Merge pull request #78 from wongma7/efs-secret

Make AWS credentials secret optional
kubernetes-retired · Apr 19, 2017 · d4e9eae · d4e9eae
2 parents b00811f + d92d044
commit d4e9eae
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 33 deletions.
diff --git a/aws/efs/README.md b/aws/efs/README.md
@@ -6,7 +6,6 @@ quay.io/external_storage/efs-provisioner:latest
 ```
 
 ## Prerequisites
-* An IAM user assigned the AmazonElasticFileSystemReadOnlyAccess policy (or better)
 * An EFS file system in your cluster's region
 * [Mount targets](http://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html) and [security groups](http://docs.aws.amazon.com/efs/latest/ug/accessing-fs-create-security-groups.html) such that any node (in any zone in the cluster's region) can mount the EFS file system by its [File system DNS name](http://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html)
 
@@ -21,13 +20,7 @@ $ kubectl create configmap efs-provisioner \
 --from-literal=provisioner.name=example.com/aws-efs
 ```
 
-Create a secret containing the AWS credentials of a user assigned the AmazonElasticFileSystemReadOnlyAccess policy. The credentials will be used by the provisioner only once at startup to check that the EFS file system you specified in the configmap actually exists.
-
-```console
-$ kubectl create secret generic aws-credentials \
---from-literal=aws-access-key-id=AKIAIOSFODNN7EXAMPLE \
---from-literal=aws-secret-access-key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-```
+> See [Optional: AWS credentials secret](#optional-aws-credentials-secret) if you want the provisioner to only once at startup check that the EFS file system you specified in the configmap actually exists.
 
 Decide on & set aside a directory within the EFS file system for the provisioner to use. The provisioner will create child directories to back each PV it provisions. Then edit the `volumes` section at the bottom of "deploy/deployment.yaml" so that the `path` refers to the directory you set aside and the `server` is the same EFS file system you specified. Create the deployment, and you're done.
 
@@ -114,3 +107,30 @@ NAME                                       CAPACITY   ACCESSMODES   RECLAIMPOLIC
 pvc-557b4436-ed73-11e6-84b3-06a700dda5f5   1Mi        RWX           Delete          Bound     default/efs             2s
 ```
 Note: any pod that consumes the claim will be able to read/write to the volume. This is because the volumes are provisioned with a GID (from the default range or according to `gidMin` + `gidMax`) and any pod that mounts the volume via the claim automatically gets the GID as a supplemental group.
+
+---
+##### Optional: AWS credentials secret
+
+Create a secret containing the AWS credentials of a user assigned the AmazonElasticFileSystemReadOnlyAccess policy. The credentials will be used by the provisioner only once at startup to check that the EFS file system you specified in the configmap actually exists.
+
+```console
+$ kubectl create secret generic aws-credentials \
+--from-literal=aws-access-key-id=AKIAIOSFODNN7EXAMPLE \
+--from-literal=aws-secret-access-key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+```
+
+Add a reference to the secret in the deployment yaml.
+```yaml
+...
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: aws-credentials
+              key: aws-access-key-id
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: aws-credentials
+              key: aws-secret-access-key
+...
+```
diff --git a/aws/efs/cmd/efs-provisioner/efs-provisioner.go b/aws/efs/cmd/efs-provisioner/efs-provisioner.go
@@ -58,7 +58,6 @@ type efsProvisioner struct {
 	dnsName    string
 	mountpoint string
 	source     string
-	svc        *efs.EFS
 	allocator  gidallocator.Allocator
 }
 
@@ -83,7 +82,7 @@ func NewEFSProvisioner(client kubernetes.Interface) controller.Provisioner {
 
 	sess, err := session.NewSession()
 	if err != nil {
-		glog.Fatal(err)
+		glog.Warningf("couldn't create an AWS session: %v", err)
 	}
 
 	svc := efs.New(sess, &aws.Config{Region: aws.String(awsRegion)})
@@ -93,14 +92,13 @@ func NewEFSProvisioner(client kubernetes.Interface) controller.Provisioner {
 
 	_, err = svc.DescribeFileSystems(params)
 	if err != nil {
-		glog.Fatal(err)
+		glog.Warningf("couldn't confirm that the EFS file system exists: %v", err)
 	}
 
 	return &efsProvisioner{
 		dnsName:    dnsName,
 		mountpoint: mountpoint,
 		source:     source,
-		svc:        svc,
 		allocator:  gidallocator.New(client),
 	}
 }
@@ -120,7 +118,7 @@ func getMount(dnsName string) (string, string, error) {
 		}
 	}
 
-	return "", "", fmt.Errorf("No mount entry found for %s", dnsName)
+	return "", "", fmt.Errorf("no mount entry found for %s", dnsName)
 }
 
 var _ controller.Provisioner = &efsProvisioner{}

diff --git a/aws/efs/deploy/deployment.yaml b/aws/efs/deploy/deployment.yaml
@@ -15,16 +15,6 @@ spec:
         - name: efs-provisioner
           image: quay.io/external_storage/efs-provisioner:latest
           env:
-            - name: AWS_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: aws-credentials
-                  key: aws-access-key-id
-            - name: AWS_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: aws-credentials
-                  key: aws-secret-access-key
             - name: FILE_SYSTEM_ID
               valueFrom:
                 configMapKeyRef:

diff --git a/aws/efs/deploy/pod.yaml b/aws/efs/deploy/pod.yaml
@@ -9,16 +9,6 @@ spec:
       env:
         - name: PROVISIONER_NAME
           value: "example.com/aws-efs"
-        - name: AWS_ACCESS_KEY_ID
-          valueFrom:
-            secretKeyRef:
-              name: aws-credentials
-              key: aws-access-key-id
-        - name: AWS_SECRET_ACCESS_KEY
-          valueFrom:
-            secretKeyRef:
-              name: aws-credentials
-              key: aws-secret-access-key
         - name: FILE_SYSTEM_ID
           valueFrom:
             configMapKeyRef: