Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove admin-sa feature #5248

Merged
merged 5 commits into from
Dec 6, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 0 additions & 6 deletions config/clusters/opensci/sciencecore.values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,6 @@ userServiceAccount:
enabled: true
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::211125293633:role/opensci-sciencecore
adminServiceAccount:
enabled: true
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::211125293633:role/opensci-sciencecore-admin-sa

jupyterhub:
ingress:
Expand Down Expand Up @@ -36,8 +32,6 @@ jupyterhub:
funded_by:
name: ""
url: ""
singleuserAdmin:
serviceAccountName: admin-sa
singleuser:
nodeSelector:
2i2c/hub-name: sciencecore
Expand Down
7 changes: 0 additions & 7 deletions helm-charts/basehub/templates/serviceaccount-admin.yaml

This file was deleted.

24 changes: 0 additions & 24 deletions helm-charts/basehub/values.schema.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ required:
- global
- jupyterhub
- userServiceAccount
- adminServiceAccount
- dex
- staticWebsite
- ingressBasicAuth
Expand Down Expand Up @@ -150,27 +149,6 @@ properties:
description: |
Dictionary of annotations that can be applied to the service account.

When used with GKE and Workload Identity, you need to set
the annotation with key "iam.gke.io/gcp-service-account" to the
email address of the Google Service Account whose credentials it
should have.
adminServiceAccount:
type: object
additionalProperties: false
required:
- enabled
properties:
enabled:
type: boolean
description: |
Enables creation of a Service Account named admin-sa for opt-in use
via jupyterhub.custom.singleuserAdmin.serviceAccountName.
annotations:
type: object
additionalProperties: true
description: |
Dictionary of annotations that can be applied to the service account.

When used with GKE and Workload Identity, you need to set
the annotation with key "iam.gke.io/gcp-service-account" to the
email address of the Google Service Account whose credentials it
Expand Down Expand Up @@ -526,8 +504,6 @@ properties:
additionalProperties: true
extraEnv:
type: object
serviceAccountName:
type: string
2i2c:
type: object
additionalProperties: false
Expand Down
4 changes: 0 additions & 4 deletions helm-charts/basehub/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,6 @@ userServiceAccount:
enabled: true
annotations: {}

adminServiceAccount:
enabled: false
annotations: {}

binderhub-service:
enabled: false
ingress:
Expand Down
153 changes: 0 additions & 153 deletions terraform/aws/bucket-access.tf

This file was deleted.

42 changes: 42 additions & 0 deletions terraform/aws/buckets.tf
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,48 @@ resource "aws_s3_bucket_lifecycle_configuration" "user_bucket_expiry" {
}
}

locals {
# Nested for loop, thanks to https://www.daveperrett.com/articles/2021/08/19/nested-for-each-with-terraform/
bucket_permissions = distinct(flatten([
for hub_name, permissions in var.hub_cloud_permissions : [
for bucket_name in permissions.bucket_admin_access : {
hub_name = hub_name
bucket_name = bucket_name
}
]
]))
}

# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
data "aws_iam_policy_document" "bucket_access" {
for_each = { for bp in local.bucket_permissions : "${bp.hub_name}.${bp.bucket_name}" => bp }
statement {
effect = "Allow"
actions = ["s3:*"]
principals {
type = "AWS"
identifiers = [
aws_iam_role.irsa_role[each.value.hub_name].arn
]
}
resources = [
# Grant access only to the bucket and its contents
aws_s3_bucket.user_buckets[each.value.bucket_name].arn,
"${aws_s3_bucket.user_buckets[each.value.bucket_name].arn}/*"
]
}
}

# There can only be one of these per bucket, if more are defined they will end
# up replacing each other without terraform indicating there is trouble.
#
# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
resource "aws_s3_bucket_policy" "user_bucket_access" {
for_each = { for bp in local.bucket_permissions : "${bp.hub_name}.${bp.bucket_name}" => bp }
bucket = aws_s3_bucket.user_buckets[each.value.bucket_name].id
policy = data.aws_iam_policy_document.bucket_access[each.key].json
}

output "buckets" {
value = { for b, _ in var.user_buckets : b => aws_s3_bucket.user_buckets[b].id }
description = <<-EOT
Expand Down
Loading
Loading