Constants ¶
// Name of the AWS user that will be used to create all the resources of the cluster.
// Because it provisions everything, this identity necessarily carries broad
// permissions: its access keys (see GetAWSAccessKeys / AccessKey) are secrets and
// must never be logged or written into error messages.
const (
	AdminUserName = "osdCcsAdmin"
	// Name of the CloudFormation stack associated with that user. NOTE(review):
	// presumably the stack that provisions AdminUserName — EnsureOsdCcsAdminUser and
	// DeleteOsdCcsAdminUser take a stack name, so confirm there.
	OsdCcsAdminStackName = "osdCcsAdminIAMUser"
	// Since CloudFormation stacks are region-dependent, we hard-code OCM's default region and
	// then use it to ensure that the user always gets the stack from the same region.
	DefaultRegion = "us-east-1"
)
// OIDC client IDs used with the cluster's identity provider.
// NOTE(review): these read like the audience (client ID) values registered on an
// IAM OIDC provider for STS web-identity federation — confirm against the callers
// of Client.CreateOpenIDConnectProvider, which here takes only an issuer URL and a
// thumbprint and no client ID list.
const (
	OIDCClientIDOpenShift = "openshift"
	OIDCClientIDSTSAWS    = "sts.amazonaws.com"
)
Variables ¶
// AccountRoles enumerates the account-wide IAM roles a cluster needs, keyed by a
// stable identifier. Name is the role's name component (presumably joined with
// DefaultPrefix to form the IAM role name — confirm with callers) and Flag is the
// CLI flag through which a caller can presumably supply an existing role instead.
// The installer and support roles are listed first, the two instance roles after.
var AccountRoles = map[string]AccountRole{
	"installer": {Name: "Installer", Flag: "role-arn"},
	"support":   {Name: "Support", Flag: "support-role-arn"},

