feat: add the ability to fetch aws creds from a secret on startup (#158)

* feat: allow using a secret to configure aws credentials on controller startup

Signed-off-by: Georgi Ivanov <[email protected]>

* fix: use correct command line flag in the deployment manifest

Signed-off-by: Georgi Ivanov <[email protected]>

* fix: reorder secret loading logic so that we fall back to env config in case we cannot read the secret

Signed-off-by: Georgi Ivanov <[email protected]>

* fix: lint new changes

Signed-off-by: Georgi Ivanov <[email protected]>

cmd/manager/main.go

@@ -52,6 +52,11 @@ func init() {
 		"selector-label",
 		"",
 		"If provided the controller will only process CRDs that have the provided label")
+	pflag.StringVar(
+		&flags.AwsConfigSecret,
+		"aws-config-secret",
+		"",
+		"If provided the controller will load AWS credentials from the named kubernetes secret")
 }
 
 func printVersion() {

deploy/deployment.yaml

@@ -18,15 +18,15 @@ spec:
           image: quay.io/ouzi/credstash-operator:latest
           command:
             - credstash-operator
+          args:
+            - --aws-config-secret
+            - aws-credentials
           imagePullPolicy: Always
-          envFrom:
-            - secretRef:
-                name: aws-credentials
           env:
-#            - name: WATCH_NAMESPACE
-#              valueFrom:
-#                fieldRef:
-#                  fieldPath: metadata.namespace
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
             - name: SERVICE_MONITOR_NAMESPACE
               valueFrom:
                 fieldRef:
@@ -35,5 +35,9 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
+            - name: POD_NAMESPACE
+                valueFrom:
+                  fieldRef:
+                    fieldPath: metadata.namespace
             - name: OPERATOR_NAME
               value: "credstash-operator"

deploy/helm/credstash-operator/templates/deployment.yaml

@@ -67,6 +67,10 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
           - name: OPERATOR_NAME
             value: {{ include "credstash-operator.fullname" . }}
           resources:

go.mod

@@ -4,52 +4,52 @@ go 1.14
 
 require (
 	github.com/apex/log v1.1.4 // indirect
-	github.com/aws/aws-sdk-go v1.33.1
+	github.com/aws/aws-sdk-go v1.33.5
 	github.com/fatih/color v1.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/golang/mock v1.4.3
 	github.com/kr/pretty v0.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.6 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/olekukonko/tablewriter v0.0.4 // indirect
-	github.com/operator-framework/operator-sdk v0.18.2
+	github.com/operator-framework/operator-sdk v0.19.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.6.1
 	github.com/versent/unicreds v1.5.1-0.20180327234242-7135c859e003
 	golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9 // indirect
 	gopkg.in/yaml.v2 v2.3.0 // indirect
-	k8s.io/api v0.18.2
-	k8s.io/apimachinery v0.18.2
+	k8s.io/api v0.18.5
+	k8s.io/apimachinery v0.18.5
 	k8s.io/client-go v12.0.0+incompatible
 	k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6
-	sigs.k8s.io/controller-runtime v0.6.0
+	sigs.k8s.io/controller-runtime v0.6.1
 )
 
 // Pinned to kubernetes-1.18.5
 replace (
 	github.com/Azure/go-autorest => github.com/Azure/go-autorest v13.3.3+incompatible // Required by OLM
 	github.com/openshift/api => github.com/openshift/api v0.0.0-20200117162508-e7ccdda6ba67
-	k8s.io/api => k8s.io/api v0.18.2
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.18.2
-	k8s.io/apimachinery => k8s.io/apimachinery v0.18.2
-	k8s.io/apiserver => k8s.io/apiserver v0.18.2
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.18.2
-	k8s.io/client-go => k8s.io/client-go v0.18.2 // Required by prometheus-operator
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.18.2
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.18.2
-	k8s.io/code-generator => k8s.io/code-generator v0.18.2
-	k8s.io/component-base => k8s.io/component-base v0.18.2
-	k8s.io/cri-api => k8s.io/cri-api v0.18.2
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.18.2
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.18.2
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.18.2
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.18.2
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.18.2
-	k8s.io/kubectl => k8s.io/kubectl v0.18.2
-	k8s.io/kubelet => k8s.io/kubelet v0.18.2
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.18.2
-	k8s.io/metrics => k8s.io/metrics v0.18.2
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.18.2
+	k8s.io/api => k8s.io/api v0.18.5
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.18.5
+	k8s.io/apimachinery => k8s.io/apimachinery v0.18.5
+	k8s.io/apiserver => k8s.io/apiserver v0.18.5
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.18.5
+	k8s.io/client-go => k8s.io/client-go v0.18.5 // Required by prometheus-operator
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.18.5
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.18.5
+	k8s.io/code-generator => k8s.io/code-generator v0.18.5
+	k8s.io/component-base => k8s.io/component-base v0.18.5
+	k8s.io/cri-api => k8s.io/cri-api v0.18.5
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.18.5
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.18.5
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.18.5
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.18.5
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.18.5
+	k8s.io/kubectl => k8s.io/kubectl v0.18.5
+	k8s.io/kubelet => k8s.io/kubelet v0.18.5
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.18.5
+	k8s.io/metrics => k8s.io/metrics v0.18.5
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.18.5
 	k8s.io/utils => k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
 )