From a3733e1953528305e04148a640a2149307ff501a Mon Sep 17 00:00:00 2001
From: Tyler Gillson
Date: Tue, 28 Nov 2023 10:57:25 -0700
Subject: [PATCH] chore: update AWS auth config
Signed-off-by: Tyler Gillson
---
 chart/validator/templates/plugin-secret-aws.yaml | 10 +++-------
 chart/validator/values.yaml | 13 +++++++++----
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/chart/validator/templates/plugin-secret-aws.yaml b/chart/validator/templates/plugin-secret-aws.yaml
index eac726a8..1424bbb7 100644
--- a/chart/validator/templates/plugin-secret-aws.yaml
+++ b/chart/validator/templates/plugin-secret-aws.yaml
@@ -4,11 +4,7 @@ kind: Secret
 metadata:
 name: {{ required ".Values.pluginSecrets.aws.secretName is required!" .Values.pluginSecrets.aws.secretName }}
 stringData:
- credentials: |
- [default]
- aws_access_key_id={{ required ".Values.pluginSecrets.aws.accessKeyId is required!" .Values.pluginSecrets.aws.accessKeyId }}
- aws_secret_access_key={{ required ".Values.pluginSecrets.aws.secretAccessKey is required!" .Values.pluginSecrets.aws.secretAccessKey }}
- {{- if .Values.pluginSecrets.aws.sessionToken }}
- aws_session_token={{ $.Values.pluginSecrets.aws.sessionToken }}
- {{- end }}
+ {{- range $key, $val := .Values.pluginSecrets.aws.env }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/validator/values.yaml b/chart/validator/values.yaml
index cb4c113a..e334822b 100644
--- a/chart/validator/values.yaml
+++ b/chart/validator/values.yaml
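Review bot: In `plugin-secret-aws.yaml`, the new `range` over `.Values.pluginSecrets.aws.env` drops the `required` guards the old template had. A release that still sets `accessKeyId`/`secretAccessKey`, or leaves `env` unset, now renders a Secret with an empty `stringData` and raises no error. How the plugin consumes this Secret is not visible here, but if it reads the keys as environment variables the SDK may fall back to implicit credentials such as the node instance role, so validation could run under an identity the operator did not intend. Consider keeping a guard, e.g. `{{- range $key, $val := required ".Values.pluginSecrets.aws.env is required!" .Values.pluginSecrets.aws.env }}`, and quoting the key as well: `{{ $key | quote }}: {{ $val | quote }}`. The conditional closed by the final `{{- end }}` opens above the hunk.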
@@ -132,12 +132,13 @@ plugins: targetPort: https type: ClusterIP auth: - # Option 1: Leave secret undefined for implicit auth (node instance role, IMDSv2, etc.) + # Option 1: Leave secret undefined for implicit auth (node instance IAM role, IMDSv2, etc.) # Option 2: Create a secret via pluginSecrets (see below). Note: secretName and pluginSecrets.aws.secretName must match. # Option 3: Specify the name of a preexisting secret in your target cluster and leave pluginSecrets.aws undefined. # secret: {} # Delete these curly braces if you're specifying secretName! # secretName: aws-creds + # Override the service account used by AWS validator (optional, could be used for IMDSv2 on EKS) # WARNING: the chosen service account must include all RBAC privileges found in the AWS plugin template: # https://github.com/spectrocloud-labs/validator-plugin-aws/blob/main/chart/validator-plugin-aws/templates/manager-rbac.yaml @@ -347,9 +348,13 @@ pluginSecrets: # aws: {} # Don't forget to delete these curly braces if you're specifying credentials here! # secretName: aws-creds # ensure this matches the AWS plugin values above - # accessKeyId: "" - # secretAccessKey: "" - # sessionToken: "" + # + # Any valid combination of AWS credential environment variables, per the options defined in: + # https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#environment-variables. + # env: + # AWS_ACCESS_KEY_ID: "" + # AWS_SECRET_ACCESS_KEY: "" + # AWS_SESSION_TOKEN: "" # If installing the Azure plugin, the below config is required unless one of the following applies: # - The target cluster already contains a secret with the correct format and you've specified its name above.