	"instance_controlplane": {Name: "ControlPlane", Flag: "master-iam-role"},
	"instance_worker":       {Name: "Worker", Flag: "worker-iam-role"},
}
// CredentialRequests lists, keyed by a stable identifier, the OpenShift operator
// credentials this package has to back with AWS IAM resources. For each entry Name
// and Namespace identify the in-cluster credential secret and ServiceAccountNames
// the service accounts that use it.
// NOTE(review): ServiceAccountNames presumably become the subjects permitted in the
// corresponding operator role's trust policy — adding a name here widens who may
// assume that role; confirm against the FindPolicyARN / EnsureRole callers.
var CredentialRequests = map[string]Operator{
	"cloud_credential_operator_cloud_credential_operator_iam_ro_creds": {
		Name:      "cloud-credential-operator-iam-ro-creds",
		Namespace: "openshift-cloud-credential-operator",
		ServiceAccountNames: []string{
			"cloud-credential-operator",
		},
	},
	"cluster_csi_drivers_ebs_cloud_credentials": {
		Name:      "ebs-cloud-credentials",
		Namespace: "openshift-cluster-csi-drivers",
		ServiceAccountNames: []string{
			"aws-ebs-csi-driver-operator",
			"aws-ebs-csi-driver-controller-sa",
		},
	},
	"image_registry_installer_cloud_credentials": {
		Name:      "installer-cloud-credentials",
		Namespace: "openshift-image-registry",
		ServiceAccountNames: []string{
			"cluster-image-registry-operator",
			"registry",
		},
	},
	"ingress_operator_cloud_credentials": {
		Name:      "cloud-credentials",
		Namespace: "openshift-ingress-operator",
		ServiceAccountNames: []string{
			"ingress-operator",
		},
	},
	"machine_api_aws_cloud_credentials": {
		Name:      "aws-cloud-credentials",
		Namespace: "openshift-machine-api",
		ServiceAccountNames: []string{
			"machine-api-controllers",
		},
	},
}
// DefaultPrefix is the prefix used for the names of the IAM resources this package
// creates when the caller does not supply one (presumably prepended to the Name
// values in AccountRoles — confirm with callers).
var DefaultPrefix = "ManagedOpenShift"
// JumpAccounts are the AWS account IDs that own the installer jump role in each
// OCM environment. Keys are environment names, values are 12-digit account IDs.
// NOTE(review): these IDs presumably end up as trusted principals in a role trust
// policy, so any edit here changes who is allowed to assume that role — confirm
// which policy template consumes them before changing a value.
var JumpAccounts = map[string]string{
	"integration": "896164604406",
	"production":  "710019948333",
	"staging":     "644306948063",
}
// RoleNameRE accepts role names consisting only of ASCII word characters (letters,
// digits, underscore — Go's \w is ASCII-only) and the punctuation + = , . @ -.
// It validates the character set only: the name length is not bounded here, so any
// length limit is left to AWS to enforce. The empty string does not match.
var RoleNameRE = regexp.MustCompile(`^[\w+=,.@-]+$`)
Functions ¶
func ARNValidator ¶ added in v1.1.1
func ARNValidator(input interface{}) error
func CheckStackReadyForCreateCluster ¶ added in v1.0.8
CheckStackReadyForCreateCluster validates that the CloudFormation stack and the admin user exist and that the stack is ready before cluster creation proceeds.
func GetRegion ¶
GetRegion will return a region selected by the user or given as a default to the AWS client. If the region given is empty, it will first attempt to use the default, and, failing that, will prompt for user input.
func GetServiceQuota ¶
func GetServiceQuota(serviceQuotas []*servicequotas.ServiceQuota, quotaCode string) (*servicequotas.ServiceQuota, error)
GetServiceQuota extracts the quota identified by quotaCode from the given list of service quotas, returning an error if it is not present.
func ListServiceQuotas ¶
func ListServiceQuotas(client *awsClient, serviceCode string) ([]*servicequotas.ServiceQuota, error)
ListServiceQuotas lists the quotas available for the service identified by serviceCode.
Types ¶
type AccountRole ¶ added in v1.1.0
type Client ¶
// Client defines a client interface: the AWS operations this package performs
// against IAM, STS, EC2, CloudFormation, Organizations and Service Quotas.
// Implementations come from New or ClientBuilder.Build. Methods are grouped by
// concern below; the grouping is documentation only.
type Client interface {
	// --- Caller identity, credentials and region ---

	// ValidateCredentials reports whether the configured credentials are usable.
	ValidateCredentials() (isValid bool, err error)
	// GetIAMCredentials exposes the credentials in use. The value carries the
	// secret key: never log it or embed it in an error message.
	GetIAMCredentials() (credentials.Value, error)
	// GetAWSAccessKeys returns an access key pair; same secrecy caveat applies.
	GetAWSAccessKeys() (*AccessKey, error)
	// GetCreator returns details about the calling identity (see Creator).
	GetCreator() (*Creator, error)
	// GetRegion returns the region this client was built for.
	GetRegion() string

	// --- The osdCcsAdmin IAM user and its CloudFormation stack ---

	CheckAdminUserNotExisting(userName string) (err error)
	CheckAdminUserExists(userName string) (err error)
	// CheckStackReadyOrNotExisting reports whether the stack is ready and, when it
	// exists, its raw status string.
	CheckStackReadyOrNotExisting(stackName string) (stackReady bool, stackStatus *string, err error)
	// EnsureOsdCcsAdminUser presumably creates the admin user through the named
	// stack in awsRegion when it is missing; what the bool reports is not visible
	// here — confirm with the implementation.
	EnsureOsdCcsAdminUser(stackName string, adminUserName string, awsRegion string) (bool, error)
	DeleteOsdCcsAdminUser(stackName string) error
	// TagUserRegion / GetClusterRegionTagForUser write and read back a region tag
	// on the IAM user.
	TagUserRegion(username string, region string) error
	GetClusterRegionTagForUser(username string) (string, error)

	// --- Account preflight checks ---

	// ValidateSCP checks whether service control policies leave the account with
	// the permissions needed; the optional string argument's meaning is not
	// visible here — confirm with the implementation.
	ValidateSCP(*string) (bool, error)
	ValidateQuota() (bool, error)
	GetSubnetIDs() ([]*ec2.Subnet, error)

