def get_token(self): """ Return bearer token """ session = boto3.session.Session() # Get ServiceID required by class RequestSigner client = session.client("sts", region_name=self.region) service_id = client.meta.service_model.service_id signer = RequestSigner(service_id, session.region_name, 'sts', 'v4', session.get_credentials(), session.events) params = { 'method': self.METHOD, 'url': 'https://' + self.STS_URL + '/?' + self.STS_ACTION, 'body': {}, 'headers': { self.EKS_HEADER: self.cluster_id }, 'context': {} } signed_url = signer.generate_presigned_url(params, region_name=self.region, expires_in=self.EXPIRES, operation_name='') return self.EKS_PREFIX + re.sub( r'=*', '', base64.urlsafe_b64encode( signed_url.encode('utf-8')).decode('utf-8'))
def get_bearer_token(cluster_id, region): STS_TOKEN_EXPIRES_IN = 3600 session = boto3.session.Session() client = session.client('sts', region_name=region) service_id = client.meta.service_model.service_id signer = RequestSigner(service_id, region, 'sts', 'v4', session.get_credentials(), session.events) params = { 'method': 'GET', 'url': 'https://sts.{}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15' .format(region), 'body': {}, 'headers': { 'x-k8s-aws-id': cluster_id }, 'context': {} } signed_url = signer.generate_presigned_url(params, region_name=region, expires_in=STS_TOKEN_EXPIRES_IN, operation_name='') base64_url = base64.urlsafe_b64encode( signed_url.encode('utf-8')).decode('utf-8') # remove any base64 encoding padding: return 'k8s-aws-v1.' + re.sub(r'=*', '', base64_url)
def fetch_access_token_for_cluster(self, eks_cluster_name: str) -> str: session = self.get_session() service_id = self.conn.meta.service_model.service_id sts_url = ( f'https://sts.{session.region_name}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15' ) signer = RequestSigner( service_id=service_id, region_name=session.region_name, signing_name='sts', signature_version='v4', credentials=session.get_credentials(), event_emitter=session.events, ) request_params = { 'method': 'GET', 'url': sts_url, 'body': {}, 'headers': {'x-k8s-aws-id': eks_cluster_name}, 'context': {}, } signed_url = signer.generate_presigned_url( request_dict=request_params, region_name=session.region_name, expires_in=STS_TOKEN_EXPIRES_IN, operation_name='', ) base64_url = base64.urlsafe_b64encode(signed_url.encode('utf-8')).decode('utf-8') # remove any base64 encoding padding: return 'k8s-aws-v1.' + base64_url.rstrip("=")
def get_token(self): """ Return bearer token """ sess = self.__get_session() signer = RequestSigner('sts', sess.region_name, 'sts', 'v4', sess.get_credentials(), sess.events) params = { 'method': self.METHOD, 'url': 'https://' + self.STS_URL + '/?' + self.STS_ACTION, 'body': {}, 'headers': { self.EKS_HEADER: self.cluster_id }, 'context': {} } signed_url = signer.generate_presigned_url( params, region_name=sess.region_name, expires_in=self.EXPIRES, operation_name='') return (self.EKS_PREFIX + base64.urlsafe_b64encode( signed_url.encode('utf-8')).decode('utf-8'))
def get_token(): session = get_aws_session() sts_client = session.client("sts", region_name=REGION) print("caller identity ***####*************" + str(sts_client.get_caller_identity())) service_id = sts_client.meta.service_model.service_id print("service id ######" + service_id) signer = RequestSigner(service_id, session.region_name, 'sts', 'v4', session.get_credentials(), session.events) params = { 'method': 'GET', 'url': 'https://' + STS_END_POINT + '/?' + STS_ACTION, 'body': {}, 'headers': { EKS_HEADER: CLUSTER_NAME }, 'context': {} } signed_url = signer.generate_presigned_url(params, region_name=session.region_name, expires_in=EXPIRES_IN, operation_name='') print("signed url: " + signed_url) return ( EKS_PREFIX + base64.urlsafe_b64encode(signed_url.encode('utf-8')).decode('utf-8'))
def _get_presigned_url(self, cluster_name, role_arn): session = self._session_handler.get_session(self._region_name, role_arn) if self._region_name is None: self._region_name = session.get_config_variable('region') loader = botocore.loaders.create_loader() data = loader.load_data("endpoints") endpoint_resolver = botocore.regions.EndpointResolver(data) endpoint = endpoint_resolver.construct_endpoint( AUTH_SERVICE, self._region_name) signer = RequestSigner(ServiceId(AUTH_SERVICE), self._region_name, AUTH_SERVICE, AUTH_SIGNING_VERSION, session.get_credentials(), session.get_component('event_emitter')) action_params = 'Action=' + AUTH_COMMAND + '&Version=' + AUTH_API_VERSION params = { 'method': 'GET', 'url': 'https://' + endpoint["hostname"] + '/?' + action_params, 'body': {}, 'headers': { CLUSTER_NAME_HEADER: cluster_name }, 'context': {} } url = signer.generate_presigned_url( params, region_name=endpoint["credentialScope"]["region"], operation_name='', expires_in=URL_TIMEOUT) return url
def get_auth_token(self): presign_expires = 60 sts_http_action = 'Action=GetCallerIdentity&Version=2011-06-15' sts_http_method = 'GET' eks_header = 'x-k8s-aws-id' eks_prefix = 'k8s-aws-v1.' if self.role_arn: session = NewIdentity(role_arn=self.role_arn).get_session() else: session = boto3.session.Session() client = session.client("sts",region_name="us-east-1") service_id = client.meta.service_model.service_id signer = RequestSigner( service_id, session.region_name, 'sts', 'v4', session.get_credentials(), session.events ) params = { 'method': sts_http_method, 'url': 'https://' + "sts.amazonaws.com" + '/?' + sts_http_action, 'body': {}, 'headers': { eks_header: self.cluster_name }, 'context': {} } signed_url = signer.generate_presigned_url( params, region_name="us-east-1", expires_in=presign_expires, operation_name = '' ) logger.debug("Pre-signed URL: {}".format(signed_url)) logger.info("Caller Identity {}".format(client.get_caller_identity())) # This \/ \/ rstrip wasted 3 hours until I looked at aws cli code. return ( eks_prefix + base64.urlsafe_b64encode(signed_url.encode('utf-8')).decode('utf-8').rstrip('=') )
