
Commit 867499a

committed
Use kubeconfig secret to fetch cluster CA
Signed-off-by: Dinar Valeev <[email protected]>
1 parent b379dcc commit 867499a

File tree

1 file changed

+39
-25
lines changed


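--- a/bootstrap/eks/controllers/eksconfig_controller.go
+++ b/bootstrap/eks/controllers/eksconfig_controller.go
@@ -20,19 +20,18 @@ package controllers
 import (
 	"bytes"
 	"context"
+	"encoding/base64"
 	"fmt"
 	"os"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/eks"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -53,6 +52,7 @@ import (
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/annotations"
 	"sigs.k8s.io/cluster-api/util/conditions"
+	kubeconfigutil "sigs.k8s.io/cluster-api/util/kubeconfig"
 	"sigs.k8s.io/cluster-api/util/patch"
 	"sigs.k8s.io/cluster-api/util/predicates"
 )
@@ -324,36 +324,25 @@ func (r *EKSConfigReconciler) joinWorker(ctx context.Context, cluster *clusterv1
 		log.Info("Using mock CA certificate for test environment")
 		nodeInput.CACert = "mock-ca-certificate-for-testing"
 	} else {
-		// Fetch CA cert from EKS API
-		sess, err := session.NewSession(&aws.Config{Region: aws.String(controlPlane.Spec.Region)})
+		// Fetch CA cert from KubeConfig secrtet
+		capiOwner, err := extractClusterOwner(&config.ObjectMeta)
 		if err != nil {
-			log.Error(err, "Failed to create AWS session for EKS API")
-			conditions.MarkFalse(config, eksbootstrapv1.DataSecretAvailableCondition,
-				eksbootstrapv1.DataSecretGenerationFailedReason,
-				clusterv1.ConditionSeverityWarning,
-				"Failed to create AWS session: %v", err)
-			return ctrl.Result{}, err
+			return ctrl.Result{}, errors.Wrap(err, "failed to extract cluster owner from EKSConfig metadata")
+		}
+		obj := client.ObjectKey{
+			Namespace: config.Namespace,
+			Name: capiOwner,
 		}
-		eksClient := eks.New(sess)
-		describeInput := &eks.DescribeClusterInput{Name: aws.String(controlPlane.Spec.EKSClusterName)}
-		clusterOut, err := eksClient.DescribeCluster(describeInput)
+		ca, err := extractCAFromSecret(ctx, r.Client, obj)
 		if err != nil {
-			log.Error(err, "Failed to describe EKS cluster for CA cert fetch")
+			log.Error(err, "Failed to extract CA from kubeconfig secret")
 			conditions.MarkFalse(config, eksbootstrapv1.DataSecretAvailableCondition,
 				eksbootstrapv1.DataSecretGenerationFailedReason,
 				clusterv1.ConditionSeverityWarning,
-				"Failed to describe EKS cluster: %v", err)
+				"Failed to extract CA from kubeconfig secret: %v", err)
 			return ctrl.Result{}, err
-		} else if clusterOut.Cluster != nil && clusterOut.Cluster.CertificateAuthority != nil && clusterOut.Cluster.CertificateAuthority.Data != nil {
-			nodeInput.CACert = *clusterOut.Cluster.CertificateAuthority.Data
-		} else {
-			log.Error(nil, "CA certificate not found in EKS cluster response")
-			conditions.MarkFalse(config, eksbootstrapv1.DataSecretAvailableCondition,
-				eksbootstrapv1.DataSecretGenerationFailedReason,
-				clusterv1.ConditionSeverityWarning,
-				"CA certificate not found in EKS cluster response")
-			return ctrl.Result{}, fmt.Errorf("CA certificate not found in EKS cluster response")
 		}
+		nodeInput.CACert = ca
 	}
 
 	// Get AMI ID from AWSManagedMachinePool's launch template if specified
@@ -405,6 +394,31 @@ func (r *EKSConfigReconciler) joinWorker(ctx context.Context, cluster *clusterv1
 	return ctrl.Result{}, nil
 }
 
+func extractClusterOwner(meta *metav1.ObjectMeta) (string, error) {
+	for _, owner := range meta.OwnerReferences {
+		if owner.Kind == "Cluster" {
+			return owner.Name, nil
+		}
+	}
+	return "", fmt.Errorf("no Cluster owner found in metadata")
+}
+
+func extractCAFromSecret(ctx context.Context, c client.Client, obj client.ObjectKey) (string, error) {
+	data, err := kubeconfigutil.FromSecret(ctx, c, obj)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to get kubeconfig secret %s", obj.Name)
+	}
+	config, err := clientcmd.Load(data)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to parse kubeconfig data from secret %s", obj.Name)
+	}
+	cluster, ok := config.Clusters[obj.Name]
+	if !ok {
+		return "", fmt.Errorf("cluster %q not found", obj.Name)
+	}
+	return base64.StdEncoding.EncodeToString(cluster.CertificateAuthorityData), nil
+}
+
 func (r *EKSConfigReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, option controller.Options) error {
 	b := ctrl.NewControllerManagedBy(mgr).
 		For(&eksbootstrapv1.EKSConfig{}).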
