From c1e9476b22089e3784923fefa63198b9bce5229c Mon Sep 17 00:00:00 2001
From: Alexander Babai
Date: Mon, 24 Sep 2018 09:23:31 +0300
Subject: [PATCH] [kops]: add aws-iam-authenticator support (#282)
* feat(kops): add aws-iam-authenticator support
* refactor(kops): fix yaml
* refactor(kops): fix template
---
 rootfs/templates/kops/default.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/rootfs/templates/kops/default.yaml b/rootfs/templates/kops/default.yaml
index 128394515..4bb7233eb 100644
--- a/rootfs/templates/kops/default.yaml
+++ b/rootfs/templates/kops/default.yaml
@@ -31,10 +31,28 @@ spec:
 api:
 loadBalancer:
 type: Public
- {{- if bool (getenv "KOPS_AUTHORIZATION_RBAC_ENABLED" "false") }}
+ hooks:
+ {{- if bool (getenv "KOPS_AWS_IAM_AUTHENTICATOR_ENABLED" "false") }}
+ - name: kops-hook-authenticator-config.service
+ before:
+ - kubelet.service
+ roles:
+ - Master
+ manifest: |-
+ [Unit]
+ Description=Download AWS Authenticator configs from S3
+ [Service]
+ Type=oneshot
+ ExecStart=/bin/mkdir -p /srv/kubernetes/aws-iam-authenticator
+ ExecStart=/usr/local/bin/aws s3 cp --recursive {{ getenv "KOPS_STATE_STORE" }}/{{ getenv "KOPS_CLUSTER_NAME" }}/addons/authenticator /srv/kubernetes/aws-iam-authenticator/
+ {{- end }}
 kubeAPIServer:
+ {{- if bool (getenv "KOPS_AUTHORIZATION_RBAC_ENABLED" "false") }}
 authorizationMode: {{ getenv "KOPS_KUBE_API_SERVER_AUTHORIZATION_MODE" "RBAC,AlwaysAllow" }}
 authorizationRbacSuperUser: {{ getenv "KOPS_KUBE_API_SERVER_AUTHORIZATION_RBAC_SUPER_USER" "admin" }}
+ {{- if bool (getenv "KOPS_AWS_IAM_AUTHENTICATOR_ENABLED" "false") }}
+ authenticationTokenWebhookConfigFile: /srv/kubernetes/aws-iam-authenticator/kubeconfig.yaml
+ {{- end }}
 {{- end }}
 authorization:
 {{- if bool (getenv "KOPS_AUTHORIZATION_RBAC_ENABLED" "false") }}
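Review bot: The `authenticationTokenWebhookConfigFile` setting under `kubeAPIServer` is nested inside the `KOPS_AUTHORIZATION_RBAC_ENABLED` block, while the download hook depends only on `KOPS_AWS_IAM_AUTHENTICATOR_ENABLED`, so with the authenticator flag on and the RBAC flag off the masters fetch the configs but the API server is never pointed at the webhook. Authentication and authorization are separate switches; I would move the three-line `{{- if bool (getenv "KOPS_AWS_IAM_AUTHENTICATOR_ENABLED" "false") }}` … `{{- end }}` group below the RBAC block's closing `{{- end }}`. As written, the webhook is also only ever enabled together with the `authorizationMode` default of `RBAC,AlwaysAllow` on the context line above, under which, as far as I can tell, any identity the webhook authenticates is authorized for every request; that default deserves a stricter value or at least a comment. The second `ExecStart` line interpolates `KOPS_STATE_STORE` and `KOPS_CLUSTER_NAME` with no default or emptiness check, so an unset variable presumably renders a source of `//addons/authenticator` and the failure only surfaces when the unit runs on the master; failing at template render time would be safer. The `authorization:` block continues past the end of the hunk.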