Merge pull request #59 from ninhomilton/Beekeeper-auth_migration_to-irsa

ninhomilton · web-flow · commit 42b78ad247f9 · 2024-06-07T14:31:20.000-05:00
Beekeeper auth migration to irsa
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [5.0.1] - 2024-06-05
+### Changed
+- Change kiam auth method to irsa for metadata cleanup, path cleanup and scheduler apiary
+
 ## [5.0.1] - 2024-05-14
 ### Changed
 - Change provider version for kubernetes to 2.13.0 
diff --git a/common.tf b/common.tf
@@ -19,6 +19,7 @@ locals {
   spring_application_json_key = "SPRING_APPLICATION_JSON"
 }
 
+data "aws_caller_identity" "current" {}
 data "aws_iam_account_alias" "current" {}
 
 data "aws_vpc" "vpc" {
diff --git a/k8s-metadata-cleanup-iam.tf b/k8s-metadata-cleanup-iam.tf
@@ -24,9 +24,14 @@ resource "aws_iam_role" "beekeeper_k8s_role_metadata_cleanup_iam" {
       "Sid": "",
       "Effect": "Allow",
       "Principal": {
-        "AWS": "${var.k8s_kiam_role_arn}"
+        "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.oidc_provider}"
       },
-      "Action": "sts:AssumeRole"
+      "Action": "sts:AssumeRoleWithWebIdentity",
+       "Condition": {
+         "StringEquals": {
+           "${var.oidc_provider}:sub": "system:serviceaccount:${var.k8s_namespace}:${local.metadata_cleanup_full_name}"
+         }
+       }
     }
   ]
 }
diff --git a/k8s-metadata-cleanup.tf b/k8s-metadata-cleanup.tf
@@ -38,14 +38,15 @@ resource "kubernetes_deployment_v1" "beekeeper_metadata_cleanup" {
       metadata {
         labels = local.metadata_cleanup_label_name_instance
         annotations = {
-          "iam.amazonaws.com/role" = aws_iam_role.beekeeper_k8s_role_metadata_cleanup_iam[count.index].arn
           "prometheus.io/scrape" : var.prometheus_enabled
           "prometheus.io/port" : var.k8s_metadata_cleanup_port
           "prometheus.io/path" : "/actuator/prometheus"
         }
       }
 
       spec {
+        service_account_name            = kubernetes_service_account_v1.beekeeper_metadata_cleanup.metadata.0.name
+        automount_service_account_token = true
         container {
           name              = local.metadata_cleanup_full_name
           image             = "${var.metadata_cleanup_docker_image}:${var.metadata_cleanup_docker_image_version}"
@@ -132,3 +133,29 @@ resource "kubernetes_service" "beekeeper_metadata_cleanup" {
     type     = "ClusterIP"
   }
 }
+
+resource "kubernetes_service_account_v1" "beekeeper_metadata_cleanup" {
+  metadata {
+    name        = local.metadata_cleanup_full_name
+    namespace   = var.k8s_namespace
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.beekeeper_k8s_role_metadata_cleanup_iam[0].arn
+    }
+  }
+}
+
+resource "kubernetes_secret_v1" "beekeeper_metadata_cleanup" {
+  metadata {
+    name        = local.metadata_cleanup_full_name
+    namespace   = var.k8s_namespace
+    annotations = {
+      "kubernetes.io/service-account.name" = local.metadata_cleanup_full_name
+      "kubernetes.io/service-account.namespace" = var.k8s_namespace
+    }
+  }
+  type = "kubernetes.io/service-account-token"
+
+  depends_on = [
+    kubernetes_service_account_v1.beekeeper_metadata_cleanup
+  ]
+}
diff --git a/k8s-path-cleanup-iam.tf b/k8s-path-cleanup-iam.tf
@@ -24,9 +24,14 @@ resource "aws_iam_role" "beekeeper_k8s_role_path_cleanup_iam" {
       "Sid": "",
       "Effect": "Allow",
       "Principal": {
-        "AWS": "${var.k8s_kiam_role_arn}"
+        "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.oidc_provider}"
       },
-      "Action": "sts:AssumeRole"
+       "Action": "sts:AssumeRoleWithWebIdentity",
+       "Condition": {
+         "StringEquals": {
+           "${var.oidc_provider}:sub": "system:serviceaccount:${var.k8s_namespace}:${local.path_cleanup_full_name}"
+         }
+       }
     }
   ]
 }
diff --git a/k8s-path-cleanup.tf b/k8s-path-cleanup.tf
@@ -38,14 +38,15 @@ resource "kubernetes_deployment_v1" "beekeeper_path_cleanup" {
       metadata {
         labels = local.path_cleanup_label_name_instance
         annotations = {
-          "iam.amazonaws.com/role" = aws_iam_role.beekeeper_k8s_role_path_cleanup_iam[count.index].arn
           "prometheus.io/scrape" : var.prometheus_enabled
           "prometheus.io/port" : var.k8s_path_cleanup_port
           "prometheus.io/path" : "/actuator/prometheus"
         }
       }
 
