feat: Add support for IRSA and aws default provider chain. (argoproj#…

…2468)
dreamholy · Mar 19, 2020 · 55c315d · 55c315d
1 parent c724c7c
commit 55c315d
Show file tree

Hide file tree

Showing 11 changed files with 54 additions and 22 deletions.
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
@@ -2430,6 +2430,11 @@
  "secretKeySecret": {
  "title": "SecretKeySecret is the secret selector to the bucket's secret key",
  "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector"
+ },
+ "useSDKCreds": {
+ "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults.",
+ "type": "boolean",
+ "format": "boolean"
  }
  }
  },

diff --git a/docs/configure-artifact-repository.md b/docs/configure-artifact-repository.md
@@ -123,6 +123,7 @@ data:
  secretKeySecret: #omit if accessing via AWS IAM
  name: my-minio-cred
  key: secretkey
+ useSDKCreds: true #tells argo to use AWS SDK's default provider chain, enable for things like IRSA support
 ```
 The secrets are retrieved from the namespace you use to run your workflows. Note that you can specify a `keyPrefix`.
 

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
  github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible
  github.com/ajg/form v1.5.1 // indirect
  github.com/aliyun/aliyun-oss-go-sdk v2.0.6+incompatible
- github.com/argoproj/pkg v0.0.0-20200226231057-d69f0b04da65
+ github.com/argoproj/pkg v0.0.0-20200318225345-d3be5f29b1a8
  github.com/aws/aws-sdk-go v1.27.1 // indirect
  github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f // indirect
  github.com/beorn7/perks v1.0.1 // indirect

diff --git a/go.sum b/go.sum
@@ -41,8 +41,8 @@ github.com/aliyun/aliyun-oss-go-sdk v2.0.6+incompatible/go.mod h1:T/Aws4fEfogEE9
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
-github.com/argoproj/pkg v0.0.0-20200226231057-d69f0b04da65 h1:bBC9exkuWvqhyDDhoNr66BpE6B4f+vxxKIXKxg6E6us=
-github.com/argoproj/pkg v0.0.0-20200226231057-d69f0b04da65/go.mod h1:2EZ44RG/CcgtPTwrRR0apOc7oU6UIw8GjCUJWZ8X3bM=
+github.com/argoproj/pkg v0.0.0-20200318145624-4a09c98c01ea h1:YZl3PlsfTujZsiOK3Uhf+KemT5z2pVlfzJdrU0S1qEw=
+github.com/argoproj/pkg v0.0.0-20200318145624-4a09c98c01ea/go.mod h1:2EZ44RG/CcgtPTwrRR0apOc7oU6UIw8GjCUJWZ8X3bM=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU=

diff --git a/pkg/apiclient/cronworkflow/cron-workflow.swagger.json b/pkg/apiclient/cronworkflow/cron-workflow.swagger.json
@@ -1252,6 +1252,11 @@
  "roleARN": {
  "type": "string",
  "description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume."
+ },
+ "useSDKCreds": {
+ "type": "boolean",
+ "format": "boolean",
+ "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults."
  }
  },
  "title": "S3Bucket contains the access information required for interfacing with an S3 bucket"

diff --git a/pkg/apiclient/workflow/workflow.swagger.json b/pkg/apiclient/workflow/workflow.swagger.json
@@ -1621,6 +1621,11 @@
  "roleARN": {
  "type": "string",
  "description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume."
+ },
+ "useSDKCreds": {
+ "type": "boolean",
+ "format": "boolean",
+ "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults."
  }
  },
  "title": "S3Bucket contains the access information required for interfacing with an S3 bucket"

