Backport changes from the main branch into the v4.y branch for releas…

…e - adds regional support to the method, as well as allowing the kuebclient gem to be used in govcloud Signed-off-by: snorlaX-sleeps <[email protected]>
ManageIQ · Jun 18, 2024 · 5b8a34c · 5b8a34c
1 parent 2cde693
commit 5b8a34c
Showing 1 changed file with 19 additions and 10 deletions.
diff --git a/lib/kubeclient/aws_eks_credentials.rb b/lib/kubeclient/aws_eks_credentials.rb
@@ -7,39 +7,48 @@ class AmazonEksDependencyError < LoadError # rubocop:disable Lint/InheritExcepti
     end
 
     class << self
-      def token(credentials, eks_cluster)
+      def token(credentials, eks_cluster, region: 'us-east-1')
         begin
           require 'aws-sigv4'
           require 'base64'
           require 'cgi'
         rescue LoadError => e
           raise AmazonEksDependencyError,
-                'Error requiring aws gems. Kubeclient itself does not include the following ' \
+            'Error requiring aws gems. Kubeclient itself does not include the following ' \
                 'gems: [aws-sigv4]. To support auth-provider eks, you must ' \
                 "include it in your calling application. Failed with: #{e.message}"
         end
         # https://github.com/aws/aws-sdk-ruby/pull/1848
         # Get a signer
         # Note - sts only has ONE endpoint (not regional) so 'us-east-1' hardcoding should be OK
-        signer = Aws::Sigv4::Signer.new(
-          service: 'sts',
-          region: 'us-east-1',
-          credentials: credentials
-        )
+        signer = if credentials.respond_to?(:credentials)
+                   Aws::Sigv4::Signer.new(
+                     service: 'sts',
+                     region: region,
+                     credentials_provider: credentials
+                   )
+                 else
+                   Aws::Sigv4::Signer.new(
+                     service: 'sts',
+                     region: region,
+                     credentials: credentials
+                   )
+                 end
+
+        credentials = credentials.credentials if credentials.respond_to?(:credentials)
 
         # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Sigv4/Signer.html#presign_url-instance_method
         presigned_url_string = signer.presign_url(
           http_method: 'GET',
-          url: 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15',
+          url: "https://sts.#{region}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15",
           body: '',
           credentials: credentials,
           expires_in: 60,
           headers: {
             'X-K8s-Aws-Id' => eks_cluster
           }
         )
-        kube_token = 'k8s-aws-v1.' + Base64.urlsafe_encode64(presigned_url_string.to_s).sub(/=*$/, '') # rubocop:disable Metrics/LineLength
-        kube_token
+        "k8s-aws-v1.#{Base64.urlsafe_encode64(presigned_url_string.to_s).sub(/=*$/, '')}"
       end
     end
   end