Merge pull request #564 from nnmin-aws/nnmin-minorimp

prepare new release v0.6.4

Author: k8s-ci-robot

.goreleaser.yaml

@@ -12,6 +12,8 @@ builds:
     goarch:
       - amd64
       - arm64
+      - ppc64le
+      - s390x
     ignore:
       - goos: windows
         goarch: arm64

cloudbuild.yaml

@@ -1,15 +1,15 @@
 options:
   substitution_option: ALLOW_LOOSE
 steps:
-  - name: gcr.io/k8s-testimages/gcb-docker-gcloud
+  - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20221214-1b4dd4d69a
     entrypoint: /buildx-entrypoint
     args:
-    - build
-    - --tag=gcr.io/$PROJECT_ID/aws-iam-authenticator:$_GIT_TAG
-    - --tag=gcr.io/$PROJECT_ID/aws-iam-authenticator:latest
-    - --platform=linux/amd64,linux/arm64
-    - --output=type=registry
-    - .
+      - build
+      - --tag=gcr.io/$PROJECT_ID/aws-iam-authenticator:$_GIT_TAG
+      - --tag=gcr.io/$PROJECT_ID/aws-iam-authenticator:latest
+      - --platform=linux/amd64,linux/arm64
+      - --output=type=registry
+      - .
 substitutions:
   _GIT_TAG: '12345'
   _PULL_BASE_REF: 'master'

cmd/aws-iam-authenticator/root.go

@@ -104,6 +104,7 @@ func getConfig() (config.Config, error) {
 		EC2DescribeInstancesBurst:         viper.GetInt("server.ec2DescribeInstancesBurst"),
 		ScrubbedAWSAccounts:               viper.GetStringSlice("server.scrubbedAccounts"),
 		DynamicFilePath:                   viper.GetString("server.dynamicfilepath"),
+		DynamicFileUserIDStrict:           viper.GetBool("server.dynamicfileUserIDStrict"),
 	}
 	if err := viper.UnmarshalKey("server.mapRoles", &cfg.RoleMappings); err != nil {
 		return cfg, fmt.Errorf("invalid server role mappings: %v", err)

hack/dev/access-entries.template

@@ -5,7 +5,8 @@
       "username": "kubernetes-admin",
       "groups": [
         "system:masters"
-      ]
+      ],
+      "userid": "{{USER_ID}}"
     }
   ]
 }

hack/e2e-dynamicfile.sh

@@ -103,7 +103,8 @@ function e2e_dynamicfile(){
           echo "can't assume-role: "${AWS_TEST_ROLE}
           exit 1
   fi
-
+  USERID=$(aws sts get-caller-identity|jq -r '.UserId'|cut -d: -f1)
+  echo "userid: " $USERID
   #run kubectl cmd without adding the role into access entry
   if [ -f ${access_entry_json} ]
       then
@@ -123,6 +124,7 @@ function e2e_dynamicfile(){
 
   sed -e "s|{{AWS_ACCOUNT}}|${AWS_ACCOUNT}|g" \
       -e "s|{{AWS_TEST_ROLE}}|${AWS_TEST_ROLE}|g" \
+      -e "s|{{USER_ID}}|${USERID}|g" \
             "${access_entry_template}" > "${access_entry_tmp}"
   mv "${access_entry_tmp}"  "${access_entry_json}"
   #sleep 10 seconds to make access entry effective

hack/lib/dev-env.sh

@@ -46,6 +46,7 @@ NETWORK_NAME="${NETWORK_NAME:-authenticator-dev}"
 NETWORK_SUBNET="${NETWORK_SUBNET:-172.30.0.0/16}"
 AUTHENTICATOR_IP="${AUTHENTICATOR_IP:-172.30.0.10}"
 AUTHENTICATOR_PORT="${AUTHENTICATOR_PORT:-21362}"
+KIND_BIN="${KIND_BIN:-${OUTPUT}/bin/kind}"
 
 # Not configurable:
 authenticator_healthz_port=21363
@@ -85,16 +86,19 @@ kubectl_kubeconfig="${client_dir}/kubeconfig.yaml"
 kind_kubeconfig="${client_dir}/kind-kubeconfig.yaml"
 
