
Commit aa4f25e

invidianDongsu Park
andcommitted
controllers: reconcile S3Bucket as part of reconciliation loop
When S3Bucket.Enabled is true, the cluster controller will create an S3 bucket, by default using the cluster name as the bucket name, where the machine controller will be able to put userdata for systems which do not support pulling it from Secrets Manager, like Ignition. When the cluster is deleted, the bucket will be removed as well. Co-authored-by: Dongsu Park <[email protected]> Signed-off-by: Mateusz Gozdek <[email protected]>
1 parent 07a296f commit aa4f25e


8 files changed

+502
-0
lines changed


cmd/clusterawsadm/api/bootstrap/v1alpha1/zz_generated.conversion.go

Lines changed: 1 addition & 0 deletions

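--- a/cmd/clusterawsadm/api/bootstrap/v1beta1/defaults.go
+++ b/cmd/clusterawsadm/api/bootstrap/v1beta1/defaults.go
@@ -33,6 +33,8 @@ const (
 DefaultPartitionName = "aws"
 // DefaultKMSAliasPattern is the default KMS alias.
 DefaultKMSAliasPattern = "cluster-api-provider-aws-*"
+// DefaultS3BucketPrefix is the default S3 bucket prefix.
+DefaultS3BucketPrefix = "cluster-api-provider-aws-"
 )
 
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
@@ -91,6 +93,10 @@ func SetDefaults_AWSIAMConfigurationSpec(obj *AWSIAMConfigurationSpec) { //nolin
 if len(obj.EKS.KMSAliasPrefix) == 0 {
 obj.EKS.KMSAliasPrefix = DefaultKMSAliasPattern
 }
+
+if obj.S3Buckets.NamePrefix == "" {
+obj.S3Buckets.NamePrefix = DefaultS3BucketPrefix
+}
 }
 
 // SetDefaults_AWSIAMConfiguration is used by defaulter-gen.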

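--- a/cmd/clusterawsadm/api/bootstrap/v1beta1/types.go
+++ b/cmd/clusterawsadm/api/bootstrap/v1beta1/types.go
@@ -159,6 +159,17 @@ type AWSIAMConfiguration struct {
 Spec AWSIAMConfigurationSpec `json:"spec,omitempty"`
 }
 
+// S3Buckets controls the configuration of the AWS IAM role for S3 buckets
+// which can be created for storing bootstrap data for nodes requiring it.
+type S3Buckets struct {
+// Enable controls whether permissions are granted to manage S3 buckets.
+Enable bool `json:"enable"`
+
+// NamePrefix will be prepended to every AWS IAM role bucket name. Defaults to "cluster-api-provider-aws-".
+// AWSCluster S3 Bucket name must be prefixed with the same prefix.
+NamePrefix string `json:"namePrefix"`
+}
+
 // AWSIAMConfigurationSpec defines the specification of the AWSIAMConfiguration.
 type AWSIAMConfigurationSpec struct {
 // NamePrefix will be prepended to every AWS IAM role, user and policy created by clusterawsadm. Defaults to "".
@@ -207,6 +218,12 @@ type AWSIAMConfigurationSpec struct {
 // will generate AWS Secrets Manager policies instead.
 // +kubebuilder:validation:Enum=secrets-manager;ssm-parameter-store
 SecureSecretsBackends []infrav1.SecretBackend `json:"secureSecretBackends,omitempty"`
+
+// S3Buckets, when enabled, will add controller nodes permissions to
+// create S3 Buckets for workload clusters.
+// TODO: This field could be a pointer, but it seems it breaks setting default values?
+// +optional
+S3Buckets S3Buckets `json:"s3Buckets,omitempty"`
 }
 
 // GetObjectKind returns the AAWSIAMConfiguration's TypeMeta.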

cmd/clusterawsadm/api/bootstrap/v1beta1/zz_generated.deepcopy.go

Lines changed: 16 additions & 0 deletions

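--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -236,6 +236,21 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 })
 }
 }
+if t.Spec.S3Buckets.Enable {
+statement = append(statement, iamv1.StatementEntry{
+Effect: iamv1.EffectAllow,
+Resource: iamv1.Resources{
+fmt.Sprintf("arn:*:s3:::%s*", t.Spec.S3Buckets.NamePrefix),
+},
+Action: iamv1.Actions{
+"s3:CreateBucket",
+"s3:DeleteBucket",
+"s3:PutObject",
+"s3:DeleteObject",
+"s3:PutBucketPolicy",
+},
+})
+}
 if t.Spec.EventBridge.Enable {
 statement = append(statement, iamv1.StatementEntry{
 Effect: iamv1.EffectAllow,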
