feat: user aws-auth configmap for the cluster config

[skip ci]
flanksource · Jan 8, 2024 · 7862b99 · 7862b99
1 parent 2053323
commit 7862b99
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 1 deletion.
diff --git a/scrapers/kubernetes/kubernetes.go b/scrapers/kubernetes/kubernetes.go
@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"fmt"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -50,7 +51,7 @@ func (kubernetes KubernetesScraper) Scrape(ctx api.ScrapeContext) v1.ScrapeResul
 			Name:        config.ClusterName,
 			ConfigClass: "Cluster",
 			Type:        ConfigTypePrefix + "Cluster",
-			Config:      make(map[string]string),
+			Config:      make(map[string]any),
 			ID:          clusterID,
 		})
 
@@ -180,6 +181,23 @@ func (kubernetes KubernetesScraper) Scrape(ctx api.ScrapeContext) v1.ScrapeResul
 				}
 			}
 
+			if obj.GetKind() == "ConfigMap" && obj.GetName() == "aws-auth" {
+				// If there is a aws-auth cm, then insert its contents into the cluster JSON at aws-auth
+				cm, ok := obj.Object["data"].(map[string]any)
+				if ok {
+					// Extract the account ID from the roles
+					var accountID string
+					if mapRolesYAML, ok := cm["mapRoles"].(string); ok {
+						accountID = extractAccountIDFromARN(mapRolesYAML)
+					}
+
+					if v, ok := results[0].Config.(map[string]any); ok {
+						v["aws-auth"] = cm
+						v["account-id"] = accountID
+					}
+				}
+			}
+
 			tags := make(map[string]string)
 			if obj.GetLabels() != nil {
 				tags = obj.GetLabels()
@@ -362,3 +380,14 @@ func cleanKubernetesObject(obj map[string]any) string {
 
 	return o.String()
 }
+
+var arnRegexp = regexp.MustCompile(`arn:aws:iam::(\d+):role/`)
+
+func extractAccountIDFromARN(input string) string {
+	matches := arnRegexp.FindStringSubmatch(input)
+	if len(matches) >= 2 {
+		return matches[1]
+	}
+
+	return ""
+}
diff --git a/scrapers/kubernetes/kubernetes_test.go b/scrapers/kubernetes/kubernetes_test.go
@@ -0,0 +1,27 @@
+package kubernetes
+
+import "testing"
+
+func Test_extractAccountIDFromARN(t *testing.T) {
+	type args struct {
+		input string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			name: "xx",
+			args: args{input: `- groups:\n  - system:masters\n  rolearn: arn:aws:iam::123456789:role/kubernetes-admin\n  username: admin\n- groups:\n  - system:bootstrappers\n  - system:nodes\n  rolearn: arn:aws:iam::123456789:role/eksctl-mission-control-demo-clust-NodeInstanceRole-VRLF7VBIVK3M\n  username: system:node:{{EC2PrivateDNSName}}\n`},
+			want: "123456789",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := extractAccountIDFromARN(tt.args.input); got != tt.want {
+				t.Errorf("extractAccountIDFromARN() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}