Merge pull request #76 from pkit/implicit_creds

fix hardcoded s3 creds

Author: No9

Cargo.lock

@@ -102,6 +102,41 @@ You can make use of a more compact values.yaml during installation to override f
 helm install core-dump-handler . --create-namespace --namespace observe --values values.openshift.yaml
 ```
 
+### EKS setup for gitops pipelines (`eksctl` or similar)
+
+Set up a service account with a role that has access to S3 bucket (in `cluster.yaml`):
+
+```yaml
+iam:
+  withOIDC: true
+  serviceAccounts:
+    - metadata:
+      name: core-dump-admin
+      namespace: core-dump
+    attachPolicyARNs:
+      - arn:aws:iam::123456789011:policy/s3-write-policy
+```
+
+**Note**: here the namespace is `core-dump`, change it to the namespace where you installed the chart
+
+Example S3 policy:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:*",
+      "Resource": [
+        "arn:aws:s3:::my-core-dump-bucket",
+        "arn:aws:s3:::my-core-dump-bucket/*"
+      ]
+    }
+  ]
+}
+```
+
 ### Environment Variables
 
 The agent pod has the following environment variables and these are all set by the chart but included here for informational purposes:

charts/core-dump-handler/README.md

@@ -57,11 +57,13 @@ spec:
               secretKeyRef:
                 name: s3config
                 key: s3AccessKey
+                optional: true
           - name: S3_SECRET
             valueFrom:
               secretKeyRef:
                 name: s3config
                 key: s3Secret
+                optional: true
           - name: S3_BUCKET_NAME
             valueFrom:
               secretKeyRef:

charts/core-dump-handler/templates/daemonset.yaml

@@ -1,3 +1,4 @@
 # AWS requires a crio client to be copied to the server
 daemonset:
   includeCrioExe: true
+  vendor: rhel7 # EKS EC2 images have an old libc=2.26

charts/core-dump-handler/values.aws.yaml

@@ -359,17 +359,21 @@ fn get_bucket() -> Result<Bucket, anyhow::Error> {
         }
     };
 
+    let credentials = if s3_access_key.is_empty() || s3_secret.is_empty() {
+        Credentials::new(None, None, None, None, None)
+    } else {
+        Credentials::new(Some(s3_access_key.as_str()),
+                         Some(s3_secret.as_str()),
+                         None,
+                         None,
+                         None,
+        )
+    };
+
     let s3 = Storage {
         name: "aws".into(),
         region,
-        credentials: Credentials::new(
-            Some(s3_access_key.as_str()),
-            Some(s3_secret.as_str()),
-            None,
-            None,
-            None,
-        )
-        .unwrap(),
+        credentials: credentials.unwrap(),
         bucket: s3_bucket_name,
         location_supported: false,
     };