Index ¶
- func AddOrUpdateBucketPermissions(ctx context.Context, cfg aws.Config, permissionName string, s3Actions []string, ...) error
- func AddOrUpdateCrossAccountSecretReadPermissions(ctx context.Context, cfg aws.Config, secretName string, ...) error
- func ApplyManifests(ctx context.Context, kubeClient *RetryableClient, manifestYamlsCombined string) (d diag.Diagnostics)
- func DescribeKubeCluster(ctx context.Context, dp awsconfig.AWSDataplane, cfg aws.Config) (cluster *types.Cluster, err error)
- func GetARNForCPService(ctx context.Context, cfg aws.Config, cc awsconfig.ClusterConfiguration, ...) string
- func GetARNForService(ctx context.Context, cfg aws.Config, cc awsconfig.ClusterConfiguration, ...) string
- func GetAwsConfig(ctx context.Context, dp awsconfig.AWSDataplane) (cfg aws.Config, d diag.Diagnostics)
- func GetKubeClientSets(ctx context.Context, cfg aws.Config, dp awsconfig.AWSDataplane) (clientSet *kubernetes.Clientset, err error)
- func GetKubeClusterName(ctx context.Context, dp awsconfig.AWSDataplane) (name string, err error)
- func GetKubeConfig(ctx context.Context, dp awsconfig.AWSDataplane, cfg aws.Config) (kubeConfig []byte, err error)
- func LogError(ctx context.Context, d diag.Diagnostics, summary string, err error) diag.Diagnostics
- func RemoveBucketPermissions(ctx context.Context, cfg aws.Config, ...) error
- func RemoveKmsKeyPermission(ctx context.Context, cfg aws.Config, permissionName, kmsKeyArn string, ...) error
- func RenderAndApplyTemplate(ctx context.Context, kubeClient *RetryableClient, name string, ...) (d diag.Diagnostics)
- func ResetKubeClientCache()
- func UpdateCrossAccountEcrReadPermissions(ctx context.Context, cfg aws.Config, repositoryName, permissionName string, ...) error
- func UpdateEmptyOIDCRoleTrustPolicy(ctx context.Context, cfg aws.Config, issuerID, roleName string) error
- func UpdateKmsKeyPermission(ctx context.Context, cfg aws.Config, permissionName string, ...) error
- type RetryableClient
- func (r *RetryableClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error
- func (r *RetryableClient) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error
- func (r *RetryableClient) DeleteAllOf(ctx context.Context, obj client.Object, opts ...client.DeleteAllOfOption) error
- func (r *RetryableClient) Get(ctx context.Context, key k8stypes.NamespacedName, obj client.Object, ...) error
- func (r *RetryableClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error
- func (r *RetryableClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, ...) error
- func (r *RetryableClient) Update(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error
Functions ¶
func AddOrUpdateBucketPermissions ¶
func AddOrUpdateBucketPermissions(ctx context.Context, cfg aws.Config, permissionName string, s3Actions []string, s3ResourcePrefix string, kmsActions []string, bucketName, bucketRegion, bucketEndpoint string, allowedPrincipals []string) error
AddOrUpdateBucketPermissions is an AWS S3 utility function that adds or replaces a single statement block in an S3 bucket policy without impacting the other statements. This makes it possible to add a tenant-specific permission to a management-plane bucket. Important: pass a unique permissionName so that the statement written by this call cannot replace an existing permission; permissionName must be a valid AWS statement ID (Sid), i.e. without special characters or spaces.
Example kmsActions for general S3 Get and Put access include the following:
"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"
Example s3Actions for read access include the following:
s3:GetObject* s3:ListBucket
Example s3ResourcePrefix: `*` grants the principals access to every object in the bucket; a tenant-specific prefix (e.g. one derived from a unique infra id) restricts their access to that tenant's objects only.
func AddOrUpdateCrossAccountSecretReadPermissions ¶
func AddOrUpdateCrossAccountSecretReadPermissions(ctx context.Context, cfg aws.Config, secretName string, permissionName, allowedPrincipals []string) error
AddOrUpdateCrossAccountSecretReadPermissions adds or updates read permissions on a secret for a list of cross-account principals. Important: pass a unique permissionName to avoid modifying another statement in the KMS key policy (e.g. include a tenant id in permissionName). Note that this function updates both the secret's permissions and the permissions on the KMS key associated with the secret. The secret's resource policy is fully overwritten: after the call, cross-account read access is granted exactly to the principals listed in allowedPrincipals. The KMS key policy, by contrast, is updated so that any other permissions already present in it are retained, because the key may be shared.
func ApplyManifests ¶
func ApplyManifests(ctx context.Context, kubeClient *RetryableClient, manifestYamlsCombined string) (d diag.Diagnostics)
func DescribeKubeCluster ¶
func GetARNForCPService ¶
func GetARNForService ¶
func GetAwsConfig ¶
func GetAwsConfig(ctx context.Context, dp awsconfig.AWSDataplane) (cfg aws.Config, d diag.Diagnostics)
func GetKubeClientSets ¶ added in v1.6.2
func GetKubeClientSets(ctx context.Context, cfg aws.Config, dp awsconfig.AWSDataplane) (clientSet *kubernetes.Clientset, err error)
func GetKubeClusterName ¶
func GetKubeConfig ¶
func LogError ¶
func LogError(ctx context.Context, d diag.Diagnostics, summary string, err error) diag.Diagnostics
func RemoveBucketPermissions ¶
func RemoveKmsKeyPermission ¶
func RenderAndApplyTemplate ¶
func RenderAndApplyTemplate(ctx context.Context, kubeClient *RetryableClient, name string, templateData []byte, data map[string]string) (d diag.Diagnostics)
func ResetKubeClientCache ¶ added in v1.7.2
func ResetKubeClientCache()
ResetKubeClientCache resets the kube client cache to force creation of new clients with fresh tokens
func UpdateEmptyOIDCRoleTrustPolicy ¶
func UpdateEmptyOIDCRoleTrustPolicy(ctx context.Context, cfg aws.Config, issuerID, roleName string) error
UpdateEmptyOIDCRoleTrustPolicy updates the cluster issuer id of EMPTYOIDC IRSA roles. When a dataplane is bootstrapped within account/iamroles, the EKS OIDC issuer is not yet available (EKS has not been provisioned). As a workaround, when the account role is applied while EKS is unavailable (i.e. the first time), Terraform sets the assume-role policy document to EMPTYOIDC. The account layer could be re-applied after the EKS layer to update the IRSA OIDC issuer, but to avoid that re-apply step this function scans the IRSA-specific roles for EMPTYOIDC in their trust policy and replaces it with the EKS OIDC issuer. The update is performed only if EMPTYOIDC is detected and needs replacement.
Types ¶
type RetryableClient ¶
func GetKubeClient ¶
func GetKubeClient(ctx context.Context, cfg aws.Config, dp awsconfig.AWSDataplane) (rClient *RetryableClient, err error)
func (*RetryableClient) Create ¶
func (r *RetryableClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error
func (*RetryableClient) Delete ¶
func (r *RetryableClient) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error
func (*RetryableClient) DeleteAllOf ¶
func (r *RetryableClient) DeleteAllOf(ctx context.Context, obj client.Object, opts ...client.DeleteAllOfOption) error
func (*RetryableClient) Get ¶
func (r *RetryableClient) Get(ctx context.Context, key k8stypes.NamespacedName, obj client.Object, opts ...client.GetOption) error
func (*RetryableClient) List ¶
func (r *RetryableClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error
func (*RetryableClient) Patch ¶
func (r *RetryableClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error
func (*RetryableClient) Update ¶
func (r *RetryableClient) Update(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error