From 36e7ae689474882ebb5293a75b5c5ad54d13a0c6 Mon Sep 17 00:00:00 2001
From: Sebastian Florek
Date: Tue, 1 Oct 2024 12:38:55 +0200
Subject: [PATCH] make aws access keys optional
---
 api/v1alpha1/upgradeinsights_types.go | 8 +--
 .../upgradeinsights_cloudprovider.go | 59 ++++++++++++++-----
 2 files changed, 47 insertions(+), 20 deletions(-)
diff --git a/api/v1alpha1/upgradeinsights_types.go b/api/v1alpha1/upgradeinsights_types.go
index bfc00209..d528a72b 100644
--- a/api/v1alpha1/upgradeinsights_types.go
+++ b/api/v1alpha1/upgradeinsights_types.go
@@ -108,8 +108,8 @@ type AWSProviderCredentials struct {
 Region string `json:"region"`
 // AccessKeyID is your access key ID used to authenticate against AWS API.
- // +kubebuilder:validation:Required
- AccessKeyID string `json:"accessKeyID"`
+ // +kubebuilder:validation:Optional
+ AccessKeyID *string `json:"accessKeyID,omitempty"`
 // SecretAccessKeyRef is a reference to the secret that contains secret access key.
 // Since UpgradeInsights is a cluster-scoped resource we can't use local reference.
@@ -131,6 +131,6 @@ type AWSProviderCredentials struct {
 // name: eks-credentials
 // namespace: upgrade-insights-test
 //
- // +kubebuilder:validation:Required
- SecretAccessKeyRef corev1.SecretReference `json:"secretAccessKeyRef"`
+ // +kubebuilder:validation:Optional
+ SecretAccessKeyRef *corev1.SecretReference `json:"secretAccessKeyRef,omitempty"`
 }
diff --git a/internal/controller/upgradeinsights_cloudprovider.go b/internal/controller/upgradeinsights_cloudprovider.go
index b4db4f68..a89d0fb5 100644
--- a/internal/controller/upgradeinsights_cloudprovider.go
+++ b/internal/controller/upgradeinsights_cloudprovider.go
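Review bot: In api/v1alpha1/upgradeinsights_types.go the two hunks make `AccessKeyID` and `SecretAccessKeyRef` optional independently, so the API now accepts a spec that sets one without the other. `hasAccessKeys` in the controller hunk treats that case as no keys at all, and `config` then loads the default credential chain, so a half-filled spec would appear to run under the controller's ambient AWS identity with no error reported. A cross-field rule on the struct would reject this at admission, for example `// +kubebuilder:validation:XValidation:rule="has(self.accessKeyID) == has(self.secretAccessKeyRef)",message="accessKeyID and secretAccessKeyRef must be set together"`. The `AWSProviderCredentials` declaration starts outside both hunks, so any markers already on the type are not visible here.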
@@ -156,28 +156,55 @@ func (in *EKSCloudProvider) toInsightDetails(insight *types.Insight) []*console.
 }
 func (in *EKSCloudProvider) config(ctx context.Context, ui v1alpha1.UpgradeInsights) (aws.Config, error) {
- // If credentials are not provided in the request, then use default credentials.
- if ui.Spec.Credentials == nil || ui.Spec.Credentials.AWS == nil {
- return awsconfig.LoadDefaultConfig(ctx, awsconfig.WithEC2IMDSRegion())
- }
+ options := []func(*awsconfig.LoadOptions) error{awsconfig.WithEC2IMDSRegion()}
- // Otherwise use provided credentials.
- credentials := ui.Spec.Credentials.AWS
- secretAccessKey, err := in.handleSecretAccessKeyRef(ctx, ui.Spec.Credentials.AWS.SecretAccessKeyRef, ui.Namespace)
- if err != nil {
- return aws.Config{}, err
+ if in.hasAccessKeys(ui) {
+ options = append(options, in.withCredentials(ctx, ui))
 }
- config, err := awsconfig.LoadDefaultConfig(ctx)
- if err != nil {
- return aws.Config{}, err
+ if in.hasRegion(ui) {
+ options = append(options, in.withRegion(ui))
 }
- config.Region = credentials.Region
- config.Credentials = awscredentials.NewStaticCredentialsProvider(
- credentials.AccessKeyID, secretAccessKey, "")
+ return awsconfig.LoadDefaultConfig(ctx, options...)
+}
+
+func (in *EKSCloudProvider) hasCredentials(ui v1alpha1.UpgradeInsights) bool {
+ return ui.Spec.Credentials != nil && ui.Spec.Credentials.AWS != nil
+}
+
+func (in *EKSCloudProvider) hasAccessKeys(ui v1alpha1.UpgradeInsights) bool {
+ return in.hasCredentials(ui) &&
+ ui.Spec.Credentials.AWS.SecretAccessKeyRef != nil &&
+ ui.Spec.Credentials.AWS.AccessKeyID != nil
+}
+
+func (in *EKSCloudProvider) hasRegion(ui v1alpha1.UpgradeInsights) bool {
+ return in.hasCredentials(ui) && len(ui.Spec.Credentials.AWS.Region) > 0
+}
- return config, nil
+func (in *EKSCloudProvider) withCredentials(ctx context.Context, ui v1alpha1.UpgradeInsights) awsconfig.LoadOptionsFunc {
+ credentials := ui.Spec.Credentials.AWS
+ return func(options *awsconfig.LoadOptions) error {
+ secretAccessKey, err := in.handleSecretAccessKeyRef(ctx, *credentials.SecretAccessKeyRef, ui.Namespace)
+ if err != nil {
+ return err
+ }
+
+ options.Credentials = awscredentials.NewStaticCredentialsProvider(
+ *credentials.AccessKeyID,
+ secretAccessKey,
+ "",
+ )
+ return nil
+ }
+}
+
+func (in *EKSCloudProvider) withRegion(ui v1alpha1.UpgradeInsights) awsconfig.LoadOptionsFunc {
+ return func(options *awsconfig.LoadOptions) error {
+ options.Region = ui.Spec.Credentials.AWS.Region
+ return nil
+ }
 }
 func (in *EKSCloudProvider) handleSecretAccessKeyRef(ctx context.Context, ref corev1.SecretReference, namespace string) (string, error) {
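Review bot: `withCredentials` dereferences `*credentials.SecretAccessKeyRef` and `*credentials.AccessKeyID` with no nil check of its own, so it is safe only because `config` calls it behind `hasAccessKeys`; a later caller that skips that check would hit a nil-pointer panic inside the controller. Either guard inside the closure, `if credentials.SecretAccessKeyRef == nil || credentials.AccessKeyID == nil { return errors.New("aws access keys are not set") }` (assuming `errors` is available in this file), or state the precondition in a doc comment such as `// withCredentials requires hasAccessKeys(ui) to be true; it dereferences both key fields.` The removed comment that explained the fallback to default credentials has no replacement on `config`, so which identity ends up being used is no longer documented at the call site. The body of `handleSecretAccessKeyRef` continues outside the hunk.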