Add support for the region of China (#156)

Signed-off-by: QuentinBisson <[email protected]>
giantswarm · Jun 17, 2024 · 679e5fa · 679e5fa
1 parent d479eef
commit 679e5fa
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 18 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Add support for the region of China.
+
 ## [0.5.5] - 2024-05-13
 
 ### Fixed

diff --git a/internal/pkg/service/objectstorage/cloud/aws/iam.go b/internal/pkg/service/objectstorage/cloud/aws/iam.go
@@ -67,6 +67,14 @@ func (s IAMAccessRoleServiceAdapter) getRole(ctx context.Context, roleName strin
 	return output.Role, nil
 }
 
+func (s IAMAccessRoleServiceAdapter) irsaDomain() string {
+	if isChinaRegion(s.cluster.Region) {
+		return fmt.Sprintf("s3.%s.amazonaws.com.cn/%s-g8s-%s-oidc-pod-identity-v2", s.cluster.Region, s.accountId, s.cluster.GetName())
+	} else {
+		return fmt.Sprintf("irsa.%s.%s", s.cluster.Name, s.cluster.GetBaseDomain())
+	}
+}
+
 func (s IAMAccessRoleServiceAdapter) ConfigureRole(ctx context.Context, bucket *v1alpha1.Bucket) error {
 	roleName := bucket.Spec.AccessRole.RoleName
 	role, err := s.getRole(ctx, roleName)
@@ -94,8 +102,8 @@ func (s IAMAccessRoleServiceAdapter) ConfigureRole(ctx context.Context, bucket *
 	var trustPolicy bytes.Buffer
 	err = s.trustIdentityPolicy.Execute(&trustPolicy, TrustIdentityPolicyData{
 		AccountId:               s.accountId,
-		CloudDomain:             s.cluster.GetBaseDomain(),
-		Installation:            s.cluster.GetName(),
+		AWSDomain:               awsDomain(s.cluster.Region),
+		CloudFrontDomain:        s.irsaDomain(),
 		ServiceAccountName:      bucket.Spec.AccessRole.ServiceAccountName,
 		ServiceAccountNamespace: bucket.Spec.AccessRole.ServiceAccountNamespace,
 	})
@@ -148,11 +156,9 @@ func (s IAMAccessRoleServiceAdapter) ConfigureRole(ctx context.Context, bucket *
 
 	var rolePolicy bytes.Buffer
 	var data = RolePolicyData{
-		BucketName: bucket.Spec.Name,
-	}
-
-	if len(bucket.Spec.AccessRole.ExtraBucketNames) > 0 {
-		data.ExtraBucketNames = bucket.Spec.AccessRole.ExtraBucketNames
+		AWSDomain:        awsDomain(s.cluster.Region),
+		BucketName:       bucket.Spec.Name,
+		ExtraBucketNames: bucket.Spec.AccessRole.ExtraBucketNames,
 	}
 
 	err = s.rolePolicy.Execute(&rolePolicy, data)

diff --git a/internal/pkg/service/objectstorage/cloud/aws/s3.go b/internal/pkg/service/objectstorage/cloud/aws/s3.go
@@ -120,7 +120,10 @@ func (s S3ObjectStorageAdapter) setLifecycleRules(ctx context.Context, bucket *v
 
 func (s S3ObjectStorageAdapter) setBucketPolicy(ctx context.Context, bucket *v1alpha1.Bucket) error {
 	var policy bytes.Buffer
-	err := s.bucketPolicyTemplate.Execute(&policy, BucketPolicyData{bucket.Spec.Name})
+	err := s.bucketPolicyTemplate.Execute(&policy, BucketPolicyData{
+		AWSDomain:  awsDomain(s.cluster.Region),
+		BucketName: bucket.Spec.Name,
+	})
 	if err != nil {
 		return err
 	}

diff --git a/internal/pkg/service/objectstorage/cloud/aws/templates.go b/internal/pkg/service/objectstorage/cloud/aws/templates.go
@@ -1,10 +1,29 @@
 package aws
 
+import (
+	"strings"
+)
+
 type RolePolicyData struct {
+	AWSDomain        string
 	BucketName       string
 	ExtraBucketNames []string
 }
 
+func awsDomain(region string) string {
+	domain := "aws"
+
+	if isChinaRegion(region) {
+		domain = "aws-cn"
+	}
+
+	return domain
+}
+
+func isChinaRegion(region string) bool {
+	return strings.Contains(region, "cn-")
+}
+
 const rolePolicy = `{
 	"Version": "2012-10-17",
 	"Statement": [
@@ -18,11 +37,11 @@ const rolePolicy = `{
 			],
 			"Resource": [
 				{{ range .ExtraBucketNames }}
-				"arn:aws:s3:::{{ . }}",
-				"arn:aws:s3:::{{ . }}/*",
+				"arn:{{ .AWSDomain }}:s3:::{{ . }}",
+				"arn:{{ .AWSDomain }}:s3:::{{ . }}/*",
 				{{ end }}
-				"arn:aws:s3:::{{ .BucketName }}",
-				"arn:aws:s3:::{{ .BucketName }}/*"
+				"arn:{{ .AWSDomain }}:s3:::{{ .BucketName }}",
+				"arn:{{ .AWSDomain }}:s3:::{{ .BucketName }}/*"
 			]
 		},
 		{
@@ -39,8 +58,8 @@ const rolePolicy = `{
 
 type TrustIdentityPolicyData struct {
 	AccountId               string
-	CloudDomain             string
-	Installation            string
+	AWSDomain               string
+	CloudFrontDomain        string
 	ServiceAccountName      string
 	ServiceAccountNamespace string
 }
@@ -51,19 +70,20 @@ const trustIdentityPolicy = `{
 		{
 			"Effect": "Allow",
 			"Principal": {
-				"Federated": "arn:aws:iam::{{ .AccountId }}:oidc-provider/irsa.{{ .Installation }}.{{ .CloudDomain }}"
+				"Federated": "arn:{{ .AWSDomain }}:iam::{{ .AccountId }}:oidc-provider/{{ .CloudFrontDomain }}"
 			},
 			"Action": "sts:AssumeRoleWithWebIdentity",
 			"Condition": {
 				"StringEquals": {
-					"irsa.{{ .Installation }}.{{ .CloudDomain }}:sub": "system:serviceaccount:{{ .ServiceAccountNamespace }}:{{ .ServiceAccountName }}"
+					"{{ .CloudFrontDomain }}:sub": "system:serviceaccount:{{ .ServiceAccountNamespace }}:{{ .ServiceAccountName }}"
 				}
 			}
 		}
 	]
 }`
 
 type BucketPolicyData struct {
+	AWSDomain  string
 	BucketName string
 }
 
@@ -76,8 +96,8 @@ const bucketPolicy = `{
 			"Principal": "*",
 			"Action": "s3:*",
 			"Resource": [
-				"arn:aws:s3:::{{ .BucketName }}",
-				"arn:aws:s3:::{{ .BucketName }}/*"
+				"arn:{{ .AWSDomain }}:s3:::{{ .BucketName }}",
+				"arn:{{ .AWSDomain }}:s3:::{{ .BucketName }}/*"
 			],
 			"Condition": {
 				"Bool": {