Merge pull request #78 from luisdavim/injected_identity

Injected identity

README.md

@@ -81,6 +81,12 @@ kubectl apply -f examples/install.yaml
 
 Notice that in this example Provider resource is referencing ControllerConfig with debug enabled.
 
+You can also setup the Terraform Provider using AWS
+[IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+For more information, check out the example [setup](./examples/aws-eks-irsa-seup.yaml), the process is
+similar to what you would use for the
+[provider-aws](https://github.com/crossplane-contrib/provider-aws/blob/master/AUTHENTICATION.md#using-iam-roles-for-serviceaccounts).
+
 ## Private Git repository support
 
 To securely propagate git credentials create a `git-credentials` secret in [git credentials store] format.

apis/v1alpha1/types.go

@@ -41,7 +41,7 @@ type ProviderCredentials struct {
  Filename string `json:"filename"`
 
  // Source of the provider credentials.
- // +kubebuilder:validation:Enum=None;Secret;InjectedIdentity;Environment;Filesystem
+ // +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
  Source xpv1.CredentialsSource `json:"source"`
 
  xpv1.CommonCredentialSelectors `json:",inline"`

examples/aws-eks-irsa-seup.yaml

@@ -0,0 +1,66 @@
+# NOTE: You need a trust policy associated with the role matching the Service Account and OIDC provider
+# Something like the following:
+# {
+# "Version": "2012-10-17",
+# "Statement": [
+# {
+# "Effect": "Allow",
+# "Principal": {
+# "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
+# },
+# "Action": "sts:AssumeRoleWithWebIdentity",
+# "Condition": {
+# "StringLike": {
+# "${OIDC_PROVIDER}:sub": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:provider-terraform-*"
+# }
+# }
+# }
+# ]
+# }
+#
+# Where:
+# OIDC_PROVIDER=$(aws eks describe-cluster --name "${CLUSTER_NAME}" --region "${AWS_REGION}" --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
+---
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ name: terraform-config
+ labels:
+ app: crossplane-provider-terraform
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNTID:role/provider-terraform
+spec:
+ image: crossplane/provider-terraform-controller:v0.2.0
+ args:
+ - "--debug"
+ podSecurityContext:
+ fsGroup: 2000
+---
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: crossplane-provider-terraform
+spec:
+ package: crossplane/provider-terraform:v0.2.0
+ controllerConfigRef:
+ name: terraform-config
+---
+apiVersion: tf.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+ annotations: {}
+ name: aws-irsa
+spec:
+ configuration: |
+ terraform {
+ backend "kubernetes" {
+ secret_suffix = "providerconfig-tf-aws"
+ namespace = "crossplane-system"
+ in_cluster_config = true
+ }
+ }
+ provider "aws" {}
+ credentials:
+ # Terraform natively supports IRSA auth so we can use None here
+ - filename: aws.json
+ source: None

package/crds/tf.crossplane.io_providerconfigs.yaml

@@ -89,7 +89,6 @@ spec:
  enum:
  - None
  - Secret
- - InjectedIdentity
  - Environment
  - Filesystem
  type: string