From 6f4d77b78c45ee8a52e5e8dd366b5835bfd9d162 Mon Sep 17 00:00:00 2001
From: romeroalx
Date: Tue, 13 Aug 2024 13:09:23 +0200
Subject: [PATCH] Enable IRSA for aws s3 backends

Enable IRSA for aws s3 backends by making the attributes s3-access-key-id and s3-secret-access-key optional in object_storage_s3_secret

closes #1327
---
 CHANGES/1327.bugfix | 2 ++
 controllers/repo_manager/secret.go | 16 +++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 CHANGES/1327.bugfix

diff --git a/CHANGES/1327.bugfix b/CHANGES/1327.bugfix
new file mode 100644
index 000000000..3751cef99
--- /dev/null
+++ b/CHANGES/1327.bugfix
@@ -0,0 +1,2 @@
+S3 backend attributes `s3-access-key-id` and `s3-secret-access-key` made optional
+to allow authentication via AWS IAM roles for Kubernetes service accounts.
diff --git a/controllers/repo_manager/secret.go b/controllers/repo_manager/secret.go
index 93f53ec65..b8eaa4d13 100644
--- a/controllers/repo_manager/secret.go
+++ b/controllers/repo_manager/secret.go
@@ -398,18 +398,26 @@ func s3Settings(resources controllers.FunctionResources, pulpSettings *string) {
 }
 logger.V(1).Info("Retrieving S3 data from " + resources.Pulp.Spec.ObjectStorageS3Secret)
- storageData, err := controllers.RetrieveSecretData(context, pulp.Spec.ObjectStorageS3Secret, pulp.Namespace, true, client, "s3-access-key-id", "s3-secret-access-key", "s3-bucket-name")
+ storageData, err := controllers.RetrieveSecretData(context, pulp.Spec.ObjectStorageS3Secret, pulp.Namespace, true, client, "s3-bucket-name")
 if err != nil {
 logger.Error(err, "Secret Not Found!", "Secret.Namespace", pulp.Namespace, "Secret.Name", pulp.Spec.ObjectStorageS3Secret)
 return
 }
- optionalKey, _ := controllers.RetrieveSecretData(resources.Context, resources.Pulp.Spec.ObjectStorageS3Secret, resources.Pulp.Namespace, false, client, "s3-endpoint", "s3-region")
+ optionalKey, _ := controllers.RetrieveSecretData(resources.Context, resources.Pulp.Spec.ObjectStorageS3Secret, resources.Pulp.Namespace, false, client, "s3-endpoint", "s3-region", "s3-access-key-id", "s3-secret-access-key")
 if len(optionalKey["s3-endpoint"]) == 0 && len(optionalKey["s3-region"]) == 0 {
 logger.Error(err, "Either s3-endpoint or s3-region needs to be specified", "Secret.Namespace", resources.Pulp.Namespace, "Secret.Name", resources.Pulp.Spec.ObjectStorageS3Secret)
 return
 }
+ if len(optionalKey["s3-secret-access-key"]) > 0 {
+ *pulpSettings = *pulpSettings + fmt.Sprintf("AWS_SECRET_ACCESS_KEY = \"%v\"\n", optionalKey["s3-secret-access-key"])
+ }
+
+ if len(optionalKey["s3-access-key-id"]) > 0 {
+ *pulpSettings = *pulpSettings + fmt.Sprintf("AWS_ACCESS_KEY_ID = \"%v\"\n", optionalKey["s3-access-key-id"])
+ }
+
 if len(optionalKey["s3-endpoint"]) > 0 {
 *pulpSettings = *pulpSettings + fmt.Sprintf("AWS_S3_ENDPOINT_URL = \"%v\"\n", optionalKey["s3-endpoint"])
 }
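Review bot: The two new blocks only test each key's presence independently, so a secret carrying `s3-access-key-id` without `s3-secret-access-key` (or the reverse) now passes validation and writes half a credential pair into the settings, where the previous required lookup would have failed fast with a clear error; add a parity check before them, e.g. `if (len(optionalKey["s3-access-key-id"]) > 0) != (len(optionalKey["s3-secret-access-key"]) > 0) { logger.Error(nil, "s3-access-key-id and s3-secret-access-key must be set together", "Secret.Namespace", resources.Pulp.Namespace, "Secret.Name", resources.Pulp.Spec.ObjectStorageS3Secret); return }`. The credential values are also interpolated verbatim with `%v` into what the following hunk suggests is a Python settings file (`S3_USE_SIGV4 = True`), so a value containing a double quote or newline would break or extend the generated settings; the endpoint/region lines already share that pattern, but a secret key is the value most likely to come from an arbitrary non-AWS store, so escaping or rejecting such characters is worth considering here. A short comment above the new blocks would also document the contract this change introduces: `// Static credentials are optional: when both keys are absent the S3 client is expected to use the pod's ambient credentials (e.g. IRSA).` s3Settings starts and ends outside this hunk.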
@@ -418,9 +426,7 @@ func s3Settings(resources controllers.FunctionResources, pulpSettings *string) {
 *pulpSettings = *pulpSettings + fmt.Sprintf("AWS_S3_REGION_NAME = \"%v\"\n", optionalKey["s3-region"])
 }
- *pulpSettings = *pulpSettings + `AWS_ACCESS_KEY_ID = '` + storageData["s3-access-key-id"] + `'
-AWS_SECRET_ACCESS_KEY = '` + storageData["s3-secret-access-key"] + `'
-AWS_STORAGE_BUCKET_NAME = '` + storageData["s3-bucket-name"] + `'
+ *pulpSettings = *pulpSettings + `AWS_STORAGE_BUCKET_NAME = '` + storageData["s3-bucket-name"] + `'
 AWS_DEFAULT_ACL = "@none None"
 S3_USE_SIGV4 = True
 AWS_S3_SIGNATURE_VERSION = "s3v4"