
Commit 2e07c33

committed
Add crossplane IAM Roles for control plane nodes
1 parent 88ee5ea commit 2e07c33


3 files changed

+32
-14
lines changed


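--- a/helm/cluster-aws/templates/_aws_cluster.tpl
+++ b/helm/cluster-aws/templates/_aws_cluster.tpl
@@ -255,7 +255,7 @@ spec:
 {{- end }}
 sshKeyName: ssh-key
 s3Bucket:
-controlPlaneIAMInstanceProfile: control-plane-{{ include "resource.default.name" $ }}
+controlPlaneIAMInstanceProfile: {{ include "resource.default.name" $ }}-control-plane
 name: {{ include "aws-region" . }}-capa-{{ include "resource.default.name" $ }}
 nodesIAMInstanceProfiles:
 - {{ include "resource.default.name" $ }}-worker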

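--- a/helm/cluster-aws/templates/crossplane-iam-role-control-plane.yaml
+++ b/helm/cluster-aws/templates/crossplane-iam-role-control-plane.yaml
@@ -15,7 +15,7 @@ spec:
 {
 "Effect": "Allow",
 "Principal": {
-"Service": "ec2.amazonaws.com{{- if hasPrefix "cn-" .Values.awsRegion }}.cn{{- end }}"
+"Service": "ec2.amazonaws.com{{- if hasPrefix "cn-" (include "aws-region" .) }}.cn{{- end }}"
 },
 "Action": "sts:AssumeRole"
 }
@@ -168,6 +168,23 @@ spec:
 name: {{ include "resource.default.name" $ }}
 ---
 apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+name: {{ include "resource.default.name" $ }}-control-plane
+labels:
+{{- include "labels.common" $ | nindent 4 }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+forProvider:
+roleRef:
+name: {{ include "resource.default.name" $ }}-control-plane
+policyArnRef:
+name: {{ include "resource.default.name" $ }}-control-plane
+providerConfigRef:
+name: {{ include "resource.default.name" $ }}
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
 kind: InstanceProfile
 metadata:
 name: {{ include "resource.default.name" $ }}-control-plane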
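Review bot: The new RolePolicyAttachment binds the `-control-plane` Role to the `-control-plane` Policy, but nothing in this commit touches the control-plane InstanceProfile that begins at new line 188 (its spec lies outside the hunk), whereas the worker file in the same commit rewrites its InstanceProfile to carry `role:` plus the tags; the control-plane InstanceProfile should be checked for an equivalent role binding, since a policy attached to a Role that no instance profile references never reaches the nodes. Both `roleRef.name` and `policyArnRef.name` are looked up by Kubernetes object name, so the Policy object presumably defined earlier in this file must be named exactly `{{ include "resource.default.name" $ }}-control-plane`; a mismatch renders fine with Helm and only shows up as an unresolved reference on the managed resource. A one-line comment above the resource would make that coupling explicit: `# Attaches the control-plane Policy to the control-plane Role; both are resolved by object name, so keep the three names in sync.` The trust-policy change in the first hunk is the same as in the worker file and is fine as written.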

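--- a/helm/cluster-aws/templates/crossplane-iam-role-worker.yaml
+++ b/helm/cluster-aws/templates/crossplane-iam-role-worker.yaml
@@ -15,7 +15,7 @@ spec:
 {
 "Effect": "Allow",
 "Principal": {
-"Service": "ec2.amazonaws.com{{- if hasPrefix "cn-" .Values.awsRegion }}.cn{{- end }}"
+"Service": "ec2.amazonaws.com{{- if hasPrefix "cn-" (include "aws-region" .) }}.cn{{- end }}"
 },
 "Action": "sts:AssumeRole"
 }
@@ -86,34 +86,35 @@ spec:
 name: {{ include "resource.default.name" $ }}
 ---
 apiVersion: iam.aws.upbound.io/v1beta1
-kind: InstanceProfile
+kind: RolePolicyAttachment
 metadata:
 name: {{ include "resource.default.name" $ }}-worker
 labels:
 {{- include "labels.common" $ | nindent 4 }}
 app.kubernetes.io/version: {{ .Chart.Version | quote }}
 spec:
 forProvider:
-tags:
-managed-by: "cluster-aws"
-giantswarm.io/cluster: {{ include "resource.default.name" $ }}
-giantswarm.io/installation: {{ .Values.global.managementCluster }}
-{{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
+roleRef:
+name: {{ include "resource.default.name" $ }}-worker
+policyArnRef:
+name: {{ include "resource.default.name" $ }}-worker
 providerConfigRef:
 name: {{ include "resource.default.name" $ }}
 ---
 apiVersion: iam.aws.upbound.io/v1beta1
-kind: RolePolicyAttachment
+kind: InstanceProfile
 metadata:
 name: {{ include "resource.default.name" $ }}-worker
 labels:
 {{- include "labels.common" $ | nindent 4 }}
 app.kubernetes.io/version: {{ .Chart.Version | quote }}
 spec:
 forProvider:
-roleRef:
-name: {{ include "resource.default.name" $ }}-worker
-instanceProfileRef:
-name: {{ include "resource.default.name" $ }}-worker
+role: {{ include "resource.default.name" $ }}-worker
+tags:
+managed-by: "cluster-aws"
+giantswarm.io/cluster: {{ include "resource.default.name" $ }}
+giantswarm.io/installation: {{ .Values.global.managementCluster }}
+{{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
 providerConfigRef:
 name: {{ include "resource.default.name" $ }}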
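Review bot: The rewritten InstanceProfile binds its role with a plain `role:` value (new line 113) while the RolePolicyAttachment in the same hunk uses `roleRef:`; a literal name only works if the Role's external name equals its object name, and it gives Crossplane no dependency to wait on, so the profile can be reconciled before the Role exists and sit in an error state until a later retry. Replacing `role: {{ include "resource.default.name" $ }}-worker` with `roleRef:` and a nested `name: {{ include "resource.default.name" $ }}-worker` would resolve both objects the same way, assuming the InstanceProfile type in this provider version accepts the ref form as the attachment does. The moved tag block keeps `nindent 4` for `additionalResourceTags`, and the rendered page drops indentation, so verify in the source that the extra tags land under `tags:` rather than beside it in `forProvider`; quoting `{{ .Values.global.managementCluster }}` as `"{{ .Values.global.managementCluster }}"` would also stop a numeric or boolean-looking installation name from being retyped by the YAML parser.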
