/*
Copyright 2021 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha4

import (
	"fmt"

	"github.com/aws/aws-sdk-go/service/eks"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	infrav1alpha4 "sigs.k8s.io/cluster-api-provider-aws/api/v1alpha4"
	iamv1 "sigs.k8s.io/cluster-api-provider-aws/iam/api/v1beta1"
)

// ControlPlaneLoggingSpec defines which EKS control plane log types should be
// enabled. Each field corresponds to one EKS log type (see IsLogEnabled for the
// mapping to the eks.LogType* names). Every field defaults to false, so no
// control plane logs are shipped unless a type is explicitly switched on.
type ControlPlaneLoggingSpec struct {
	// APIServer indicates if the Kubernetes API Server log (kube-apiserver) should be enabled.
	// +kubebuilder:default=false
	APIServer bool `json:"apiServer"`
	// Audit indicates if the Kubernetes API audit log should be enabled.
	// +kubebuilder:default=false
	Audit bool `json:"audit"`
	// Authenticator indicates if the IAM authenticator log should be enabled.
	// +kubebuilder:default=false
	Authenticator bool `json:"authenticator"`
	// ControllerManager indicates if the controller manager (kube-controller-manager) log should be enabled.
	// +kubebuilder:default=false
	ControllerManager bool `json:"controllerManager"`
	// Scheduler indicates if the Kubernetes scheduler (kube-scheduler) log should be enabled.
	// +kubebuilder:default=false
	Scheduler bool `json:"scheduler"`
}

// IsLogEnabled reports whether the EKS control plane log type named by logName
// (one of the eks.LogType* constants) is enabled in this spec. A nil receiver
// or an unrecognised log name yields false.
func (s *ControlPlaneLoggingSpec) IsLogEnabled(logName string) bool {
	// A nil spec means logging was never configured: nothing is enabled.
	if s == nil {
		return false
	}

	// Pick the flag that corresponds to the EKS log type name. Names that do
	// not match any known log type leave enabled at its zero value (false).
	var enabled bool
	switch logName {
	case eks.LogTypeApi:
		enabled = s.APIServer
	case eks.LogTypeAudit:
		enabled = s.Audit
	case eks.LogTypeAuthenticator:
		enabled = s.Authenticator
	case eks.LogTypeControllerManager:
		enabled = s.ControllerManager
	case eks.LogTypeScheduler:
		enabled = s.Scheduler
	}
	return enabled
}

// EKSTokenMethod defines the method for obtaining a client token to use when connecting to EKS.
type EKSTokenMethod string

var (
	// EKSTokenMethodIAMAuthenticator indicates that aws-iam-authenticator will be used to get a token.
	EKSTokenMethodIAMAuthenticator = EKSTokenMethod("iam-authenticator")

	// EKSTokenMethodAWSCli indicates that the AWS CLI will be used to get a token.
	// Version 1.16.156 or greater of the AWS CLI is required.
	EKSTokenMethodAWSCli = EKSTokenMethod("aws-cli")
)

var (
	// DefaultEKSControlPlaneRole is the name of the default IAM role to use for the EKS control plane
	// if no other role is supplied in the spec and if IAM role creation is not enabled. The default
	// can be created using clusterawsadm or created manually.
	DefaultEKSControlPlaneRole = fmt.Sprintf("eks-controlplane%s", iamv1.DefaultNameSuffix)
)

// IAMAuthenticatorConfig represents an aws-iam-authenticator configuration.
// Each mapping grants the referenced IAM principal the Kubernetes user and
// groups it carries, so entries here are effectively cluster access grants and
// should be reviewed as such.
type IAMAuthenticatorConfig struct {
	// RoleMappings is a list of role mappings.
	// +optional
	RoleMappings []RoleMapping `json:"mapRoles,omitempty"`
	// UserMappings is a list of user mappings.
	// +optional
	UserMappings []UserMapping `json:"mapUsers,omitempty"`
}

// KubernetesMapping represents the kubernetes RBAC mapping.
type KubernetesMapping struct {
	// UserName is the Kubernetes RBAC user subject the IAM principal is mapped to.
	UserName string `json:"username"`
	// Groups is the list of Kubernetes RBAC groups the IAM principal is mapped to.
	// The groups decide what the mapped principal may do in the cluster, so they
	// deserve the same scrutiny as the principal itself.
	Groups []string `json:"groups"`
}

