Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

actuators: Use AWS Systems Manager Parameter Store #189

Closed
wants to merge 1 commit into from
Closed

actuators: Use AWS Systems Manager Parameter Store #189

wants to merge 1 commit into from

Conversation

randomvariable
Copy link
Member

@randomvariable randomvariable commented Oct 8, 2018
edited
Loading

What this PR does / why we need it:

Moves certificate authority information out of the cluster object and into AWS
Systems Manager Parameter store, removing one set of plain text secrets.

Also enables future change to clusterawsadm to be able to reconstruct the
kubeconfig without being the boootstrap user.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

This requires an expansion of the IAM profile as follows:

ManagedPolicyName: cluster-controller.cluster-api-provider-aws.sigs.k8s.io
  - Action:
    - ssm:GetParameter
    - ssm:GetParameters
    - ssm:GetParametersByPath
    - ssm:DeleteParameter
    - ssm:DeleteParameters
    - ssm:PutParameter
    Effect: Allow
    Resource:
    - arn:aws:ssm:*:<region>:parameter/sigs.k8s.io/cluster-api-provider-aws/certificate-authority/certificate/*
    - arn:aws:ssm:*:<region>:parameter/sigs.k8s.io/cluster-api-provider-aws/certificate-authority/private-key/*

ManagedPolicyName: nodes.cluster-api-provider-aws.sigs.k8s.io
PolicyDocument:
  Statement:
  - Action:
    - ssm:DescribeParameters
    - ssm:GetParameter
    - ssm:GetParameters
    - ssm:GetParametersByPath
    Effect: Allow
    Resource:
    - arn:aws:ssm:*:<region>:parameter/sigs.k8s.io/cluster-api-provider-aws/nodes/*
    - arn:aws:ssm:*:<region>:parameter/sigs.k8s.io/cluster-api-provider-aws/certificate-authority/certificate/*
  Version: "2012-10-17"

Parameters are written to the following locations:
/sigs.k8s.io/cluster-api-provider-aws/certificate-authority/certificate/<cluster name>
/sigs.k8s.io/cluster-api-provider-aws/certificate-authority/private-key/<cluster name>

This means that all control plane nodes for all clusters in a region have access to the
key material for all control planes if using the generated template from
clusterawsadm. It's possible to scope this further if a user applies their
own template.

Release note:

NONE

@randomvariable
actuators: Use AWS Systems Manager Parameter Store
be56be6 
for the certificate instead of using a field on
the object. Also allows external users to potentially
get a kubeconfig via clusterawsadm at a later date.

Signed-off-by: Naadir Jeewa <naadir@randomvariable.co.uk>
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 8, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: randomvariable
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: detiber

If they are not already assigned, you can assign the PR to them by writing /assign @detiber in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Oct 8, 2018
@detiber
Copy link
Member

detiber commented Oct 8, 2018

Lets defer this until after the initial release, I want to make sure that we do not add any additional IAM requirements until we've had a chance to fully weight the potential consequences. This would be a great topic to discuss at the planning meeting on the 15th.

@randomvariable
Copy link
Member Author

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 8, 2018
@randomvariable
Copy link
Member Author

This is too out of date now.

@randomvariable randomvariable deleted the feature/use-ssm branch February 8, 2019 10:19
enxebre pushed a commit to enxebre/cluster-api-provider-aws-2 that referenced this pull request Apr 16, 2019
@openshift-merge-robot
Merge pull request kubernetes-sigs#189 from frobware/fix-jira-435-mak…
d19c6e5 
…e-generate-fails

Fix panic when running: make generate
@randomvariable randomvariable mentioned this pull request Jun 20, 2019
Closed
@randomvariable randomvariable mentioned this pull request Jan 21, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidewatson davidewatson Awaiting requested review from davidewatson

@vincepri vincepri Awaiting requested review from vincepri

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@randomvariable @k8s-ci-robot @detiber