diff --git a/pkg/asset/manifests/content/tectonic/aws-creds-secret-and-reader-role.go b/pkg/asset/manifests/content/tectonic/aws-creds-secret-and-reader-role.go
new file mode 100644
index 00000000000..77cc0f9cecd
--- /dev/null
+++ b/pkg/asset/manifests/content/tectonic/aws-creds-secret-and-reader-role.go
@@ -0,0 +1,31 @@
+package tectonic
+
+import (
+ "text/template"
+)
+
+var (
+ // AwsCredsSecretAndReaderRole is the constant to represent contents of aws-creds-secret.yaml file
+ AwsCredsSecretAndReaderRole = template.Must(template.New("aws-creds-secret-and-reader-role.yaml").Parse(`
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ namespace: kube-system
+ name: aws-creds-secret
+data:
+ aws_access_key_id: {{.Base64encodeAWSaccessKeyID}}
+ aws_secret_access_key: {{.Base64encodeAWSsecretAccessKey}}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ namespace: kube-system
+ name: aws-creds-secret-reader
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["aws-creds-secret"]
+ verbs: ["get"]
+`))
+)
diff --git a/pkg/asset/manifests/content/tectonic/aws-creds-secret.go b/pkg/asset/manifests/content/tectonic/aws-creds-secret.go
deleted file mode 100644
index 6d541ed7652..00000000000
--- a/pkg/asset/manifests/content/tectonic/aws-creds-secret.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package tectonic
-
-import (
- "text/template"
-)
-
-var (
- // AwsCredsSecret is the constant to represent contents of aws-creds-secret.yaml file
- AwsCredsSecret = template.Must(template.New("aws-creds-secret.json").Parse(`
-{
- "apiVersion": "v1",
- "kind": "Secret",
- "metadata": {
- "namespace": "kube-system",
- "name": "aws-creds-secret"
- },
- "data": {
- "aws_access_key_id": "{{.Base64encodeAWSaccessKeyID}}",
- "aws_secret_access_key": "{{.Base64encodeAWSsecretAccessKey}}"
- }
-}
-`))
-)
diff --git a/pkg/asset/manifests/tectonic.go b/pkg/asset/manifests/tectonic.go
index 85570921745..10c7c302706 100644
--- a/pkg/asset/manifests/tectonic.go
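Review bot: The template placeholders on the two `data:` lines are unquoted, so when the credentials are empty (the tectonic.go hunk only fills `awscreds` when `Platform.AWS` is set) the rendered YAML is `aws_access_key_id:` with no value, which YAML reads as null rather than the empty string the deleted JSON template produced with its quoted `"{{...}}"`. Quoting restores the previous behaviour and is safe for base64 output: `aws_access_key_id: "{{.Base64encodeAWSaccessKeyID}}"` and `aws_secret_access_key: "{{.Base64encodeAWSsecretAccessKey}}"`. The Role is declared as `rbac.authorization.k8s.io/v1beta1`; the stable `rbac.authorization.k8s.io/v1` group version is the one to target for a new manifest. The `resourceNames: ["aws-creds-secret"]` plus `verbs: ["get"]` scoping is the right least-privilege shape, but nothing in this commit binds `aws-creds-secret-reader` to a subject, so presumably a RoleBinding exists or is planned elsewhere and is worth confirming. The doc comment still names `aws-creds-secret.yaml`; it should read `// AwsCredsSecretAndReaderRole is the template for the aws-creds-secret-and-reader-role.yaml manifest (the AWS credentials Secret plus a Role that may only get it).`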
+++ b/pkg/asset/manifests/tectonic.go
@@ -40,20 +40,21 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error {
 ingressCertKey := &tls.IngressCertKey{}
 kubeCA := &tls.KubeCA{}
 dependencies.Get(installConfig, ingressCertKey, kubeCA)
- // TODO: Fix this... to initiate an empty creds....
- creds := credentials.Value{AccessKeyID: "", SecretAccessKey: ""}
+ // TODO: Find out what the format is for other cloud-provider creds
+ // make the secret/role 'cloud-creds-secret' instead of 'aws-creds-secret'
+ awscreds := credentials.Value{AccessKeyID: "", SecretAccessKey: ""}
 var err error
 if installConfig.Config.Platform.AWS != nil {
 p := credentials.SharedCredentialsProvider{}
- creds, err = p.Retrieve()
+ awscreds, err = p.Retrieve()
 if err != nil {
 return err
 }
 }
 templateData := &tectonicTemplateData{
- Base64encodeAWSaccessKeyID: base64.StdEncoding.EncodeToString([]byte(creds.AccessKeyID)),
- Base64encodeAWSsecretAccessKey: base64.StdEncoding.EncodeToString([]byte(creds.SecretAccessKey)),
+ Base64encodeAWSaccessKeyID: base64.StdEncoding.EncodeToString([]byte(awscreds.AccessKeyID)),
+ Base64encodeAWSsecretAccessKey: base64.StdEncoding.EncodeToString([]byte(awscreds.SecretAccessKey)),
 IngressCaCert: base64.StdEncoding.EncodeToString(kubeCA.Cert()),
 IngressKind: "haproxy-router",
 IngressStatusPassword: installConfig.Config.Admin.Password, // FIXME: generate a new random one instead?
@@ -68,7 +69,7 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error {
 }
 assetData := map[string][]byte{
- "99_aws-creds-secret.json": applyTemplateData(content.AwsCredsSecret, templateData),
+ "99_aws-creds-secret-and-reader-role.yaml": applyTemplateData(content.AwsCredsSecretAndReaderRole, templateData),
 "99_binding-discovery.yaml": []byte(content.BindingDiscovery),
 "99_kube-addon-00-appversion.yaml": []byte(content.AppVersionKubeAddon),
 "99_kube-addon-01-operator.yaml": applyTemplateData(content.KubeAddonOperator, templateData),
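Review bot: The renamed local `awscreds` should be `awsCreds` to follow Go's MixedCaps convention; it appears on the declaration, the `p.Retrieve()` assignment and both `EncodeToString` lines of this hunk. The two new TODO lines describe a future generalisation but not what the code does now; a comment such as `// awsCreds stays empty unless the platform is AWS, in which case it is read from the shared credentials file.` would document the current behaviour. Note that base64 here is only an encoding: the long-lived access key and secret read from the shared credentials file end up readable in the rendered manifest, so the output directory deserves the same handling as the credentials file itself. Generate's body continues past both ends of this hunk.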
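Review bot: The renamed `99_aws-creds-secret-and-reader-role.yaml` entry is still added to `assetData` unconditionally, so on platforms where `installConfig.Config.Platform.AWS` is nil the installer emits an AWS-named Secret with empty data together with a Role granting `get` on it. Unless non-AWS platforms are meant to receive that placeholder, gate the entry on the same condition the earlier hunk uses to read the credentials: drop it from the literal and add `if installConfig.Config.Platform.AWS != nil { assetData["99_aws-creds-secret-and-reader-role.yaml"] = applyTemplateData(content.AwsCredsSecretAndReaderRole, templateData) }` after it. The `assetData` literal and Generate continue past the end of this hunk.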