add cloud creds secret & reader role for cluster components to use po…

…st launch

docs/user/environment-variables.md

@@ -38,6 +38,8 @@ The installer accepts a number of environment variable that allow the interactiv
 
 ## Platform-Specific
 
+* `AWS_PROFILE`:
+     The AWS profile that corresponds to value in `${HOME}/.aws/credentials`.  If not provided, the default is "default".
 * `OPENSHIFT_INSTALL_AWS_REGION`:
     The AWS region to be used for installation.
 * `OPENSHIFT_INSTALL_LIBVIRT_URI`:

pkg/asset/manifests/content/tectonic/cloud-creds-secret.go

@@ -0,0 +1,28 @@
+package tectonic
+
+import (
+	"text/template"
+)
+
+var (
+	// CloudCredsSecret is the constant to represent contents of corresponding yaml file
+	CloudCredsSecret = template.Must(template.New("cloud-creds-secret.yaml").Parse(`
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: kube-system
+{{- if .CloudCreds.AWS}}
+  name: aws-creds
+{{- else if .CloudCreds.OpenStack}}
+  name: openstack-creds
+{{- end}}
+data:
+{{- if .CloudCreds.AWS}}
+  aws_access_key_id: {{.CloudCreds.AWS.Base64encodeAccessKeyID}}
+  aws_secret_access_key: {{.CloudCreds.AWS.Base64encodeSecretAccessKey}}
+{{- else if .CloudCreds.OpenStack}}
+  clouds.yaml: {{.CloudCreds.OpenStack.Base64encodeCloudCreds}}
+{{- end}}
+`))
+)

pkg/asset/manifests/content/tectonic/role-cloud-creds-secret-reader.go

@@ -0,0 +1,30 @@
+package tectonic
+
+import (
+	"text/template"
+)
+
+var (
+	// RoleCloudCredsSecretReader is the variable to represent contents of corresponding file
+	RoleCloudCredsSecretReader = template.Must(template.New("role-cloud-creds-secret-reader.yaml").Parse(`
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  namespace: kube-system
+{{- if .CloudCreds.AWS}}
+  name: aws-creds-secret-reader
+{{- else if .CloudCreds.OpenStack}}
+  name: openstack-creds-secret-reader
+{{- end}}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+{{- if .CloudCreds.AWS}}
+  resourceNames: ["aws-creds"]
+{{- else if .CloudCreds.OpenStack}}
+  resourceNames: ["openstack-creds"]
+{{- end}}
+  verbs: ["get"]
+`))
+)

pkg/asset/manifests/tectonic.go

@@ -1,12 +1,16 @@
 package manifests
 
 import (
+	"bufio"
 	"encoding/base64"
+	"io/ioutil"
+	"os"
 	"path/filepath"
 
 	"github.com/ghodss/yaml"
 	"github.com/pkg/errors"
 
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	"github.com/openshift/installer/pkg/asset/machines"
@@ -16,6 +20,7 @@ import (
 
 const (
 	tectonicManifestDir = "tectonic"
+	openStackCredsFile  = "/etc/openstack/clouds.yaml"
 )
 
 var (
@@ -57,10 +62,37 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error {
 	master := &machines.Master{}
 	addon := &kubeAddonOperator{}
 	dependencies.Get(installConfig, clusterk8sio, worker, master, addon)
+	var cloudCreds cloudCredsSecretData
+	platform := installConfig.Config.Platform.Name()
+	switch platform {
+	case "aws":
+		p := credentials.SharedCredentialsProvider{}
+		creds, err := p.Retrieve()
+		if err != nil {
+			return err
+		}
+		cloudCreds = cloudCredsSecretData{
+			AWS: &AwsCredsSecretData{
+				Base64encodeAccessKeyID:     base64.StdEncoding.EncodeToString([]byte(creds.AccessKeyID)),
+				Base64encodeSecretAccessKey: base64.StdEncoding.EncodeToString([]byte(creds.SecretAccessKey)),
+			},
+		}
+	case "openstack":
+		credsEncoded, err := credsFileEncode(openStackCredsFile)
+		if err != nil {
+			return err
+		}
+		cloudCreds = cloudCredsSecretData{
+			OpenStack: &OpenStackCredsSecretData{
+				Base64encodeCloudCreds: credsEncoded,
+			},
+		}
+	}
 
 	templateData := &tectonicTemplateData{
 		KubeAddonOperatorImage: "quay.io/coreos/kube-addon-operator-dev:70cae49142ff69e83ed7b41fa81a585b02cdea7d",
 		PullSecret:             base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
+		CloudCreds:             cloudCreds,
 	}
 
 	assetData := map[string][]byte{
@@ -78,6 +110,12 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error {
 		"99_tectonic-system-02-pull.json":                        applyTemplateData(content.PullTectonicSystem, templateData),
 	}
 
+	switch platform {
+	case "aws", "openstack":
+		assetData["99_cloud-creds-secret.yaml"] = applyTemplateData(content.CloudCredsSecret, templateData)
+		assetData["99_role-cloud-creds-secret-reader.yaml"] = applyTemplateData(content.RoleCloudCredsSecretReader, templateData)
+	}
+
 	// addon goes to openshift system
 	t.TectonicConfig = configMap("tectonic-system", "cluster-config-v1", genericData{
 		"addon-config": string(addon.Files()[0].Data),
@@ -136,3 +174,14 @@ func (t *Tectonic) Load(f asset.FileFetcher) (bool, error) {
 	t.FileList, t.TectonicConfig = fileList, tectonicConfig
 	return true, nil
 }
+
+// credsFileEncode returns contents of a file as base64 encoded string
+func credsFileEncode(credsFile string) (string, error) {
+	f, _ := os.Open(credsFile)
+	reader := bufio.NewReader(f)
+	credsData, err := ioutil.ReadAll(reader)
+	if err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(credsData), nil
+}

pkg/asset/manifests/template.go

@@ -1,5 +1,21 @@
 package manifests
 
+// AwsCredsSecretData holds encoded credentials and is used to generate cloud-creds secret
+type AwsCredsSecretData struct {
+	Base64encodeAccessKeyID     string
+	Base64encodeSecretAccessKey string
+}
+
+// OpenStackCredsSecretData holds encoded credentials and is used to generate cloud-creds secret
+type OpenStackCredsSecretData struct {
+	Base64encodeCloudCreds string
+}
+
+type cloudCredsSecretData struct {
+	AWS       *AwsCredsSecretData
+	OpenStack *OpenStackCredsSecretData
+}
+
 type bootkubeTemplateData struct {
 	AggregatorCaCert                string
 	AggregatorCaKey                 string
@@ -37,4 +53,5 @@ type bootkubeTemplateData struct {
 type tectonicTemplateData struct {
 	KubeAddonOperatorImage string
 	PullSecret             string
+	CloudCreds             cloudCredsSecretData
 }