Creating the OIDC provider in AWS from the EKS cluster using CloudFormation

I am currently working on a CloudFormation template. The template generally creates an EKS cluster with the cluster autoscaler. While doing so, I created a Lambda function that automatically creates the OIDC provider with the EKS cluster's URL. The problem is the thumbprint. I am not able to create the thumbprint for it, which causes the cluster autoscaler pod to fail. Is there any way we can create the thumbprint from the Lambda function as well? Below is the code of the Lambda function. The thumbprint in it is currently a sample.

    import boto3
    import cfnresponse


    def lambda_handler(event, context):
        client = boto3.client('iam')
        name = event['ResourceProperties']['cluster_name']
        responseData = {}

        try:
            print("In the try block")
            if event['RequestType'] == 'Delete':
                print("Request Type:", event['RequestType'])
                print("Delete Request - No Physical resources to delete")
                # Every request type must answer CloudFormation, otherwise the
                # stack waits on the custom resource until it times out.
                cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)
            elif event['RequestType'] in ('Create', 'Update'):
                print("The request type is", event['RequestType'])
                # Look the issuer up once and reuse it below.
                oidc_response_url = fetchClusterOIDC(name)
                # Note: on 'Update' this call raises EntityAlreadyExists if the
                # provider for this issuer URL was already created.
                response2 = client.create_open_id_connect_provider(
                    ClientIDList=[
                        'my-application-id',  # sample value
                    ],
                    ThumbprintList=[
                        '3768084dfb3d2b68b7897bf5f565da8efEXAMPLE',  # sample value, see question
                    ],
                    Url=oidc_response_url,
                )
                print("The OIDC Created")
                # Issuer without the scheme, e.g. oidc.eks.<region>.amazonaws.com/id/<ID>,
                # which is the form used in IAM trust policies.
                oidc_response = oidc_response_url.split("https://")[1]

                responseData = {'oidc': oidc_response}

                print("Responsedata Created", responseData)
                print("Request Type:", event['RequestType'])
                print("Sending response to custom resource for event type " + event['RequestType'])
                cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)
        except Exception as e:
            print(e)
            responseData = {'Failed': 'Test Failed.'}
            cfnresponse.send(event, context, cfnresponse.FAILED, responseData)


    def fetchClusterOIDC(cluster_name):
        """Return the cluster's OIDC issuer URL (https://oidc.eks.<region>.amazonaws.com/id/<ID>)."""
        print("Getting Cluster OIDC value for cluster name " + cluster_name)
        client = boto3.client('eks')
        try:
            response = client.describe_cluster(
                name=cluster_name
            )
            oidc = response['cluster']['identity']['oidc']['issuer']
            print('OIDC output received ' + oidc + ' for Cluster Name ' + cluster_name)
            return oidc
        except Exception as e:
            print('Failed to fetch Cluster OIDC value for cluster name ' + cluster_name, e)
            # Re-raise so the handler reports FAILED instead of passing None to IAM.
            raise
I used the AWS API instead of a Lambda function. The CloudFormation script provides the OIDC URL and CertificateAuthority in its outputs. After that I run a bash script which automatically generates the thumbprint; post that we can use the AWS APIs to create the OIDC provider with the thumbprint generated.

To generate the thumbprint, follow this link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

Here, instead of performing step 4, we can directly decode the CertificateAuthority provided by the EKS cluster. The decode command is: echo -n 'CertificateAuthority' | base64 --decode

This will produce the certificate and make your job easier.

I found this way much easier than creating a Lambda function and generating the OIDC provider.
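The question asks whether the thumbprint can be computed inside the Lambda function, and the answer points at the AWS procedure for computing it by hand. The following is an added example (not the code of either poster) that implements that procedure in Python: fetch the TLS certificate chain served by the issuer host with `openssl s_client -showcerts`, take the last certificate in the chain (the top intermediate CA, as the linked AWS page describes), and hash its DER encoding with SHA-1. The network step assumes an `openssl` binary is on `PATH`; the parsing and hashing are pure standard library and run offline. `IRSA_CLIENT_ID` is set to `sts.amazonaws.com`, the audience that EKS service-account tokens carry for IAM roles for service accounts. The `SAMPLE_CHAIN` text is constructed for the example: its certificate bodies are placeholder bytes, not real certificates.

```python
"""Compute the IAM OIDC provider thumbprint for an EKS issuer (added example)."""
import base64
import hashlib
import re
import subprocess
import sys
from urllib.parse import urlparse

# Audience that EKS-issued service-account tokens present to STS (IRSA).
IRSA_CLIENT_ID = "sts.amazonaws.com"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for `openssl s_client -showcerts` output. The PEM bodies
# are base64 of the bytes b"xyz" and b"abc", not real DER certificates.
SAMPLE_CHAIN = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = oidc.eks.example.amazonaws.com
-----BEGIN CERTIFICATE-----
eHl6
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
"""


def pem_blocks(text):
    """Return the base64 bodies of every PEM certificate in text, in order."""
    return PEM_RE.findall(text)


def thumbprint_from_der(der):
    """IAM expects the SHA-1 of the DER certificate as 40 hex digits, no colons."""
    return hashlib.sha1(der).hexdigest()


def thumbprint_from_pem(body):
    """Strip PEM line breaks, decode to DER, hash."""
    return thumbprint_from_der(base64.b64decode("".join(body.split())))


def chain_thumbprint(s_client_output):
    """Thumbprint of the LAST certificate shown, i.e. the top intermediate CA."""
    blocks = pem_blocks(s_client_output)
    if not blocks:
        raise ValueError("no certificates found in openssl output")
    return thumbprint_from_pem(blocks[-1])


def fetch_chain(host, port=443):
    """Network step: run openssl s_client against the issuer host (assumes openssl on PATH)."""
    cmd = ["openssl", "s_client", "-servername", host, "-showcerts",
           "-connect", f"{host}:{port}"]
    # Empty stdin makes s_client exit once the handshake output is printed.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return proc.stdout.decode("utf-8", "replace")


def oidc_thumbprint(issuer_url):
    """Thumbprint for an issuer such as https://oidc.eks.<region>.amazonaws.com/id/<ID>."""
    host = urlparse(issuer_url).hostname
    if not host:
        raise ValueError(f"bad issuer URL: {issuer_url!r}")
    return chain_thumbprint(fetch_chain(host))


def is_valid_thumbprint(tp):
    return re.fullmatch(r"[0-9a-fA-F]{40}", tp) is not None


def provider_request(issuer_url, thumbprint):
    """Keyword arguments for iam.create_open_id_connect_provider(**provider_request(...))."""
    if not is_valid_thumbprint(thumbprint):
        raise ValueError("thumbprint must be 40 hex characters")
    return {"Url": issuer_url,
            "ClientIDList": [IRSA_CLIENT_ID],
            "ThumbprintList": [thumbprint]}


if __name__ == "__main__":
    # Usage: python thumbprint.py https://oidc.eks.<region>.amazonaws.com/id/<ID>
    url = sys.argv[1]
    print(provider_request(url, oidc_thumbprint(url)))
```

Inside the Lambda the same functions slot in where the sample thumbprint sits: call `oidc_thumbprint(fetchClusterOIDC(name))` and pass the result in `ThumbprintList`, provided the function's deployment package or runtime has an `openssl` binary; otherwise compute the thumbprint outside the stack as the answer does and pass it in as a parameter.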