Rename and expose role

giantswarm · Mar 14, 2024 · 61afb31 · 61afb31
1 parent b638fcb
commit 61afb31
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 19 deletions.
diff --git a/controllers/config_map.go b/controllers/config_map.go
@@ -39,9 +39,10 @@ import (
 const Finalizer = "crossplane-config-operator.finalizers.giantswarm.io/config-map-controller"
 
 type ConfigMapReconciler struct {
-	Client                client.Client
-	BaseDomain            string
-	ManagementClusterRole string
+	Client       client.Client
+	BaseDomain   string
+	ProviderRole string
+	AssumeRole   string
 }
 
 // SetupWithManager sets up the controller with the Manager.
@@ -303,12 +304,12 @@ func (r *ConfigMapReconciler) getProviderConfigSpec(accountID string) map[string
 		"credentials": map[string]interface{}{
 			"source": "WebIdentity",
 			"webIdentity": map[string]interface{}{
-				"roleARN": fmt.Sprintf("arn:aws:iam::%s:role/crossplane-assume-role", accountID),
+				"roleARN": fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, r.AssumeRole),
 			},
 		},
 		"assumeRoleChain": []map[string]interface{}{
 			{
-				"roleARN": fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, r.ManagementClusterRole),
+				"roleARN": fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, r.ProviderRole),
 			},
 		},
 	}

diff --git a/controllers/config_map_test.go b/controllers/config_map_test.go
@@ -68,11 +68,11 @@ var _ = Describe("PrefixListEntryReconciler", func() {
 			"credentials": MatchKeys(IgnoreExtras, Keys{
 				"source": Equal("WebIdentity"),
 				"webIdentity": MatchKeys(IgnoreExtras, Keys{
-					"roleARN": Equal(fmt.Sprintf("arn:aws:iam::%s:role/crossplane-assume-role", accountID)),
+					"roleARN": Equal(fmt.Sprintf("arn:aws:iam::%s:role/the-assume-role", accountID)),
 				}),
 			}),
 			"assumeRoleChain": ConsistOf(MatchKeys(IgnoreExtras, Keys{
-				"roleARN": Equal(fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, "the-role")),
+				"roleARN": Equal(fmt.Sprintf("arn:aws:iam::%s:role/the-provider-role", accountID)),
 			})),
 		})))
 	}
@@ -82,9 +82,10 @@ var _ = Describe("PrefixListEntryReconciler", func() {
 
 		identity, cluster = createRandomClusterWithIdentity()
 		reconciler = &controllers.ConfigMapReconciler{
-			Client:                k8sClient,
-			BaseDomain:            "base.domain.io",
-			ManagementClusterRole: "the-role",
+			Client:       k8sClient,
+			BaseDomain:   "base.domain.io",
+			AssumeRole:   "the-assume-role",
+			ProviderRole: "the-provider-role",
 		}
 		roleARN, err := arn.Parse(identity.Spec.RoleArn)
 		Expect(err).NotTo(HaveOccurred())
@@ -149,12 +150,12 @@ var _ = Describe("PrefixListEntryReconciler", func() {
 					"credentials": map[string]interface{}{
 						"source": "WebIdentity",
 						"webIdentity": map[string]interface{}{
-							"roleARN": fmt.Sprintf("arn:aws:iam::%s:role/crossplane-assume-role", someOtherAccount),
+							"roleARN": fmt.Sprintf("arn:aws:iam::%s:role/some-other-assume-role", someOtherAccount),
 						},
 					},
 					"assumeRoleChain": []map[string]interface{}{
 						{
-							"roleARN": fmt.Sprintf("arn:aws:iam::%s:role/%s", someOtherAccount, "some-other-role"),
+							"roleARN": fmt.Sprintf("arn:aws:iam::%s:role/some-other-provider-role", someOtherAccount),
 						},
 					},
 				},

diff --git a/helm/aws-crossplane-cluster-config-operator/templates/deployment.yaml b/helm/aws-crossplane-cluster-config-operator/templates/deployment.yaml
@@ -34,7 +34,8 @@ spec:
             - /manager
           args:
             - --leader-elect
-            - --management-cluster-role={{ .Values.managementClusterRole }}
+            - --provider-role={{ .Values.providerRole }}
+            - --assume-role={{ .Values.assumeRole }}
             - --base-domain={{ .Values.baseDomain }}
           securityContext:
             {{- with .Values.securityContext }}

diff --git a/helm/aws-crossplane-cluster-config-operator/values.yaml b/helm/aws-crossplane-cluster-config-operator/values.yaml
@@ -10,7 +10,8 @@ pod:
   group:
     id: "1000"
 
-managementClusterRole: ""
+assumeRole: ""
+providerRole: ""
 baseDomain: ""
 
 # Add seccomp to pod security context

diff --git a/main.go b/main.go
@@ -53,10 +53,12 @@ func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
-	var managementClusterRole string
+	var assumeRole string
+	var providerRole string
 	var baseDomain string
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
-	flag.StringVar(&managementClusterRole, "management-cluster-role", "", "The management cluster role.")
+	flag.StringVar(&assumeRole, "assume-role", "", "The role used by the aws crossplane provider.")
+	flag.StringVar(&providerRole, "provider-role", "", "The role used by the aws crossplane provider.")
 	flag.StringVar(&baseDomain, "base-domain", "", "Management cluster base domain.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
@@ -84,9 +86,10 @@ func main() {
 	}
 
 	if err = (&controllers.ConfigMapReconciler{
-		Client:                mgr.GetClient(),
-		BaseDomain:            baseDomain,
-		ManagementClusterRole: managementClusterRole,
+		Client:       mgr.GetClient(),
+		BaseDomain:   baseDomain,
+		AssumeRole:   assumeRole,
+		ProviderRole: providerRole,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Frigate")
 		os.Exit(1)