diff --git a/pkg/apiclient/workflowarchive/workflow-archive.swagger.json b/pkg/apiclient/workflowarchive/workflow-archive.swagger.json
@@ -1052,6 +1052,11 @@
  "roleARN": {
  "type": "string",
  "description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume."
+ },
+ "useSDKCreds": {
+ "type": "boolean",
+ "format": "boolean",
+ "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults."
  }
  },
  "title": "S3Bucket contains the access information required for interfacing with an S3 bucket"

diff --git a/pkg/apiclient/workflowtemplate/workflow-template.swagger.json b/pkg/apiclient/workflowtemplate/workflow-template.swagger.json
@@ -1120,6 +1120,11 @@
  "roleARN": {
  "type": "string",
  "description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume."
+ },
+ "useSDKCreds": {
+ "type": "boolean",
+ "format": "boolean",
+ "description": "UseSDKCreds tells the driver to figure out credentials based on sdk defaults."
  }
  },
  "title": "S3Bucket contains the access information required for interfacing with an S3 bucket"

diff --git a/pkg/apis/workflow/v1alpha1/workflow_types.go b/pkg/apis/workflow/v1alpha1/workflow_types.go
@@ -1151,6 +1151,9 @@ type S3Bucket struct {
 
  // RoleARN is the Amazon Resource Name (ARN) of the role to assume.
  RoleARN string `json:"roleARN,omitempty" protobuf:"bytes,7,opt,name=roleARN"`
+
+ // UseSDKCreds tells the driver to figure out credentials based on sdk defaults.
+ UseSDKCreds bool `json:"useSDKCreds,omitempty" protobuf:"varint,8,opt,name=useSDKCreds"`
 }
 
 // S3Artifact is the location of an S3 artifact

diff --git a/workflow/artifacts/artifacts.go b/workflow/artifacts/artifacts.go
@@ -46,12 +46,13 @@ func NewDriver(art *wfv1.Artifact, ri resource.Interface) (ArtifactDriver, error
  }
 
  driver := s3.S3ArtifactDriver{
- Endpoint: art.S3.Endpoint,
- AccessKey: accessKey,
- SecretKey: secretKey,
- Secure: art.S3.Insecure == nil || !*art.S3.Insecure,
- Region: art.S3.Region,
- RoleARN: art.S3.RoleARN,
+ Endpoint: art.S3.Endpoint,
+ AccessKey: accessKey,
+ SecretKey: secretKey,
+ Secure: art.S3.Insecure == nil || !*art.S3.Insecure,
+ Region: art.S3.Region,
+ RoleARN: art.S3.RoleARN,
+ UseSDKCreds: art.S3.UseSDKCreds,
  }
  return &driver, nil
  }

diff --git a/workflow/artifacts/s3/s3.go b/workflow/artifacts/s3/s3.go
@@ -16,24 +16,26 @@ import (
 
 // S3ArtifactDriver is a driver for AWS S3
 type S3ArtifactDriver struct {
- Endpoint string
- Region string
- Secure bool
- AccessKey string
- SecretKey string
- RoleARN string
+ Endpoint string
+ Region string
+ Secure bool
+ AccessKey string
+ SecretKey string
+ RoleARN string
+ UseSDKCreds bool
 }
 
 // newMinioClient instantiates a new minio client object.
 func (s3Driver *S3ArtifactDriver) newS3Client() (argos3.S3Client, error) {
  opts := argos3.S3ClientOpts{
- Endpoint: s3Driver.Endpoint,
- Region: s3Driver.Region,
- Secure: s3Driver.Secure,
- AccessKey: s3Driver.AccessKey,
- SecretKey: s3Driver.SecretKey,
- RoleARN: s3Driver.RoleARN,
- Trace: os.Getenv(common.EnvVarArgoTrace) == "1",
+ Endpoint: s3Driver.Endpoint,
+ Region: s3Driver.Region,
+ Secure: s3Driver.Secure,
+ AccessKey: s3Driver.AccessKey,
+ SecretKey: s3Driver.SecretKey,
+ RoleARN: s3Driver.RoleARN,
+ Trace: os.Getenv(common.EnvVarArgoTrace) == "1",
+ UseSDKCreds: s3Driver.UseSDKCreds,
  }
  return argos3.NewS3Client(opts)
 }