Creates IAM roles for DP nodes (#65)

* Creates IAM roles for DP nodes, DNS serviceIP and Launch template discovery

Author: prateekgogia

operator/README.md

@@ -30,7 +30,8 @@ KIT uses the [operator pattern](https://kubernetes.io/docs/concepts/extend-kuber
   aws cloudformation deploy  \
   --template-file docs/kit.cloudformation.yaml \
   --capabilities CAPABILITY_NAMED_IAM \
-  --stack-name kitControllerPolicy
+  --stack-name kitControllerPolicy \
+  --parameter-overrides ClusterName=${SUBSTRATE_CLUSTER_NAME}
 ```
 
 #### Associate the policy we just created to the kit-controller service account 
@@ -40,7 +41,7 @@ KIT uses the [operator pattern](https://kubernetes.io/docs/concepts/extend-kuber
     --name kit-controller \
     --namespace kit \
     --cluster ${SUBSTRATE_CLUSTER_NAME} \
-    --attach-policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/KitControllerPolicy \
+    --attach-policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/KitControllerPolicy-${SUBSTRATE_CLUSTER_NAME} \
     --approve \
     --override-existing-serviceaccounts \
     --region=${AWS_REGION}

operator/charts/kit-operator/templates/data-plane-crd.yaml

@@ -35,10 +35,35 @@ spec:
             type: object
           spec:
             properties:
+              allocationStrategy:
+                description: AllocationStrategy helps user define the strategy to
+                  provision worker nodes in EC2, defaults to "lowest-price"
+                type: string
               clusterName:
+                description: ClusterName is used to connect the worker nodes to a
+                  control plane clusterName.
                 type: string
+              instanceTypes:
+                description: InstanceTypes is an optional field thats lets user specify
+                  the instance types for worker nodes, defaults to instance types
+                  "t2.xlarge", "t3.xlarge" or "t3a.xlarge"
+                items:
+                  type: string
+                type: array
               nodeCount:
+                description: NodeCount is the desired number of worker nodes for this
+                  dataplane.
                 type: integer
+              subnetSelector:
+                additionalProperties:
+                  type: string
+                description: SubnetSelector lets user define label key and values
+                  for kit to select the subnets for worker nodes. It can contain key:value
+                  to select subnets with particular label, or a specific key:"*" to
+                  select all subnets with a specific key. If no selector is provided,
+                  worker nodes are provisioned in the same subnet as control plane
+                  nodes.
+                type: object
             type: object
           status:
             properties:

operator/cmd/controller/main.go

@@ -5,9 +5,11 @@ import (
 	"fmt"
 
 	"github.com/awslabs/kit/operator/pkg/awsprovider"
+	"github.com/awslabs/kit/operator/pkg/awsprovider/iam"
 	"github.com/awslabs/kit/operator/pkg/controllers"
 	"github.com/awslabs/kit/operator/pkg/controllers/controlplane"
 	"github.com/awslabs/kit/operator/pkg/controllers/dataplane"
+	"github.com/awslabs/kit/operator/pkg/kubeprovider"
 	"github.com/awslabs/kit/operator/pkg/utils/scheme"
 
 	"github.com/go-logr/zapr"
@@ -51,7 +53,11 @@ func main() {
 	})
 	session := awsprovider.NewSession()
 	err := manager.RegisterControllers(
-		controlplane.NewController(manager.GetClient(), &awsprovider.AccountInfo{Session: session}),
