diff --git a/controlplane/api/v1alpha1/rke2controlplane_types.go b/controlplane/api/v1alpha1/rke2controlplane_types.go
index c3dddead..23293042 100644
--- a/controlplane/api/v1alpha1/rke2controlplane_types.go
+++ b/controlplane/api/v1alpha1/rke2controlplane_types.go
@@ -283,7 +283,8 @@ type EtcdS3 struct {
 // S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
 // The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
- S3CredentialSecret corev1.ObjectReference `json:"s3CredentialSecret"`
+ // If empty, the controller will default to IAM authentication
+ S3CredentialSecret *corev1.ObjectReference `json:"s3CredentialSecret,omitempty"`
 // Bucket S3 bucket name.
 //+optional
diff --git a/controlplane/api/v1alpha1/zz_generated.conversion.go b/controlplane/api/v1alpha1/zz_generated.conversion.go
index 6414cecb..19f43009 100644
--- a/controlplane/api/v1alpha1/zz_generated.conversion.go
+++ b/controlplane/api/v1alpha1/zz_generated.conversion.go
@@ -288,7 +288,7 @@ func autoConvert_v1alpha1_EtcdS3_To_v1beta1_EtcdS3(in *EtcdS3, out *v1beta1.Etcd
 out.Endpoint = in.Endpoint
 out.EndpointCASecret = (*v1.ObjectReference)(unsafe.Pointer(in.EndpointCASecret))
 out.EnforceSSLVerify = in.EnforceSSLVerify
- out.S3CredentialSecret = in.S3CredentialSecret
+ out.S3CredentialSecret = (*v1.ObjectReference)(unsafe.Pointer(in.S3CredentialSecret))
 out.Bucket = in.Bucket
 out.Region = in.Region
 out.Folder = in.Folder
@@ -304,7 +304,7 @@ func autoConvert_v1beta1_EtcdS3_To_v1alpha1_EtcdS3(in *v1beta1.EtcdS3, out *Etcd
 out.Endpoint = in.Endpoint
 out.EndpointCASecret = (*v1.ObjectReference)(unsafe.Pointer(in.EndpointCASecret))
 out.EnforceSSLVerify = in.EnforceSSLVerify
- out.S3CredentialSecret = in.S3CredentialSecret
+ out.S3CredentialSecret = (*v1.ObjectReference)(unsafe.Pointer(in.S3CredentialSecret))
 out.Bucket = in.Bucket
 out.Region = in.Region
 out.Folder = in.Folder
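Review bot: The new doc line on S3CredentialSecret is not paired with a `//+optional` marker, although the field is now a pointer with `omitempty` and the sibling Bucket field directly below carries one; the identical v1beta1 hunk in controlplane/api/v1beta1/rke2controlplane_types.go has the same gap. The sentence also lacks a terminating period and states a guarantee ("will default to IAM authentication") that this API package cannot enforce — as far as the pkg/rke2/config.go hunk shows, the controller merely omits the static keys when the reference is nil. Suggested wording: `// If nil, the controller writes no static S3 credentials and RKE2 is expected to fall back to IAM authentication.` followed by `//+optional`. Saying "nil"/"omitted" rather than "empty" matters because an explicitly empty reference is still dereferenced by the controller.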
diff --git a/controlplane/api/v1alpha1/zz_generated.deepcopy.go b/controlplane/api/v1alpha1/zz_generated.deepcopy.go
index bda4b33b..74df47b6 100644
--- a/controlplane/api/v1alpha1/zz_generated.deepcopy.go
+++ b/controlplane/api/v1alpha1/zz_generated.deepcopy.go
@@ -108,7 +108,11 @@ func (in *EtcdS3) DeepCopyInto(out *EtcdS3) {
 *out = new(corev1.ObjectReference)
 **out = **in
 }
- out.S3CredentialSecret = in.S3CredentialSecret
+ if in.S3CredentialSecret != nil {
+ in, out := &in.S3CredentialSecret, &out.S3CredentialSecret
+ *out = new(corev1.ObjectReference)
+ **out = **in
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EtcdS3.
diff --git a/controlplane/api/v1beta1/rke2controlplane_types.go b/controlplane/api/v1beta1/rke2controlplane_types.go
index b2c3b7aa..07bcfeff 100644
--- a/controlplane/api/v1beta1/rke2controlplane_types.go
+++ b/controlplane/api/v1beta1/rke2controlplane_types.go
@@ -323,7 +323,8 @@ type EtcdS3 struct {
 // S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
 // The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
- S3CredentialSecret corev1.ObjectReference `json:"s3CredentialSecret"`
+ // If empty, the controller will default to IAM authentication
+ S3CredentialSecret *corev1.ObjectReference `json:"s3CredentialSecret,omitempty"`
 // Bucket S3 bucket name.
 //+optional
diff --git a/controlplane/api/v1beta1/zz_generated.deepcopy.go b/controlplane/api/v1beta1/zz_generated.deepcopy.go
index ec469099..b4f4776d 100644
--- a/controlplane/api/v1beta1/zz_generated.deepcopy.go
+++ b/controlplane/api/v1beta1/zz_generated.deepcopy.go
@@ -108,7 +108,11 @@ func (in *EtcdS3) DeepCopyInto(out *EtcdS3) {
 *out = new(corev1.ObjectReference)
 **out = **in
 }
- out.S3CredentialSecret = in.S3CredentialSecret
+ if in.S3CredentialSecret != nil {
+ in, out := &in.S3CredentialSecret, &out.S3CredentialSecret
+ *out = new(corev1.ObjectReference)
+ **out = **in
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EtcdS3.
diff --git a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml
index d453d1a2..d4985c05 100644
--- a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml
+++ b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml
@@ -938,6 +938,7 @@ spec:
 description: |-
 S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
 The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
+ If empty, the controller will default to IAM authentication
 properties:
 apiVersion:
 description: API version of the referent.
@@ -981,7 +982,6 @@ spec:
 x-kubernetes-map-type: atomic
 required:
 - endpoint
- - s3CredentialSecret
 type: object
 scheduleCron:
 description: 'ScheduleCron Snapshot interval time in cron
@@ -2243,6 +2243,7 @@ spec:
 description: |-
 S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
 The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
+ If empty, the controller will default to IAM authentication
 properties:
 apiVersion:
 description: API version of the referent.
@@ -2286,7 +2287,6 @@ spec:
 x-kubernetes-map-type: atomic
 required:
 - endpoint
- - s3CredentialSecret
 type: object
 scheduleCron:
 description: 'ScheduleCron Snapshot interval time in cron
diff --git a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml
index f85b24b7..c279563a 100644
--- a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml
+++ b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml
@@ -1094,6 +1094,7 @@ spec:
 description: |-
 S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
 The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
+ If empty, the controller will default to IAM authentication
 properties:
 apiVersion:
 description: API version of the referent.
@@ -1137,7 +1138,6 @@ spec:
 x-kubernetes-map-type: atomic
 required:
 - endpoint
- - s3CredentialSecret
 type: object
 scheduleCron:
 description: 'ScheduleCron Snapshot interval time
diff --git a/pkg/rke2/config.go b/pkg/rke2/config.go
index 62fd7dbe..ed9b53c3 100644
--- a/pkg/rke2/config.go
+++ b/pkg/rke2/config.go
@@ -266,24 +266,28 @@ func newRKE2ServerConfig(opts ServerConfigOpts) (*ServerConfig, []bootstrapv1.Fi
 if opts.ServerConfig.Etcd.BackupConfig.S3 != nil {
 rke2ServerConfig.EtcdS3 = true
 awsCredentialsSecret := &corev1.Secret{}
+ accessKeyID, secretAccessKey := []byte{}, []byte{}
- if err := opts.Client.Get(opts.Ctx, types.NamespacedName{
- Name: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Name,
- Namespace: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Namespace,
- }, awsCredentialsSecret); err != nil {
- return nil, nil, fmt.Errorf("failed to get aws credentials secret: %w", err)
- }
+ if opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret != nil {
+ if err := opts.Client.Get(opts.Ctx, types.NamespacedName{
+ Name: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Name,
+ Namespace: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Namespace,
+ }, awsCredentialsSecret); err != nil {
+ return nil, nil, fmt.Errorf("failed to get aws credentials secret: %w", err)
+ }
- accessKeyID, ok := awsCredentialsSecret.Data["aws_access_key_id"]
+ var ok bool
+ accessKeyID, ok = awsCredentialsSecret.Data["aws_access_key_id"]
- if !ok {
- return nil, nil, fmt.Errorf("aws credentials secret is missing aws_access_key_id")
- }
+ if !ok {
+ return nil, nil, fmt.Errorf("aws credentials secret is missing aws_access_key_id")
+ }
- secretAccessKey, ok := awsCredentialsSecret.Data["aws_secret_access_key"]
+ secretAccessKey, ok = awsCredentialsSecret.Data["aws_secret_access_key"]
- if !ok {
- return nil, nil, fmt.Errorf("aws credentials secret is missing aws_secret_access_key")
+ if !ok {
+ return nil, nil, fmt.Errorf("aws credentials secret is missing aws_secret_access_key")
+ }
 }
 rke2ServerConfig.EtcdS3AccessKey = string(accessKeyID)
diff --git a/pkg/rke2/config_test.go b/pkg/rke2/config_test.go
index a2c74d83..8e21fd69 100644
--- a/pkg/rke2/config_test.go
+++ b/pkg/rke2/config_test.go
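Review bot: The nil branch introduced by `if opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret != nil` silently produces a server config with empty `EtcdS3AccessKey`/`EtcdS3SecretKey`, and nothing in the hunk records that snapshots are now relying on ambient credentials, so an accidentally omitted secret looks the same as an intentional IAM setup until uploads fail. A why-comment on that `if` (`// No credential secret: write no static keys; RKE2 is expected to authenticate to S3 with ambient (IAM) credentials.`) plus an info-level log in the nil case would make the decision auditable from the controller logs. Two style points in the same hunk: `accessKeyID, secretAccessKey := []byte{}, []byte{}` can be `var accessKeyID, secretAccessKey []byte` since `string(nil)` is already `""`, and `awsCredentialsSecret := &corev1.Secret{}` is now allocated on the path that never uses it and belongs inside the branch. Note the check is on nil rather than on an empty reference: a non-nil reference with an empty Name still reaches `Get` and surfaces the wrapped error, which is sound but differs from the field comment's "If empty" wording. newRKE2ServerConfig starts and ends outside the hunk.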
@@ -110,7 +110,7 @@ var _ = Describe("RKE2ServerConfig", func() {
 ExposeMetrics: true,
 BackupConfig: controlplanev1.EtcdBackupConfig{
 S3: &controlplanev1.EtcdS3{
- S3CredentialSecret: corev1.ObjectReference{
+ S3CredentialSecret: &corev1.ObjectReference{
 Name: "test",
 Namespace: "test",
 },
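Review bot: This hunk only adapts the existing fixture to the pointer type; nothing visible exercises the new path in newRKE2ServerConfig where the reference is nil, which is precisely the behaviour the change introduces (unless a hunk beyond this page adds it). A sibling case with `S3CredentialSecret: nil,` in the `EtcdS3` fixture should assert that no Secret lookup is attempted and that the returned config still has `EtcdS3` set while the static keys are empty, e.g. `Expect(cfg.EtcdS3AccessKey).To(BeEmpty())` (constructed name). Covering the missing-key errors already in the code path would be worthwhile too, since the nil/non-nil split now doubles the branches around them. The enclosing Describe block starts and ends outside the hunk.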