
Commit bde6774

tongyimingmikatong
and
mikatong
authored
feat(provider): [123456789] support tke cam role (#2785)
* support pod oidc * update * add changelog --------- Co-authored-by: mikatong <[email protected]>
1 parent 5e701aa commit bde6774


2 files changed

+43
-0
lines changed


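--- a/.changelog/2785.txt
+++ b/.changelog/2785.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: support tke cam role auth
+```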

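--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -133,6 +133,10 @@ const (
 PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
 PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE"
 PROVIDER_CAM_ROLE_NAME = "TENCENTCLOUD_CAM_ROLE_NAME"
+POD_OIDC_TKE_REGION = "TKE_REGION"
+POD_OIDC_TKE_WEB_IDENTITY_TOKEN_FILE = "TKE_WEB_IDENTITY_TOKEN_FILE"
+POD_OIDC_TKE_PROVIDER_ID = "TKE_PROVIDER_ID"
+POD_OIDC_TKE_ROLE_ARN = "TKE_ROLE_ARN"
 )
 
 const (
@@ -285,6 +289,11 @@ func Provider() *schema.Provider {
 },
 },
 },
+"enable_pod_oidc": {
+Type: schema.TypeBool,
+Optional: true,
+Description: "Enable pod oidc.",
+},
 "assume_role_with_web_identity": {
 Type: schema.TypeList,
 Optional: true,
@@ -2296,6 +2305,18 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 }
 }
 
+if v, ok := d.GetOkExists("enable_pod_oidc"); ok && v.(bool) {
+if os.Getenv(POD_OIDC_TKE_REGION) != "" && os.Getenv(POD_OIDC_TKE_WEB_IDENTITY_TOKEN_FILE) != "" && os.Getenv(POD_OIDC_TKE_PROVIDER_ID) != "" && os.Getenv(POD_OIDC_TKE_ROLE_ARN) != "" {
+err := genClientWithPodOidc(&tcClient)
+if err != nil {
+return nil, err
+}
+needSecret = false
+} else {
+return nil, fmt.Errorf("Can not get `TKE_REGION`, `TKE_WEB_IDENTITY_TOKEN_FILE`, `TKE_PROVIDER_ID`, `TKE_ROLE_ARN`. Must config serviceAccountName for pod.\n")
+}
+}
+
 if needSecret && (secretId == "" || secretKey == "") {
 return nil, fmt.Errorf("Please set your `secret_id` and `secret_key`.\n")
 }
@@ -2486,3 +2507,22 @@ func getConfigFromProfile(d *schema.ResourceData, ProfileKey string) (interface{
 
 return providerConfig[ProfileKey], nil
 }
+
+func genClientWithPodOidc(tcClient *TencentCloudClient) error {
+provider, err := sdkcommon.DefaultTkeOIDCRoleArnProvider()
+if err != nil {
+return err
+}
+assumeResp, err := provider.GetCredential()
+if err != nil {
+return err
+}
+
+tcClient.apiV3Conn.Credential = sdkcommon.NewTokenCredential(
+assumeResp.GetSecretId(),
+assumeResp.GetSecretKey(),
+assumeResp.GetToken(),
+)
+
+return nil
+}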
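Review bot: genClientWithPodOidc copies the secret id, secret key and token out of the credential returned by provider.GetCredential() into a static sdkcommon.NewTokenCredential, so the client keeps whatever values were current at configure time for the whole run. Credentials obtained through an OIDC role exchange are temporary, so a long apply can outlive them and start failing with authentication errors with no way to refresh; if the SDK's provider credential refreshes itself internally (likely, but confirm against the vendored SDK version), assigning it directly, `tcClient.apiV3Conn.Credential = assumeResp`, preserves that, assuming apiV3Conn.Credential is typed as sdkcommon.CredentialIface. A doc comment would also help readers of providerConfigure: `// genClientWithPodOidc obtains CAM role credentials from the pod's TKE OIDC identity and installs them on tcClient.` The call site in the previous hunk invokes this exactly once, so the expiry concern applies there as well.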
