File: aws_eks_credentials.rb

ruby-kubeclient 4.13.0-2
# frozen_string_literal: true

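module Kubeclient
  # Builds the bearer token used to authenticate against an Amazon EKS cluster.
  #
  # The token is the string 'k8s-aws-v1.' followed by the unpadded URL-safe
  # Base64 encoding of a presigned STS GetCallerIdentity URL. Anyone holding
  # the token can present it until the presigned URL expires, so treat it as a
  # secret: keep it out of logs, error messages and persistent caches.
  class AmazonEksCredentials
    # Raised when the optional aws-sigv4 dependency cannot be loaded.
    class AmazonEksDependencyError < LoadError # rubocop:disable Lint/InheritException
    end

    # The region is interpolated into the STS host name that gets signed, so
    # only a single DNS label is accepted (letters, digits and hyphens).
    REGION_FORMAT = /\A[a-z0-9-]+\z/i.freeze

    class << self
      # Create a short-lived EKS bearer token.
      #
      # @param credentials [Object] either static credentials, or a provider
      #   object that responds to +credentials+ and returns them
      # @param eks_cluster [String] cluster name, sent as the X-K8s-Aws-Id
      #   header that is handed to the signer together with the URL
      # @param region [String] AWS region used for signing and for the STS host
      # @return [String] the token, prefixed with 'k8s-aws-v1.'
      # @raise [ArgumentError] if region is not a single DNS label
      # @raise [AmazonEksDependencyError] if aws-sigv4 (or base64/cgi) cannot be required
      def token(credentials, eks_cluster, region: 'us-east-1')
        # Reject anything that could alter the host or path of the signed URL
        # (dots, slashes, '@', '#', whitespace, empty string, nil).
        unless region.to_s.match?(REGION_FORMAT)
          raise ArgumentError, "invalid AWS region: #{region.inspect}"
        end

        begin
          require 'aws-sigv4'
          require 'base64'
          require 'cgi'
        rescue LoadError => e
          raise AmazonEksDependencyError,
                'Error requiring aws gems. Kubeclient itself does not include the following ' \
                'gems: [aws-sigv4]. To support auth-provider eks, you must ' \
                "include it in your calling application. Failed with: #{e.message}"
        end

        # https://github.com/aws/aws-sdk-ruby/pull/1848
        # A provider object is passed as credentials_provider, plain
        # credentials as credentials; everything else is identical.
        uses_provider = credentials.respond_to?(:credentials)
        signer_options = { service: 'sts', region: region }
        signer_options[uses_provider ? :credentials_provider : :credentials] = credentials
        signer = Aws::Sigv4::Signer.new(**signer_options)

        credentials = credentials.credentials if uses_provider

        # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Sigv4/Signer.html#presign_url-instance_method
        # NOTE(review): the host suffix is fixed to amazonaws.com, so regions
        # served under another DNS suffix are not covered here.
        presigned_url_string = signer.presign_url(
          http_method: 'GET',
          url: "https://sts.#{region}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15",
          body: '',
          credentials: credentials,
          expires_in: 60, # keeps the lifetime of a leaked token to one minute
          headers: {
            'X-K8s-Aws-Id' => eks_cluster
          }
        )

        # padding: false yields the same output as stripping trailing '='
        # characters, without a regexp anchored on '$'.
        encoded_url = Base64.urlsafe_encode64(presigned_url_string.to_s, padding: false)
        "k8s-aws-v1.#{encoded_url}"
      end
    end
  end
end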