 function install_kind() {
-  if [[ "$OSTYPE" == "darwin"* ]]; then
-      # for Intel Macs
-      [ $(uname -m) = x86_64 ]&& curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-amd64
-      # for M1 / ARM Macs
-      [ $(uname -m) = arm64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-arm64
-  else
-      curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-linux-amd64
-  fi
-  chmod +x ./kind
-  command -v ./kind >/dev/null 2>&1 || { echo >&2 "kind is required but it's not installed.  Aborting."; exit 1; }
+    if ! [[ -f "${KIND_BIN}" ]]; then
+        if [[ "$OSTYPE" == "darwin"* ]]; then
+            # for Intel Macs
+            [ $(uname -m) = x86_64 ]&& curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-amd64
+            # for M1 / ARM Macs
+            [ $(uname -m) = arm64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-darwin-arm64
+        else
+            curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.17.0/kind-linux-amd64
+        fi
+        chmod +x ./kind
+        mv ./kind "${KIND_BIN}"
+    fi
+    command -v "${KIND_BIN}" >/dev/null 2>&1 || { echo >&2 "kind is required but it's not installed.  Aborting."; exit 1; }
 }
 
 function create_network() {
@@ -234,11 +238,11 @@ function write_kubectl_kubeconfig() {
 
 function create_kind_cluster() {
     export KIND_EXPERIMENTAL_DOCKER_NETWORK="${NETWORK_NAME}"
-    ./kind create cluster \
+    "${KIND_BIN}" create cluster \
         --config "${kind_config_host_dir}/env.yaml" \
         --kubeconfig "${kind_kubeconfig}"
 }
 
 function delete_kind_cluster() {
-    ./kind delete cluster --name "${CLUSTER_NAME}"
-}
+    "${KIND_BIN}" delete cluster --name "${CLUSTER_NAME}"
+}

hack/start-dev-env.sh

@@ -45,6 +45,7 @@ fi
 
 source "${REPO_ROOT}/hack/lib/dev-env.sh"
 
+install_kind
 create_network
 write_authenticator_config
 start_authenticator

pkg/config/types.go

@@ -52,7 +52,10 @@ type RoleMapping struct {
 
 	// Groups is a list of Kubernetes groups this role will authenticate
 	// as (e.g., `system:masters`). Each group name can include placeholders.
-	Groups []string `json:"groups"`
+	Groups []string `json:"groups" yaml:"groups"`
+
+	// UserId is the AWS PrincipalId of the role. (e.g., "ABCXSOTJDDV").
+	UserId string `json:"userid,omitempty" yaml:"userid,omitempty"`
 }
 
 // UserMapping is a static mapping of a single AWS User ARN to a
@@ -65,7 +68,10 @@ type UserMapping struct {
 	Username string `json:"username"`
 
 	// Groups is a list of Kubernetes groups this role will authenticate as (e.g., `system:masters`)
-	Groups []string `json:"groups"`
+	Groups []string `json:"groups" yaml:"groups"`
+
+	// UserId is the AWS PrincipalId of the user. (e.g., "ABCXSOTJDDV").
+	UserId string `json:"userid,omitempty" yaml:"userid,omitempty"`
 }
 
 // Config specifies the configuration for a aws-iam-authenticator server
@@ -144,4 +150,6 @@ type Config struct {
 	EC2DescribeInstancesBurst int
 	//Dynamic File Path for DynamicFile BackendMode
 	DynamicFilePath string
+	//use UserId for mapping, IdentityArn is not used any more when DynamicFileUserIDStrict=true
+	DynamicFileUserIDStrict bool
 }

pkg/mapper/configmap/mapper.go

@@ -1,6 +1,7 @@
 package configmap
 
 import (
+	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
 	"strings"
 
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
@@ -30,8 +31,8 @@ func (m *ConfigMapMapper) Start(stopCh <-chan struct{}) error {
 	return nil
 }
 
-func (m *ConfigMapMapper) Map(canonicalARN string) (*config.IdentityMapping, error) {
-	canonicalARN = strings.ToLower(canonicalARN)
+func (m *ConfigMapMapper) Map(identity *token.Identity) (*config.IdentityMapping, error) {
+	canonicalARN := strings.ToLower(identity.CanonicalARN)
 
 	rm, err := m.RoleMapping(canonicalARN)
 	// TODO: Check for non Role/UserNotFound errors

pkg/mapper/crd/mapper.go

@@ -2,6 +2,7 @@ package crd
 
 import (
 	"fmt"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
 	"strings"
 	"time"
 
@@ -86,8 +87,8 @@ func (m *CRDMapper) Start(stopCh <-chan struct{}) error {
 	return nil
 }
 
-func (m *CRDMapper) Map(canonicalARN string) (*config.IdentityMapping, error) {
-	canonicalARN = strings.ToLower(canonicalARN)
+func (m *CRDMapper) Map(identity *token.Identity) (*config.IdentityMapping, error) {
+	canonicalARN := strings.ToLower(identity.CanonicalARN)
 
 	var iamidentity *iamauthenticatorv1alpha1.IAMIdentityMapping
 	var ok bool