Merge pull request #32

* Add support for Externally Managed Policies
redradrat · Sep 12, 2023 · 6390f37 · 6390f37
1 parent c36129b
commit 6390f37
Show file tree

Hide file tree

Showing 13 changed files with 162 additions and 99 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@ dist/
 *.so
 *.dylib
 bin
+aws-iam-operator
 
 # Test binary, build with `go test -c`
 *.test
@@ -24,4 +25,4 @@ bin
 *.swo
 *~
 
-**/.DS_Store
+**/.DS_Store
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -14,6 +14,7 @@ builds:
       - windows
       - darwin
     ldflags:
+      - -s -w # strip symbols, reduces binary size
       - -X main.operatorversion={{.Version}}
       - -X main.operatorbuilddate={{.Date}}
 archives:

diff --git a/api/v1beta1/group_types.go b/api/v1beta1/group_types.go
@@ -40,7 +40,7 @@ type GroupStatus struct {
 // +kubebuilder:printcolumn:name="Message",type=string,JSONPath=`.status.message`
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.state`
 // +kubebuilder:printcolumn:name="Last Sync",type=string,JSONPath=`.status.lastSyncAttempt`
-//
+
 // Group is the Schema for the roles API
 type Group struct {
 	metav1.TypeMeta   `json:",inline"`

diff --git a/api/v1beta1/policyattachment_types.go b/api/v1beta1/policyattachment_types.go
@@ -20,6 +20,9 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// ResourceReference refrences the Policy resource to attach to another resource
+// +kubebuilder:validation:Optional
+// +optional
 type ResourceReference struct {
 
 	// +kubebuilder:validation:Required
@@ -29,6 +32,15 @@ type ResourceReference struct {
 	Namespace string `json:"namespace,omitempty"`
 }
 
+// ExternalResource is a reference to a policy ARN that is not created by the controller
+// +kubebuilder:validation:Optional
+// +optional
+type ExternalResource struct {
+
+	// +kubebuilder:validation:Required
+	ARN string `json:"arn,omitempty"`
+}
+
 type TargetType string
 
 const (
@@ -54,14 +66,18 @@ type TargetReference struct {
 // PolicyAttachmentSpec defines the desired state of PolicyAttachment
 type PolicyAttachmentSpec struct {
 
-	// +kubebuilder:validation:Required
-	//
 	// PolicyReference refrences the Policy resource to attach to another resource
+	// +kubebuilder:validation:Optional
+	// +optional
 	PolicyReference ResourceReference `json:"policy,omitempty"`
 
-	// +kubebuilder:validation:Required
-	//
+	// ExternalPolicy is a reference to a resource that is not created by the controller
+	// +kubebuilder:validation:Optional
+	// +optional
+	ExternalPolicy ExternalResource `json:"externalPolicy,omitempty"`
+
 	// Attachments holds all defined attachments
+	// +kubebuilder:validation:Required
 	TargetReference TargetReference `json:"target,omitempty"`
 }
 

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/aws-iam.redradrat.xyz_policyattachments.yaml b/config/crd/bases/aws-iam.redradrat.xyz_policyattachments.yaml
@@ -50,6 +50,13 @@ spec:
           spec:
             description: PolicyAttachmentSpec defines the desired state of PolicyAttachment
             properties:
+              externalPolicy:
+                description: ExternalPolicy is a reference to a resource that is not
+                  created by the controller
+                properties:
+                  arn:
+                    type: string
+                type: object
               policy:
                 description: PolicyReference refrences the Policy resource to attach
                   to another resource

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -106,12 +106,8 @@ rules:
   resources:
   - policyattachments
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - aws-iam.redradrat.xyz

diff --git a/controllers/group_controller.go b/controllers/group_controller.go
@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+
 	"github.com/go-logr/logr"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -59,7 +60,7 @@ func (r *GroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 	// Get our actual IAM Service to communicate with AWS; we don't need to continue without it
 	iamsvc, err := IAMService(r.Region)
 	if err != nil {
-		return ctrl.Result{}, errWithStatus(&group, err, r.Status(), ctx)
+		return ctrl.Result{}, errWithStatus(ctx, &group, err, r.Status())
 	}
 