def generate_aws_eks_bearer_token(cluster_name, challenge): """Function to generate the AWS EKS bearer Token Arguments: cluster_name {string} -- Cluster name for which the object is generated challenge {Object} -- Challenge Object Returns: {string} -- Generated bearer token """ challenge_pk = challenge.id aws_keys = get_aws_credentials_for_challenge(challenge_pk) session = boto3.Session( aws_access_key_id=aws_keys["AWS_ACCESS_KEY_ID"], aws_secret_access_key=aws_keys["AWS_SECRET_ACCESS_KEY"], ) region = aws_keys["AWS_REGION"] client = session.client("sts", region_name=region) service_id = client.meta.service_model.service_id signer = RequestSigner( service_id, region, "sts", "v4", session.get_credentials(), session.events, ) params = { "method": "GET", "url": "https://sts.{}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15" .format(region), "body": {}, "headers": { "x-k8s-aws-id": cluster_name }, "context": {}, } signed_url = signer.generate_presigned_url(params, region_name=region, expires_in=60, operation_name="") base64_url = base64.urlsafe_b64encode( signed_url.encode("utf-8")).decode("utf-8") # remove any base64 encoding padding bearer_token = "k8s-aws-v1." + re.sub(r"=*", "", base64_url) return bearer_token
def get_bearer_token(cluster, region): """Creates the authentication to token required by AWS IAM Authenticator. This is done by creating a base64 encoded string which represents a HTTP call to the STS GetCallerIdentity Query Request (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html). The AWS IAM Authenticator decodes the base64 string and makes the request on behalf of the user. """ STS_TOKEN_EXPIRES_IN = 60 session = boto3.session.Session() client = session.client('sts', region_name=region) service_id = client.meta.service_model.service_id signer = RequestSigner( service_id, region, 'sts', 'v4', session.get_credentials(), session.events ) params = { 'method': 'GET', 'url': 'https://sts.{}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15'.format(region), 'body': {}, 'headers': { 'x-k8s-aws-id': cluster }, 'context': {} } signed_url = signer.generate_presigned_url( params, region_name=region, expires_in=STS_TOKEN_EXPIRES_IN, operation_name='' ) base64_url = base64.urlsafe_b64encode(signed_url.encode('utf-8')).decode('utf-8') # need to remove base64 encoding padding: # https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/202 return 'k8s-aws-v1.' + re.sub(r'=*', '', base64_url)
def get_bearer_token(cluster, region): """Creates the authentication to token required by AWS IAM Authenticator. This is done by creating a base64 encoded string which represents a HTTP call to the STS GetCallerIdentity Query Request (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html). The AWS IAM Authenticator decodes the base64 string and makes the request on behalf of the user. """ STS_TOKEN_EXPIRES_IN = 60 session = boto3.session.Session() client = session.client("sts", region_name=region) service_id = client.meta.service_model.service_id signer = RequestSigner(service_id, region, "sts", "v4", session.get_credentials(), session.events) params = { "method": "GET", "url": "https://sts.{}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15" .format(region), "body": {}, "headers": { "x-k8s-aws-id": cluster }, "context": {}, } signed_url = signer.generate_presigned_url(params, region_name=region, expires_in=STS_TOKEN_EXPIRES_IN, operation_name="") base64_url = base64.urlsafe_b64encode( signed_url.encode("utf-8")).decode("utf-8") # need to remove base64 encoding padding: # https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/202 return "k8s-aws-v1." + re.sub(r"=*", "", base64_url)
def _get_presigned_url(self, cluster_name, role_arn): session = self._session_handler.get_session( self._region_name, role_arn ) if self._region_name is None: self._region_name = session.get_config_variable('region') loader = botocore.loaders.create_loader() data = loader.load_data("endpoints") endpoint_resolver = botocore.regions.EndpointResolver(data) endpoint = endpoint_resolver.construct_endpoint( AUTH_SERVICE, self._region_name ) signer = RequestSigner( ServiceId(AUTH_SERVICE), self._region_name, AUTH_SERVICE, AUTH_SIGNING_VERSION, session.get_credentials(), session.get_component('event_emitter') ) action_params='Action=' + AUTH_COMMAND + '&Version=' + AUTH_API_VERSION params = { 'method': 'GET', 'url': 'https://' + endpoint["hostname"] + '/?' + action_params, 'body': {}, 'headers': {CLUSTER_NAME_HEADER: cluster_name}, 'context': {} } url=signer.generate_presigned_url( params, region_name=endpoint["credentialScope"]["region"], operation_name='', expires_in=URL_TIMEOUT ) return url
def get_token(cluster_id): """ Return bearer token """ session = boto3.session.Session() #Get ServiceID required by class RequestSigner client = session.client("sts", region_name=AWS_REGION) service_id = client.meta.service_model.service_id signer = RequestSigner(service_id, session.region_name, 'sts', 'v4', session.get_credentials(), session.events) params = { 'method': 'GET', 'url': 'https://sts.{}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15' .format(AWS_REGION), 'body': {}, 'headers': { 'x-k8s-aws-id': cluster_id }, 'context': {} } # print("params: "+str(params)) signed_url = signer.generate_presigned_url(params, region_name=AWS_REGION, expires_in=60, operation_name='') # print("SIGNED_URL: "+signed_url) base64_url = base64.urlsafe_b64encode( signed_url.encode('utf-8')).decode('utf-8') token = 'k8s-aws-v1.' + re.sub(r'=*', '', base64_url) # print("token: "+token) return token
