Enable IRSA for aws s3 backends

Enable IRSA for aws s3 backends by making the attributes s3-access-key-id and s3-secret-access-key optional in object_storage_s3_secret closes #1327
pulp · Aug 19, 2024 · 6f4d77b · 6f4d77b
1 parent e65c0f3
commit 6f4d77b
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/CHANGES/1327.bugfix b/CHANGES/1327.bugfix
@@ -0,0 +1,2 @@
+S3 backend attributes `s3-access-key-id` and `s3-secret-access-key` made optional
+to allow authentication via AWS IAM roles for Kubernetes service accounts.
diff --git a/controllers/repo_manager/secret.go b/controllers/repo_manager/secret.go
@@ -398,18 +398,26 @@ func s3Settings(resources controllers.FunctionResources, pulpSettings *string) {
 	}
 
 	logger.V(1).Info("Retrieving S3 data from " + resources.Pulp.Spec.ObjectStorageS3Secret)
-	storageData, err := controllers.RetrieveSecretData(context, pulp.Spec.ObjectStorageS3Secret, pulp.Namespace, true, client, "s3-access-key-id", "s3-secret-access-key", "s3-bucket-name")
+	storageData, err := controllers.RetrieveSecretData(context, pulp.Spec.ObjectStorageS3Secret, pulp.Namespace, true, client, "s3-bucket-name")
 	if err != nil {
 		logger.Error(err, "Secret Not Found!", "Secret.Namespace", pulp.Namespace, "Secret.Name", pulp.Spec.ObjectStorageS3Secret)
 		return
 	}
 
-	optionalKey, _ := controllers.RetrieveSecretData(resources.Context, resources.Pulp.Spec.ObjectStorageS3Secret, resources.Pulp.Namespace, false, client, "s3-endpoint", "s3-region")
+	optionalKey, _ := controllers.RetrieveSecretData(resources.Context, resources.Pulp.Spec.ObjectStorageS3Secret, resources.Pulp.Namespace, false, client, "s3-endpoint", "s3-region", "s3-access-key-id", "s3-secret-access-key")
 	if len(optionalKey["s3-endpoint"]) == 0 && len(optionalKey["s3-region"]) == 0 {
 		logger.Error(err, "Either s3-endpoint or s3-region needs to be specified", "Secret.Namespace", resources.Pulp.Namespace, "Secret.Name", resources.Pulp.Spec.ObjectStorageS3Secret)
 		return
 	}
 
+	if len(optionalKey["s3-secret-access-key"]) > 0 {
+		*pulpSettings = *pulpSettings + fmt.Sprintf("AWS_SECRET_ACCESS_KEY = \"%v\"\n", optionalKey["s3-secret-access-key"])
+	}
+
+	if len(optionalKey["s3-access-key-id"]) > 0 {
+		*pulpSettings = *pulpSettings + fmt.Sprintf("AWS_ACCESS_KEY_ID = \"%v\"\n", optionalKey["s3-access-key-id"])
+	}
+
 	if len(optionalKey["s3-endpoint"]) > 0 {
 		*pulpSettings = *pulpSettings + fmt.Sprintf("AWS_S3_ENDPOINT_URL = \"%v\"\n", optionalKey["s3-endpoint"])
 	}
@@ -418,9 +426,7 @@ func s3Settings(resources controllers.FunctionResources, pulpSettings *string) {
 		*pulpSettings = *pulpSettings + fmt.Sprintf("AWS_S3_REGION_NAME = \"%v\"\n", optionalKey["s3-region"])
 	}
 
-	*pulpSettings = *pulpSettings + `AWS_ACCESS_KEY_ID = '` + storageData["s3-access-key-id"] + `'
-AWS_SECRET_ACCESS_KEY = '` + storageData["s3-secret-access-key"] + `'
-AWS_STORAGE_BUCKET_NAME = '` + storageData["s3-bucket-name"] + `'
+	*pulpSettings = *pulpSettings + `AWS_STORAGE_BUCKET_NAME = '` + storageData["s3-bucket-name"] + `'
 AWS_DEFAULT_ACL = "@none None"
 S3_USE_SIGV4 = True
 AWS_S3_SIGNATURE_VERSION = "s3v4"