From 11d37f238b9147bf7fed17e9831628b7c7db903f Mon Sep 17 00:00:00 2001
From: eromanova
Date: Tue, 18 Jun 2024 16:05:35 +0400
Subject: [PATCH 1/2] Support to pass credentials secret to CAPA
---
 .../templates/deployment.yaml | 13 +++++++++++++
 templates/cluster-api-provider-aws/values.yaml | 2 ++
 2 files changed, 15 insertions(+)
diff --git a/templates/cluster-api-provider-aws/templates/deployment.yaml b/templates/cluster-api-provider-aws/templates/deployment.yaml
index f8d60b3b9..64b046931 100644
--- a/templates/cluster-api-provider-aws/templates/deployment.yaml
+++ b/templates/cluster-api-provider-aws/templates/deployment.yaml
@@ -46,6 +46,10 @@ spec:
 env:
 - name: KUBERNETES_CLUSTER_DOMAIN
 value: "cluster.local"
+ {{- if .Values.credentialsSecretName }}
+ - name: AWS_SHARED_CREDENTIALS_FILE
+ value: /home/.aws/credentials
+ {{- end }}
 image: {{ .Values.manager.image.repository }}/{{ .Values.manager.image.name }}:{{ .Values.manager.image.tag }}
 imagePullPolicy: {{ .Values.manager.imagePullPolicy }}
 livenessProbe:
@@ -81,6 +85,10 @@ spec:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: cert
 readOnly: true
+ {{- if .Values.credentialsSecretName }}
+ - mountPath: /home/.aws
+ name: credentials
+ {{- end }}
 securityContext:
 fsGroup: 1000
 runAsNonRoot: true
@@ -98,3 +106,8 @@ spec:
 secret:
 defaultMode: 420
 secretName: capa-webhook-service-cert
+ {{- if .Values.credentialsSecretName }}
+ - name: credentials
+ secret:
+ secretName: {{ .Values.credentialsSecretName }}
+ {{- end }}
diff --git a/templates/cluster-api-provider-aws/values.yaml b/templates/cluster-api-provider-aws/values.yaml
index b45c18e1b..a470cdfd7 100644
--- a/templates/cluster-api-provider-aws/values.yaml
+++ b/templates/cluster-api-provider-aws/values.yaml
@@ -5,6 +5,8 @@ manager:
 tag: v2.5.0
 imagePullPolicy: IfNotPresent
+credentialsSecretName: ""
+
 autoControllerIdentityCreator: true
 awsControllerIamRole: ""
From 4b37a6935f4606df78019dedeae18a0ca8896891 Mon Sep 17 00:00:00 2001
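Review bot: The new `AWS_SHARED_CREDENTIALS_FILE` value `/home/.aws/credentials` only resolves if the Secret mounted at `/home/.aws` carries a key literally named `credentials`, and nothing in the template states that contract; the dev Secret in PATCH 2/2 happens to use that key, but any other Secret passed via `credentialsSecretName` would silently yield a missing file at runtime. Add a template comment next to the env entry, for example `{{- /* the Secret named by .Values.credentialsSecretName must hold the AWS shared credentials file under key "credentials" */}}`, or expose the key name as a value too. The container spec this env block belongs to starts and ends outside the hunk.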
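Review bot: The `/home/.aws` volume mount added in the second hunk has no `readOnly: true`, while the sibling `cert` mount in the same list does; a credentials file should not be writable from inside the container. Add `readOnly: true` under `name: credentials` so the two mounts are consistent. The volumeMounts list this entry belongs to begins outside the hunk.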
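Review bot: In the third hunk, `secretName: {{ .Values.credentialsSecretName }}` renders the value unquoted, so a Secret name that YAML reads as a non-string (all digits, or a boolean-looking word) would produce an invalid manifest; render it as `secretName: {{ .Values.credentialsSecretName | quote }}`. The new volume also relies on the default file mode, whereas the adjacent cert volume sets `defaultMode: 420` explicitly; for a credentials file a tighter mode such as `defaultMode: 288` (0440, readable by the fsGroup only) is worth setting, provided the manager process with `fsGroup: 1000` and `runAsNonRoot: true` can still read it — confirm that before changing it.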
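Review bot: `credentialsSecretName: ""` in values.yaml is added with no comment, so a chart user cannot tell what shape the Secret must have or where it must live; a Deployment can only mount Secrets from its own namespace, and the deployment template reads the file from key `credentials`. Add above it something like `# Name of an existing Secret in the release namespace whose "credentials" key holds an AWS shared credentials file; leave empty to skip mounting it.`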
From: eromanova
Date: Tue, 18 Jun 2024 16:41:49 +0400
Subject: [PATCH 2/2] Create AWS credentials secret on dev env
---
 Makefile | 15 ++++++++++++++-
 config/dev/awscredentials.yaml | 11 +++++++++++
 config/dev/management.yaml | 2 ++
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 config/dev/awscredentials.yaml
diff --git a/Makefile b/Makefile
index 2382fa626..9a40297a3 100644
--- a/Makefile
+++ b/Makefile
@@ -167,6 +167,8 @@ LOCAL_REGISTRY_NAME ?= hmc-local-registry
 LOCAL_REGISTRY_PORT ?= 5001
 LOCAL_REGISTRY_REPO ?= oci://127.0.0.1:$(LOCAL_REGISTRY_PORT)/charts
+AWS_CREDENTIALS=${AWS_B64ENCODED_CREDENTIALS}
+
 ifndef ignore-not-found
 ignore-not-found = false
 endif
@@ -247,8 +249,12 @@ dev-templates: templates-generate
 dev-management:
 $(KUBECTL) -n $(NAMESPACE) apply -f config/dev/management.yaml
+.PHONY: dev-aws
+dev-aws: yq
+ $(YQ) e ".data.credentials = \"${AWS_CREDENTIALS}\"" config/dev/awscredentials.yaml | $(KUBECTL) -n $(NAMESPACE) apply -f -
+
 .PHONY: dev-apply
-dev-apply: kind-deploy crd-install registry-deploy helm-controller-deploy dev-push dev-deploy dev-templates dev-management
+dev-apply: kind-deploy crd-install registry-deploy helm-controller-deploy dev-push dev-deploy dev-templates dev-management dev-aws
 .PHONY: dev-destroy
 dev-destroy: kind-undeploy registry-undeploy
@@ -279,6 +285,7 @@ GOLANGCI_LINT = $(LOCALBIN)/golangci-lint-$(GOLANGCI_LINT_VERSION)
 HELM ?= $(LOCALBIN)/helm-$(HELM_VERSION)
 HELMIFY ?= $(LOCALBIN)/helmify-$(HELMIFY_VERSION)
 KIND ?= $(LOCALBIN)/kind-$(KIND_VERSION)
+YQ ?= $(LOCALBIN)/yq-$(YQ_VERSION)
 FLUX_CHART_REPOSITORY ?= oci://ghcr.io/fluxcd-community/charts/flux2
 FLUX_CHART_VERSION ?= 2.13.0
@@ -292,6 +299,7 @@ GOLANGCI_LINT_VERSION ?= v1.57.2
 HELM_VERSION ?= v3.15.1
 HELMIFY_VERSION ?= v0.4.13
 KIND_VERSION ?= v0.23.0
+YQ_VERSION ?= v4.44.2
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
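Review bot: `AWS_CREDENTIALS=${AWS_B64ENCODED_CREDENTIALS}` in the first Makefile hunk departs from the surrounding variables, which all use the `NAME ?= value` form with spaces and `$(...)` references; `AWS_CREDENTIALS ?= $(AWS_B64ENCODED_CREDENTIALS)` matches them and also lets the value be overridden on the make command line. Because the value is a credential, add `export AWS_CREDENTIALS` on the next line so recipes can read it from the environment rather than having it interpolated into command text.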
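Review bot: The `dev-aws` recipe in the second Makefile hunk splices the base64-encoded credentials into the yq expression, and because the line has no `@` prefix make echoes the full command, credentials included, to stdout, so they end up in any terminal or CI log and are visible in the process list while yq runs. Let yq take the value from the environment instead: `@test -n "$(AWS_CREDENTIALS)" || { echo "AWS_B64ENCODED_CREDENTIALS is not set" >&2; exit 1; }` followed by `@$(YQ) e '.data.credentials = strenv(AWS_CREDENTIALS)' config/dev/awscredentials.yaml | $(KUBECTL) -n $(NAMESPACE) apply -f -`, with `export AWS_CREDENTIALS` placed next to the variable's definition. The guard also stops an unset variable from applying a Secret whose `credentials` value is the empty string, which the current command does silently.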
@@ -330,6 +338,11 @@ kind: $(KIND) ## Download kind locally if necessary.
 $(KIND): | $(LOCALBIN)
 $(call go-install-tool,$(KIND),sigs.k8s.io/kind,${KIND_VERSION})
+.PHONY: yq
+yq: $(YQ) ## Download yq locally if necessary.
+$(YQ): | $(LOCALBIN)
+ $(call go-install-tool,$(YQ),github.com/mikefarah/yq/v4,${YQ_VERSION})
+
 $(FLUX_HELM_CRD): | $(EXTERNAL_CRD_DIR)
 rm -f $(FLUX_HELM_CRD)
 curl -s https://raw.githubusercontent.com/fluxcd/helm-controller/$(FLUX_HELM_VERSION)/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml > $(FLUX_HELM_CRD)
diff --git a/config/dev/awscredentials.yaml b/config/dev/awscredentials.yaml
new file mode 100644
index 000000000..e4546e87c
--- /dev/null
+++ b/config/dev/awscredentials.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ credentials: Cg==
+kind: Secret
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: infrastructure-aws
+ clusterctl.cluster.x-k8s.io: ""
+ name: aws-credentials
+ namespace: hmc-system
+type: Opaque
diff --git a/config/dev/management.yaml b/config/dev/management.yaml
index 02474bce2..b533fcc36 100644
--- a/config/dev/management.yaml
+++ b/config/dev/management.yaml
@@ -7,4 +7,6 @@ spec:
 components:
 - template: cluster-api
 - template: cluster-api-provider-aws
+ config:
+ credentialsSecretName: aws-credentials
 - template: k0smotron
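Review bot: `namespace: hmc-system` is hard-coded in the new `config/dev/awscredentials.yaml` while the `dev-aws` target applies it with `kubectl -n $(NAMESPACE)`; if `NAMESPACE` is ever set to anything else, kubectl rejects the object because the manifest namespace does not match the flag. Either drop the `namespace:` line so the `-n` flag decides, or document that `NAMESPACE` must stay `hmc-system` for this target. The stub value `credentials: Cg==` (a base64-encoded newline) is fine to commit, but a comment above it such as `# placeholder; make dev-aws replaces this with AWS_B64ENCODED_CREDENTIALS` would tell a reader it is not a real credential and that the file must never be committed with a filled-in value.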
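Review bot: `credentialsSecretName: aws-credentials` in `config/dev/management.yaml` only works if the Secret lives in the namespace where the cluster-api-provider-aws workload is deployed, since a Deployment's secret volume cannot reference Secrets from another namespace; the dev Secret is created in `hmc-system`, and whether the provider is installed there is not visible on this page. A comment such as `# Secret must exist in the namespace the provider runs in; created by make dev-aws` would make the dependency explicit.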