From 5ae95a12e505dd2529aa1c7293eaf32c02ff524a Mon Sep 17 00:00:00 2001
From: Christopher Haar
Date: Tue, 13 Aug 2024 17:01:33 +0200
Subject: [PATCH 1/2] feat(pod-identity): add option for pod-identity
Signed-off-by: Christopher Haar
---
 apis/v1beta1/types.go | 2 +-
 internal/clients/provider_config.go | 7 +++++++
 package/crds/aws.upbound.io_providerconfigs.yaml | 1 +
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/apis/v1beta1/types.go b/apis/v1beta1/types.go
index 81b956080c..3f856cfe95 100644
--- a/apis/v1beta1/types.go
+++ b/apis/v1beta1/types.go
@@ -226,7 +226,7 @@ type Tag struct {
 // ProviderCredentials required to authenticate.
 type ProviderCredentials struct {
 // Source of the provider credentials.
- // +kubebuilder:validation:Enum=None;Secret;IRSA;WebIdentity;Upbound
+ // +kubebuilder:validation:Enum=None;Secret;IRSA;WebIdentity;PodIdentity;Upbound
 Source xpv1.CredentialsSource `json:"source"`
 // WebIdentity defines the options for assuming an IAM role with a Web Identity.
diff --git a/internal/clients/provider_config.go b/internal/clients/provider_config.go
index 71b24ca14e..1c6661776c 100644
--- a/internal/clients/provider_config.go
+++ b/internal/clients/provider_config.go
@@ -40,6 +40,7 @@ const (
 // authentication types
 authKeyIRSA = "IRSA"
 authKeyWebIdentity = "WebIdentity"
+ authKeyPodIdentity = "PodIdentity"
 authKeyUpbound = "Upbound"
 // authKeySAML = "SAML"
@@ -49,6 +50,7 @@ const (
 errAWSConfig = "failed to get AWS config"
 errAWSConfigIRSA = "failed to get AWS config using IAM Roles for Service Accounts"
 errAWSConfigWebIdentity = "failed to get AWS config using web identity token"
+ errAWSConfigPodIdentity = "failed to get AWS config using pod identity"
 errAWSConfigUpbound = "failed to get AWS config using Upbound identity"
 upboundProviderIdentityTokenFile = "/var/run/secrets/upbound.io/provider/token"
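Review bot: The `Source` doc comment directly above the changed enum marker still reads only `// Source of the provider credentials.`, so the new `PodIdentity` value is undocumented at the API level where users read it, and nothing tells them how it differs from `IRSA` or `WebIdentity`. In the second file of this patch the value is handled by calling `UseDefault(ctx, region)`, which by its name appears to resolve the SDK default credential chain rather than anything specific to Pod Identity, so the comment should state what the value actually does and what it expects from the pod environment, e.g. `// PodIdentity resolves credentials from the pod's environment through the default AWS SDK credential chain (EKS Pod Identity agent); no further fields in this struct are used.` The `ProviderCredentials` struct continues past the end of the hunk.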
@@ -101,6 +103,11 @@ func GetAWSConfigWithoutTracking(ctx context.Context, c client.Client, obj runti
 if err != nil {
 return nil, errors.Wrap(err, errAWSConfigIRSA)
 }
+ case authKeyPodIdentity:
+ cfg, err = UseDefault(ctx, region)
+ if err != nil {
+ return nil, errors.Wrap(err, errAWSConfigPodIdentity)
+ }
 case authKeyWebIdentity:
 cfg, err = UseWebIdentityToken(ctx, region, &pc.Spec, c)
 if err != nil {
diff --git a/package/crds/aws.upbound.io_providerconfigs.yaml b/package/crds/aws.upbound.io_providerconfigs.yaml
index 0776539f7b..15d1c5ffa6 100644
--- a/package/crds/aws.upbound.io_providerconfigs.yaml
+++ b/package/crds/aws.upbound.io_providerconfigs.yaml
@@ -153,6 +153,7 @@ spec:
 - Secret
 - IRSA
 - WebIdentity
+ - PodIdentity
 - Upbound
 type: string
 upbound:
From 2030f0d2b32c9446495b52f159d815c2c35076b8 Mon Sep 17 00:00:00 2001
From: Christopher Haar
Date: Tue, 13 Aug 2024 17:22:48 +0200
Subject: [PATCH 2/2] feat(examples): add example for PodIdentity
Signed-off-by: Christopher Haar
---
 .../v1beta1/pod-identity-providerconfig.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 examples/providerconfig/v1beta1/pod-identity-providerconfig.yaml
diff --git a/examples/providerconfig/v1beta1/pod-identity-providerconfig.yaml b/examples/providerconfig/v1beta1/pod-identity-providerconfig.yaml
new file mode 100644
index 0000000000..be7ae9dac1
--- /dev/null
+++ b/examples/providerconfig/v1beta1/pod-identity-providerconfig.yaml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 The Crossplane Authors
+#
+# SPDX-License-Identifier: CC0-1.0
+
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: pod-identity
+spec:
+ credentials:
+ source: PodIdentity
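Review bot: The new `case authKeyPodIdentity` delegates straight to `UseDefault(ctx, region)`, so selecting `source: PodIdentity` never verifies that a Pod Identity association is actually in place: if the agent has not injected the container-credentials environment into the pod, the default chain (assuming `UseDefault` wraps the SDK default chain, as its name suggests) silently falls through to other sources such as static environment variables or the node instance role, and the provider then runs with whatever permissions those carry while the ProviderConfig claims Pod Identity. Failing closed is cheap: before the `UseDefault` call, check the variable the EKS Pod Identity agent sets, `if os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI") == "" { return nil, errors.New(errAWSConfigPodIdentity) }` (with `os` added to the imports if it is not already there, and assuming the file's `errors` package exposes `New`), so a misconfigured association surfaces as a ProviderConfig error instead of an unexpectedly privileged or unprivileged client. A short why-comment on the case, `// Pod Identity is delivered via the SDK container credential provider; do not fall back to the node role.`, would keep that intent visible to the next reader. `GetAWSConfigWithoutTracking` and `UseDefault` both begin and end outside this hunk.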