	// --- IAM roles and policies ---

	CheckRoleExists(roleName string) (bool, error)
	// EnsureRole creates the named role if needed. policy is presumably the
	// trust (assume-role) document; permissionsBoundary, when non-empty, is
	// presumably set as the role's permissions boundary, which caps what any
	// attached policy can grant — keep it set for roles assumed by third
	// parties. tagList is applied to the role. The returned string is presumably
	// the role ARN.
	EnsureRole(name string, policy string, permissionsBoundary string, version string, tagList map[string]string) (string, error)
	// PutRolePolicy writes an inline policy named policyName onto the role.
	PutRolePolicy(roleName string, policyName string, policy string) error
	// EnsurePolicy creates or updates a managed policy from document and returns
	// its ARN (presumably; confirm).
	EnsurePolicy(policyArn string, document string, version string, tagList map[string]string) (string, error)
	AttachRolePolicy(roleName string, policyARN string) error
	// FindPolicyARN locates the managed policy for an operator credential request.
	FindPolicyARN(operator Operator, version string) (string, error)

	// --- OIDC identity provider ---

	// CreateOpenIDConnectProvider registers issuerURL as an IAM OIDC provider.
	// thumbprint is what IAM uses to trust the issuer's TLS certificate chain, so
	// it must be derived from the issuer's real certificate and never taken from
	// untrusted input. The returned string is presumably the provider ARN.
	CreateOpenIDConnectProvider(issuerURL string, thumbprint string) (string, error)
	// HasOpenIDConnectProvider reports whether a provider for issuerURL already
	// exists in accountID.
	HasOpenIDConnectProvider(issuerURL string, accountID string) (bool, error)
}
func GetAWSClientForUserRegion ¶ added in v1.0.8
GetAWSClientForUserRegion returns a client for the region the user actually initialised with. Currently a user can run `rosa init` either with the region from their config or with --region, so when checking for the CloudFormation stack we must look in the region the user used rather than the default.
func New ¶
func New( logger *logrus.Logger, iamClient iamiface.IAMAPI, ec2Client ec2iface.EC2API, orgClient organizationsiface.OrganizationsAPI, stsClient stsiface.STSAPI, cfClient cloudformationiface.CloudFormationAPI, servicequotasClient servicequotasiface.ServiceQuotasAPI, awsSession *session.Session, awsAccessKeys *AccessKey, ) Client
type ClientBuilder ¶
// ClientBuilder contains the information and logic needed to build a new AWS client.
// Configure it through the chained setters (AccessKeys, Logger, Region), then call
// Build; BuildSessionWithOptions / BuildSessionWithOptionsCredentials expose the
// underlying session directly.
type ClientBuilder struct {
	// contains filtered or unexported fields
}
func NewClient ¶
func NewClient() *ClientBuilder
NewClient creates a builder that can then be used to configure and build a new AWS client.
func (*ClientBuilder) AccessKeys ¶
func (b *ClientBuilder) AccessKeys(value *AccessKey) *ClientBuilder
func (*ClientBuilder) Build ¶
func (b *ClientBuilder) Build() (Client, error)
Build uses the information stored in the builder to build a new AWS client.
func (*ClientBuilder) BuildSessionWithOptions ¶
func (b *ClientBuilder) BuildSessionWithOptions() (*session.Session, error)
func (*ClientBuilder) BuildSessionWithOptionsCredentials ¶
func (b *ClientBuilder) BuildSessionWithOptionsCredentials(value *AccessKey) (*session.Session, error)
BuildSessionWithOptionsCredentials creates an AWS session authenticated with the specific access key passed in value.
func (*ClientBuilder) Logger ¶
func (b *ClientBuilder) Logger(value *logrus.Logger) *ClientBuilder
Logger sets the logger that the AWS client will use to send messages to the log.
func (*ClientBuilder) Region ¶
func (b *ClientBuilder) Region(value string) *ClientBuilder
type PolicyDocument ¶
// PolicyDocument models an AWS IAM policy document.
type PolicyDocument struct {
	// Optional identifier for the document.
	ID string `json:"Id,omitempty"`
	// Specify the version of the policy language that you want to use.
	// As a best practice, use the latest 2012-10-17 version.