def _get_eks_bearer_token(self, cluster_id, region): session = boto3.session.Session( aws_access_key_id=self._aws_access_key_id, aws_secret_access_key=self._aws_secret_access_key, ) client = session.client("sts", region_name=region) service_id = client.meta.service_model.service_id signer = RequestSigner(service_id, region, "sts", "v4", session.get_credentials(), session.events) params = { "method": "GET", "url": "https://sts.{}.amazonaws.com/?Action=GetCallerIdentity&" "Version=2011-06-15".format(region), "body": {}, "headers": { "x-k8s-aws-id": cluster_id }, "context": {}, } signed_url = signer.generate_presigned_url( params, region_name=region, expires_in=self.STS_TOKEN_EXPIRES_IN, operation_name="", ) base64_url = base64.urlsafe_b64encode( signed_url.encode("utf-8")).decode("utf-8") # remove any base64 encoding padding: return "Bearer k8s-aws-v1." + re.sub(r"=*", "", base64_url)
def get_token(self): session = boto3.session.Session() #Get ServiceID required by class RequestSigner client = session.client("sts", region_name=self.region) service_id = client.meta.service_model.service_id #An object to sign requests before they go out over the wire using one of the authentication mechanisms defined in auth.py signer = RequestSigner(service_id, session.region_name, 'sts', 'v4', session.get_credentials(), session.events) #creating the get request template params = { 'method': self.METHOD, 'url': 'https://' + self.STS_URL + '/?' + self.STS_ACTION, 'body': {}, 'headers': { self.EKS_HEADER: self.cluster_id }, 'context': {} } #Generates a presigned url signed_url = signer.generate_presigned_url( params, region_name=session.region_name, expires_in=self.EXPIRES, operation_name='') #bearere token hash base64_url = base64.urlsafe_b64encode( signed_url.encode('utf-8')).decode('utf-8') #removed padding from beare token #return bearere token hash return self.EKS_PREFIX + re.sub(r'=*', '', base64_url)
class TestSigner(BaseSignerTest): def test_region_name(self): self.assertEqual(self.signer.region_name, 'region_name') def test_signature_version(self): self.assertEqual(self.signer.signature_version, 'v4') def test_signing_name(self): self.assertEqual(self.signer.signing_name, 'signing_name') def test_region_required_for_sigv4(self): self.signer = RequestSigner( 'service_name', None, 'signing_name', 'v4', self.credentials, self.emitter) with self.assertRaises(NoRegionError): self.signer.sign('operation_name', mock.Mock()) def test_get_auth(self): auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth_cls}): auth = self.signer.get_auth('service_name', 'region_name') self.assertEqual(auth, auth_cls.return_value) auth_cls.assert_called_with( credentials=self.fixed_credentials, service_name='service_name', region_name='region_name') def test_get_auth_signature_override(self): auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-custom': auth_cls}): auth = self.signer.get_auth( 'service_name', 'region_name', signature_version='v4-custom') self.assertEqual(auth, auth_cls.return_value) auth_cls.assert_called_with( credentials=self.fixed_credentials, service_name='service_name', region_name='region_name') def test_get_auth_bad_override(self): with self.assertRaises(UnknownSignatureVersionError): self.signer.get_auth('service_name', 'region_name', signature_version='bad') def test_emits_choose_signer(self): request = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': mock.Mock()}): self.signer.sign('operation_name', request) self.emitter.emit_until_response.assert_called_with( 'choose-signer.service_name.operation_name', signing_name='signing_name', region_name='region_name', signature_version='v4') def test_choose_signer_override(self): request = mock.Mock() auth = mock.Mock() auth.REQUIRES_REGION = False self.emitter.emit_until_response.return_value = (None, 'custom') with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'custom': auth}): self.signer.sign('operation_name', request) auth.assert_called_with(credentials=self.fixed_credentials) auth.return_value.add_auth.assert_called_with(request) def test_emits_before_sign(self): request = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': mock.Mock()}): self.signer.sign('operation_name', request) self.emitter.emit.assert_called_with( 'before-sign.service_name.operation_name', request=mock.ANY, signing_name='signing_name', region_name='region_name', signature_version='v4', request_signer=self.signer) def test_disable_signing(self): # Returning botocore.UNSIGNED from choose-signer disables signing! request = mock.Mock() auth = mock.Mock() self.emitter.emit_until_response.return_value = (None, botocore.UNSIGNED) with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth}): self.signer.sign('operation_name', request) auth.assert_not_called() def test_generate_url_emits_choose_signer(self): request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': mock.Mock()}): self.signer.generate_presigned_url(request_dict, 'operation_name') self.emitter.emit_until_response.assert_called_with( 'choose-signer.service_name.operation_name', signing_name='signing_name', region_name='region_name', signature_version='v4-query') def test_generate_url_choose_signer_override(self): request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } auth = mock.Mock() auth.REQUIRES_REGION = False self.emitter.emit_until_response.return_value = (None, 'custom') auth_types_map = {'custom': mock.Mock(), 'custom-query': auth} with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types_map): self.signer.generate_presigned_url(request_dict, 'operation_name') auth.assert_called_with(credentials=self.fixed_credentials, expires=3600) def test_generate_url_unsigned(self): request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } self.emitter.emit_until_response.return_value = ( None, botocore.UNSIGNED) url = self.signer.generate_presigned_url( request_dict, 'operation_name') self.assertEqual(url, 'https://foo.com') def test_generate_presigned_url(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, operation_name='operation_name') auth.assert_called_with( credentials=self.fixed_credentials, region_name='region_name', service_name='signing_name', expires=3600) self.assertEqual(presigned_url, 'https://foo.com') def