cleaning up some code

This commit is contained in:
2024-08-02 14:43:55 -04:00
parent 0f37b2806b
commit 4792d6502a
4 changed files with 111 additions and 53 deletions


@@ -124,8 +124,7 @@ data:
## Restarting Deployments ## Restarting Deployments
You can optionally restart your deployments if needed. If this isn't needed you can exclude the permissions in the role You can optionally restart your deployments if needed. Set the `RESTART_DEPLOYMENTS` environment variable to `true`. If this isn't needed you can exclude the permission in the role above and the variable.
above.
The process will list all deployments with the label `iam-role-type=aws-iam-anywhere` and restart them. The process will list all deployments with the label `iam-role-type=aws-iam-anywhere` and restart them.


@@ -5,6 +5,8 @@ import (
"encoding/base64" "encoding/base64"
"errors" "errors"
"github.com/aws/rolesanywhere-credential-helper/rolesanywhere" "github.com/aws/rolesanywhere-credential-helper/rolesanywhere"
v1 "k8s.io/api/core/v1"
v1m "k8s.io/apimachinery/pkg/apis/meta/v1"
"log" "log"
"net/http" "net/http"
"runtime" "runtime"
@@ -126,3 +128,20 @@ func GenerateCredentials(opts *CredentialsOpts, signer Signer, signatureAlgorith
} }
return credentialProcessOutput, nil return credentialProcessOutput, nil
} }
func (credentials CredentialProcessOutput) ToSecret(secretName string) *v1.Secret {
return &v1.Secret{
ObjectMeta: v1m.ObjectMeta{
Name: secretName,
Labels: map[string]string{
"managed-by": "aws-iam-anywhere-refresher",
},
},
StringData: map[string]string{
"AWS_ACCESS_KEY_ID": credentials.AccessKeyId,
"AWS_SECRET_ACCESS_KEY": credentials.SecretAccessKey,
"AWS_SESSION_TOKEN": credentials.SessionToken,
},
}
}
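Review bot: ToSecret is exported but carries no doc comment, which Go tooling and godoc expect to start with the name; something like `// ToSecret wraps the credentials in a Secret named secretName, labelled managed-by=aws-iam-anywhere-refresher, whose StringData holds AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.` covers the contract. It is worth stating in that comment that the object sets no Type (the apiserver defaults it to Opaque) and no Namespace, which the caller supplies through the API path, since callers that persist it elsewhere will otherwise be surprised. If CredentialProcessOutput also carries the credential helper's expiration timestamp — not visible in this hunk — recording it as an annotation on the same object would let operators spot a stale secret without decoding the values.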

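--- a/kube_client/client.go
+++ b/kube_client/client.go
@@ -0,0 +1,82 @@
+package kube_client
+import (
+"context"
+v1a "k8s.io/api/apps/v1"
+v1c "k8s.io/api/core/v1"
+v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/client-go/kubernetes"
+"k8s.io/client-go/rest"
+"time"
+)
+type kubeClient interface {
+GetSecret(namespace string, secretName string) (*v1c.Secret, error)
+CreateSecret(namespace string, secret *v1c.Secret) (*v1c.Secret, error)
+UpdateSecret(namespace string, secret *v1c.Secret) (*v1c.Secret, error)
+ListDeployments(namespace string) (*v1a.DeploymentList, error)
+RestartDeployments(namespace string, deployments *v1a.DeploymentList) error
+}
+type KubeClientImpl struct {
+kubeClient
+clientSet *kubernetes.Clientset
+}
+func NewKubeClient() (*KubeClientImpl, error) {
+config, err := rest.InClusterConfig()
+if err != nil {
+return nil, err
+}
+client, err := kubernetes.NewForConfig(config)
+if err != nil {
+return nil, err
+}
+return &KubeClientImpl{
+clientSet: client,
+}, nil
+}
+func (k KubeClientImpl) GetSecret(namespace string, secretName string) (*v1c.Secret, error) {
+secret, err := k.clientSet.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, v1.GetOptions{})
+if err != nil {
+return nil, err
+}
+return secret, nil
+}
+func (k KubeClientImpl) CreateSecret(namespace string, secret *v1c.Secret) (*v1c.Secret, error) {
+return k.clientSet.CoreV1().Secrets(namespace).Create(context.TODO(), secret, v1.CreateOptions{})
+}
+func (k KubeClientImpl) UpdateSecret(namespace string, secret *v1c.Secret) (*v1c.Secret, error) {
+return k.clientSet.CoreV1().Secrets(namespace).Update(context.TODO(), secret, v1.UpdateOptions{})
+}
+func (k KubeClientImpl) ListDeployments(namespace string) (*v1a.DeploymentList, error) {
+return k.clientSet.AppsV1().Deployments(namespace).List(context.TODO(), v1.ListOptions{
+LabelSelector: "iam-role-type=aws-iam-anywhere",
+})
+}
+func (k KubeClientImpl) RestartDeployments(namespace string, deployments *v1a.DeploymentList) error {
+for _, deployment := range deployments.Items {
+if deployment.Spec.Template.ObjectMeta.Annotations == nil {
+deployment.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+}
+deployment.Spec.Template.ObjectMeta.Annotations["kubectl.kubernetes.io/restartedAt"] = time.Now().Format(time.RFC3339)
+_, err := k.clientSet.AppsV1().Deployments(namespace).Update(context.TODO(), &deployment, v1.UpdateOptions{})
+if err != nil {
+return err
+}
+}
+return nil
+}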
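Review bot: RestartDeployments writes each listed Deployment back whole with Update, so if a deployment changed between the List and the Update the apiserver answers 409 Conflict, the loop returns on the first failure and every deployment after it keeps running pods whose environment still holds the previous credentials. A strategic-merge Patch that only sets the restartedAt annotation cannot conflict, swaps the `update` verb for `patch` on deployments in the role the README describes (not visible here), and avoids taking the address of the range copy; it needs `fmt` and `k8s.io/apimachinery/pkg/types` added to the import block. Every call also passes context.TODO(), so a stalled apiserver connection blocks this one-shot job indefinitely; a `context.WithTimeout` threaded through the interface, or at least created in NewKubeClient, would bound it. Separately, the embedded `kubeClient` field in KubeClientImpl is a nil interface at runtime, so a method missing from the concrete type would panic when called rather than fail to compile; `var _ kubeClient = (*KubeClientImpl)(nil)` gives the compile-time check without the embedding.
```go
func (k KubeClientImpl) RestartDeployments(namespace string, deployments *v1a.DeploymentList) error {
	for i := range deployments.Items {
		name := deployments.Items[i].Name
		patch := fmt.Sprintf(`{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":%q}}}}}`,
			time.Now().Format(time.RFC3339))
		if _, err := k.clientSet.AppsV1().Deployments(namespace).Patch(context.TODO(), name, types.StrategicMergePatchType, []byte(patch), v1.PatchOptions{}); err != nil {
			return fmt.Errorf("restarting deployment %s/%s: %w", namespace, name, err)
		}
	}
	return nil
}
```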

main.go

@@ -1,31 +1,19 @@
package main package main
import ( import (
"context"
"encoding/base64" "encoding/base64"
helper "git.s.int/rrise/aws-iam-anywhere-refresher/aws_signing_helper" helper "git.s.int/rrise/aws-iam-anywhere-refresher/aws_signing_helper"
"git.s.int/rrise/aws-iam-anywhere-refresher/cmd" "git.s.int/rrise/aws-iam-anywhere-refresher/cmd"
appConfig "git.s.int/rrise/aws-iam-anywhere-refresher/config" appConfig "git.s.int/rrise/aws-iam-anywhere-refresher/config"
v1k "k8s.io/api/core/v1" "git.s.int/rrise/aws-iam-anywhere-refresher/kube_client"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"log" "log"
"os" "os"
"time"
) )
func main() { func main() {
println("Starting credentials refresh") println("Starting credentials refresh")
config, err := rest.InClusterConfig() client, err := kube_client.NewKubeClient()
if err != nil {
println("Are you running in a cluster?")
panic(err)
}
client, err := kubernetes.NewForConfig(config)
if err != nil { if err != nil {
panic(err) panic(err)
} }
@@ -60,65 +48,35 @@ func main() {
println("Got new credentials") println("Got new credentials")
secret := &v1k.Secret{ _, err = client.GetSecret(c.Namespace(), c.Secret())
ObjectMeta: v1.ObjectMeta{
Name: c.Secret(),
Labels: map[string]string{
"managed-by": "aws-iam-anywhere-refresher",
},
},
StringData: map[string]string{
"AWS_ACCESS_KEY_ID": credentials.AccessKeyId,
"AWS_SECRET_ACCESS_KEY": credentials.SecretAccessKey,
"AWS_SESSION_TOKEN": credentials.SessionToken,
},
}
_, err = client.CoreV1().Secrets(c.Namespace()).Get(context.TODO(), c.Secret(), v1.GetOptions{})
if err != nil { if err != nil {
println(err.Error()) println(err.Error())
println("secret doesn't exist, trying to create") println("secret doesn't exist, trying to create")
create, err := client.CreateSecret(c.Namespace(), credentials.ToSecret(c.Secret()))
create, err := client.CoreV1().Secrets(c.Namespace()).Create(context.Background(), secret, v1.CreateOptions{})
if err != nil { if err != nil {
panic(err) panic(err)
} }
println("secret created") println("secret created")
println(create.CreationTimestamp.String()) println(create.CreationTimestamp.String())
} else { } else {
update, err := client.CoreV1().Secrets(c.Namespace()).Update(context.TODO(), secret, v1.UpdateOptions{}) update, err := client.UpdateSecret(c.Namespace(), credentials.ToSecret(c.Secret()))
if err != nil { if err != nil {
panic(err) panic(err)
} }
println("secret updated") println("secret updated")
println(update.CreationTimestamp.String()) println(update.CreationTimestamp.String())
} }
if c.RestartDeployments() { if c.RestartDeployments() {
println("Restarting deployments...") println("Restarting deployments...")
deployments, err := client.ListDeployments(c.Namespace())
deployments, err := client.AppsV1().Deployments(c.Namespace()).List(context.TODO(), v1.ListOptions{
LabelSelector: "iam-role-type=aws-iam-anywhere",
})
if err != nil { if err != nil {
panic(err) panic(err)
} }
for _, deployment := range deployments.Items { err = client.RestartDeployments(c.Namespace(), deployments)
println("Restarting deployment", deployment.Name)
if deployment.Spec.Template.ObjectMeta.Annotations == nil {
deployment.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
}
deployment.Spec.Template.ObjectMeta.Annotations["kubectl.kubernetes.io/restartedAt"] = time.Now().Format(time.RFC3339)
_, err = client.AppsV1().Deployments(c.Namespace()).Update(context.TODO(), &deployment, v1.UpdateOptions{})
if err != nil { if err != nil {
println(err.Error()) panic(err)
}
} }
} }
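Review bot: The secret branch in main treats every error from GetSecret as "secret doesn't exist" and falls through to CreateSecret, so an RBAC denial, a timeout or any other transient failure ends in a second, misleading failure report instead of the real one; only `apierrors.IsNotFound(err)` should select the create path, with any other error stopping the job. The fetched secret is also discarded (`_, err = client.GetSecret(...)`), so on the update path the job replaces whatever secret carries that name with a freshly built object, and because ToSecret sets no resourceVersion the apiserver applies that replace unconditionally — a pre-existing secret that happens to share the name is silently clobbered together with its other keys, labels and annotations. Checking the existing secret's `managed-by` label before UpdateSecret keeps the refresher from overwriting a secret it did not create. This needs `apierrors "k8s.io/apimachinery/pkg/api/errors"` in the import block; main appears to continue past the end of the hunk.
```go
	existing, err := client.GetSecret(c.Namespace(), c.Secret())
	switch {
	case apierrors.IsNotFound(err):
		// … unchanged: CreateSecret path …
	case err != nil:
		panic(err) // RBAC denial, timeout, etc.: do not fall through to Create
	case existing.Labels["managed-by"] != "aws-iam-anywhere-refresher":
		panic("refusing to overwrite secret " + c.Secret() + ": not managed by aws-iam-anywhere-refresher")
	default:
		// … unchanged: UpdateSecret path …
	}
	// … unchanged: deployment restart …
```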