Skip to content

Commit

Permalink
feat: make aws credentials optional when s3 backup
Browse files Browse the repository at this point in the history
Signed-off-by: Carlos Salas <[email protected]>
  • Loading branch information
salasberryfin committed Jan 9, 2025
1 parent b1d4cfa commit b9367bb
Show file tree
Hide file tree
Showing 9 changed files with 37 additions and 23 deletions.
3 changes: 2 additions & 1 deletion controlplane/api/v1alpha1/rke2controlplane_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -283,7 +283,8 @@ type EtcdS3 struct {

// S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
// The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
S3CredentialSecret corev1.ObjectReference `json:"s3CredentialSecret"`
// If empty, the controller will default to IAM authentication
S3CredentialSecret *corev1.ObjectReference `json:"s3CredentialSecret,omitempty"`

// Bucket S3 bucket name.
//+optional
Expand Down
4 changes: 2 additions & 2 deletions controlplane/api/v1alpha1/zz_generated.conversion.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 5 additions & 1 deletion controlplane/api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion controlplane/api/v1beta1/rke2controlplane_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -323,7 +323,8 @@ type EtcdS3 struct {

// S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
// The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
S3CredentialSecret corev1.ObjectReference `json:"s3CredentialSecret"`
// If empty, the controller will default to IAM authentication
S3CredentialSecret *corev1.ObjectReference `json:"s3CredentialSecret,omitempty"`

// Bucket S3 bucket name.
//+optional
Expand Down
6 changes: 5 additions & 1 deletion controlplane/api/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -938,6 +938,7 @@ spec:
description: |-
S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
If empty, the controller will default to IAM authentication
properties:
apiVersion:
description: API version of the referent.
Expand Down Expand Up @@ -981,7 +982,6 @@ spec:
x-kubernetes-map-type: atomic
required:
- endpoint
- s3CredentialSecret
type: object
scheduleCron:
description: 'ScheduleCron Snapshot interval time in cron
Expand Down Expand Up @@ -2243,6 +2243,7 @@ spec:
description: |-
S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
If empty, the controller will default to IAM authentication
properties:
apiVersion:
description: API version of the referent.
Expand Down Expand Up @@ -2286,7 +2287,6 @@ spec:
x-kubernetes-map-type: atomic
required:
- endpoint
- s3CredentialSecret
type: object
scheduleCron:
description: 'ScheduleCron Snapshot interval time in cron
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1094,6 +1094,7 @@ spec:
description: |-
S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
If empty, the controller will default to IAM authentication
properties:
apiVersion:
description: API version of the referent.
Expand Down Expand Up @@ -1137,7 +1138,6 @@ spec:
x-kubernetes-map-type: atomic
required:
- endpoint
- s3CredentialSecret
type: object
scheduleCron:
description: 'ScheduleCron Snapshot interval time
Expand Down
30 changes: 17 additions & 13 deletions pkg/rke2/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -268,24 +268,28 @@ func newRKE2ServerConfig(opts ServerConfigOpts) (*ServerConfig, []bootstrapv1.Fi
if opts.ServerConfig.Etcd.BackupConfig.S3 != nil {
rke2ServerConfig.EtcdS3 = true
awsCredentialsSecret := &corev1.Secret{}
accessKeyID, secretAccessKey := []byte{}, []byte{}

if err := opts.Client.Get(opts.Ctx, types.NamespacedName{
Name: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Name,
Namespace: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Namespace,
}, awsCredentialsSecret); err != nil {
return nil, nil, fmt.Errorf("failed to get aws credentials secret: %w", err)
}
if opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret != nil {
if err := opts.Client.Get(opts.Ctx, types.NamespacedName{
Name: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Name,
Namespace: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Namespace,
}, awsCredentialsSecret); err != nil {
return nil, nil, fmt.Errorf("failed to get aws credentials secret: %w", err)
}

accessKeyID, ok := awsCredentialsSecret.Data["aws_access_key_id"]
var ok bool
accessKeyID, ok = awsCredentialsSecret.Data["aws_access_key_id"]

if !ok {
return nil, nil, fmt.Errorf("aws credentials secret is missing aws_access_key_id")
}
if !ok {
return nil, nil, fmt.Errorf("aws credentials secret is missing aws_access_key_id")
}

secretAccessKey, ok := awsCredentialsSecret.Data["aws_secret_access_key"]
secretAccessKey, ok = awsCredentialsSecret.Data["aws_secret_access_key"]

if !ok {
return nil, nil, fmt.Errorf("aws credentials secret is missing aws_secret_access_key")
if !ok {
return nil, nil, fmt.Errorf("aws credentials secret is missing aws_secret_access_key")
}
}

rke2ServerConfig.EtcdS3AccessKey = string(accessKeyID)
Expand Down
2 changes: 1 addition & 1 deletion pkg/rke2/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ var _ = Describe("RKE2ServerConfig", func() {
ExposeMetrics: true,
BackupConfig: controlplanev1.EtcdBackupConfig{
S3: &controlplanev1.EtcdS3{
S3CredentialSecret: corev1.ObjectReference{
S3CredentialSecret: &corev1.ObjectReference{
Name: "test",
Namespace: "test",
},
Expand Down

0 comments on commit b9367bb

Please sign in to comment.