
I am currently working on a CloudFormation template. The template creates an EKS cluster together with the Cluster Autoscaler. For this I created a Lambda function that automatically creates the OIDC provider using the EKS cluster URL. The problem is the thumbprint. I am not able to create the thumbprint for it, which causes the cluster autoscaler pod to fail. Is there any way to create the thumbprint through the Lambda function? Below is the code of the Lambda function. The existing thumbprint is an example.

    import boto3
    import cfnresponse


    def lambda_handler(event, context):
        client = boto3.client('iam')
        name = event['ResourceProperties']['cluster_name']
        responseData = {}

        try:
            print("In the try block")
            if event['RequestType'] == 'Delete':
                print("Request Type:", event['RequestType'])
                print("Delete Request - No Physical resources to delete")
                # Every request type must answer CloudFormation; without this
                # the stack deletion hangs until the custom resource times out.
                cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)
            elif event['RequestType'] in ('Create', 'Update'):
                print("The request type is", event['RequestType'])
                # Look the issuer URL up once and reuse it below
                oidc_response_url = fetchClusterOIDC(name)
                response2 = client.create_open_id_connect_provider(
                    ClientIDList=[
                        'my-application-id',
                    ],
                    ThumbprintList=[
                        # Placeholder value, not a real thumbprint
                        '3768084dfb3d2b68b7897bf5f565da8efEXAMPLE',
                    ],
                    Url=oidc_response_url,
                )
                print("The OIDC Created", response2['OpenIDConnectProviderArn'])
                # Strip the scheme: role trust policies reference the bare issuer host/path
                oidc_response = oidc_response_url.split("https://")[1]

                responseData = {'oidc': oidc_response}

                print("Responsedata Created", responseData)
                print("Request Type:", event['RequestType'])
                print("Sending response to custom resource for event type " + event['RequestType'])
                cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)
        except Exception as e:
            print(e)
            responseData = {'Failed': 'Test Failed.'}
            cfnresponse.send(event, context, cfnresponse.FAILED, responseData)


    def fetchClusterOIDC(cluster_name):
        print("Getting Cluster OIDC value for cluster name " + cluster_name)
        oidc = ''
        client = boto3.client('eks')
        try:
            response = client.describe_cluster(
                name=cluster_name
            )
            if response['ResponseMetadata']['HTTPStatusCode'] == 200:
                print("Success response received for describing cluster " + cluster_name)
                oidc = response['cluster']['identity']['oidc']['issuer']
                print('OIDC output received ' + oidc + ' for Cluster Name ' + cluster_name)
            return oidc
        except Exception as e:
            print('Failed to fetch Cluster OIDC value for cluster name ' + cluster_name, e)
            # Re-raise so lambda_handler reports FAILED instead of passing Url=None to IAM
            raise

1 Answer


I used the AWS API instead of a Lambda function. The CloudFormation script provides the OIDC URL and the CertificateAuthority in its outputs. After that I run a bash script that automatically generates the thumbprint; after that we can use the AWS API to create the OIDC provider with the URL and the generated thumbprint.

To generate the thumbprint, follow this link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

Here, instead of performing step 4, we can directly decode the CertificateAuthority provided by the EKS cluster. The decode command is: echo -n 'CertificateAuthority' | base64 --decode

This generates the certificate and makes your work easier.

I found this way much easier than creating a Lambda function and generating the OIDC provider.

answered 2021-01-27T15:34:56.377
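The thumbprint computation that the linked AWS guide performs with openssl (SHA-1 fingerprint of the certificate's DER bytes, colons removed) is small enough to do inside the Lambda from the question, which removes the need for the hard-coded placeholder in ThumbprintList. The following is an added example, not the answerer's bash script and not code from the question; the function names, and the sample "certificates" (plain byte strings wrapped in PEM headers, not real X.509 data), are constructed for illustration. It accepts a PEM bundle directly, or the base64-wrapped form that the CertificateAuthority output decoded in the answer uses, and follows the guide's rule of taking the last certificate displayed.

```python
import base64
import hashlib
import re

# Matches each certificate in a PEM bundle and captures its base64 body.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_bundle_to_der(pem_text: str) -> list:
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [
        base64.b64decode("".join(body.split()))
        for body in PEM_CERT.findall(pem_text)
    ]


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 fingerprint of one DER certificate as 40 lowercase hex characters:
    the openssl -fingerprint output from the AWS guide with the colons removed,
    which is the format IAM expects in ThumbprintList."""
    return hashlib.sha1(der).hexdigest()


def thumbprint_for_bundle(pem_text: str) -> str:
    """Thumbprint of the last certificate in the bundle. The AWS guide says to
    use the last certificate displayed (the top intermediate CA); a bundle with
    a single certificate simply yields that certificate's thumbprint."""
    chain = pem_bundle_to_der(pem_text)
    if not chain:
        raise ValueError("no PEM certificate found in input")
    return sha1_thumbprint(chain[-1])


def thumbprint_from_cfn_output(b64_pem: str) -> str:
    """The CertificateAuthority value is base64 of a PEM file (what the answer's
    `base64 --decode` unwraps), so decode that layer first."""
    return thumbprint_for_bundle(base64.b64decode(b64_pem).decode("ascii"))


def is_valid_thumbprint(value: str) -> bool:
    """Sanity check before passing a value to create_open_id_connect_provider."""
    return re.fullmatch(r"[0-9a-f]{40}", value) is not None


def wrap_pem(der: bytes) -> str:
    """Helper used only to build the constructed sample below."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: NOT real certificates. b"abc" stands in for the DER
# bytes of the top certificate because its SHA-1 is a well-known test vector
# (a9993e36...d89d), so the result can be checked by hand.
SAMPLE_LEAF_DER = b"constructed-leaf-certificate-placeholder"
SAMPLE_TOP_DER = b"abc"
SAMPLE_BUNDLE = wrap_pem(SAMPLE_LEAF_DER) + wrap_pem(SAMPLE_TOP_DER)
SAMPLE_CFN_OUTPUT = base64.b64encode(SAMPLE_BUNDLE.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    thumbprint = thumbprint_from_cfn_output(SAMPLE_CFN_OUTPUT)
    print(thumbprint, is_valid_thumbprint(thumbprint))
```

In the Lambda, `thumbprint_from_cfn_output(...)` (or `thumbprint_for_bundle(...)` on a PEM file you already have) would replace the placeholder string in ThumbprintList, with `is_valid_thumbprint` guarding the call so a malformed value fails the custom resource instead of creating a provider IAM can never validate. The thumbprint pins which CA IAM will trust for the issuer's TLS endpoint, so whichever bundle you feed in, confirm it matches the chain the issuer URL actually serves, which is what the guide's openssl s_client step checks.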