       spec {
+        service_account_name            = kubernetes_service_account_v1.beekeeper_path_cleanup.metadata.0.name
+        automount_service_account_token = true
         container {
           name              = local.path_cleanup_full_name
           image             = "${var.path_cleanup_docker_image}:${var.path_cleanup_docker_image_version}"
@@ -133,3 +134,29 @@ resource "kubernetes_service" "beekeeper_path_cleanup" {
     type     = "ClusterIP"
   }
 }
+
+resource "kubernetes_service_account_v1" "beekeeper_path_cleanup" {
+  metadata {
+    name        = local.path_cleanup_full_name
+    namespace   = var.k8s_namespace
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.beekeeper_k8s_role_path_cleanup_iam[0].arn
+    }
+  }
+}
+
+resource "kubernetes_secret_v1" "beekeeper_path_cleanup" {
+  metadata {
+    name        = local.path_cleanup_full_name
+    namespace   = var.k8s_namespace
+    annotations = {
+      "kubernetes.io/service-account.name" = local.path_cleanup_full_name
+      "kubernetes.io/service-account.namespace" = var.k8s_namespace
+    }
+  }
+  type = "kubernetes.io/service-account-token"
+
+  depends_on = [
+    kubernetes_service_account_v1.beekeeper_path_cleanup
+  ]
+}
diff --git a/k8s-scheduler-apiary-iam.tf b/k8s-scheduler-apiary-iam.tf
@@ -24,9 +24,14 @@ resource "aws_iam_role" "beekeeper_k8s_role_scheduler_apiary_iam" {
       "Sid": "",
       "Effect": "Allow",
       "Principal": {
-        "AWS": "${var.k8s_kiam_role_arn}"
+        "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.oidc_provider}"
       },
-      "Action": "sts:AssumeRole"
+      "Action": "sts:AssumeRoleWithWebIdentity",
+       "Condition": {
+         "StringEquals": {
+           "${var.oidc_provider}:sub": "system:serviceaccount:${var.k8s_namespace}:${local.scheduler_apiary_full_name}"
+         }
+       }
     }
   ]
 }
diff --git a/k8s-scheduler-apiary.tf b/k8s-scheduler-apiary.tf
@@ -38,14 +38,15 @@ resource "kubernetes_deployment_v1" "beekeeper_scheduler_apiary" {
       metadata {
         labels = local.scheduler_apiary_label_name_instance
         annotations = {
-          "iam.amazonaws.com/role" = aws_iam_role.beekeeper_k8s_role_scheduler_apiary_iam[count.index].arn
           "prometheus.io/scrape" : var.prometheus_enabled
           "prometheus.io/port" : var.k8s_scheduler_apiary_port
           "prometheus.io/path" : "/actuator/prometheus"
         }
       }
 
       spec {
+        service_account_name            = kubernetes_service_account_v1.beekeeper_scheduler_apiary.metadata.0.name
+        automount_service_account_token = true
         container {
           name              = local.scheduler_apiary_full_name
           image             = "${var.scheduler_apiary_docker_image}:${var.scheduler_apiary_docker_image_version}"
@@ -130,3 +131,29 @@ resource "kubernetes_service" "beekeeper_scheduler_apiary" {
     type     = "ClusterIP"
   }
 }
+
+resource "kubernetes_service_account_v1" "beekeeper_scheduler_apiary" {
+  metadata {
+    name        = local.scheduler_apiary_full_name
+    namespace   = var.k8s_namespace
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.beekeeper_k8s_role_scheduler_apiary_iam[0].arn
+    }
+  }
+}
+
+resource "kubernetes_secret_v1" "beekeeper_scheduler_apiary" {
+  metadata {
+    name        = local.scheduler_apiary_full_name
+    namespace   = var.k8s_namespace
+    annotations = {
+      "kubernetes.io/service-account.name" = local.scheduler_apiary_full_name
+      "kubernetes.io/service-account.namespace" = var.k8s_namespace
+    }
+  }
+  type = "kubernetes.io/service-account-token"
+
+  depends_on = [
+    kubernetes_service_account_v1.beekeeper_scheduler_apiary
+  ]
+}
diff --git a/variables.tf b/variables.tf
@@ -333,6 +333,12 @@ variable "k8s_kiam_role_arn" {
   type        = string
 }
 
+variable "oidc_provider" {
+  description = "EKS cluster OIDC provider name, required for configuring IAM using IRSA."
+  type        = string
+  default     = ""
+}
+
 variable "k8s_db_password_secret" {
   description = "Name of the Kubernetes secret that would store the db password for beekeeper."
   default     = "beekeeper-db-password"

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ locals {`
`19`	`19`	`spring_application_json_key = "SPRING_APPLICATION_JSON"`
`20`	`20`	`}`
`21`	`21`
	`22`	`+data "aws_caller_identity" "current" {}`
`22`	`23`	`data "aws_iam_account_alias" "current" {}`
`23`	`24`
`24`	`25`	`data "aws_vpc" "vpc" {`
Original file line number	Diff line number	Diff line change
`@@ -24,9 +24,14 @@ resource "aws_iam_role" "beekeeper_k8s_role_metadata_cleanup_iam" {`
`24`	`24`	`"Sid": "",`
`25`	`25`	`"Effect": "Allow",`
`26`	`26`	`"Principal": {`
`27`		`- "AWS": "${var.k8s_kiam_role_arn}"`
	`27`	`+ "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.oidc_provider}"`
`28`	`28`	`},`
`29`		`- "Action": "sts:AssumeRole"`
	`29`	`+ "Action": "sts:AssumeRoleWithWebIdentity",`
	`30`	`+ "Condition": {`
	`31`	`+ "StringEquals": {`
	`32`	`+ "${var.oidc_provider}:sub": "system:serviceaccount:${var.k8s_namespace}:${local.metadata_cleanup_full_name}"`
	`33`	`+ }`
	`34`	`+ }`
`30`	`35`	`}`
`31`	`36`	`]`
`32`	`37`	`}`