add role for aws-creds-secret-reader

openshift · Oct 6, 2018 · 0aa62e6 · 0aa62e6
1 parent cf0c81d
commit 0aa62e6
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 29 deletions.
diff --git a/pkg/asset/manifests/content/tectonic/aws-creds-secret-and-reader-role.go b/pkg/asset/manifests/content/tectonic/aws-creds-secret-and-reader-role.go
@@ -0,0 +1,31 @@
+package tectonic
+
+import (
+	"text/template"
+)
+
+var (
+	// AwsCredsSecretAndReaderRole is the constant to represent contents of aws-creds-secret.yaml file
+	AwsCredsSecretAndReaderRole = template.Must(template.New("aws-creds-secret-and-reader-role.yaml").Parse(`
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: kube-system
+  name: aws-creds-secret
+data:
+  aws_access_key_id: {{.Base64encodeAWSaccessKeyID}}
+  aws_secret_access_key: {{.Base64encodeAWSsecretAccessKey}}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  namespace: kube-system
+  name: aws-creds-secret-reader
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["aws-creds-secret"]
+  verbs: ["get"]
+`))
+)
diff --git a/pkg/asset/manifests/content/tectonic/aws-creds-secret.go b/pkg/asset/manifests/content/tectonic/aws-creds-secret.go
diff --git a/pkg/asset/manifests/tectonic.go b/pkg/asset/manifests/tectonic.go
@@ -40,20 +40,21 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error {
 	ingressCertKey := &tls.IngressCertKey{}
 	kubeCA := &tls.KubeCA{}
 	dependencies.Get(installConfig, ingressCertKey, kubeCA)
-	// TODO: Fix this... to initiate an empty creds....
-	creds := credentials.Value{AccessKeyID: "", SecretAccessKey: ""}
+	// TODO: Find out what the format is for other cloud-provider creds
+	// make the secret/role 'cloud-creds-secret' instead of 'aws-creds-secret'
+	awscreds := credentials.Value{AccessKeyID: "", SecretAccessKey: ""}
 	var err error
 	if installConfig.Config.Platform.AWS != nil {
 		p := credentials.SharedCredentialsProvider{}
-		creds, err = p.Retrieve()
+		awscreds, err = p.Retrieve()
 		if err != nil {
 			return err
 		}
 	}
 
 	templateData := &tectonicTemplateData{
-		Base64encodeAWSaccessKeyID:             base64.StdEncoding.EncodeToString([]byte(creds.AccessKeyID)),
-		Base64encodeAWSsecretAccessKey:         base64.StdEncoding.EncodeToString([]byte(creds.SecretAccessKey)),
+		Base64encodeAWSaccessKeyID:             base64.StdEncoding.EncodeToString([]byte(awscreds.AccessKeyID)),
+		Base64encodeAWSsecretAccessKey:         base64.StdEncoding.EncodeToString([]byte(awscreds.SecretAccessKey)),
 		IngressCaCert:                          base64.StdEncoding.EncodeToString(kubeCA.Cert()),
 		IngressKind:                            "haproxy-router",
 		IngressStatusPassword:                  installConfig.Config.Admin.Password, // FIXME: generate a new random one instead?
@@ -68,7 +69,7 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error {
 	}
 
 	assetData := map[string][]byte{
-		"99_aws-creds-secret.json":                   applyTemplateData(content.AwsCredsSecret, templateData),
+		"99_aws-creds-secret-and-reader-role.yaml":   applyTemplateData(content.AwsCredsSecretAndReaderRole, templateData),
 		"99_binding-discovery.yaml":                  []byte(content.BindingDiscovery),
 		"99_kube-addon-00-appversion.yaml":           []byte(content.AppVersionKubeAddon),
 		"99_kube-addon-01-operator.yaml":             applyTemplateData(content.KubeAddonOperator, templateData),