Merge pull request #38 from Mirantis/credentials

Support to set default secret with AWS Credentials

Makefile

@@ -167,6 +167,8 @@ LOCAL_REGISTRY_NAME ?= hmc-local-registry
 LOCAL_REGISTRY_PORT ?= 5001
 LOCAL_REGISTRY_REPO ?= oci://127.0.0.1:$(LOCAL_REGISTRY_PORT)/charts
 
+AWS_CREDENTIALS=${AWS_B64ENCODED_CREDENTIALS}
+
 ifndef ignore-not-found
   ignore-not-found = false
 endif
@@ -247,8 +249,12 @@ dev-templates: templates-generate
 dev-management:
 	$(KUBECTL) -n $(NAMESPACE) apply -f config/dev/management.yaml
 
+.PHONY: dev-aws
+dev-aws: yq
+	$(YQ) e ".data.credentials = \"${AWS_CREDENTIALS}\"" config/dev/awscredentials.yaml | $(KUBECTL) -n $(NAMESPACE) apply -f -
+
 .PHONY: dev-apply
-dev-apply: kind-deploy crd-install registry-deploy helm-controller-deploy dev-push dev-deploy dev-templates dev-management
+dev-apply: kind-deploy crd-install registry-deploy helm-controller-deploy dev-push dev-deploy dev-templates dev-management dev-aws
 
 .PHONY: dev-destroy
 dev-destroy: kind-undeploy registry-undeploy
@@ -279,6 +285,7 @@ GOLANGCI_LINT = $(LOCALBIN)/golangci-lint-$(GOLANGCI_LINT_VERSION)
 HELM ?= $(LOCALBIN)/helm-$(HELM_VERSION)
 HELMIFY ?= $(LOCALBIN)/helmify-$(HELMIFY_VERSION)
 KIND ?= $(LOCALBIN)/kind-$(KIND_VERSION)
+YQ ?= $(LOCALBIN)/yq-$(YQ_VERSION)
 
 FLUX_CHART_REPOSITORY ?= oci://ghcr.io/fluxcd-community/charts/flux2
 FLUX_CHART_VERSION ?= 2.13.0
@@ -292,6 +299,7 @@ GOLANGCI_LINT_VERSION ?= v1.57.2
 HELM_VERSION ?= v3.15.1
 HELMIFY_VERSION ?= v0.4.13
 KIND_VERSION ?= v0.23.0
+YQ_VERSION ?= v4.44.2
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -330,6 +338,11 @@ kind: $(KIND) ## Download kind locally if necessary.
 $(KIND): | $(LOCALBIN)
 	$(call go-install-tool,$(KIND),sigs.k8s.io/kind,${KIND_VERSION})
 
+.PHONY: yq
+yq: $(YQ) ## Download yq locally if necessary.
+$(YQ): | $(LOCALBIN)
+	$(call go-install-tool,$(YQ),github.com/mikefarah/yq/v4,${YQ_VERSION})
+
 $(FLUX_HELM_CRD): | $(EXTERNAL_CRD_DIR)
 	rm -f $(FLUX_HELM_CRD)
 	curl -s https://raw.githubusercontent.com/fluxcd/helm-controller/$(FLUX_HELM_VERSION)/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml > $(FLUX_HELM_CRD)

config/dev/awscredentials.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  credentials: Cg==
+kind: Secret
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: infrastructure-aws
+    clusterctl.cluster.x-k8s.io: ""
+  name: aws-credentials
+  namespace: hmc-system
+type: Opaque

config/dev/management.yaml

@@ -7,4 +7,6 @@ spec:
   components:
     - template: cluster-api
     - template: cluster-api-provider-aws
+      config:
+        credentialsSecretName: aws-credentials
     - template: k0smotron

templates/cluster-api-provider-aws/templates/deployment.yaml

@@ -46,6 +46,10 @@ spec:
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: "cluster.local"
+        {{- if .Values.credentialsSecretName }}
+        - name: AWS_SHARED_CREDENTIALS_FILE
+          value: /home/.aws/credentials
+        {{- end }}
         image: {{ .Values.manager.image.repository }}/{{ .Values.manager.image.name }}:{{ .Values.manager.image.tag }}
         imagePullPolicy: {{ .Values.manager.imagePullPolicy }}
         livenessProbe:
@@ -81,6 +85,10 @@ spec:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
+        {{- if .Values.credentialsSecretName }}
+        - mountPath: /home/.aws
+          name: credentials
+        {{- end }}
       securityContext:
         fsGroup: 1000
         runAsNonRoot: true
@@ -98,3 +106,8 @@ spec:
         secret:
           defaultMode: 420
           secretName: capa-webhook-service-cert
+      {{- if .Values.credentialsSecretName }}
+      - name: credentials
+        secret:
+          secretName: {{ .Values.credentialsSecretName }}
+      {{- end }}

templates/cluster-api-provider-aws/values.yaml

@@ -5,6 +5,8 @@ manager:
     tag: v2.5.0
   imagePullPolicy: IfNotPresent
 
+credentialsSecretName: ""
+
 autoControllerIdentityCreator: true
 awsControllerIamRole: ""