 	// new group instance
@@ -68,7 +69,7 @@ func (r *GroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 	if group.Status.ARN != "" {
 		parsedArn, err := aws.ARNify(group.Status.ARN)
 		if err != nil {
-			return ctrl.Result{}, errWithStatus(&group, fmt.Errorf("ARN in Group status is not valid/parsable"), r.Status(), ctx)
+			return ctrl.Result{}, errWithStatus(ctx, &group, fmt.Errorf("ARN in Group status is not valid/parsable"), r.Status())
 		}
 		ins = iam.NewExistingGroupInstance(groupName, parsedArn[len(parsedArn)-1])
 	} else {
@@ -104,7 +105,7 @@ func (r *GroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 			// delete the actual AWS Object and pass the cleanup function
 			statusUpdater, err := DeleteAWSObject(iamsvc, ins, cleanupFunc)
 			// we got a StatusUpdater function returned... let's execute it
-			statusUpdater(ins, &group, ctx, r.Status(), log)
+			statusUpdater(ctx, ins, &group, r.Status(), log)
 			if err != nil {
 				// we had an error during AWS Object deletion... so we return here to retry
 				log.Error(err, "unable to delete Group")
@@ -130,7 +131,7 @@ func (r *GroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 	if group.Status.ARN != "" {
 		// Delete the actual AWS Object and pass the cleanup function
 		statusWriter, err := DeleteAWSObject(iamsvc, ins, cleanupFunc)
-		statusWriter(ins, &group, ctx, r.Status(), log)
+		statusWriter(ctx, ins, &group, r.Status(), log)
 		if err != nil {
 			// we had an error during AWS Object deletion... so we return here to retry
 			log.Error(err, "error while deleting Group during reconciliation")
@@ -139,7 +140,7 @@ func (r *GroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 	}
 
 	statusWriter, err := CreateAWSObject(iamsvc, ins, DoNothingPreFunc)
-	statusWriter(ins, &group, ctx, r.Status(), log)
+	statusWriter(ctx, ins, &group, r.Status(), log)
 	if err != nil {
 		log.Error(err, "error while creating Group during reconciliation")
 		return ctrl.Result{}, err
@@ -151,23 +152,23 @@ func (r *GroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 		userObj := iamv1beta1.User{}
 		r.Client.Get(ctx, client.ObjectKey{Name: user.Name, Namespace: user.Namespace}, &userObj)
 		if err != nil {
-			return ctrl.Result{}, errWithStatus(&group, err, r.Status(), ctx)
+			return ctrl.Result{}, errWithStatus(ctx, &group, err, r.Status())
 		}
 
 		// Err if ARN is not available in the user obj
 		if userObj.Status.ARN == "" {
-			return ctrl.Result{}, errWithStatus(&group, fmt.Errorf("referenced user resource '%s/%s' has not yet been created", user.Namespace, user.Name), r.Status(), ctx)
+			return ctrl.Result{}, errWithStatus(ctx, &group, fmt.Errorf("referenced user resource '%s/%s' has not yet been created", user.Namespace, user.Name), r.Status())
 		}
 
 		// parse the user arn
 		parsedArn, err := aws.ARNify(userObj.Status.ARN)
 		if err != nil {
-			return ctrl.Result{}, errWithStatus(&group, fmt.Errorf("ARN in referenced User status is not valid/parsable"), r.Status(), ctx)
+			return ctrl.Result{}, errWithStatus(ctx, &group, fmt.Errorf("ARN in referenced User status is not valid/parsable"), r.Status())
 		}
 
 		// Now add the user to our Group Instance
 		if err = ins.AddUser(iamsvc, parsedArn[len(parsedArn)-1]); err != nil {
-			return ctrl.Result{}, errWithStatus(&group, err, r.Status(), ctx)
+			return ctrl.Result{}, errWithStatus(ctx, &group, err, r.Status())
 		}
 	}
 
@@ -195,7 +196,7 @@ func groupCleanup(r *GroupReconciler, ctx context.Context, group iamv1beta1.Grou
 		for _, att := range attachments.Items {
 			if att.Spec.TargetReference.Type == iamv1beta1.GroupTargetType {
 				if att.Spec.TargetReference.Name == group.Name && att.Spec.TargetReference.Namespace == group.Namespace {
-					err := fmt.Errorf(fmt.Sprintf("cannot delete Group due to existing PolicyAttachment '%s/%s'", att.Name, att.Namespace))
+					err := fmt.Errorf("cannot delete Group due to existing PolicyAttachment '%s/%s'", att.Name, att.Namespace)
 					return err
 				}
 			}

diff --git a/controllers/helpers.go b/controllers/helpers.go
@@ -94,7 +94,7 @@ func ignoreDoesNotExistError(err error) error {
 
 func DoNothingPreFunc() error { return nil }
 
-func errWithStatus(obj AWSObjectStatusResource, err error, sw client.StatusWriter, ctx context.Context) error {
+func errWithStatus(ctx context.Context, obj AWSObjectStatusResource, err error, sw client.StatusWriter) error {
 	origerr := err
 	obj.GetStatus().Message = origerr.Error()
 	obj.GetStatus().State = iamv1beta1.ErrorSyncState
@@ -115,10 +115,10 @@ func IAMService(region string) (*awsiam.IAM, error) {
 	return iam.Client(session), nil
 }
 
-type StatusUpdater func(ins aws.Instance, obj AWSObjectStatusResource, ctx context.Context, sw client.StatusWriter, log logr.Logger)
+type StatusUpdater func(ctx context.Context, ins aws.Instance, obj AWSObjectStatusResource, sw client.StatusWriter, log logr.Logger)
 
 func SuccessStatusUpdater() StatusUpdater {
-	return func(ins aws.Instance, obj AWSObjectStatusResource, ctx context.Context, sw client.StatusWriter, log logr.Logger) {
+	return func(ctx context.Context, ins aws.Instance, obj AWSObjectStatusResource, sw client.StatusWriter, log logr.Logger) {
 		obj.GetStatus().ARN = ins.ARN().String()
 		obj.GetStatus().Message = "Succesfully reconciled"
 		obj.GetStatus().State = iamv1beta1.OkSyncState
@@ -132,7 +132,7 @@ func SuccessStatusUpdater() StatusUpdater {
 }
 
 func ErrorStatusUpdater(reason string) StatusUpdater {
-	return func(ins aws.Instance, obj AWSObjectStatusResource, ctx context.Context, sw client.StatusWriter, log logr.Logger) {
+	return func(ctx context.Context, ins aws.Instance, obj AWSObjectStatusResource, sw client.StatusWriter, log logr.Logger) {
 		obj.GetStatus().Message = reason
 		obj.GetStatus().State = iamv1beta1.ErrorSyncState
 		obj.GetStatus().LastSyncAttempt = time.Now().Format(time.RFC822Z)
@@ -144,5 +144,5 @@ func ErrorStatusUpdater(reason string) StatusUpdater {
 	}
 }
 
-func DoNothingStatusUpdater(ins aws.Instance, obj AWSObjectStatusResource, ctx context.Context, sw client.StatusWriter, log logr.Logger) {
+func DoNothingStatusUpdater(ctx context.Context, ins aws.Instance, obj AWSObjectStatusResource, sw client.StatusWriter, log logr.Logger) {
 }
diff --git a/controllers/policy_controller.go b/controllers/policy_controller.go
@@ -96,7 +96,7 @@ func (r *PolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 			policy.ObjectMeta.Finalizers = append(policy.ObjectMeta.Finalizers, policiesFinalizer)
 			if err := r.Update(context.Background(), &policy); err != nil {
 				log.Error(err, "unable to register finalizer for Policy")
-				return ctrl.Result{}, errWithStatus(&policy, err, r.Status(), ctx)
+				return ctrl.Result{}, errWithStatus(ctx, &policy, err, r.Status())
 			}
 		}
 	} else {
@@ -105,7 +105,7 @@ func (r *PolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 
 			// delete the actual AWS Object and pass the cleanup function
 			statusWriter, err := DeleteAWSObject(iamsvc, ins, cleanupFunc)
-			statusWriter(ins, &policy, ctx, r.Status(), log)
+			statusWriter(ctx, ins, &policy, r.Status(), log)
 			if err != nil {
 				// we had an error during AWS Object deletion... so we return here to retry
 				log.Error(err, "unable to delete Policy")
@@ -128,14 +128,14 @@ func (r *PolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 
 	// if there is already an ARN in our status, then we update the object
 	statusWriter, err := CreateAWSObject(iamsvc, ins, DoNothingPreFunc)
-	statusWriter(ins, &policy, ctx, r.Status(), log)
+	statusWriter(ctx, ins, &policy, r.Status(), log)
 	if err != nil {
 		// If already exists, we just update the status
 		if aerr, ok := err.(awserr.Error); ok {
 			if aerr.Code() == awsiam.ErrCodeEntityAlreadyExistsException {
 				// Update the actual AWS Object and pass the DoNothing function
 				statusWriter, err := UpdateAWSObject(iamsvc, ins, DoNothingPreFunc)
-				statusWriter(ins, &policy, ctx, r.Status(), log)
+				statusWriter(ctx, ins, &policy, r.Status(), log)
 				if err != nil {
 					// we had an error during AWS Object update... so we return here to retry
 					log.Error(err, "error while updating Policy during reconciliation")
@@ -172,7 +172,7 @@ func policyCleanup(r *PolicyReconciler, ctx context.Context, policy *iamv1beta1.
 		}
 		for _, att := range attachments.Items {
 			if att.Spec.PolicyReference.Name == policy.Name && att.Spec.PolicyReference.Namespace == policy.Namespace {
-				err := fmt.Errorf(fmt.Sprintf("cannot delete policy due to existing PolicyAttachment '%s/%s'", att.Name, att.Namespace))
+				err := fmt.Errorf("cannot delete policy due to existing PolicyAttachment '%s/%s'", att.Name, att.Namespace)
 				return err
 			}
 		}