mirror of
https://github.com/lukaszraczylo/kubernetes-images-sync-operator.git
synced 2026-07-11 04:11:44 +00:00
fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! General improvements
This commit is contained in:
+2
-2
@@ -10,9 +10,9 @@ description: |
|
|||||||
|
|
||||||
type: application
|
type: application
|
||||||
|
|
||||||
version: 0.2.39
|
version: 0.2.40
|
||||||
|
|
||||||
appVersion: "0.2.39"
|
appVersion: "0.2.40"
|
||||||
|
|
||||||
home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator
|
home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator
|
||||||
|
|
||||||
|
|||||||
+1
-1
@@ -12,7 +12,7 @@ sa:
|
|||||||
- ALL
|
- ALL
|
||||||
image:
|
image:
|
||||||
repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
|
repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
|
||||||
tag: 0.2.39
|
tag: 0.2.40
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: 500m
|
cpu: 500m
|
||||||
|
|||||||
@@ -63,49 +63,98 @@ def get_s3_client(use_role=False, role_name=None, use_current_role=False, aws_ac
|
|||||||
# Use the current role (e.g., from Kubernetes service account)
|
# Use the current role (e.g., from Kubernetes service account)
|
||||||
logger.info("Using current role from environment")
|
logger.info("Using current role from environment")
|
||||||
try:
|
try:
|
||||||
# Import required components
|
# Log environment for debugging
|
||||||
from botocore.session import Session
|
for key, value in sorted(os.environ.items()):
|
||||||
import botocore.credentials
|
if any(k in key.lower() for k in ['aws', 'role', 'auth', 'token', 'credential']):
|
||||||
import json
|
logger.info(f"Environment: {key}={value}")
|
||||||
|
|
||||||
# Get required environment variables
|
# Get the AWS region from environment or parameter
|
||||||
|
aws_region = region or os.environ.get('AWS_REGION') or os.environ.get('AWS_DEFAULT_REGION')
|
||||||
|
if not aws_region:
|
||||||
|
raise ValueError("AWS region must be specified either through region parameter or AWS_REGION environment variable")
|
||||||
|
|
||||||
|
logger.info(f"Using AWS region: {aws_region}")
|
||||||
|
|
||||||
|
# Create an STS client in the correct region
|
||||||
|
sts = boto3.client('sts',
|
||||||
|
region_name=aws_region,
|
||||||
|
endpoint_url=f'https://sts.{aws_region}.amazonaws.com')
|
||||||
|
|
||||||
|
# Read the web identity token
|
||||||
token_file = os.environ.get('AWS_WEB_IDENTITY_TOKEN_FILE')
|
token_file = os.environ.get('AWS_WEB_IDENTITY_TOKEN_FILE')
|
||||||
role_arn = os.environ.get('AWS_ROLE_ARN')
|
role_arn = os.environ.get('AWS_ROLE_ARN')
|
||||||
|
|
||||||
if not token_file or not role_arn:
|
if not token_file or not role_arn:
|
||||||
raise ValueError("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must be set")
|
raise ValueError("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must be set")
|
||||||
|
|
||||||
# Read the web identity token
|
|
||||||
with open(token_file, 'r') as f:
|
with open(token_file, 'r') as f:
|
||||||
token = f.read().strip()
|
token = f.read().strip()
|
||||||
|
|
||||||
logger.info("Successfully read web identity token")
|
logger.info("Successfully read web identity token")
|
||||||
logger.info(f"Using role ARN: {role_arn}")
|
logger.info(f"Using role ARN: {role_arn}")
|
||||||
|
|
||||||
# Create an STS client with no credentials
|
# Assume role with web identity using regional endpoint
|
||||||
sts = boto3.client('sts', region_name=region if region else None)
|
try:
|
||||||
|
response = sts.assume_role_with_web_identity(
|
||||||
|
RoleArn=role_arn,
|
||||||
|
RoleSessionName=os.environ.get('AWS_ROLE_SESSION_NAME', 'WebIdentitySession'),
|
||||||
|
WebIdentityToken=token
|
||||||
|
)
|
||||||
|
|
||||||
# Assume role with web identity
|
# Get the temporary credentials
|
||||||
response = sts.assume_role_with_web_identity(
|
credentials = response['Credentials']
|
||||||
RoleArn=role_arn,
|
|
||||||
RoleSessionName=os.environ.get('AWS_ROLE_SESSION_NAME', 'WebIdentitySession'),
|
# Create the S3 client with the temporary credentials
|
||||||
WebIdentityToken=token
|
client = boto3.client(
|
||||||
)
|
's3',
|
||||||
|
region_name=aws_region,
|
||||||
|
aws_access_key_id=credentials['AccessKeyId'],
|
||||||
|
aws_secret_access_key=credentials['SecretAccessKey'],
|
||||||
|
aws_session_token=credentials['SessionToken'],
|
||||||
|
**client_kwargs
|
||||||
|
)
|
||||||
|
|
||||||
# Get the temporary credentials
|
logger.info(f"Successfully assumed role with web identity: {response['AssumedRoleUser']['Arn']}")
|
||||||
credentials = response['Credentials']
|
|
||||||
|
# Test the credentials
|
||||||
# Create the S3 client with the temporary credentials
|
try:
|
||||||
client = boto3.client(
|
# Try to get caller identity first
|
||||||
's3',
|
sts_test = boto3.client(
|
||||||
aws_access_key_id=credentials['AccessKeyId'],
|
'sts',
|
||||||
aws_secret_access_key=credentials['SecretAccessKey'],
|
region_name=aws_region,
|
||||||
aws_session_token=credentials['SessionToken'],
|
aws_access_key_id=credentials['AccessKeyId'],
|
||||||
**client_kwargs
|
aws_secret_access_key=credentials['SecretAccessKey'],
|
||||||
)
|
aws_session_token=credentials['SessionToken']
|
||||||
|
)
|
||||||
|
identity = sts_test.get_caller_identity()
|
||||||
|
logger.info(f"Successfully verified credentials as: {identity['Arn']}")
|
||||||
|
|
||||||
|
# Then try S3 access
|
||||||
|
bucket_name = os.environ.get('BUCKET_NAME', 'default-bucket')
|
||||||
|
try:
|
||||||
|
client.head_bucket(Bucket=bucket_name)
|
||||||
|
logger.info(f"Successfully verified S3 access to bucket: {bucket_name}")
|
||||||
|
except ClientError as e:
|
||||||
|
error_code = e.response['Error']['Code']
|
||||||
|
if error_code == '404':
|
||||||
|
logger.warning(f"Bucket {bucket_name} does not exist, but credentials work")
|
||||||
|
else:
|
||||||
|
logger.warning(f"S3 access check failed: {error_code} - {e.response['Error']['Message']}")
|
||||||
|
except Exception as e:
|
||||||
|
logger.warning(f"Could not verify credentials: {str(e)}")
|
||||||
|
|
||||||
|
return client
|
||||||
|
|
||||||
logger.info(f"Successfully assumed role with web identity: {response['AssumedRoleUser']['Arn']}")
|
except ClientError as e:
|
||||||
return client
|
error_code = e.response['Error']['Code']
|
||||||
|
error_message = e.response['Error']['Message']
|
||||||
|
logger.error("Failed to assume role with web identity:")
|
||||||
|
logger.error(f"Error Code: {error_code}")
|
||||||
|
logger.error(f"Error Message: {error_message}")
|
||||||
|
logger.error("Trust policy might need to be updated to allow sts:AssumeRoleWithWebIdentity")
|
||||||
|
logger.error("Current role ARN: " + role_arn)
|
||||||
|
logger.error("Token file path: " + token_file)
|
||||||
|
raise
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
logger.error(f"Failed to use current role: {str(e)}")
|
logger.error(f"Failed to use current role: {str(e)}")
|
||||||
logger.error("Current environment:")
|
logger.error("Current environment:")
|
||||||
|
|||||||
Reference in New Issue
Block a user