Merge pull request #9755 from WarpRat/9750

Fix backwards compatibility when backend mode isn't set
kubernetes · Aug 17, 2020 · 655c424 · 655c424
2 parents ddd8422 + 1981c56
commit 655c424
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 9 deletions.
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -113,7 +113,7 @@ data:
         - system:masters
 ```
 
-It is also possible to configure alternative backend modes for aws-iam-authenticator. The `backendMode` configuration option allows defining multiple backends in a comma separated string. The mappings in these backends will be merged. When the same mapping is found in multiple backends, the first backend in the list will take precedence. If MountedFile is not included in the list of backends, no configmap is required and the [cluster-id](https://github.com/kubernetes-sigs/aws-iam-authenticator#what-is-a-cluster-id) will default to the cluster's master API DNS name. The cluster-id can be overridden by setting the `clusterID` API field. If you wish to continue using a configmap for authenticator settings other than mappings, MountedFile must be included in the backendMode list.
+It is also possible to configure alternative backend modes for aws-iam-authenticator. The `backendMode` configuration option allows defining multiple backends in a comma separated string. The mappings in these backends will be merged. When the same mapping is found in multiple backends, the first backend in the list will take precedence. If MountedFile is not included in the list of backends, no configmap is required and the [cluster-id](https://github.com/kubernetes-sigs/aws-iam-authenticator#what-is-a-cluster-id) will default to the cluster's name. The cluster-id can be overridden by setting the `clusterID` API field. If you wish to continue using a configmap for authenticator settings other than mappings, MountedFile must be included in the backendMode list.
 
 This requires an aws-iam-authenticator image >= 0.5.0 For more information see [usergroup-mappings](https://github.com/kubernetes-sigs/aws-iam-authenticator#4-create-iam-roleuser-to-kubernetes-usergroup-mappings)
 

diff --git a/upup/models/bindata.go b/upup/models/bindata.go
diff --git a/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/authentication.aws/k8s-1.12.yaml.template
@@ -131,8 +131,8 @@ spec:
         {{- if or (not .Authentication.Aws.BackendMode) (contains "MountedFile" .Authentication.Aws.BackendMode) }}
         - --config=/etc/aws-iam-authenticator/config.yaml
         {{- end }}
-        {{- if or .Authentication.Aws.ClusterID (not (contains "MountedFile" .Authentication.Aws.BackendMode))}}
-        - --cluster-id={{ or .Authentication.Aws.ClusterID .MasterPublicName }}
+        {{- if or .Authentication.Aws.ClusterID (and .Authentication.Aws.BackendMode (not (contains "MountedFile" .Authentication.Aws.BackendMode)))}}
+        - --cluster-id={{ or .Authentication.Aws.ClusterID ClusterName }}
         {{- end }}
         - --state-dir=/var/aws-iam-authenticator
         - --kubeconfig-pregenerated=true

diff --git a/...loudup/tests/bootstrapchannelbuilder/awsiamauthenticator/authentication.aws-k8s-1.12.yaml b/...loudup/tests/bootstrapchannelbuilder/awsiamauthenticator/authentication.aws-k8s-1.12.yaml
@@ -108,10 +108,11 @@ spec:
       containers:
       - args:
         - server
-        - --cluster-id=api.minimal.example.com
+        - --config=/etc/aws-iam-authenticator/config.yaml
+        - --cluster-id=custom-cluster-ID
         - --state-dir=/var/aws-iam-authenticator
         - --kubeconfig-pregenerated=true
-        - --backend-mode=CRD
+        - --backend-mode=CRD,MountedFile
         image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.1-debian-stretch
         livenessProbe:
           httpGet:
@@ -128,6 +129,8 @@ spec:
             cpu: 10m
             memory: 20Mi
         volumeMounts:
+        - mountPath: /etc/aws-iam-authenticator/
+          name: config
         - mountPath: /var/aws-iam-authenticator/
           name: state
         - mountPath: /etc/kubernetes/aws-iam-authenticator/
@@ -143,6 +146,9 @@ spec:
       - key: CriticalAddonsOnly
         operator: Exists
       volumes:
+      - configMap:
+          name: aws-iam-authenticator
+        name: config
       - hostPath:
           path: /srv/kubernetes/aws-iam-authenticator/
         name: output

diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/cluster.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/cluster.yaml
@@ -8,7 +8,8 @@ spec:
     - manifest: s3://somebucket/example.yaml
   authentication:
     aws:
-      backendMode: CRD
+      backendMode: CRD,MountedFile
+      clusterID: custom-cluster-ID
   kubernetesApiAccess:
   - 0.0.0.0/0
   channel: stable

diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml
@@ -97,7 +97,7 @@ spec:
   - id: k8s-1.12
     kubernetesVersion: '>=1.12.0'
     manifest: authentication.aws/k8s-1.12.yaml
-    manifestHash: c4f7cd3bf0b39ca7ab1b27f875da96bf5feacca9
+    manifestHash: dbfc79bb5908416ca06803461ab076b4896d0f7c
     name: authentication.aws
     selector:
       role.kubernetes.io/authentication: "1"