diff --git a/README.md b/README.md
index ada51a9..180e79b 100644
--- a/README.md
+++ b/README.md
@@ -27,9 +27,18 @@ some extra annotations to the kubernetes service objects.
 | Target Group Stickness | `aws-nlb-helper.3scale.net/enable-targetgroups-stickness` | `true`, `false` | `false` |
 | Target Group Deregistration Delay | `aws-nlb-helper.3scale.net/targetgroups-deregisration-delay` | `0-3600` | `300` |
 
+## AWS authentication
+
+By default, the operator will use the role provided by the service acccount to
+connect to the AWS API. The YAMLs for deploying using [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) are available at [deploy/iam-service-accocunt](deploy/iam-service-accocunt).
+
+Otherwise, if the environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are set,
+the operator will use them to interact with the AWS API. You can find the YAMLs
+for deploying the resources using the environment access keys at [deploy/iam-env-credentials](deploy/iam-env-credentials).
+
 ## Requirements
 
-### Secret with IAM credentials
+### Secret with IAM credentials (when using env based credentials)
 
 ```yaml
 kind: Secret
diff --git a/deploy/aws_iam.yaml b/deploy/iam-env-credentials/aws_iam.yaml
similarity index 100%
rename from deploy/aws_iam.yaml
rename to deploy/iam-env-credentials/aws_iam.yaml
diff --git a/deploy/operator.yaml b/deploy/iam-env-credentials/operator.yaml
similarity index 100%
rename from deploy/operator.yaml
rename to deploy/iam-env-credentials/operator.yaml
diff --git a/deploy/role.yaml b/deploy/iam-env-credentials/role.yaml
similarity index 100%
rename from deploy/role.yaml
rename to deploy/iam-env-credentials/role.yaml
diff --git a/deploy/role_binding.yaml b/deploy/iam-env-credentials/role_binding.yaml
similarity index 100%
rename from deploy/role_binding.yaml
rename to deploy/iam-env-credentials/role_binding.yaml
diff --git a/deploy/service_account.yaml b/deploy/iam-env-credentials/service_account.yaml
similarity index 100%
rename from deploy/service_account.yaml
rename to deploy/iam-env-credentials/service_account.yaml
diff --git a/deploy/iam-service-accocunt/operator.yaml b/deploy/iam-service-accocunt/operator.yaml
new file mode 100644
index 0000000..0776eaf
--- /dev/null
+++ b/deploy/iam-service-accocunt/operator.yaml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: aws-nlb-helper-operator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: aws-nlb-helper-operator
+ template:
+ metadata:
+ labels:
+ name: aws-nlb-helper-operator
+ spec:
+ serviceAccountName: aws-nlb-helper-operator
+ containers:
+ - name: aws-nlb-helper-operator
+ # Replace this with the built image name
+ image: REPLACE_IMAGE
+ command:
+ - aws-nlb-helper-operator
+ imagePullPolicy: Always
+ env:
+ - name: OPERATOR_NAME
+ value: "aws-nlb-helper-operator"
+ - name: WATCH_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: AWS_REGION
+ valueFrom:
+ secretKeyRef:
+ name: aws-nlb-helper-iam
+ key: AWS_REGION
+ resources:
+ limits:
+ cpu: 150m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ securityContext:
+ # Required for accessing the service acccount token
+ fsGroup: 65534
\ No newline at end of file
diff --git a/deploy/iam-service-accocunt/role.yaml b/deploy/iam-service-accocunt/role.yaml
new file mode 100644
index 0000000..c9739bb
--- /dev/null
+++ b/deploy/iam-service-accocunt/role.yaml
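Review bot: The `AWS_REGION` entry in the container `env` is read through `secretKeyRef` from `aws-nlb-helper-iam` without `optional: true`, so this service-account flavour of the Deployment still refuses to start unless that Secret exists, even though the README change in this commit says the Secret is only needed for env-based credentials. The Go side now falls back to `awsDefaultRegion` when `AWS_REGION` is empty, so adding `optional: true` under the `secretKeyRef`, or supplying the region as a plain `value`, would let the IRSA deployment stand alone. Whether the existing Secret manifest actually carries an `AWS_REGION` key is not visible in this diff.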
@@ -0,0 +1,67 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aws-nlb-helper-operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - services/finalizers
+ - endpoints
+ - persistentvolumeclaims
+ - events
+ - configmaps
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - "get"
+ - "create"
+- apiGroups:
+ - apps
+ resources:
+ - deployments/finalizers
+ resourceNames:
+ - aws-nlb-helper-operator
+ verbs:
+ - "update"
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ - deployments
+ verbs:
+ - get
diff --git a/deploy/iam-service-accocunt/role_binding.yaml b/deploy/iam-service-accocunt/role_binding.yaml
new file mode 100644
index 0000000..47c0fee
--- /dev/null
+++ b/deploy/iam-service-accocunt/role_binding.yaml
@@ -0,0 +1,11 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aws-nlb-helper-operator
+subjects:
+- kind: ServiceAccount
+ name: aws-nlb-helper-operator
+roleRef:
+ kind: Role
+ name: aws-nlb-helper-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/iam-service-accocunt/service_account.yaml b/deploy/iam-service-accocunt/service_account.yaml
new file mode 100644
index 0000000..c768e91
--- /dev/null
+++ b/deploy/iam-service-accocunt/service_account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ # Replace this with the AWS role ARN created for the AWS NLB helper
+ eks.amazonaws.com/role-arn: AWS_IAM_ROLE_ARN
+ name: aws-nlb-helper-operator
diff --git a/pkg/controller/aws/aws_helper.go b/pkg/controller/aws/aws_helper.go
index 817e1d7..a33385d 100644
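Review bot: The first two rules grant `create`, `delete`, `patch` and `update` on `secrets`, `configmaps`, `persistentvolumeclaims`, `deployments`, `daemonsets` and `statefulsets`, which reads like the operator-sdk scaffold rather than what an operator that annotates Services and talks to the AWS API needs; since the same ServiceAccount carries the `eks.amazonaws.com/role-arn` annotation in `service_account.yaml` on this line, its Kubernetes permissions deserve the same least-privilege treatment as the AWS role. Unless the controller really writes those resources (its code is not in this diff), the core rule could be narrowed to `services` and `events` with `get`, `list`, `watch`, `update`, `patch`, and the `apps` write rule dropped. The last two rules also repeat `get` on `pods` and on `deployments`/`replicasets` that the earlier rules already cover. The renamed `deploy/iam-env-credentials/role.yaml` presumably holds the same rules and would want the same trim.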
--- a/pkg/controller/aws/aws_helper.go
+++ b/pkg/controller/aws/aws_helper.go
@@ -16,6 +16,7 @@ import (
 var log = logf.Log.WithName("helper_aws")
 
 const (
+ awsDefaultRegion = "us-east-1"
 awsLoadBalancerResourceTypeFilter = "elasticloadbalancing"
 awsTargetGroupResourceTypeFilter = "elasticloadbalancing:targetgroup"
 awsNetworkLoadBalancerResourceTypeFilter = "elasticloadbalancing:loadbalancer/net"
@@ -41,17 +42,10 @@ func UpdateNetworkLoadBalancer(loadBalancerDNS string, serviceNameTagValue strin
 ulbLogger := log.WithValues("LoadBalancerDNS", loadBalancerDNS, "ServiceName", serviceNameTagValue)
 
 // Get AWS Clients for ELBV2 and ResourceGroupsTaggingAPI APIs
- awsClient, err := newAPIClient(
- os.Getenv("AWS_ACCESS_KEY_ID"),
- os.Getenv("AWS_SECRET_ACCESS_KEY"),
- os.Getenv("AWS_REGION"),
- )
+ awsClient, err := newAPIClient()
 if err != nil {
- ulbLogger.Error(err, "Unable to create AWS Client",
- "AWS_ACCESS_KEY_ID", os.Getenv("AWS_ACCESS_KEY_ID"),
- "AWS_REGION", os.Getenv("AWS_REGION"),
- )
+ ulbLogger.Error(err, "Unable to initialize an AWS Client")
 return false, err
 }
 
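Review bot: `awsDefaultRegion = "us-east-1"` is added to the const block without a comment, and the fallback it feeds in `newAWSConfig` (next hunk) silently substitutes that region whenever `AWS_REGION` is unset; the load balancer and tag lookups are presumably region-scoped, so a deployment that forgot the variable would quietly find nothing instead of failing on a clear configuration error. A doc comment would at least make the trade-off visible, e.g. `// awsDefaultRegion is used when AWS_REGION is unset; the NLB must live in this region for lookups to succeed.`, and treating an empty region as an error in `newAPIClient` is worth considering. The const block continues past the end of this hunk.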
@@ -94,18 +88,38 @@ func UpdateNetworkLoadBalancer(loadBalancerDNS string, serviceNameTagValue strin
 return true, nil
 }
 
-// newAPIClient obtains an AWS session and initiates the needed AWS clients.
-func newAPIClient(id string, secret string, region string) (*APIClient, error) {
+// newAWSConfig generates an AWS config.
+func newAWSConfig() *aws.Config {
+
+ awsRegion := os.Getenv("AWS_REGION")
 
- // Get AWS config
- awsConfig := &aws.Config{
- Region: aws.String(region),
- Credentials: credentials.NewStaticCredentials(id, secret, ""),
+ if awsRegion == "" {
+ awsRegion = awsDefaultRegion
+ log.Info("Empty AWS_REGION, using default value", "awsRegion", awsRegion)
+ }
+
+ if (os.Getenv("AWS_ACCESS_KEY_ID") != "") && (os.Getenv("AWS_SECRET_ACCESS_KEY") != "") {
+ log.Info("Configuring AWS client using the environment credentials", "AWS_ACCESS_KEY_ID", os.Getenv("AWS_ACCESS_KEY_ID"))
+ return &aws.Config{
+ Region: aws.String(awsRegion),
+ Credentials: credentials.NewStaticCredentials(
+ os.Getenv("AWS_ACCESS_KEY_ID"),
+ os.Getenv("AWS_SECRET_ACCESS_KEY"),
+ "",
+ ),
+ }
 }
 
+ log.Info("Configuring AWS client using the service account")
+ return &aws.Config{Region: aws.String(awsRegion)}
+
+}
+
+// newAPIClient obtains an AWS session and initiates the needed AWS clients.
+func newAPIClient() (*APIClient, error) {
+
 // Initialize an AWS session
- awsConfig = awsConfig.WithCredentialsChainVerboseErrors(true)
- sess, err := session.NewSession(awsConfig)
+ sess, err := session.NewSession(newAWSConfig())
 if err != nil {
 return nil, fmt.Errorf("Unable to initialize AWS session: %v", err)
 }
diff --git a/version/version.go b/version/version.go
index 3567f81..cb4d74c 100644
--- a/version/version.go
+++ b/version/version.go
@@ -2,5 +2,5 @@ package version
 var (
 // Version of the aws-nlb-helper operator
- Version = "0.0.1"
+ Version = "0.0.4"
 )
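Review bot: `log.Info("Configuring AWS client using the environment credentials", "AWS_ACCESS_KEY_ID", os.Getenv("AWS_ACCESS_KEY_ID"))` in `newAWSConfig` writes the access key ID to the operator log at Info level; it is not the secret, but it is an account-linked identifier that lands in log aggregation, and this same commit removed that field from the error path in `UpdateNetworkLoadBalancer`, so the two places are now inconsistent. Logging only that env credentials are in use, `log.Info("Configuring AWS client using the environment credentials")`, keeps the signal without the identifier. The rewrite also drops `awsConfig.WithCredentialsChainVerboseErrors(true)` from the old `newAPIClient`, the option that makes a failing credential chain (now the service-account path) report which providers were tried instead of a generic no-credentials error; `return (&aws.Config{Region: aws.String(awsRegion)}).WithCredentialsChainVerboseErrors(true)` would preserve it. When only one of `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` is set the code falls through to the service-account path without a word, which merits at least a warning log. `newAPIClient` continues past the end of the hunk.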