c, --config filename               Load configuration from filename
      --feature-gates mapStringBool   A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
                                      AllAlpha=true|false (ALPHA - default=false)
                                      IAMIdentityMappingCRD=true|false (ALPHA - default=false)
      --kubeconfig string             kubeconfig file path, if empty, it loads the default config
      --kubeconfig-context string     kubeconfig context, if empty, it uses the default context
  -l, --log-format string             Specify log format to use when logging to stderr [text or json] (default "text")
      --master-url string             kube-apiserver URL for creating Kubernetes client
      --prompt                        'false' to disable prompt' (default true)

aws-iam-authenticator \
add --kubeconfig ${KUBECONFIG} --prompt=true \
user \
--userarn="arn:aws:iam::607362164682:user/test" \
--username=test \
--groups=system:masters

✔ Yes, let's add "add userarn arn:aws:iam::607362164682:user/test, username test, groups [system: masters]"!

updated configmap:

data:
  mapRoles: |
    - rolearn: arn:aws:iam::123:role/eks-2021061306-greenfa8mksv-ng-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
      - system:bootstrappers
      - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::123:user/test
      username: test
      groups:
      - system:masters

aws-iam-authenticator \
add \
--kubeconfig ${KUBECONFIG} \
--prompt=true \
role \
--rolearn arn:aws:iam::123:role/test \
--username=test \
--groups system:bootstrappers,system:nodes

✔ Yes, let's add "add rolearn arn:aws:iam::123:role/test, username test, groups [system:bootstrappers system:nodes]"!

updated configmap:

data:
  mapRoles: |
    - rolearn: arn:aws:iam::123:role/eks-2021061306-greenfa8mksv-ng-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
      - system:bootstrappers
      - system:nodes
    - rolearn: arn:aws:iam::123:role/test
      username: test
      groups:
      - system:bootstrappers
      - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::123:user/test
      username: test
      groups:
      - system:masters

aws-iam-authenticator \
add role \
--rolearn arn:aws:iam::123:role/test \
--username=test \
--groups system:bootstrappers,system:nodes

cannot add duplicate role ARN "arn:aws:iam::123:role/test"

[nckturner]

Can we be more explicit in the description that makes it clear this is currently only supported for the configmap backend. i.e. "Note: this does not currently support the CRD and file backends." or something.

[nckturner]

@wongma7 had the idea that this would benefit from a dry-run mode, which I think is a great idea, but we can add it in a follow-on PR to get this merged, since its been sitting around for a while (and that way someone else can take it up as well if you don't have time).

/lgtm

[nckturner]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gyuho, nckturner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nckturner]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment