Merge pull request #1459 from haarchri/feature/pod-identity

feat(pod-identity): add option for pod-identity
crossplane-contrib · Aug 14, 2024 · 0e04e1c · 0e04e1c
2 parents ad89d40 + 2030f0d
commit 0e04e1c
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 1 deletion.
diff --git a/apis/v1beta1/types.go b/apis/v1beta1/types.go
@@ -226,7 +226,7 @@ type Tag struct {
 // ProviderCredentials required to authenticate.
 type ProviderCredentials struct {
 	// Source of the provider credentials.
-	// +kubebuilder:validation:Enum=None;Secret;IRSA;WebIdentity;Upbound
+	// +kubebuilder:validation:Enum=None;Secret;IRSA;WebIdentity;PodIdentity;Upbound
 	Source xpv1.CredentialsSource `json:"source"`
 
 	// WebIdentity defines the options for assuming an IAM role with a Web Identity.

diff --git a/examples/providerconfig/v1beta1/pod-identity-providerconfig.yaml b/examples/providerconfig/v1beta1/pod-identity-providerconfig.yaml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 The Crossplane Authors <https://crossplane.io>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: pod-identity
+spec:
+  credentials:
+    source: PodIdentity
diff --git a/internal/clients/provider_config.go b/internal/clients/provider_config.go
@@ -40,6 +40,7 @@ const (
 	// authentication types
 	authKeyIRSA        = "IRSA"
 	authKeyWebIdentity = "WebIdentity"
+	authKeyPodIdentity = "PodIdentity"
 	authKeyUpbound     = "Upbound"
 	// authKeySAML        = "SAML"
 
@@ -49,6 +50,7 @@ const (
 	errAWSConfig            = "failed to get AWS config"
 	errAWSConfigIRSA        = "failed to get AWS config using IAM Roles for Service Accounts"
 	errAWSConfigWebIdentity = "failed to get AWS config using web identity token"
+	errAWSConfigPodIdentity = "failed to get AWS config using pod identity"
 	errAWSConfigUpbound     = "failed to get AWS config using Upbound identity"
 
 	upboundProviderIdentityTokenFile = "/var/run/secrets/upbound.io/provider/token"
@@ -101,6 +103,11 @@ func GetAWSConfigWithoutTracking(ctx context.Context, c client.Client, obj runti
 		if err != nil {
 			return nil, errors.Wrap(err, errAWSConfigIRSA)
 		}
+	case authKeyPodIdentity:
+		cfg, err = UseDefault(ctx, region)
+		if err != nil {
+			return nil, errors.Wrap(err, errAWSConfigPodIdentity)
+		}
 	case authKeyWebIdentity:
 		cfg, err = UseWebIdentityToken(ctx, region, &pc.Spec, c)
 		if err != nil {

diff --git a/package/crds/aws.upbound.io_providerconfigs.yaml b/package/crds/aws.upbound.io_providerconfigs.yaml
@@ -153,6 +153,7 @@ spec:
                     - Secret
                     - IRSA
                     - WebIdentity
+                    - PodIdentity
                     - Upbound
                     type: string
                   upbound: