Fix the STS region to solve the unauthorized error in k8s

eyeem · Jan 3, 2020 · 4b9ffe6 · 4b9ffe6
1 parent fa0c153
commit 4b9ffe6
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 5 deletions.
diff --git a/handler.py b/handler.py
@@ -11,10 +11,10 @@
 LOGGER = logging.getLogger(__name__)
 
 # Initialise the helper, all inputs are optional, this example shows the defaults
-helper = CfnResource(json_logging=False, log_level='DEBUG', boto_level='WARN')
+helper = CfnResource(json_logging=False, log_level='INFO', boto_level='WARN')
 
 try:
-    create_kube_config(CONFIG.KUBE_FILEPATH, boto3.client('eks', region_name=CONFIG.REGION), CONFIG.CLUSTER_NAME)
+    create_kube_config(CONFIG.KUBE_FILEPATH, boto3.client('eks', region_name=CONFIG.REGION), CONFIG.CLUSTER_NAME, CONFIG.KUBE_USER)
 except Exception as ex:
     helper.init_failure(ex)
 

diff --git a/overpass/auth/aws_sts_auth.py b/overpass/auth/aws_sts_auth.py
@@ -14,9 +14,10 @@ class AwsStsAuth(AuthBase):
     STS_URL = 'sts.amazonaws.com'
     STS_ACTION = 'Action=GetCallerIdentity&Version=2011-06-15'
 
-    def __init__(self, cluster_id, region='us-east-1'):
+    def __init__(self, cluster_id):
         self.cluster_id = cluster_id
-        self.region = region
+        # For some stupid reason, the region has to be us-east-1 even though STS is region-agnostic :-/
+        self.region = 'us-east-1'
 
     def get_token(self):
         """

diff --git a/overpass/config/config.py b/overpass/config/config.py
@@ -9,6 +9,7 @@ class Config:
         raise RuntimeError("CLUSTER_NAME env variable is not set")
     REGION = os.environ.get('AWS_REGION', 'eu-west-1')
     AUTH_BACKEND = os.environ.get('AUTH_BACKEND', 'AwsSTS')
+    KUBE_USER = os.environ.get('KUBE_USER', 'lambda')
 
 
 CONFIG = Config()
diff --git a/overpass/kube/client.py b/overpass/kube/client.py
@@ -4,14 +4,16 @@
 from overpass.config import CONFIG
 
 LOGGER = logging.getLogger(__name__)
+#logging.getLogger("urllib3").setLevel(logging.DEBUG)
+#logging.getLogger('kubernetes').setLevel(logging.DEBUG)
 
 class KubeWrapper:
     def __init__(self, cluster_name, region, auth_backend, config_file_path):
         self.client = self._init_client(cluster_name, region, auth_backend, config_file_path)
 
     def _get_token(self, cluster_name, region, auth_backend):
         if auth_backend == 'AwsSTS':
-            return AwsStsAuth(cluster_name, region).get_token()
+            return AwsStsAuth(cluster_name).get_token()
         elif auth_backend == 'MockAuth':
             return MockAuth().get_token()
         else:
@@ -22,6 +24,7 @@ def _init_client(self, cluster_name, region, auth_backend, config_file_path):
         LOGGER.debug("Succesfully retrieved token for authentication with kube api server")
         config.load_kube_config(config_file_path)
         configuration = client.Configuration()
+        #configuration.debug = True
         configuration.api_key['authorization'] = token
         configuration.api_key_prefix['authorization'] = 'Bearer'
         return client.ApiClient(configuration)

diff --git a/overpass/kube/config.py b/overpass/kube/config.py
@@ -56,5 +56,6 @@ def create_kube_config(kube_filepath, eks_api, cluster_name, user_name='lambda')
 
         # Write kubeconfig
         with open(kube_filepath, 'w') as outfile:
+            LOGGER.debug(kube_content)
             yaml.dump(kube_content, outfile, default_flow_style=False)
         LOGGER.info(f"Done creating the {kube_filepath}")
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -8,6 +8,7 @@ def test_config_loading():
     assert CONFIG.CLUSTER_NAME == "test-cluster"
     assert CONFIG.AUTH_BACKEND == "AwsSTS"
     assert CONFIG.REGION == "eu-west-1"
+    assert CONFIG.KUBE_USER == "lambda"
 
 
 def test_config_loading_error():