// RoleMapping represents a mapping from an IAM role to Kubernetes users and groups.
type RoleMapping struct {
	// RoleARN is the AWS ARN for the role to map.
	// The marker below only enforces a minimum length; it does not validate ARN
	// structure, so a malformed value is presumably rejected further downstream
	// (by the authenticator or EKS) rather than at admission — confirm.
	// +kubebuilder:validation:MinLength:=31
	RoleARN string `json:"rolearn"`
	// KubernetesMapping holds the RBAC details for the mapping.
	KubernetesMapping `json:",inline"`
}

// UserMapping represents a mapping from an IAM user to Kubernetes users and groups.
type UserMapping struct {
	// UserARN is the AWS ARN for the user to map.
	// As with RoleMapping.RoleARN, only a minimum length is enforced here.
	// +kubebuilder:validation:MinLength:=31
	UserARN string `json:"userarn"`
	// KubernetesMapping holds the RBAC details for the mapping.
	KubernetesMapping `json:",inline"`
}

// Addon represents an EKS addon.
type Addon struct {
	// Name is the name of the addon.
	// +kubebuilder:validation:MinLength:=2
	// +kubebuilder:validation:Required
	Name string `json:"name"`
	// Version is the version of the addon to use.
	Version string `json:"version"`
	// ConflictResolution is used to declare what should happen if there
	// are parameter conflicts. Defaults to none.
	// +kubebuilder:default=none
	// +kubebuilder:validation:Enum=overwrite;none
	ConflictResolution *AddonResolution `json:"conflictResolution,omitempty"`
	// ServiceAccountRoleArn is the ARN of an IAM role to bind to the addon's service account.
	// Unlike RoleMapping.RoleARN, no length or format validation marker is applied here.
	// +optional
	ServiceAccountRoleArn *string `json:"serviceAccountRoleARN,omitempty"`
}

// AddonResolution defines the method for resolving parameter conflicts.
type AddonResolution string

var (
	// AddonResolutionOverwrite indicates that if there are parameter conflicts then
	// resolution will be accomplished via overwriting.
	AddonResolutionOverwrite = AddonResolution("overwrite")

	// AddonResolutionNone indicates that if there are parameter conflicts then
	// resolution will not be done and an error will be reported.
	AddonResolutionNone = AddonResolution("none")
)

// AddonStatus defines the status for an addon.
//
// NOTE(review): the AddonStatus* values below are declared as plain strings
// rather than AddonStatus, which matches AddonState.Status (*string). Retyping
// them would change the exported API, so they are left as is.
type AddonStatus string

var (
	// AddonStatusCreating is a status to indicate the addon is creating.
	AddonStatusCreating = "creating"

	// AddonStatusActive is a status to indicate the addon is active.
	AddonStatusActive = "active"

	// AddonStatusCreateFailed is a status to indicate the addon failed creation.
	AddonStatusCreateFailed = "create_failed"

	// AddonStatusUpdating is a status to indicate the addon is updating.
	AddonStatusUpdating = "updating"

	// AddonStatusDeleting is a status to indicate the addon is deleting.
	AddonStatusDeleting = "deleting"

	// AddonStatusDeleteFailed is a status to indicate the addon failed deletion.
	AddonStatusDeleteFailed = "delete_failed"

	// AddonStatusDegraded is a status to indicate the addon is in a degraded state.
	AddonStatusDegraded = "degraded"
)

// AddonState represents the observed state of an addon.
type AddonState struct {
	// Name is the name of the addon.
	Name string `json:"name"`
	// Version is the version of the addon to use.
	Version string `json:"version"`
	// ARN is the AWS ARN of the addon.
	ARN string `json:"arn"`
	// ServiceAccountRoleArn is the ARN of the IAM role used for the service account.
	ServiceAccountRoleArn *string `json:"serviceAccountRoleARN,omitempty"`
	// CreatedAt is the date and time the addon was created at.
	// encoding/json ignores omitempty on struct values, so a zero time is still serialised.
	CreatedAt metav1.Time `json:"createdAt,omitempty"`
	// ModifiedAt is the date and time the addon was last modified.
	ModifiedAt metav1.Time `json:"modifiedAt,omitempty"`
	// Status is the status of the addon; see the AddonStatus* values above.
	Status *string `json:"status,omitempty"`
	// Issues is a list of issues associated with the addon.
	Issues []AddonIssue `json:"issues,omitempty"`
}

// AddonIssue represents an issue with an addon.
type AddonIssue struct {
	// Code is the issue code.
	Code *string `json:"code,omitempty"`
	// Message is the textual description of the issue.
	Message *string `json:"message,omitempty"`
	// ResourceIDs is a list of resource ids for the issue.
	ResourceIDs []string `json:"resourceIds,omitempty"`
}

const (
	// SecurityGroupCluster is the security group for communication between EKS
	// control plane and managed node groups.
	SecurityGroupCluster = infrav1alpha4.SecurityGroupRole("cluster")
)

// OIDCIdentityProviderConfig represents the configuration of an OpenID Connect
// identity provider associated with the EKS cluster. Tokens issued by the
// provider are accepted by the API server according to the claim settings
// below, so the issuer, client ID and prefixes together define who can
// authenticate and under which names.
type OIDCIdentityProviderConfig struct {

	// This is also known as audience. The ID for the client application that makes
	// authentication requests to the OpenID identity provider.
	// Required by the marker below even though the JSON tag carries omitempty.
	// +kubebuilder:validation:Required
	ClientID string `json:"clientId,omitempty"`

	// The JWT claim that the provider uses to return your groups.
	// +optional
	GroupsClaim *string `json:"groupsClaim,omitempty"`

	// The prefix that is prepended to group claims to prevent clashes with existing
	// names (such as system: groups). For example, the value oidc: will create group
	// names like oidc:engineering and oidc:infra.
	// +optional
	GroupsPrefix *string `json:"groupsPrefix,omitempty"`

	// The name of the OIDC provider configuration.
	//
	// IdentityProviderConfigName is a required field
	// +kubebuilder:validation:Required
	IdentityProviderConfigName string `json:"identityProviderConfigName,omitempty"`

	// The URL of the OpenID identity provider that allows the API server to discover
	// public signing keys for verifying tokens. The URL must begin with https://
	// and should correspond to the iss claim in the provider's OIDC ID tokens.
	// Per the OIDC standard, path components are allowed but query parameters are
	// not. Typically the URL consists of only a hostname, like https://server.example.org
	// or https://example.com. This URL should point to the level below .well-known/openid-configuration
	// and must be publicly accessible over the internet.
	//
	// NOTE(review): the https:// requirement is described here but not enforced by a
	// validation marker in this file; presumably EKS rejects non-https issuers — confirm.
	//
	// +kubebuilder:validation:Required
	IssuerURL string `json:"issuerUrl,omitempty"`

	// The key value pairs that describe required claims in the identity token.
	// If set, each claim is verified to be present in the token with a matching
	// value. For the maximum number of claims that you can require, see Amazon
	// EKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html)
	// in the Amazon EKS User Guide.
	// +optional
	RequiredClaims map[string]string `json:"requiredClaims,omitempty"`

	// The JSON Web Token (JWT) claim to use as the username. The default is sub,
	// which is expected to be a unique identifier of the end user. You can choose
	// other claims, such as email or name, depending on the OpenID identity provider.
	// Claims other than email are prefixed with the issuer URL to prevent naming
	// clashes with other plug-ins.
	// +optional
	UsernameClaim *string `json:"usernameClaim,omitempty"`

	// The prefix that is prepended to username claims to prevent clashes with existing
	// names. If you do not provide this field, and username is a value other than
	// email, the prefix defaults to issuerurl#. You can use the value - to disable
	// all prefixing. Disabling the prefix removes the namespace separation between
	// OIDC usernames and names from other authenticators, so do so deliberately.
	// +optional
	UsernamePrefix *string `json:"usernamePrefix,omitempty"`

	// Tags to apply to the OIDC identity provider association.
	// +optional
	Tags infrav1alpha4.Tags `json:"tags,omitempty"`
}