From d92d0442c0136e43a7e21c75b2673910d11bd821 Mon Sep 17 00:00:00 2001 From: Matthew Wong Date: Tue, 18 Apr 2017 15:16:22 -0400 Subject: [PATCH] Make AWS credentials secret optional --- aws/efs/README.md | 36 ++++++++++++++----- .../cmd/efs-provisioner/efs-provisioner.go | 8 ++--- aws/efs/deploy/deployment.yaml | 10 ------ aws/efs/deploy/pod.yaml | 10 ------ 4 files changed, 31 insertions(+), 33 deletions(-) diff --git a/aws/efs/README.md b/aws/efs/README.md index c748bea5b5d..3e980555c34 100644 --- a/aws/efs/README.md +++ b/aws/efs/README.md @@ -6,7 +6,6 @@ quay.io/external_storage/efs-provisioner:latest ``` ## Prerequisites -* An IAM user assigned the AmazonElasticFileSystemReadOnlyAccess policy (or better) * An EFS file system in your cluster's region * [Mount targets](http://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html) and [security groups](http://docs.aws.amazon.com/efs/latest/ug/accessing-fs-create-security-groups.html) such that any node (in any zone in the cluster's region) can mount the EFS file system by its [File system DNS name](http://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html) 
@@ -21,13 +20,7 @@ $ kubectl create configmap efs-provisioner \ --from-literal=provisioner.name=example.com/aws-efs ``` -Create a secret containing the AWS credentials of a user assigned the AmazonElasticFileSystemReadOnlyAccess policy. The credentials will be used by the provisioner only once at startup to check that the EFS file system you specified in the configmap actually exists. - -```console -$ kubectl create secret generic aws-credentials \ ---from-literal=aws-access-key-id=AKIAIOSFODNN7EXAMPLE \ ---from-literal=aws-secret-access-key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -``` +> See [Optional: AWS credentials secret](#optional-aws-credentials-secret) if you want the provisioner to only once at startup check that the EFS file system you specified in the configmap actually exists. Decide on & set aside a directory within the EFS file system for the provisioner to use. The provisioner will create child directories to back each PV it provisions. Then edit the `volumes` section at the bottom of "deploy/deployment.yaml" so that the `path` refers to the directory you set aside and the `server` is the same EFS file system you specified. Create the deployment, and you're done. 
@@ -114,3 +107,30 @@ NAME CAPACITY ACCESSMODES RECLAIMPOLIC pvc-557b4436-ed73-11e6-84b3-06a700dda5f5 1Mi RWX Delete Bound default/efs 2s ``` Note: any pod that consumes the claim will be able to read/write to the volume. This is because the volumes are provisioned with a GID (from the default range or according to `gidMin` + `gidMax`) and any pod that mounts the volume via the claim automatically gets the GID as a supplemental group. + +--- +##### Optional: AWS credentials secret + +Create a secret containing the AWS credentials of a user assigned the AmazonElasticFileSystemReadOnlyAccess policy. The credentials will be used by the provisioner only once at startup to check that the EFS file system you specified in the configmap actually exists. + +```console +$ kubectl create secret generic aws-credentials \ +--from-literal=aws-access-key-id=AKIAIOSFODNN7EXAMPLE \ +--from-literal=aws-secret-access-key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY +``` + +Add a reference to the secret in the deployment yaml. +```yaml +... + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: aws-credentials + key: aws-access-key-id + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: aws-credentials + key: aws-secret-access-key +... +``` diff --git a/aws/efs/cmd/efs-provisioner/efs-provisioner.go b/aws/efs/cmd/efs-provisioner/efs-provisioner.go index b1fba36f20c..a26bd930f64 100644 --- a/aws/efs/cmd/efs-provisioner/efs-provisioner.go +++ b/aws/efs/cmd/efs-provisioner/efs-provisioner.go @@ -58,7 +58,6 @@ type efsProvisioner struct { dnsName string mountpoint string source string - svc *efs.EFS allocator gidallocator.Allocator } @@ -83,7 +82,7 @@ func NewEFSProvisioner(client kubernetes.Interface) controller.Provisioner { sess, err := session.NewSession() if err != nil { - glog.Fatal(err) + glog.Warningf("couldn't create an AWS session: %v", err) } svc := efs.New(sess, &aws.Config{Region: aws.String(awsRegion)}) 
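Review bot: In the `@@ -83,7 +82,7 @@` hunk a failed `session.NewSession()` is now only logged, but the next line still passes `sess` to `efs.New`; aws-sdk-go returns a nil session alongside that error, so a session failure now most likely ends in a nil-pointer panic inside the SDK instead of the "start without the check" behaviour this commit is after. Since the existence check is now optional, a session failure should skip the whole check rather than fall through into it, e.g. by putting the client construction and the `DescribeFileSystems` call under an `else`. The warning text should also say that the check is being skipped so the log explains why no confirmation follows. `NewEFSProvisioner` begins before this hunk, and its remainder (building `params` and calling `DescribeFileSystems`) lies outside it.
```go
	sess, err := session.NewSession()
	if err != nil {
		glog.Warningf("couldn't create an AWS session, skipping the optional EFS file system check: %v", err)
	} else {
		svc := efs.New(sess, &aws.Config{Region: aws.String(awsRegion)})
		// … unchanged: build params and call DescribeFileSystems, warning on error …
	}
```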
@@ -93,14 +92,13 @@ func NewEFSProvisioner(client kubernetes.Interface) controller.Provisioner { _, err = svc.DescribeFileSystems(params) if err != nil { - glog.Fatal(err) + glog.Warningf("couldn't confirm that the EFS file system exists: %v", err) } return &efsProvisioner{ dnsName: dnsName, mountpoint: mountpoint, source: source, - svc: svc, allocator: gidallocator.New(client), } } @@ -120,7 +118,7 @@ func getMount(dnsName string) (string, string, error) { } } - return "", "", fmt.Errorf("No mount entry found for %s", dnsName) + return "", "", fmt.Errorf("no mount entry found for %s", dnsName) } var _ controller.Provisioner = &efsProvisioner{} diff --git a/aws/efs/deploy/deployment.yaml b/aws/efs/deploy/deployment.yaml index 9ec8988d1b6..3670fca6c5f 100644 --- a/aws/efs/deploy/deployment.yaml +++ b/aws/efs/deploy/deployment.yaml @@ -15,16 +15,6 @@ spec: - name: efs-provisioner image: quay.io/external_storage/efs-provisioner:latest env: - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: aws-credentials - key: aws-access-key-id - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: aws-credentials - key: aws-secret-access-key - name: FILE_SYSTEM_ID valueFrom: configMapKeyRef: diff --git a/aws/efs/deploy/pod.yaml b/aws/efs/deploy/pod.yaml index ed3492425fb..80138310aa2 100644 --- a/aws/efs/deploy/pod.yaml +++ b/aws/efs/deploy/pod.yaml @@ -9,16 +9,6 @@ spec: env: - name: PROVISIONER_NAME value: "example.com/aws-efs" - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: aws-credentials - key: aws-access-key-id - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: aws-credentials - key: aws-secret-access-key - name: FILE_SYSTEM_ID valueFrom: configMapKeyRef:
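Review bot: In the `@@ -93,14 +92,13 @@` hunk every `DescribeFileSystems` failure is now downgraded to a warning, including a genuine FileSystemNotFound answer returned when credentials were supplied — the one condition this check exists to catch — so a typo in the configured file system ID no longer fails fast even for users who opted into the check. Only the "could not ask" case (typically no credentials) should become a warning; an explicit not-found response should stay fatal, which can be told apart by the SDK error code (`awserr.Error` from the aws-sdk-go `aws/awserr` package, an import this file would need to add alongside the existing `aws`/`efs` ones). The warning should also state that the check is optional and needs credentials, because with the secret removed from the default manifests every default deployment will now log this message with the SDK's missing-credentials error on startup. `NewEFSProvisioner` starts before this hunk.
```go
	_, err = svc.DescribeFileSystems(params)
	if err != nil {
		// A definite "not found" means the configured ID is wrong regardless of how we authenticated.
		if aerr, ok := err.(awserr.Error); ok && aerr.Code() == "FileSystemNotFound" {
			glog.Fatalf("the EFS file system specified in the configmap does not exist: %v", err)
		}
		// Anything else (most often no credentials) only means the optional check could not run.
		glog.Warningf("couldn't confirm that the EFS file system exists; this check is optional and requires AWS credentials: %v", err)
	}
	// … unchanged: return &efsProvisioner{…} …
```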