test_generate_presigned_url_with_region_override(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, operation_name='operation_name', region_name='us-west-2') auth.assert_called_with( credentials=self.fixed_credentials, region_name='us-west-2', service_name='signing_name', expires=3600) self.assertEqual(presigned_url, 'https://foo.com') def test_generate_presigned_url_with_exipres_in(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, operation_name='operation_name', expires_in=900) auth.assert_called_with( credentials=self.fixed_credentials, region_name='region_name', expires=900, service_name='signing_name') self.assertEqual(presigned_url, 'https://foo.com') def test_presigned_url_throws_unsupported_signature_error(self): request_dict = { 'headers': {}, 'url': 'https://s3.amazonaws.com/mybucket/myobject', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } self.signer = RequestSigner( 'service_name', 'region_name', 'signing_name', 'foo', self.credentials, self.emitter) with self.assertRaises(UnsupportedSignatureVersionError): self.signer.generate_presigned_url( request_dict, operation_name='foo') def test_signer_with_refreshable_credentials_gets_credential_set(self): class FakeCredentials(Credentials): def get_frozen_credentials(self): return ReadOnlyCredentials('foo', 'bar', 'baz') self.credentials = FakeCredentials('a', 'b', 'c') self.signer = RequestSigner( 'service_name', 'region_name', 'signing_name', 'v4', self.credentials, self.emitter) auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth_cls}): auth = self.signer.get_auth('service_name', 'region_name') self.assertEqual(auth, auth_cls.return_value) # Note we're called with 'foo', 'bar', 'baz', and *not* # 'a', 'b', 'c'. auth_cls.assert_called_with( credentials=ReadOnlyCredentials('foo', 'bar', 'baz'), service_name='service_name', region_name='region_name') def test_no_credentials_case_is_forwarded_to_signer(self): # If no credentials are given to the RequestSigner, we should # forward that fact on to the Auth class and let them handle # the error (which they already do). self.credentials = None self.signer = RequestSigner( 'service_name', 'region_name', 'signing_name', 'v4', self.credentials, self.emitter) auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth_cls}): auth = self.signer.get_auth_instance( 'service_name', 'region_name', 'v4') auth_cls.assert_called_with( service_name='service_name', region_name='region_name', credentials=None, ) def test_sign_with_signing_type_standard(self): auth = mock.Mock() post_auth = mock.Mock() query_auth = mock.Mock() request = mock.Mock() auth_types = { 'v4-presign-post': post_auth, 'v4-query': query_auth, 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', request, signing_type='standard') self.assertFalse(post_auth.called) self.assertFalse(query_auth.called) auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='region_name' ) def test_sign_with_signing_type_presign_url(self): auth = mock.Mock() post_auth = mock.Mock() query_auth = mock.Mock() request = mock.Mock() auth_types = { 'v4-presign-post': post_auth, 'v4-query': query_auth, 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', request, signing_type='presign-url') self.assertFalse(post_auth.called) self.assertFalse(auth.called) query_auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='region_name' ) def test_sign_with_signing_type_presign_post(self): auth = mock.Mock() post_auth = mock.Mock() query_auth = mock.Mock() request = mock.Mock() auth_types = { 'v4-presign-post': post_auth, 'v4-query': query_auth, 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', request, signing_type='presign-post') self.assertFalse(auth.called) self.assertFalse(query_auth.called) post_auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='region_name' ) def test_sign_with_region_name(self): request = mock.Mock() auth = mock.Mock() auth_types = { 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', request, region_name='foo') auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='foo' ) def test_sign_with_expires_in(self): request = mock.Mock() auth = mock.Mock() auth_types = { 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', request, expires_in=2) auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='region_name', expires=2 ) def test_unknown_signer_raises_unknown_on_standard(self): request = mock.Mock() auth = mock.Mock() auth_types = { 'v4': auth } self.emitter.emit_until_response.return_value = (None, 'custom') with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): with self.assertRaises(UnknownSignatureVersionError): self.signer.sign('operation_name', request, signing_type='standard') def test_unknown_signer_raises_unsupported_when_not_standard(self): request = mock.Mock() auth = mock.Mock() auth_types = { 'v4': auth } self.emitter.emit_until_response.return_value = (None, 'custom') with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): with self.assertRaises(UnsupportedSignatureVersionError): self.signer.sign('operation_name', request, signing_type='presign-url') with self.assertRaises(UnsupportedSignatureVersionError): self.signer.sign('operation_name', request, signing_type='presign-post')
class TestSigner(BaseSignerTest): def test_region_name(self): self.assertEqual(self.signer.region_name, 'region_name') def test_signature_version(self): self.assertEqual(self.signer.signature_version, 'v4') def test_signing_name(self): self.assertEqual(self.signer.signing_name, 'signing_name') def test_region_required_for_sigv4(self): self.signer = RequestSigner( ServiceId('service_name'), None, 'signing_name', 'v4', self.credentials, self.emitter ) with self.assertRaises(NoRegionError): self.signer.sign('operation_name', self.request) def test_get_auth(self): auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth_cls}): auth = self.signer.get_auth('service_name', 'region_name') self.assertEqual(auth, auth_cls.return_value) auth_cls.assert_called_with( credentials=self.fixed_credentials, service_name='service_name', region_name='region_name') def test_get_auth_signature_override(self): auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-custom': auth_cls}): auth = self.signer.get_auth( 'service_name', 'region_name', signature_version='v4-custom') self.assertEqual(auth, auth_cls.return_value) auth_cls.assert_called_with( credentials=self.fixed_credentials, service_name='service_name', region_name='region_name') def test_get_auth_bad_override(self): with self.assertRaises(UnknownSignatureVersionError): self.signer.get_auth('service_name', 'region_name', signature_version='bad') def test_emits_choose_signer(self): with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': mock.Mock()}): self.signer.sign('operation_name', self.request) self.emitter.emit_until_response.assert_called_with( 'choose-signer.service_name.operation_name', signing_name='signing_name', region_name='region_name', signature_version='v4', context=mock.ANY) def test_choose_signer_override(self): auth = mock.Mock() auth.REQUIRES_REGION = False self.emitter.emit_until_response.return_value = (None, 'custom') with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'custom': auth}): self.signer.sign('operation_name', self.request) auth.assert_called_with(credentials=self.fixed_credentials) auth.return_value.add_auth.assert_called_with(self.request) def test_emits_before_sign(self): with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': mock.Mock()}): self.signer.sign('operation_name', self.request) self.emitter.emit.assert_called_with( 'before-sign.service_name.operation_name', request=self.request, signing_name='signing_name', region_name='region_name', signature_version='v4', request_signer=self.signer, operation_name='operation_name') def test_disable_signing(self): # Returning botocore.UNSIGNED from choose-signer disables signing! auth = mock.Mock() self.emitter.emit_until_response.return_value = (None, botocore.UNSIGNED) with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth}): self.signer.sign('operation_name', self.request) auth.assert_not_called() def test_generate_url_emits_choose_signer(self): request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': mock.Mock()}): self.signer.generate_presigned_url(request_dict, 'operation_name') self.emitter.emit_until_response.assert_called_with( 'choose-signer.service_name.operation_name', signing_name='signing_name', region_name='region_name', signature_version='v4-query', context=mock.ANY) def test_choose_signer_passes_context(self): self.request.context = {'foo': 'bar'} with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': mock.Mock()}): self.signer.sign('operation_name', self.request) self.emitter.emit_until_response.assert_called_with( 'choose-signer.service_name.operation_name', signing_name='signing_name', region_name='region_name', signature_version='v4', context={'foo': 'bar'}) def test_generate_url_choose_signer_override(self): request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } auth = mock.Mock() auth.REQUIRES_REGION = False self.emitter.emit_until_response.return_value = (None, 'custom') auth_types_map = {'custom': mock.Mock(), 'custom-query': auth} with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types_map): self.signer.generate_presigned_url(request_dict, 'operation_name') auth.assert_called_with(credentials=self.fixed_credentials, expires=3600) def test_generate_url_unsigned(self): request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } self.emitter.emit_until_response.return_value = ( None, botocore.UNSIGNED) url = self.signer.generate_presigned_url( request_dict, 'operation_name') self.assertEqual(url, 'https://foo.com') def test_generate_presigned_url(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, operation_name='operation_name') auth.assert_called_with( credentials=self.fixed_credentials, region_name='region_name', service_name='signing_name', expires=3600) self.assertEqual(presigned_url, 'https://foo.com') def test_generate_presigned_url_with_region_override(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, operation_name='operation_name', region_name='us-west-2') auth.assert_called_with( credentials=self.fixed_credentials, region_name='us-west-2', service_name='signing_name', expires=3600) self.assertEqual(presigned_url, 'https://foo.com') def test_generate_presigned_url_with_exipres_in(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, operation_name='operation_name', expires_in=900) auth.assert_called_with( credentials=self.fixed_credentials, region_name='region_name', expires=900, service_name='signing_name') self.assertEqual(presigned_url, 'https://foo.com') def test_presigned_url_throws_unsupported_signature_error(self): request_dict = { 'headers': {}, 'url': 'https://s3.amazonaws.com/mybucket/myobject', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } self.signer = RequestSigner( ServiceId('service_name'), 'region_name', 'signing_name', 'foo', self.credentials, self.emitter) with self.assertRaises(UnsupportedSignatureVersionError): self.signer.generate_presigned_url( request_dict, operation_name='foo') def test_signer_with_refreshable_credentials_gets_credential_set(self): class FakeCredentials(Credentials): def get_frozen_credentials(self): return ReadOnlyCredentials('foo', 'bar', 'baz') self.credentials = FakeCredentials('a', 'b', 'c') self.signer = RequestSigner( ServiceId('service_name'), 'region_name', 'signing_name', 'v4', self.credentials, self.emitter) auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth_cls}): auth = self.signer.get_auth('service_name', 'region_name') self.assertEqual(auth, auth_cls.return_value) # Note we're called with 'foo', 'bar', 'baz', and *not* # 'a', 'b', 'c'. auth_cls.assert_called_with( credentials=ReadOnlyCredentials('foo', 'bar', 'baz'), service_name='service_name', region_name='region_name') def test_no_credentials_case_is_forwarded_to_signer(self): # If no credentials are given to the RequestSigner, we should # forward that fact on to the Auth class and let them handle # the error (which they already do). self.credentials = None self.signer = RequestSigner( ServiceId('service_name'), 'region_name', 'signing_name', 'v4', self.credentials, self.emitter) auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth_cls}): auth = self.signer.get_auth_instance( 'service_name', 'region_name', 'v4') auth_cls.assert_called_with( service_name='service_name', region_name='region_name', credentials=None, ) def test_sign_with_signing_type_standard(self): auth = mock.Mock() post_auth = mock.Mock() query_auth = mock.Mock() auth_types = { 'v4-presign-post': post_auth, 'v4-query': query_auth, 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', self.request, signing_type='standard') self.assertFalse(post_auth.called) self.assertFalse(query_auth.called) auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='region_name' ) def test_sign_with_signing_type_presign_url(self): auth = mock.Mock() post_auth = mock.Mock() query_auth = mock.Mock() auth_types = { 'v4-presign-post': post_auth, 'v4-query': query_auth, 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', self.request, signing_type='presign-url') self.assertFalse(post_auth.called) self.assertFalse(auth.called) query_auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='region_name' ) def test_sign_with_signing_type_presign_post(self): auth = mock.Mock() post_auth = mock.Mock() query_auth = mock.Mock() auth_types = { 'v4-presign-post': post_auth, 'v4-query': query_auth, 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', self.request, signing_type='presign-post') self.assertFalse(auth.called) self.assertFalse(query_auth.called) post_auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='region_name' ) def test_sign_with_region_name(self): auth = mock.Mock() auth_types = { 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', self.request, region_name='foo') auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='foo' ) def test_sign_override_region_from_context(self): auth = mock.Mock() auth_types = { 'v4': auth } self.request.context = {'signing': {'region': 'my-override-region'}} with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', self.request) auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='my-override-region' ) def test_sign_with_region_name_overrides_context(self): auth = mock.Mock() auth_types = { 'v4': auth } self.request.context = {'signing': {'region': 'context-override'}} with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', self.request, region_name='param-override') auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='param-override' ) def test_sign_with_expires_in(self): auth = mock.Mock() auth_types = { 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', self.request, expires_in=2) auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='signing_name', region_name='region_name', expires=2 ) def test_sign_with_custom_signing_name(self): auth = mock.Mock() auth_types = { 'v4': auth } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): self.signer.sign('operation_name', self.request, signing_name='foo') auth.assert_called_with( credentials=ReadOnlyCredentials('key', 'secret', None), service_name='foo', region_name='region_name' ) def test_presign_with_custom_signing_name(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET', 'context': {} } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, operation_name='operation_name', signing_name='foo') auth.assert_called_with( credentials=self.fixed_credentials, region_name='region_name', expires=3600, service_name='foo') self.assertEqual(presigned_url, 'https://foo.com') def test_unknown_signer_raises_unknown_on_standard(self): auth = mock.Mock() auth_types = { 'v4': auth } self.emitter.emit_until_response.return_value = (None, 'custom') with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): with self.assertRaises(UnknownSignatureVersionError): self.signer.sign('operation_name', self.request, signing_type='standard') def test_unknown_signer_raises_unsupported_when_not_standard(self): auth = mock.Mock() auth_types = { 'v4': auth } self.emitter.emit_until_response.return_value = (None, 'custom') with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, auth_types): with self.assertRaises(UnsupportedSignatureVersionError): self.signer.sign('operation_name', self.request, signing_type='presign-url') with self.assertRaises(UnsupportedSignatureVersionError): self.signer.sign('operation_name', self.request, signing_type='presign-post')
class TestSigner(BaseSignerTest): def test_region_name(self): self.assertEqual(self.signer.region_name, 'region_name') def test_signature_version(self): self.assertEqual(self.signer.signature_version, 'v4') def test_signing_name(self): self.assertEqual(self.signer.signing_name, 'signing_name') def test_region_required_for_sigv4(self): self.signer = RequestSigner( 'service_name', None, 'signing_name', 'v4', self.credentials, self.emitter) with self.assertRaises(NoRegionError): self.signer.sign('operation_name', mock.Mock()) def test_get_auth(self): auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth_cls}): auth = self.signer.get_auth('service_name', 'region_name') self.assertEqual(auth, auth_cls.return_value) auth_cls.assert_called_with( credentials=self.credentials, service_name='service_name', region_name='region_name') def test_get_auth_cached(self): def side_effect(*args, **kwargs): return mock.Mock() auth_cls = mock.Mock(side_effect=side_effect) with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth_cls}): auth1 = self.signer.get_auth('service_name', 'region_name') auth2 = self.signer.get_auth('service_name', 'region_name') self.assertEqual(auth1, auth2) def test_get_auth_cached_expires(self): def side_effect(*args, **kwargs): return mock.Mock() auth_cls = mock.Mock(side_effect=side_effect) with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth_cls}): auth1 = self.signer.get_auth('service_name', 'region_name', expires=60) auth2 = self.signer.get_auth('service_name', 'region_name', expires=90) self.assertNotEqual(auth1, auth2) def test_get_auth_signature_override(self): auth_cls = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-custom': auth_cls}): auth = self.signer.get_auth( 'service_name', 'region_name', signature_version='v4-custom') self.assertEqual(auth, auth_cls.return_value) auth_cls.assert_called_with( credentials=self.credentials, service_name='service_name', region_name='region_name') def test_get_auth_bad_override(self): with self.assertRaises(UnknownSignatureVersionError): self.signer.get_auth('service_name', 'region_name', signature_version='bad') def test_emits_choose_signer(self): request = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': mock.Mock()}): self.signer.sign('operation_name', request) self.emitter.emit_until_response.assert_called_with( 'choose-signer.service_name.operation_name', signing_name='signing_name', region_name='region_name', signature_version='v4') def test_choose_signer_override(self): request = mock.Mock() auth = mock.Mock() auth.REQUIRES_REGION = False self.emitter.emit_until_response.return_value = (None, 'custom') with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'custom': auth}): self.signer.sign('operation_name', request) auth.assert_called_with(credentials=self.credentials) auth.return_value.add_auth.assert_called_with(request=request) def test_emits_before_sign(self): request = mock.Mock() with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': mock.Mock()}): self.signer.sign('operation_name', request) self.emitter.emit.assert_called_with( 'before-sign.service_name.operation_name', request=mock.ANY, signing_name='signing_name', region_name='region_name', signature_version='v4', request_signer=self.signer) def test_disable_signing(self): # Returning botocore.UNSIGNED from choose-signer disables signing! request = mock.Mock() auth = mock.Mock() self.emitter.emit_until_response.return_value = (None, botocore.UNSIGNED) with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4': auth}): self.signer.sign('operation_name', request) auth.assert_not_called() def test_generate_presigned_url(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET' } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url(request_dict) auth.assert_called_with( credentials=self.credentials, region_name='region_name', service_name='signing_name', expires=3600) self.assertEqual(presigned_url, 'https://foo.com') def test_generate_presigned_url_with_region_override(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET' } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, region_name='us-west-2') auth.assert_called_with( credentials=self.credentials, region_name='us-west-2', service_name='signing_name', expires=3600) self.assertEqual(presigned_url, 'https://foo.com') def test_generate_presigned_url_with_exipres_in(self): auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://foo.com', 'body': b'', 'url_path': '/', 'method': 'GET' } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'v4-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, expires_in=900) auth.assert_called_with( credentials=self.credentials, region_name='region_name', expires=900, service_name='signing_name') self.assertEqual(presigned_url, 'https://foo.com') def test_generate_presigned_url_fixes_s3_host(self): self.signer = RequestSigner( 'service_name', 'region_name', 'signing_name', 's3', self.credentials, self.emitter) auth = mock.Mock() auth.REQUIRES_REGION = True request_dict = { 'headers': {}, 'url': 'https://s3.amazonaws.com/mybucket/myobject', 'body': b'', 'url_path': '/', 'method': 'GET' } with mock.patch.dict(botocore.auth.AUTH_TYPE_MAPS, {'s3-query': auth}): presigned_url = self.signer.generate_presigned_url( request_dict, expires_in=900) auth.assert_called_with( credentials=self.credentials, region_name='region_name', expires=900, service_name='signing_name') self.assertEqual(presigned_url, 'https://mybucket.s3.amazonaws.com/myobject') def test_presigned_url_throws_unsupported_signature_error(self): self.signer = RequestSigner( 'service_name', 'region_name', 'signing_name', 'foo', self.credentials, self.emitter) with self.assertRaises(UnsupportedSignatureVersionError): self.signer.generate_presigned_url({})
def alertingfunc(cluster_id, region): # define variables initialtime = "" STS_TOKEN_EXPIRES_IN = 60 session = boto3.session.Session(profile_name='default') client = session.client('sts', region_name=region) c = client.get_caller_identity() service_id = client.meta.service_model.service_id signer = RequestSigner(service_id, region, 'sts', 'v4', session.get_credentials(), session.events) params = { 'method': 'GET', 'url': 'https://sts.{}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15' .format(region), 'body': {}, 'headers': { 'x-k8s-aws-id': cluster_id }, 'context': {} } signed_url = signer.generate_presigned_url(params, region_name=region, expires_in=STS_TOKEN_EXPIRES_IN, operation_name='') base64_url = base64.urlsafe_b64encode( signed_url.encode('utf-8')).decode('utf-8') output = subprocess.check_output( "kubectl get event -A -o custom-columns=NAME:.metadata.name,REASON:.reason", shell=True) events = output.decode('utf-8').split() print(events) # alerting or notifications to email or SNS emaillist = ["*****@*****.**"] def send_email(event): for member in emaillist: sender = smtplib.SMTP('smtp.gmail.com', 587) sender.starttls() sender.login("sender_email_id", "sender_email_id_password") message = "Node-Pod alerting mechanism:" + event sender.sendmail("sender_email_id", dest, message) sender.quit() def sns_notification(event): sns = boto3.client('sns') response = sns.publish( TopicArn= 'arn:aws:sns:us-west-2:031679903962:newproject-NewprojectTopic2D161F5E-7N7IKAKxxxx', #add the topic arn Message='Alert: pod or node broken', ) #print(response) if os.path.getsize("events.txt") == 0: print("No previous data related to kubectl events recorded") initialoutput = subprocess.check_output( "kubectl get events -o custom-columns=Firstseen:.firstTimestamp --sort-by='.firstTimestamp'", shell=True) newevents = initialoutput.decode('utf-8').split() newevents.reverse() initialtime = str(newevents[0]) with open('events.txt', 'w') as f: with redirect_stdout(f): print(newevents[0]) f.close() else: files = open("events.txt", "r+") prevtime = str(files.read()).split() newtime = prevtime[0] #print(prevtime) newoutput = subprocess.check_output( "kubectl get events -o custom-columns=Firstseen:.firstTimestamp --sort-by='.firstTimestamp'", shell=True) newevents = newoutput.decode('utf-8').split() newevents.reverse() currenttime = str(newevents[0]) #print(type(currenttime)) #print(currenttime) if (initialtime == currenttime): with open('events.txt', 'w') as f: with redirect_stdout(f): print(newevents[0]) f.close() elif (newtime == currenttime): sys.exit() else: with open('events.txt', 'w') as f: with redirect_stdout(f): print(newevents[0]) f.close() for previous, current in zip(events, events[1:]): if current == "RemovingNode": event = "Alert: A node is getting removed from cluster:" + previous print(event) send_email(event) sns_notification(event) continue elif current == "NotNotReady": event = "Alert: One of the node is in Not Ready state:" + previous print(event) send_email(event) sns_notification(event) continue elif current == "FailedScheduling": event = "Alert: Pod is failed to schedule:" + previous print(event) #send_email(event) sns_notification(event) continue elif current == "Failed": event = "Alert: FailedToCreateContainer or FailedToStartContainer or FailedToPullImage:" + previous print(event) send_email(event) sns_notification(event) continue elif current == "Killing": event = "Alert: KillingContainer:" + previous print(event) send_email(event) sns_notification(event) continue elif current == "NodeNotSchedulable": event = "Alert: NodeNotSchedulable:" + previous print(event) send_email(event) sns_notification(event) continue else: None return 0
def create_client_config(self): config = kubernetes_client.Configuration() if self.auth_mode == "aws-iam": # https://github.com/kubernetes-sigs/aws-iam-authenticator # https://aws.amazon.com/de/about-aws/whats-new/2019/05/amazon-eks-simplifies-kubernetes-cluster-authentication/ # https://github.com/aws/aws-cli/blob/develop/awscli/customizations/eks/get_token.py # get cluster info import boto3 eks_client = boto3.client( 'eks', region_name=self.aws_region_name, aws_access_key_id=self.aws_access_key_id, aws_secret_access_key=self.aws_secret_access_key) cluster_info = eks_client.describe_cluster( name=self.aws_cluster_name) aws_cluster_ca = cluster_info['cluster']['certificateAuthority'][ 'data'] aws_cluster_url = cluster_info['cluster']['endpoint'] # get authentication token from botocore.signers import RequestSigner # pylint: disable=import-error STS_TOKEN_EXPIRES_IN = 60 session = boto3.Session( region_name=self.aws_region_name, aws_access_key_id=self.aws_access_key_id, aws_secret_access_key=self.aws_secret_access_key) sts_client = session.client('sts') service_id = sts_client.meta.service_model.service_id token_signer = RequestSigner(service_id, self.aws_region_name, 'sts', 'v4', session.get_credentials(), session.events) signed_url = token_signer.generate_presigned_url( { 'method': 'GET', 'url': 'https://sts.{}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15' .format(self.aws_region_name), 'body': {}, 'headers': { 'x-k8s-aws-id': self.aws_cluster_name }, 'context': {} }, region_name=self.aws_region_name, expires_in=STS_TOKEN_EXPIRES_IN, operation_name='') base64_url = base64.urlsafe_b64encode( signed_url.encode('utf-8')).decode('utf-8') auth_token = 'k8s-aws-v1.' + re.sub(r'=*', '', base64_url) config.host = aws_cluster_url ca_data = base64.standard_b64decode(aws_cluster_ca) fp = tempfile.NamedTemporaryFile( delete=False) # TODO when to delete? fp.write(ca_data) fp.close() config.ssl_ca_cert = fp.name config.api_key["authorization"] = auth_token config.api_key_prefix["authorization"] = "Bearer" elif self.auth_mode == "cert-key": config.host = self.cluster_url if self.client_cert: try: cert_data = base64.standard_b64decode(self.client_cert) fp = tempfile.NamedTemporaryFile( delete=False) # TODO when to delete? fp.write(cert_data) fp.close() config.cert_file = fp.name except Exception as e: raise Exception("Error applying cluster cert: %s" % (e)) if self.client_key: try: key_data = base64.standard_b64decode(self.client_key) fp = tempfile.NamedTemporaryFile( delete=False) # TODO when to delete? fp.write(key_data) fp.close() config.key_file = fp.name except Exception as e: raise Exception("Error applying cluster key: %s" % (e)) if self.cluster_ca: try: cluster_ca_data = base64.standard_b64decode( self.cluster_ca) fp = tempfile.NamedTemporaryFile( delete=False) # TODO when to delete? fp.write(cluster_ca_data) fp.close() config.ssl_ca_cert = fp.name except Exception as e: raise Exception("Error applying cluster ca: %s" % (e)) config.verify_ssl = False elif self.auth_mode == "user-token": # TODO: should cluster_ca be used here too? config.host = self.cluster_url config.api_key["authorization"] = self.user_token config.api_key_prefix["authorization"] = "Bearer" config.verify_ssl = False elif self.auth_mode == "user-password": if self.cluster_ca: try: cluster_ca_data = base64.standard_b64decode( self.cluster_ca) fp = tempfile.NamedTemporaryFile( delete=False) # TODO when to delete? fp.write(cluster_ca_data) fp.close() config.ssl_ca_cert = fp.name except Exception as e: raise Exception("Error applying cluster ca: %s" % (e)) config.host = self.cluster_url import urllib3 config.api_key["authorization"] = urllib3.util.make_headers( basic_auth=self.user_name + ':' + self.user_password).get('authorization') config.verify_ssl = False elif self.auth_mode == "in-cluster": kubernetes_config.load_incluster_config() config = kubernetes_client.Configuration._default else: raise Exception("invalid auth mode '%s'" % self.auth_mode) return config