diff --git a/controllers/config_map.go b/controllers/config_map.go index d5210ab..7c76208 100644 --- a/controllers/config_map.go +++ b/controllers/config_map.go @@ -39,9 +39,10 @@ import ( const Finalizer = "crossplane-config-operator.finalizers.giantswarm.io/config-map-controller" type ConfigMapReconciler struct { - Client client.Client - BaseDomain string - ManagementClusterRole string + Client client.Client + BaseDomain string + ProviderRole string + AssumeRole string } // SetupWithManager sets up the controller with the Manager. @@ -303,12 +304,12 @@ func (r *ConfigMapReconciler) getProviderConfigSpec(accountID string) map[string "credentials": map[string]interface{}{ "source": "WebIdentity", "webIdentity": map[string]interface{}{ - "roleARN": fmt.Sprintf("arn:aws:iam::%s:role/crossplane-assume-role", accountID), + "roleARN": fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, r.AssumeRole), }, }, "assumeRoleChain": []map[string]interface{}{ { - "roleARN": fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, r.ManagementClusterRole), + "roleARN": fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, r.ProviderRole), }, }, } diff --git a/controllers/config_map_test.go b/controllers/config_map_test.go index 4e704af..f370ca7 100644 --- a/controllers/config_map_test.go +++ b/controllers/config_map_test.go @@ -68,11 +68,11 @@ var _ = Describe("PrefixListEntryReconciler", func() { "credentials": MatchKeys(IgnoreExtras, Keys{ "source": Equal("WebIdentity"), "webIdentity": MatchKeys(IgnoreExtras, Keys{ - "roleARN": Equal(fmt.Sprintf("arn:aws:iam::%s:role/crossplane-assume-role", accountID)), + "roleARN": Equal(fmt.Sprintf("arn:aws:iam::%s:role/the-assume-role", accountID)), }), }), "assumeRoleChain": ConsistOf(MatchKeys(IgnoreExtras, Keys{ - "roleARN": Equal(fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, "the-role")), + "roleARN": Equal(fmt.Sprintf("arn:aws:iam::%s:role/the-provider-role", accountID)), })), }))) } @@ -82,9 +82,10 @@ var _ = Describe("PrefixListEntryReconciler", func() { identity, cluster = createRandomClusterWithIdentity() reconciler = &controllers.ConfigMapReconciler{ - Client: k8sClient, - BaseDomain: "base.domain.io", - ManagementClusterRole: "the-role", + Client: k8sClient, + BaseDomain: "base.domain.io", + AssumeRole: "the-assume-role", + ProviderRole: "the-provider-role", } roleARN, err := arn.Parse(identity.Spec.RoleArn) Expect(err).NotTo(HaveOccurred()) @@ -149,12 +150,12 @@ var _ = Describe("PrefixListEntryReconciler", func() { "credentials": map[string]interface{}{ "source": "WebIdentity", "webIdentity": map[string]interface{}{ - "roleARN": fmt.Sprintf("arn:aws:iam::%s:role/crossplane-assume-role", someOtherAccount), + "roleARN": fmt.Sprintf("arn:aws:iam::%s:role/some-other-assume-role", someOtherAccount), }, }, "assumeRoleChain": []map[string]interface{}{ { - "roleARN": fmt.Sprintf("arn:aws:iam::%s:role/%s", someOtherAccount, "some-other-role"), + "roleARN": fmt.Sprintf("arn:aws:iam::%s:role/some-other-provider-role", someOtherAccount), }, }, }, diff --git a/helm/aws-crossplane-cluster-config-operator/templates/deployment.yaml b/helm/aws-crossplane-cluster-config-operator/templates/deployment.yaml index 353b341..edfd481 100644 --- a/helm/aws-crossplane-cluster-config-operator/templates/deployment.yaml +++ b/helm/aws-crossplane-cluster-config-operator/templates/deployment.yaml @@ -34,7 +34,8 @@ spec: - /manager args: - --leader-elect - - --management-cluster-role={{ .Values.managementClusterRole }} + - --provider-role={{ .Values.providerRole }} + - --assume-role={{ .Values.assumeRole }} - --base-domain={{ .Values.baseDomain }} securityContext: {{- with .Values.securityContext }} diff --git a/helm/aws-crossplane-cluster-config-operator/values.yaml b/helm/aws-crossplane-cluster-config-operator/values.yaml index 9d5e38a..39b3cf9 100644 --- a/helm/aws-crossplane-cluster-config-operator/values.yaml +++ b/helm/aws-crossplane-cluster-config-operator/values.yaml @@ -10,7 +10,8 @@ pod: group: id: "1000" -managementClusterRole: "" +assumeRole: "" +providerRole: "" baseDomain: "" # Add seccomp to pod security context diff --git a/main.go b/main.go index 2b45764..f30b941 100644 --- a/main.go +++ b/main.go @@ -53,10 +53,12 @@ func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string - var managementClusterRole string + var assumeRole string + var providerRole string var baseDomain string flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") - flag.StringVar(&managementClusterRole, "management-cluster-role", "", "The management cluster role.") + flag.StringVar(&assumeRole, "assume-role", "", "The role used by the aws crossplane provider.") + flag.StringVar(&providerRole, "provider-role", "", "The role used by the aws crossplane provider.") flag.StringVar(&baseDomain, "base-domain", "", "Management cluster base domain.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, @@ -84,9 +86,10 @@ func main() { } if err = (&controllers.ConfigMapReconciler{ - Client: mgr.GetClient(), - BaseDomain: baseDomain, - ManagementClusterRole: managementClusterRole, + Client: mgr.GetClient(), + BaseDomain: baseDomain, + AssumeRole: assumeRole, + ProviderRole: providerRole, }).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", "Frigate") os.Exit(1)