feat: make aws credentials optional when s3 backup

Signed-off-by: Carlos Salas <carlos.salas@suse.com>

controlplane/api/v1alpha1/rke2controlplane_types.go

@@ -283,7 +283,8 @@ type EtcdS3 struct {
 
 	// S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
 	// The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
-	S3CredentialSecret corev1.ObjectReference `json:"s3CredentialSecret"`
+	// If empty, the controller will default to IAM authentication
+	S3CredentialSecret *corev1.ObjectReference `json:"s3CredentialSecret,omitempty"`
 
 	// Bucket S3 bucket name.
 	//+optional

controlplane/api/v1beta1/rke2controlplane_types.go

@@ -323,7 +323,8 @@ type EtcdS3 struct {
 
 	// S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
 	// The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
-	S3CredentialSecret corev1.ObjectReference `json:"s3CredentialSecret"`
+	// If empty, the controller will default to IAM authentication
+	S3CredentialSecret *corev1.ObjectReference `json:"s3CredentialSecret,omitempty"`
 
 	// Bucket S3 bucket name.
 	//+optional

controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml

@@ -938,6 +938,7 @@ spec:
                                 description: |-
                                   S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
                                   The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
+                                  If empty, the controller will default to IAM authentication
                                 properties:
                                   apiVersion:
                                     description: API version of the referent.
@@ -981,7 +982,6 @@ spec:
                                 x-kubernetes-map-type: atomic
                             required:
                             - endpoint
-                            - s3CredentialSecret
                             type: object
                           scheduleCron:
                             description: 'ScheduleCron Snapshot interval time in cron
@@ -2243,6 +2243,7 @@ spec:
                                 description: |-
                                   S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
                                   The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
+                                  If empty, the controller will default to IAM authentication
                                 properties:
                                   apiVersion:
                                     description: API version of the referent.
@@ -2286,7 +2287,6 @@ spec:
                                 x-kubernetes-map-type: atomic
                             required:
                             - endpoint
-                            - s3CredentialSecret
                             type: object
                           scheduleCron:
                             description: 'ScheduleCron Snapshot interval time in cron

controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml

@@ -1094,6 +1094,7 @@ spec:
                                         description: |-
                                           S3CredentialSecret is a reference to a Secret containing the Access Key and Secret Key necessary to access the target S3 Bucket.
                                           The Secret must contain the following keys: "aws_access_key_id" and "aws_secret_access_key".
+                                          If empty, the controller will default to IAM authentication
                                         properties:
                                           apiVersion:
                                             description: API version of the referent.
@@ -1137,7 +1138,6 @@ spec:
                                         x-kubernetes-map-type: atomic
                                     required:
                                     - endpoint
-                                    - s3CredentialSecret
                                     type: object
                                   scheduleCron:
                                     description: 'ScheduleCron Snapshot interval time

pkg/rke2/config.go

@@ -269,23 +269,27 @@ func newRKE2ServerConfig(opts ServerConfigOpts) (*ServerConfig, []bootstrapv1.Fi
 		rke2ServerConfig.EtcdS3 = true
 		awsCredentialsSecret := &corev1.Secret{}
 
-		if err := opts.Client.Get(opts.Ctx, types.NamespacedName{
-			Name:      opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Name,
-			Namespace: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Namespace,
-		}, awsCredentialsSecret); err != nil {
-			return nil, nil, fmt.Errorf("failed to get aws credentials secret: %w", err)
-		}
+		accessKeyID, secretAccessKey := []byte{}, []byte{}
+		if opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret != nil {
+			if err := opts.Client.Get(opts.Ctx, types.NamespacedName{
+				Name:      opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Name,
+				Namespace: opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret.Namespace,
+			}, awsCredentialsSecret); err != nil {
+				return nil, nil, fmt.Errorf("failed to get aws credentials secret (S3CredentialSecret - %v): %w", opts.ServerConfig.Etcd.BackupConfig.S3.S3CredentialSecret, err)
+			}
 
-		accessKeyID, ok := awsCredentialsSecret.Data["aws_access_key_id"]
+			var ok bool
+			accessKeyID, ok = awsCredentialsSecret.Data["aws_access_key_id"]
 
-		if !ok {
-			return nil, nil, fmt.Errorf("aws credentials secret is missing aws_access_key_id")
-		}
+			if !ok {
+				return nil, nil, fmt.Errorf("aws credentials secret is missing aws_access_key_id")
+			}
 
-		secretAccessKey, ok := awsCredentialsSecret.Data["aws_secret_access_key"]
+			secretAccessKey, ok = awsCredentialsSecret.Data["aws_secret_access_key"]
 
-		if !ok {
-			return nil, nil, fmt.Errorf("aws credentials secret is missing aws_secret_access_key")
+			if !ok {
+				return nil, nil, fmt.Errorf("aws credentials secret is missing aws_secret_access_key")
+			}
 		}
 
 		rke2ServerConfig.EtcdS3AccessKey = string(accessKeyID)
@@ -301,7 +305,7 @@ func newRKE2ServerConfig(opts ServerConfigOpts) (*ServerConfig, []bootstrapv1.Fi
 				Name:      opts.ServerConfig.Etcd.BackupConfig.S3.EndpointCASecret.Name,
 				Namespace: opts.ServerConfig.Etcd.BackupConfig.S3.EndpointCASecret.Namespace,
 			}, endpointCAsecret); err != nil {
-				return nil, nil, fmt.Errorf("failed to get aws credentials secret: %w", err)
+				return nil, nil, fmt.Errorf("failed to get aws credentials secret (EndpointCASecret): %w", err)
 			}
 
 			caCert, ok := endpointCAsecret.Data["ca.pem"]

pkg/rke2/config_test.go

@@ -110,7 +110,7 @@ var _ = Describe("RKE2ServerConfig", func() {
 					ExposeMetrics: true,
 					BackupConfig: controlplanev1.EtcdBackupConfig{
 						S3: &controlplanev1.EtcdS3{
-							S3CredentialSecret: corev1.ObjectReference{
+							S3CredentialSecret: &corev1.ObjectReference{
 								Name:      "test",
 								Namespace: "test",
 							},