swap caching for non-caching reads of Secrets

[jaypipes]

In order to allow the ClusterRole associated with the ServiceAccount of
a controller started in Cluster Mode to require Read/List/Watch
permissions on Secrets in ALL Kubernetes Namespaces, we need to change
the way that Secret values are read in the resource reconciler.

When a "normal" client-go Kubernetes client is created and a single
watch namespace is not provided, then whenever that client is used to
read object information, a new SharedInformer cache is created for that
Kind of resource across all Namespaces.

This SharedInformer cache sets up listers and watchers on all resources
of that Kind of resource across all Namespaces and thus the ClusterRole
associated with the ServiceAccount of the controller needs permissions
to get, list and watch those resources across all Namespaces.

For Secret resources, this permission to list/watch Secrets across all
Namespaces is too broad for many security-conscious organizations. For
these organizations, they wish to restrict the ACK controller to only
watch Secret resources that are in specific Namespaces that the ACK
custom resources are created in.

In order to fulfill this security requirement, we needed to make a
relatively small change to the resource reconciler's
SecretValueFromReference method to use the non-caching apiReader part of
the Kubernetes client.

The other changes included in this patch revolve around documentation
and renaming the environment variable used to determine the Namespace
that the CARM ConfigMap resides in.

Previously, the environment variable controlling the Namespace the
ack-role-account-map ConfigMap was in was called K8S_NAMESPACE. I
thought this name was overly broad and confusing, considering we have a
--watch-namespace CLI flag for determining if the ACK controller is
started in "Cluster Mode" or "Namespace Mode", and the generic
K8S_NAMESPACE environment variable name was being confused with this
entirely unrelated CLI flag. I have thus renamed K8S_NAMESPACE to
ACK_SYSTEM_NAMESPACE to more accurately reflect what the variable
configures. I have left support for falling back to the old, now
deprecated K8S_NAMESPACE name, however.

Finally, I removed the hard-coded string ack-system comparison in the
CARM Account cache and now have it checking the ConfigMap's Namespace
against the value of the ACK_SYSTEM_NAMESPACE environment variable.

Note that I have run RDS controller local kind tests against this
version of the ACK runtime to ensure there are no nasty surprises and
all e2e tests are passing properly.

Issue: aws-controllers-k8s/community#1173

Signed-off-by: Jay Pipes jaypipes@gmail.com

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license.

[vijtrip2]

Looks good!

We should also update the community CARM docs to let customers know about these new environment variables, right?

[a-hilaly]

Nice catch

[a-hilaly]

We should also change K8S_NAMESPACE to ACK_SYSTEM_NAMESPACE in helm/deployment.yaml and config/controller/deployment.yaml

[jaypipes]

Yeah, I've got a patch for that to code-generator. I'll submit it once we release the runtime (since I will pin code-generator to that runtime version)

[jaypipes]

Looks good!

We should also update the community CARM docs to let customers know about these new environment variables, right?

Yep. I did that here: aws-controllers-k8s/community#1178

[vijtrip2]

/lgtm

[ack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: A-Hilaly, jaypipes, vijtrip2

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [A-Hilaly,jaypipes,vijtrip2]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment