actuators: Use AWS Systems Manager Parameter Store #189
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Moves certificate authority information out of the cluster object and into AWS
Systems Manager Parameter store, removing one set of plain text secrets.
Also enables future change to clusterawsadm to be able to reconstruct the
kubeconfig without being the boootstrap user.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
This requires an expansion of the IAM profile as follows:
Parameters are written to the following locations:
/sigs.k8s.io/cluster-api-provider-aws/certificate-authority/certificate/<cluster name>
/sigs.k8s.io/cluster-api-provider-aws/certificate-authority/private-key/<cluster name>
This means that all control plane nodes for all clusters in a region have access to the
key material for all control planes if using the generated template from
clusterawsadm
. It's possible to scope this further if a user applies theirown template.
Release note: