Merge branch 'master' of github.com:bryantbiggs/aws-iam-authenticator…

… into chore/update-app-k8s-dependencies
kubernetes-sigs · Mar 20, 2024 · 4ac7942 · 4ac7942
2 parents 309922a + 2ccb5bc
commit 4ac7942
Show file tree

Hide file tree

Showing 22 changed files with 276 additions and 38 deletions.
diff --git a/.github/workflows/deps.yml b/.github/workflows/deps.yml
@@ -26,4 +26,3 @@ jobs:
         with:
           go-version-input: 1.21.5
           go-version-file: go.mod
-
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,7 @@
 aws-iam-authenticator
 
+bin
+
 /dist
 /_output
 

diff --git a/.go-version b/.go-version
@@ -0,0 +1 @@
+1.21.5
diff --git a/Dockerfile b/Dockerfile
@@ -17,6 +17,7 @@ ARG golang_image=public.ecr.aws/docker/library/golang:1.21.5
 FROM --platform=$BUILDPLATFORM $golang_image AS builder
 WORKDIR /go/src/github.com/kubernetes-sigs/aws-iam-authenticator
 COPY . .
+RUN go version
 RUN goproxy=https://goproxy.io go mod download
 ARG TARGETOS TARGETARCH
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH make bin

diff --git a/Makefile b/Makefile
@@ -102,6 +102,7 @@ image: .image-linux-$(GOARCH)
 .PHONY: .image-linux-%
 .image-linux-%:
 	docker buildx build --output=type=docker --platform linux/$* \
+		--build-arg golang_image=$(shell hack/setup-go.sh) \
 		--tag aws-iam-authenticator:$(VERSION)_$(GIT_COMMIT)_$(BUILD_DATE_STRIPPED)-linux_$* .
 
 .PHONY: goreleaser
@@ -113,8 +114,7 @@ endif
 
 .PHONY: test
 test:
-	go test -v -coverprofile=coverage.out -race $(PKG)/pkg/...
-	go tool cover -html=coverage.out -o coverage.html
+	./hack/test-unit.sh
 
 .PHONY: integration
 integration:

diff --git a/README.md b/README.md
@@ -482,7 +482,7 @@ server:
     groups:
     - system:masters
 
-  # each mapUsers entry maps an IAM role to a static username and set of groups
+  # each mapUsers entry maps an IAM user to a static username and set of groups
   mapUsers:
   # map user IAM user Alice in 000000000000 to user "alice" in group "system:masters"
   - userarn: arn:aws:iam::000000000000:user/Alice

diff --git a/go.mod b/go.mod
@@ -37,7 +37,7 @@ require (
 	github.com/go-openapi/swag v0.22.7 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.5.0 // indirect
@@ -72,7 +72,7 @@ require (
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/tools v0.16.1 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.51.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

diff --git a/go.sum b/go.sum
@@ -95,8 +95,8 @@ github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
@@ -449,8 +449,8 @@ google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiq
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

diff --git a/hack/setup-go.sh b/hack/setup-go.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Copyright 2020 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# script to setup go version as needed
+# MUST BE RUN FROM THE REPO ROOT DIRECTORY
+
+# read go-version file unless GO_VERSION is set
+GO_VERSION="${GO_VERSION:-"$(cat .go-version)"}"
+GO_IMAGE=public.ecr.aws/docker/library/golang:$GO_VERSION
+
+# gotoolchain
+# https://go.dev/doc/toolchain
+export GOSUMDB="sum.golang.org"
+export GOTOOLCHAIN=go${GO_VERSION}
+
+# force go modules
+export GO111MODULE=on
+
+echo $GO_IMAGE
diff --git a/hack/test-integration.sh b/hack/test-integration.sh
@@ -78,6 +78,10 @@ if [[ "${CREATE_TEST_ROLE}" = "true" ]]; then
     TEST_ROLE_ARN="$(echo ${create_role_output} | jq -r '.Role.Arn')"
 fi
 
+source hack/setup-go.sh
+
+go version
+
 make clean
 make bin
 

diff --git a/hack/test-unit.sh b/hack/test-unit.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Copyright 2016 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+# cd to the repo root and setup go
+REPO_ROOT="$(cd "$( dirname "${BASH_SOURCE[0]}" )"/.. &> /dev/null && pwd)"
+
+source hack/setup-go.sh
+
+pushd ${REPO_ROOT}
+
+go version
+go test -v -coverprofile=coverage.out -race sigs.k8s.io/aws-iam-authenticator/pkg/...
+go tool cover -html=coverage.out -o coverage.html
+popd
diff --git a/pkg/fileutil/util.go b/pkg/fileutil/util.go
@@ -1,7 +1,9 @@
 package fileutil
 
 import (
+	"fmt"
 	"os"
+	"strconv"
 	"time"
 
 	"github.com/fsnotify/fsnotify"
@@ -104,3 +106,18 @@ func StartLoadDynamicFile(filename string, callBack FileChangeCallBack, stopCh <
 		}
 	}, time.Second, stopCh)
 }
+
+func CalculateTimeDeltaFromUnixInSeconds(from string) (int64, error) {
+	startTime, err := strconv.ParseInt(from, 10, 64)
+	if err != nil {
+		return 0, fmt.Errorf("failed to parse 'startTime' string: %v", err)
+	}
+
+	endTime := time.Now().Unix()
+
+	if startTime > endTime {
+		return 0, fmt.Errorf("start timestamp is after end timestamp")
+	}
+
+	return endTime - startTime, nil
+}
diff --git a/pkg/fileutil/util_test.go b/pkg/fileutil/util_test.go
@@ -2,6 +2,7 @@ package fileutil
 
 import (
 	"os"
+	"strconv"
 	"sync"
 	"testing"
 	"time"
@@ -122,3 +123,57 @@ func TestDeleteDynamicFile(t *testing.T) {
 	}
 	testA.mutex.Unlock()
 }
+
+func TestCalculateTimeDeltaFromUnixInSeconds(t *testing.T) {
+	type args struct {
+		startTime string
+	}
+	cases := []struct {
+		input  args
+		errexp bool
+		sleep  bool
+	}{
+		{
+			args{"1706648530"},
+			false,
+			false,
+		},
+		{
+			args{"1706648520"},
+			false,
+			false,
+		},
+		{
+			args{"foo"},
+			true,
+			false,
+		},
+		{
+			args{"2706648520"},
+			true,
+			false,
+		},
+		{
+			args{strconv.FormatInt(time.Now().Unix(), 10)},
+			false,
+			true,
+		},
+	}
+
+	for _, c := range cases {
+		if c.sleep {
+			time.Sleep(1 * time.Second)
+		}
+
+		out, err := CalculateTimeDeltaFromUnixInSeconds(c.input.startTime)
+		if !c.errexp && err != nil {
+			t.Errorf("Did not expect error but got err: %v", err)
+		} else if c.errexp && err == nil {
+			t.Error("Expected error but got nil")
+		}
+
+		if !c.errexp && out < 1 {
+			t.Errorf("Returned an invalid value: %d", out)
+		}
+	}
+}
diff --git a/pkg/mapper/dynamicfile/dynamicfile.go b/pkg/mapper/dynamicfile/dynamicfile.go
@@ -10,6 +10,8 @@ import (
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/fileutil"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 )
 
 type DynamicFileMapStore struct {
@@ -21,13 +23,18 @@ type DynamicFileMapStore struct {
 	filename                  string
 	userIDStrict              bool
 	usernamePrefixReserveList []string
+
+	dynamicFileInitDone bool
 }
 
 type DynamicFileData struct {
+	// Time that the object takes from update time to load time
+	LastUpdatedDateTime string `json:"LastUpdatedDateTime"`
+	// Version is the version number of the update
+	Version string `json:"Version"`
 	// RoleMappings is a list of mappings from AWS IAM Role to
 	// Kubernetes username + groups.
 	RoleMappings []config.RoleMapping `json:"mapRoles"`
-
 	// UserMappings is a list of mappings from AWS IAM User to
 	// Kubernetes username + groups.
 	UserMappings []config.UserMapping `json:"mapUsers"`
@@ -48,6 +55,7 @@ func NewDynamicFileMapStore(cfg config.Config) (*DynamicFileMapStore, error) {
 	ms := DynamicFileMapStore{}
 	ms.filename = cfg.DynamicFilePath
 	ms.userIDStrict = cfg.DynamicFileUserIDStrict
+	ms.dynamicFileInitDone = false
 	return &ms, nil
 }
 
@@ -165,6 +173,26 @@ func (ms *DynamicFileMapStore) CallBackForFileLoad(dynamicContent []byte) error
 		return err
 	}
 	ms.saveMap(userMappings, roleMappings, awsAccounts)
+
+	// when instance or container restarts, the dynamic file is (re)loaded and the latency metric is calculated
+	// regardless if there was a change upstream, and thus can emit an incorrect latency value
+	// so a workaround is to skip the first time the metric is calculated, and only emit metris after
+	// as we know any subsequent calculations are from a valid change upstream
+	if ms.dynamicFileInitDone {
+		latency, err := fileutil.CalculateTimeDeltaFromUnixInSeconds(dynamicFileData.LastUpdatedDateTime)
+		if err != nil {
+			logrus.Errorf("error parsing latency for dynamic file: %v", err)
+		} else {
+			metrics.Get().E2ELatency.WithLabelValues("dynamic_file").Observe(float64(latency))
+			logrus.WithFields(logrus.Fields{
+				"Version": dynamicFileData.Version,
+				"Type":    "dynamic_file",
+				"Latency": latency,
+			}).Infof("logging latency metric")
+		}
+	}
+	ms.dynamicFileInitDone = true
+
 	return nil
 }
 

diff --git a/pkg/mapper/dynamicfile/dynamicfile_test.go b/pkg/mapper/dynamicfile/dynamicfile_test.go
@@ -7,9 +7,11 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/prometheus/client_golang/prometheus"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/fileutil"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
 )
 
@@ -18,6 +20,11 @@ var (
 	testRole = config.RoleMapping{RoleARN: "arn:aws:iam::012345678912:role/computer", Username: "computer", Groups: []string{"system:nodes"}}
 )
 
+func TestMain(m *testing.M) {
+	metrics.InitMetrics(prometheus.NewRegistry())
+	m.Run()
+}
+
 func makeStore(users map[string]config.UserMapping, roles map[string]config.RoleMapping, filename string, userIDStrict bool) DynamicFileMapStore {
 	ms := DynamicFileMapStore{
 		users:        users,
@@ -96,6 +103,9 @@ func TestAWSAccount(t *testing.T) {
 
 var origFileContent = `
 {
+  "Version": "1",
+  "LastUpdatedDateTime": "12345678",
+  "ClusterId": "000000000098",
   "mapRoles": [
     {
       "rolearn": "arn:aws:iam::000000000098:role/KubernetesAdmin",
@@ -133,6 +143,9 @@ var origFileContent = `
 
 var updatedFileContent = `
 {
+  "Version": "1",
+  "LastUpdatedDateTime": "12345678",
+  "ClusterId": "000000000098",
   "mapRoles": [
     {
       "rolearn": "arn:aws:iam::000000000098:role/KubernetesAdmin",
Original file line number	Diff line number	Diff line change
Expand Up		@@ -26,4 +26,3 @@ jobs:
		with:
		go-version-input: 1.21.5
		go-version-file: go.mod