From 9d607b516d62a714b8f7cf925bfc548a2d7b98fc Mon Sep 17 00:00:00 2001 From: Shyam Jeedigunta Date: Mon, 21 Jan 2019 15:09:42 -0800 Subject: [PATCH] Make AWS credentials configurable easily --- .../generated-security-jobs.yaml | 2 +- .../sig-aws/eks/k8s-aws-eks-periodics.yaml | 10 +++--- .../sig-aws/eks/k8s-aws-eks-presets.yaml | 31 +++++++++++-------- .../sig-aws/eks/k8s-aws-eks-presubmits.yaml | 2 +- config/tests/jobs/jobs_test.go | 20 ++++++------ prow/config/config.go | 11 ++++--- 6 files changed, 40 insertions(+), 36 deletions(-) diff --git a/config/jobs/kubernetes-security/generated-security-jobs.yaml b/config/jobs/kubernetes-security/generated-security-jobs.yaml index ccaad602bdd0..16e742dd5c8e 100644 --- a/config/jobs/kubernetes-security/generated-security-jobs.yaml +++ b/config/jobs/kubernetes-security/generated-security-jobs.yaml @@ -9,8 +9,8 @@ presubmits: cluster: security context: pull-security-kubernetes-e2e-aws-eks-1-11-correctness labels: + preset-aws-credential: aws-oss-testing preset-kubernetes-e2e-aws-eks-1-11: "true" - preset-kubernetes-e2e-aws-eks-common: "true" preset-service-account: "true" name: pull-security-kubernetes-e2e-aws-eks-1-11-correctness optional: true diff --git a/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-periodics.yaml b/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-periodics.yaml index f00f56b1dff0..b7842eb9bc51 100644 --- a/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-periodics.yaml +++ b/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-periodics.yaml @@ -4,7 +4,7 @@ periodics: name: ci-kubernetes-e2e-aws-eks-1-11-correctness labels: preset-service-account: "true" - preset-kubernetes-e2e-aws-eks-common: "true" + preset-aws-credential: "aws-oss-testing" preset-kubernetes-e2e-aws-eks-1-11: "true" spec: containers: @@ -29,7 +29,7 @@ periodics: name: ci-kubernetes-e2e-aws-eks-1-11-conformance labels: preset-service-account: "true" - preset-kubernetes-e2e-aws-eks-common: "true" + preset-aws-credential: "aws-oss-testing" preset-kubernetes-e2e-aws-eks-1-11: "true" spec: containers: @@ -54,7 +54,7 @@ periodics: name: ci-kubernetes-e2e-aws-eks-1-11-scalability labels: preset-service-account: "true" - preset-kubernetes-e2e-aws-eks-common: "true" + preset-aws-credential: "aws-oss-testing" preset-kubernetes-e2e-aws-eks-1-11: "true" spec: containers: @@ -78,7 +78,7 @@ periodics: name: ci-kubernetes-e2e-aws-eks-1-10-correctness labels: preset-service-account: "true" - preset-kubernetes-e2e-aws-eks-common: "true" + preset-aws-credential: "aws-oss-testing" preset-kubernetes-e2e-aws-eks-1-10: "true" spec: containers: @@ -103,7 +103,7 @@ periodics: name: ci-kubernetes-e2e-aws-eks-1-10-conformance labels: preset-service-account: "true" - preset-kubernetes-e2e-aws-eks-common: "true" + preset-aws-credential: "aws-oss-testing" preset-kubernetes-e2e-aws-eks-1-10: "true" spec: containers: diff --git a/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-presets.yaml b/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-presets.yaml index 139a0e2fbd6c..7956ef04162b 100644 --- a/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-presets.yaml +++ b/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-presets.yaml @@ -1,23 +1,16 @@ presets: - env: - # URL to download 'kubectl', required for 'kubectl' calls to EKS (https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) - # TODO: use upstream 'kubectl' - - name: AWS_K8S_TESTER_EKS_KUBECTL_DOWNLOAD_URL - value: https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/linux/amd64/kubectl - # URL to download 'aws-iam-authenticator', required for 'kubectl' calls to EKS (https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) - - name: AWS_K8S_TESTER_EKS_AWS_IAM_AUTHENTICATOR_DOWNLOAD_URL - value: https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/linux/amd64/aws-iam-authenticator - # AWS test account credential mounted path, required for AWS API call + # Credentials for using AWS test account 607362164682. - name: AWS_SHARED_CREDENTIALS_FILE - value: /etc/eks-aws-credentials/eks-aws-credentials + value: /etc/aws-cred/credentials labels: - preset-kubernetes-e2e-aws-eks-common: "true" + preset-aws-credential: "aws-oss-testing" volumeMounts: - - mountPath: /etc/eks-aws-credentials - name: eks-aws-credentials + - mountPath: /etc/aws-cred + name: aws-cred readOnly: true volumes: - - name: eks-aws-credentials + - name: aws-cred secret: secretName: eks-aws-credentials @@ -28,6 +21,12 @@ presets: # Amazon EKS-optimized AMI (non-GPU, https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) - name: AWS_K8S_TESTER_EKS_WORKER_NODE_AMI value: ami-0a2abab4107669c1b + # URL to download 'kubectl', required for 'kubectl' calls to EKS (https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) + - name: AWS_K8S_TESTER_EKS_KUBECTL_DOWNLOAD_URL + value: https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/linux/amd64/kubectl + # URL to download 'aws-iam-authenticator', required for 'kubectl' calls to EKS (https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) + - name: AWS_K8S_TESTER_EKS_AWS_IAM_AUTHENTICATOR_DOWNLOAD_URL + value: https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/linux/amd64/aws-iam-authenticator labels: preset-kubernetes-e2e-aws-eks-1-11: "true" @@ -38,5 +37,11 @@ presets: # Amazon EKS-optimized AMI (non-GPU, https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) - name: AWS_K8S_TESTER_EKS_WORKER_NODE_AMI value: ami-09e1df3bad220af0b + # URL to download 'kubectl', required for 'kubectl' calls to EKS (https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) + - name: AWS_K8S_TESTER_EKS_KUBECTL_DOWNLOAD_URL + value: https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.11/2018-12-06/bin/linux/amd64/kubectl + # URL to download 'aws-iam-authenticator', required for 'kubectl' calls to EKS (https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) + - name: AWS_K8S_TESTER_EKS_AWS_IAM_AUTHENTICATOR_DOWNLOAD_URL + value: https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.11/2018-12-06/bin/linux/amd64/aws-iam-authenticator labels: preset-kubernetes-e2e-aws-eks-1-10: "true" diff --git a/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-presubmits.yaml b/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-presubmits.yaml index 70240c8b0dae..cd71ab7e7aa6 100644 --- a/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-presubmits.yaml +++ b/config/jobs/kubernetes/sig-aws/eks/k8s-aws-eks-presubmits.yaml @@ -9,7 +9,7 @@ presubmits: optional: true labels: preset-service-account: "true" - preset-kubernetes-e2e-aws-eks-common: "true" + preset-aws-credential: "aws-oss-testing" preset-kubernetes-e2e-aws-eks-1-11: "true" spec: containers: diff --git a/config/tests/jobs/jobs_test.go b/config/tests/jobs/jobs_test.go index 3d9d9d553311..d0603f2ef60e 100644 --- a/config/tests/jobs/jobs_test.go +++ b/config/tests/jobs/jobs_test.go @@ -589,7 +589,7 @@ func TestLatestUsesImagePullPolicy(t *testing.T) { // checkKubekinsPresets returns an error if a spec references to kubekins-e2e|bootstrap image, // but doesn't use service preset or ssh preset -func checkKubekinsPresets(jobName string, spec *v1.PodSpec, labels, validLabels map[string]string) error { +func checkKubekinsPresets(jobName string, spec *v1.PodSpec, labels map[string]string, validLabels map[string]bool) error { service := true ssh := true @@ -629,10 +629,9 @@ func checkKubekinsPresets(jobName string, spec *v1.PodSpec, labels, validLabels } for key, val := range labels { - if validVal, ok := validLabels[key]; !ok { - return fmt.Errorf("label %s is not a valid preset label", key) - } else if validVal != val { - return fmt.Errorf("label %s does not have valid value, have %s, expect %s", key, val, validVal) + pair := key + ":" + val + if validVal, ok := validLabels[pair]; !ok || !validVal { + return fmt.Errorf("key-value pair %s is not found in list of valid presets list", pair) } } @@ -642,18 +641,17 @@ func checkKubekinsPresets(jobName string, spec *v1.PodSpec, labels, validLabels // TestValidPresets makes sure all presets name starts with 'preset-', all job presets are valid, // and jobs that uses kubekins-e2e image has the right service account preset func TestValidPresets(t *testing.T) { - validLabels := map[string]string{} + validLabels := map[string]bool{} for _, preset := range c.Presets { for label, val := range preset.Labels { if !strings.HasPrefix(label, "preset-") { t.Errorf("Preset label %s - label name should start with 'preset-'", label) - } else if val != "true" { - t.Errorf("Preset label %s - label value should be true", label) } - if _, ok := validLabels[label]; ok { - t.Errorf("Duplicated preset label : %s", label) + pair := label + ":" + val + if _, ok := validLabels[pair]; ok { + t.Errorf("Duplicated preset 'label:value' pair : %s", pair) } else { - validLabels[label] = val + validLabels[pair] = true } } } diff --git a/prow/config/config.go b/prow/config/config.go index 64a18c59012a..9dac8df44568 100644 --- a/prow/config/config.go +++ b/prow/config/config.go @@ -469,14 +469,15 @@ func (c *Config) mergeJobConfig(jc JobConfig) error { // *** Presets *** c.Presets = append(c.Presets, jc.Presets...) - // validate no duplicated presets - validLabels := map[string]string{} + // validate no duplicated preset key-value pairs + validLabels := map[string]bool{} for _, preset := range c.Presets { for label, val := range preset.Labels { - if _, ok := validLabels[label]; ok { - return fmt.Errorf("duplicated preset label : %s", label) + pair := label + ":" + val + if _, ok := validLabels[pair]; ok { + return fmt.Errorf("duplicated preset 'label:value' pair : %s", pair) } - validLabels[label] = val + validLabels[pair] = true } }