Use Metal-Edit user for HMAC (#69)

Co-authored-by: Valentin Knabel <dev@vknabel.com>

Author: simcod

Makefile

@@ -167,7 +167,8 @@ endif
 
 # this is configured to work with the capi-lab
 export METAL_API_URL := "http://metal.203.0.113.1.nip.io:8080"
-export METAL_API_HMAC := "metal-admin"
+export METAL_API_HMAC := "metal-edit"
+export METAL_API_HMAC_AUTH_TYPE := "Metal-Edit"
 
 .PHONY: install
 install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.

README.md

@@ -41,6 +41,7 @@ Now, you are able to install the CAPMS into your management cluster:
 # export the following environment variables
 export METAL_API_URL=<url>
 export METAL_API_HMAC=<hmac>
+export METAL_API_HMAC_AUTH_TYPE=<Metal-Admin or Metal-Edit>
 export EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION=true
 
 # initialize the management cluster

capi-lab/Makefile

@@ -7,9 +7,11 @@ KUBECONFIG := $(shell pwd)/mini-lab/.kubeconfig
 MINI_LAB_FLAVOR=capms
 
 METAL_API_URL=http://metal.203.0.113.1.nip.io:8080
-METAL_API_HMAC=metal-admin
+METAL_API_HMAC=metal-edit
+METAL_API_HMAC_AUTH_TYPE=Metal-Edit
 METALCTL_API_URL=http://metal.203.0.113.1.nip.io:8080
-METALCTL_HMAC=metal-admin
+METALCTL_HMAC=metal-edit
+METALCTL_HMAC_AUTH_TYPE=Metal-Edit
 
 METAL_PARTITION ?= mini-lab
 METAL_PROJECT_ID ?= 00000000-0000-0000-0000-000000000001

capi-lab/metal-ccm.yaml

@@ -7,6 +7,7 @@ metadata:
 stringData:
   api-url: ${METAL_API_URL}
   api-hmac: ${METAL_API_HMAC}
+  api-hmac-auth-type: ${METAL_API_HMAC_AUTH_TYPE}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -172,6 +173,11 @@ spec:
             secretKeyRef:
               key: api-hmac
               name: cloud-controller-manager
+        - name: METAL_AUTH_HMAC_AUTH_TYPE
+          valueFrom:
+            secretKeyRef:
+              key: api-hmac-auth-type
+              name: cloud-controller-manager
         - name: METAL_PROJECT_ID
           value: 00000000-0000-0000-0000-000000000001
         - name: METAL_PARTITION_ID
@@ -185,7 +191,7 @@ spec:
           value: internet-mini-lab,${METAL_NODE_NETWORK_ID}
         - name: METAL_SSH_PUBLICKEY
           value: ""
-        image: ghcr.io/metal-stack/metal-ccm:v0.9.3
+        image: ghcr.io/metal-stack/metal-ccm:v0.9.4
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 2

cmd/main.go

@@ -202,5 +202,10 @@ func newMetalClient() (metalgo.Client, error) {
 		return nil, errors.New("METAL_API_HMAC environment variable must be set")
 	}
 
-	return metalgo.NewDriver(url, "", hmac)
+	hmacAuthType := os.Getenv("METAL_API_HMAC_AUTH_TYPE")
+	if hmacAuthType == "" {
+		return nil, errors.New("METAL_API_HMAC_AUTH_TYPE environment variable must be set")
+	}
+
+	return metalgo.NewDriver(url, "", hmac, metalgo.AuthType(hmacAuthType))
 }

config/manager/manager.yaml

@@ -6,6 +6,7 @@ metadata:
 stringData:
   api-url: ${METAL_API_URL}
   api-hmac: ${METAL_API_HMAC}
+  api-hmac-auth-type: ${METAL_API_HMAC_AUTH_TYPE}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -44,6 +45,11 @@ spec:
               secretKeyRef:
                 name: controller-manager-config
                 key: api-hmac
+          - name: METAL_API_HMAC_AUTH_TYPE
+            valueFrom:
+              secretKeyRef:
+                name: controller-manager-config
+                key: api-hmac-auth-type
         command:
         - /manager
         args:

metadata.yaml

@@ -5,6 +5,9 @@
 # update this file only when a new major or minor version is released
 apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
 releaseSeries:
+  - major: 0
+    minor: 3
+    contract: v1beta1
   - major: 0
     minor: 2
     contract: v1beta1