add role assumption option

giantswarm · Oct 2, 2024 · 39e0e5e · 39e0e5e
1 parent c28f620
commit 39e0e5e
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add optional `--role-arn` flag to specify the role ARN to assume when interacting with Route53.
+
 ## [0.9.2] - 2024-08-26
 
 ### Added

diff --git a/controllers/cluster_controller.go b/controllers/cluster_controller.go
@@ -44,6 +44,7 @@ type ClusterReconciler struct {
 
 	BaseDomain        string
 	ManagementCluster string
+	RoleArn           string
 	StaticBastionIP   string
 }
 
@@ -92,6 +93,7 @@ func (r *ClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 		Cluster:               cluster,
 		InfrastructureCluster: infraCluster,
 		ManagementCluster:     r.ManagementCluster,
+		RoleArn:               r.RoleArn,
 		StaticBastionIP:       r.StaticBastionIP,
 	})
 	if err != nil {

diff --git a/helm/dns-operator-route53/templates/deployment.yaml b/helm/dns-operator-route53/templates/deployment.yaml
@@ -39,6 +39,9 @@ spec:
         - --enable-leader-election
         - --base-domain={{ .Values.baseDomain }}
         - --management-cluster={{ .Values.managementCluster }}
+        {{ if .Values.roleARN -}}
+        - --role-arn={{ .Values.roleARN }}
+        {{- end }}
         {{ if .Values.staticBastionIP -}}
         - --static-bastion-ip={{ .Values.staticBastionIP }}
         {{- end }}

diff --git a/helm/dns-operator-route53/values.yaml b/helm/dns-operator-route53/values.yaml
@@ -32,6 +32,9 @@ baseDomain: ""
 # Name of management cluster. Used in comments of DNS records to track WC->MC relation.
 managementCluster: ""
 
+# Role ARN to assume for AWS API calls
+roleARN: ""
+
 # IP address of bastion machine for all clusters
 staticBastionIP: ""
 

diff --git a/main.go b/main.go
@@ -52,6 +52,7 @@ func main() {
 		enableLeaderElection bool
 		managementCluster    string
 		metricsAddr          string
+		roleArn              string
 		staticBastionIP      string
 	)
 
@@ -62,6 +63,7 @@ func main() {
 
 	flag.StringVar(&baseDomain, "base-domain", "", "Domain for which to create the DNS entries, e.g. customer.gigantic.io.")
 	flag.StringVar(&managementCluster, "management-cluster", "", "Name of the management cluster.")
+	flag.StringVar(&roleArn, "role-arn", "", "ARN of the role to assume for the AWS API calls.")
 	flag.StringVar(&staticBastionIP, "static-bastion-ip", "", "IP address of static bastion machine for all clusters.")
 
 	flag.Parse()
@@ -93,6 +95,7 @@ func main() {
 		Client:            mgr.GetClient(),
 		BaseDomain:        baseDomain,
 		ManagementCluster: managementCluster,
+		RoleArn:           roleArn,
 		StaticBastionIP:   staticBastionIP,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Cluster")

diff --git a/pkg/cloud/scope/cluster.go b/pkg/cloud/scope/cluster.go
@@ -4,8 +4,11 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/aws/aws-sdk-go/aws"
 	awsclient "github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/sts"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/rest"
 	capi "sigs.k8s.io/cluster-api/api/v1beta1"
@@ -31,6 +34,7 @@ type ClusterScopeParams struct {
 	Cluster               *capi.Cluster
 	InfrastructureCluster *unstructured.Unstructured
 	ManagementCluster     string
+	RoleArn               string
 	StaticBastionIP       string
 }
 
@@ -50,9 +54,36 @@ func NewClusterScope(ctx context.Context, params ClusterScopeParams) (*ClusterSc
 		return nil, microerror.Mask(err)
 	}
 
-	return &ClusterScope{
-		session: awsSession,
+	if params.RoleArn != "" {
+		// Assume Role
+		stsSvc := sts.New(awsSession)
+
+		assumeRoleOutput, err := stsSvc.AssumeRole(&sts.AssumeRoleInput{
+			RoleArn:         aws.String(params.RoleArn),
+			RoleSessionName: aws.String("MyClusterOperatorSession"),
+		})
+		if err != nil {
+			return nil, microerror.Mask(err)
+		}
 
+		// Use the temporary credentials from the AssumeRole response
+		creds := credentials.NewStaticCredentials(
+			*assumeRoleOutput.Credentials.AccessKeyId,
+			*assumeRoleOutput.Credentials.SecretAccessKey,
+			*assumeRoleOutput.Credentials.SessionToken,
+		)
+
+		// Create a new session with the assumed role credentials
+		awsSession, err = session.NewSession(&aws.Config{
+			Credentials: creds,
+		})
+		if err != nil {
+			return nil, microerror.Mask(err)
+		}
+	}
+
+	return &ClusterScope{
+		session:           awsSession,
 		baseDomain:        params.BaseDomain,
 		cluster:           params.Cluster,
 		infraCluster:      params.InfrastructureCluster,