+		controlplane.NewController(manager.GetClient(),
+			&awsprovider.AccountInfo{Session: session},
+			iam.NewController(awsprovider.IAMClient(session),
+				kubeprovider.New(manager.GetClient())),
+		),
 		dataplane.NewController(manager.GetClient(), session),
 	).Start(controllerruntime.SetupSignalHandler())
 	if err != nil {

operator/docs/kit.cloudformation.yaml

@@ -1,36 +1,14 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Description: Resources used by https://github.com/awslabs/kit/operator
+Parameters:
+  ClusterName:
+    Type: String
+    Description: "Substrate/host cluster name"
 Resources:
-  KitNodeInstanceProfile:
-    Type: "AWS::IAM::InstanceProfile"
-    Properties:
-      InstanceProfileName: "KitNodeInstanceProfile"
-      Path: "/"
-      Roles:
-        - Ref: "KitNodeRole"
-  KitNodeRole:
-    Type: "AWS::IAM::Role"
-    Properties:
-      RoleName: "KitNodeRole"
-      Path: /
-      AssumeRolePolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Effect: Allow
-            Principal:
-              Service:
-                !Sub "ec2.${AWS::URLSuffix}"
-            Action:
-              - "sts:AssumeRole"
-      ManagedPolicyArns:
-        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
-        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy"
-        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
   KitControllerPolicy:
     Type: "AWS::IAM::ManagedPolicy"
     Properties:
-      ManagedPolicyName: "KitControllerPolicy"
+      ManagedPolicyName: !Sub "KitControllerPolicy-${ClusterName}"
       PolicyDocument:
         Version: "2012-10-17"
         Statement:
@@ -49,10 +27,21 @@ Resources:
               - "autoscaling:DeleteAutoScalingGroup"
               - "autoscaling:UpdateAutoScalingGroup"
               - "autoscaling:SetDesiredCapacity"
+              - "iam:CreateRole"
+              - "iam:AddRoleToInstanceProfile"
+              - "iam:CreateInstanceProfile"
+              - "iam:AttachRolePolicy"
+              - "iam:RemoveRoleFromInstanceProfile"
+              - "iam:DeleteInstanceProfile"
+              - "iam:DetachRolePolicy"
+              - "iam:DeleteRole"
+              - "iam:TagRole"
               # Read Operations
               - "ec2:DescribeInstances"
               - "ec2:DescribeLaunchTemplates"
               - "ec2:DescribeLaunchTemplateVersions"
               - "ec2:DescribeSubnets"
               - "ssm:GetParameter"
               - "autoscaling:DescribeAutoScalingGroups"
+              - "iam:GetRole"
+              - "iam:GetInstanceProfile"

operator/pkg/apis/controlplane/v1alpha1/controlplane.go

@@ -15,6 +15,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
+
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -82,3 +84,8 @@ type Instances struct {
 func (c *ControlPlane) ClusterName() string {
 	return c.Name
 }
+
+type ReconcileFinalize interface {
+	Reconcile(context.Context, *ControlPlane) error
+	Finalize(context.Context, *ControlPlane) error
+}

operator/pkg/awsprovider/awsprovider.go

@@ -27,6 +27,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/autoscaling"
 	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/ssm"
 	"github.com/aws/aws-sdk-go/service/ssm/ssmiface"
 )
@@ -83,6 +84,14 @@ func AutoScalingClient(sess *session.Session) *AutoScaling {
 	return &AutoScaling{AutoScaling: autoscaling.New(sess)}
 }
 
+type IAM struct {
+	*iam.IAM
+}
+
+func IAMClient(sess *session.Session) *IAM {
+	return &IAM{IAM: iam.New(sess)}
+}
+
 type AccountMetadata interface {
 	ID() (string, error)
 }

operator/pkg/awsprovider/iam/reconciler.go

@@ -0,0 +1,211 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package iam
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/iam"
+	apis "github.com/awslabs/kit/operator/pkg/apis/controlplane/v1alpha1"
+	"github.com/awslabs/kit/operator/pkg/awsprovider"
+	"github.com/awslabs/kit/operator/pkg/errors"
+	"github.com/awslabs/kit/operator/pkg/kubeprovider"
+	"go.uber.org/zap"
+
+	"knative.dev/pkg/ptr"
+)
+
+type Controller struct {
+	iam        *awsprovider.IAM
+	kubeClient *kubeprovider.Client
+}
+
+// NewController returns a controller for managing IAM resources in AWS
+func NewController(iam *awsprovider.IAM, client *kubeprovider.Client) *Controller {
+	return &Controller{iam: iam, kubeClient: client}
+}
+
+var (
+	kitNodeRolePolicies = []string{
+		"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+		"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+		"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+		"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+	}
+)
+
+func (c *Controller) Reconcile(ctx context.Context, controlPlane *apis.ControlPlane) error {
+	role, err := c.getRole(ctx, KitNodeRoleNameFor(controlPlane.ClusterName()))
+	if err != nil && !errors.IsIAMObjectDoNotExist(err) {
+		return fmt.Errorf("getting IAM role for %v, %w", controlPlane.ClusterName(), err)
+	}
+	if role == nil {
+		role, err = c.createRole(ctx, &iam.CreateRoleInput{
+			AssumeRolePolicyDocument: aws.String(assumeRolePolicyDocument),
+			Description:              aws.String("Role assumed by dataplane nodes created by KIT operated"),
+			RoleName:                 aws.String(KitNodeRoleNameFor(controlPlane.ClusterName())),
+			Tags:                     generateRoleTags(controlPlane.ClusterName()),
+		})
+		if err != nil {
+			return fmt.Errorf("creating IAM role for %v, %w", controlPlane.ClusterName(), err)
+		}
+		zap.S().Infof("[%s] Created IAM Role %v", controlPlane.ClusterName(), aws.StringValue(role.RoleName))
+	}
+	if err := role.addRoleToInstanceProfile(ctx, KitNodeRoleNameFor(controlPlane.ClusterName()),
+		KitNodeInstanceProfileNameFor(controlPlane.ClusterName())); err != nil {
+		return fmt.Errorf("adding instance profile to role, %w", err)
+	}
+	for _, policy := range kitNodeRolePolicies {
+		if err := role.attachPolicy(ctx, policy, KitNodeRoleNameFor(controlPlane.ClusterName())); err != nil {
+			return fmt.Errorf("attaching policies to role, %w", err)
+		}
+	}
+	return nil
+}
+
+func (c *Controller) Finalize(ctx context.Context, controlPlane *apis.ControlPlane) error {
+	_, err := c.iam.RemoveRoleFromInstanceProfileWithContext(ctx, &iam.RemoveRoleFromInstanceProfileInput{
+		InstanceProfileName: aws.String(KitNodeInstanceProfileNameFor(controlPlane.ClusterName())),
+		RoleName:            aws.String(KitNodeRoleNameFor(controlPlane.ClusterName())),
+	})
+	if err != nil && !errors.IsIAMObjectDoNotExist(err) {
+		return fmt.Errorf("removing role from instance profile, %w", err)
+	}
+	_, err = c.iam.DeleteInstanceProfileWithContext(ctx, &iam.DeleteInstanceProfileInput{
+		InstanceProfileName: aws.String(KitNodeInstanceProfileNameFor(controlPlane.ClusterName())),
+	})
+	if err != nil && !errors.IsIAMObjectDoNotExist(err) {
+		return fmt.Errorf("deleting instance profile, %w", err)
+	}
+
+	for _, policy := range kitNodeRolePolicies {
+		if _, err = c.iam.DetachRolePolicyWithContext(ctx, &iam.DetachRolePolicyInput{
+			PolicyArn: aws.String(policy),
+			RoleName:  aws.String(KitNodeRoleNameFor(controlPlane.ClusterName())),
+		}); err != nil {
+			return fmt.Errorf("detaching policy from role, %w", err)
+		}
+	}
+	_, err = c.iam.DeleteRoleWithContext(ctx, &iam.DeleteRoleInput{
+		RoleName: aws.String(KitNodeRoleNameFor(controlPlane.ClusterName())),
+	})
+	if err != nil && !errors.IsIAMObjectDoNotExist(err) {
+		return fmt.Errorf("deleting role, %w", err)
+	}
+	zap.S().Infof("[%s] Deleted IAM Role %v and instance profile",
+		controlPlane.ClusterName(), KitNodeRoleNameFor(controlPlane.ClusterName()))
+	return nil
+}
+
+func (c *Controller) getRole(ctx context.Context, roleName string) (*role, error) {
+	roleOutput, err := c.iam.GetRoleWithContext(ctx, &iam.GetRoleInput{
+		RoleName: aws.String(roleName),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("getting iam role %v, %w", roleName, err)
+	}
+	return &role{iam: c.iam, Role: roleOutput.Role}, nil
+}
+
+func (c *Controller) createRole(ctx context.Context, roleInput *iam.CreateRoleInput) (*role, error) {
+	roleOutput, err := c.iam.CreateRoleWithContext(ctx, roleInput)
+	return &role{iam: c.iam, Role: roleOutput.Role}, err
+}
+
+type role struct {
+	iam *awsprovider.IAM
+	*iam.Role
+}
+
+func (r *role) addRoleToInstanceProfile(ctx context.Context, roleName, profileName string) error {
+	profile, err := createInstanceProfile(ctx, r.iam, profileName)
+	if err != nil {
+		return fmt.Errorf("creating instance profile, %w", err)
+	}
+	if profile == nil {
+		return fmt.Errorf("instance profile is NIL")
+	}
+	for _, role := range profile.Roles {
+		if aws.StringValue(role.RoleName) == roleName {
+			return nil
+		}
+	}
+	_, err = r.iam.AddRoleToInstanceProfile(&iam.AddRoleToInstanceProfileInput{
+		InstanceProfileName: aws.String(profileName),
+		RoleName:            aws.String(roleName),
+	})
+	return err
+}
+
+func (r *role) attachPolicy(ctx context.Context, policyARN, roleName string) error {
+	_, err := r.iam.AttachRolePolicy(&iam.AttachRolePolicyInput{
+		PolicyArn: aws.String(policyARN),
+		RoleName:  aws.String(roleName),
+	})
+	if errors.IsIAMObjectAlreadyExist(err) {
+		return nil
+	}
+	return err
+}
+
+func createInstanceProfile(ctx context.Context, iamAPI *awsprovider.IAM, profileName string) (*iam.InstanceProfile, error) {
+	profile, err := iamAPI.CreateInstanceProfileWithContext(ctx, &iam.CreateInstanceProfileInput{
+		InstanceProfileName: aws.String(profileName),
+	})
+	if errors.IsIAMObjectAlreadyExist(err) {
+		output, err := iamAPI.GetInstanceProfileWithContext(ctx, &iam.GetInstanceProfileInput{
+			InstanceProfileName: aws.String(profileName),
+		})
+		if err != nil {
+			return nil, err
+		}
+		return output.InstanceProfile, nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("creating instance profile, %w", err)
+	}
+	return profile.InstanceProfile, nil
+}
+
+func KitNodeRoleNameFor(clusterName string) string {
+	return fmt.Sprintf("KitDataplaneNodes-%s-cluster", clusterName)
+}
+
+func KitNodeInstanceProfileNameFor(clusterName string) string {
+	return fmt.Sprintf("KitDataplaneNodesProfile-%s-cluster", clusterName)
+}
+
+func generateRoleTags(clusterName string) []*iam.Tag {
+	return []*iam.Tag{{
+		Key:   ptr.String(fmt.Sprintf("kubernetes.io/cluster/%s", clusterName)),
+		Value: ptr.String("owned"),
+	}}
+}
+
+// KitNodeRole is assumed by the nodes provisioned by kit-operator for dataplane
+const assumeRolePolicyDocument = `{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": "sts:AssumeRole",
+			"Effect": "Allow",
+			"Principal": {
+				"Service": "ec2.amazonaws.com"
+			}
+		}
+	]
+}`