	// NOTE(review): because of omitempty an unset Version is dropped from the JSON
	// entirely rather than defaulted here, so callers that marshal this type should
	// always set it explicitly; an absent Version presumably makes IAM fall back to
	// its older policy language — confirm.
	Version string `json:"Version,omitempty"`
	// Use this main policy element as a container for the following elements.
	// You can include more than one statement in a policy.
	// No omitempty: a nil slice marshals as "Statement": null.
	Statement []PolicyStatement `json:"Statement"`
}
type PolicyStatement ¶
// PolicyStatement models an AWS policy statement entry.
type PolicyStatement struct {
	// Include an optional statement ID to differentiate between your statements.
	Sid string `json:"Sid,omitempty"`
	// Use `Allow` or `Deny` to indicate whether the policy allows or denies access.
	Effect string `json:"Effect"`
	// If you create a resource-based policy, you must indicate the account, user, role, or
	// federated user to which you would like to allow or deny access. If you are creating an
	// IAM permissions policy to attach to a user or role, you cannot include this element.
	// The principal is implied as that user or role.
	// NOTE(review): omitempty has no effect on struct values, so marshaling this type
	// always emits a "Principal" object — including in the identity-policy case the
	// comment above says must omit it. That only matters if the type is marshaled
	// rather than just decoded; confirm with callers. A *PolicyStatementPrincipal
	// with omitempty would let the element be dropped.
	Principal PolicyStatementPrincipal `json:"Principal"`
	// Include a list of actions that the policy allows or denies.
	// (i.e. ec2:StartInstances, iam:ChangePassword)
	// NOTE(review): declared as a slice, so a document that writes a single action as
	// a bare string rather than a one-element array will fail to decode into this
	// type; presumably only documents this package produces are ever parsed — confirm.
	Action []string `json:"Action"`
	// If you create an IAM permissions policy, you must specify a list of resources to which
	// the actions apply. If you create a resource-based policy, this element is optional. If
	// you do not include this element, then the resource to which the action applies is the
	// resource to which the policy is attached.
	// Same bare-string-versus-array decoding caveat as Action.
	Resource []string `json:"Resource"`
}
type PolicyStatementPrincipal ¶ added in v1.1.0
// PolicyStatementPrincipal models the Principal element of a policy statement.
// None of the fields carry omitempty, so every field is emitted on marshal (nil
// slices as null, an unset Federated as ""). NOTE(review): a trust policy carrying
// "AWS": null or "Federated": "" is unlikely to be accepted by IAM — confirm that
// callers always populate only the variant they use, or add omitempty.
type PolicyStatementPrincipal struct {
	// A service principal is an identifier that is used to grant permissions to a service.
	// The identifier for a service principal includes the service name, and is usually in the
	// following format: service-name.amazonaws.com
	Service []string `json:"Service"`
	// You can specify an individual IAM role ARN (or array of role ARNs) as the principal.
	// In IAM roles, the Principal element in the role's trust policy specifies who can assume the role.
	// When you specify more than one principal in the element, you grant permissions to each principal.
	// Security note: every entry here widens who may assume the role; keep the list
	// as narrow as the use case allows.
	AWS []string `json:"AWS"`
	// A federated principal uses a web identity token or SAML federation
	// (e.g. the value returned by Client.CreateOpenIDConnectProvider, presumably the
	// provider ARN).
	Federated string `json:"Federated"`
}
type SimulateParams ¶
// SimulateParams captures any additional details that should be used when
// simulating permissions.
type SimulateParams struct {
	// Region is the AWS region assumed during the simulation. NOTE(review): no
	// consumer is visible here — confirm whether an empty value falls back to
	// Client.GetRegion.
	Region string
}