Merge pull request #1751 from bertinatto/render-aws-ebs-creds-mgmt

STOR-1040: Render AWS CSI Driver credentials in the mgmt cluster

cmd/infra/aws/iam.go

@@ -68,7 +68,32 @@ const (
 				"ec2:ModifyVolume"
 			],
 			"Resource": "*"
-		}
+		},
+		{
+			"Effect": "Allow",
+			"Action": [
+				"kms:Decrypt",
+				"kms:Encrypt",
+				"kms:GenerateDataKey",
+				"kms:GenerateDataKeyWithoutPlainText",
+				"kms:DescribeKey"
+			],
+			"Resource": "*"
+		},
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:RevokeGrant",
+                "kms:CreateGrant",
+                "kms:ListGrants"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Bool": {
+                    "kms:GrantIsForAWSResource": true
+                }
+            }
+        }
 	]
 }`
 

hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go

@@ -259,6 +259,7 @@ web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
 		hcluster.Spec.Platform.AWS.RolesRef.NodePoolManagementARN:   NodePoolManagementCredsSecret(controlPlaneNamespace),
 		hcluster.Spec.Platform.AWS.RolesRef.ControlPlaneOperatorARN: ControlPlaneOperatorCredsSecret(controlPlaneNamespace),
 		hcluster.Spec.Platform.AWS.RolesRef.NetworkARN:              CloudNetworkConfigControllerCredsSecret(controlPlaneNamespace),
+		hcluster.Spec.Platform.AWS.RolesRef.StorageARN:              AWSEBSCSIDriverCredsSecret(controlPlaneNamespace),
 	} {
 		err := syncSecret(secret, arn)
 		if err != nil {
@@ -376,3 +377,12 @@ func CloudNetworkConfigControllerCredsSecret(controlPlaneNamespace string) *core
 		},
 	}
 }
+
+func AWSEBSCSIDriverCredsSecret(controlPlaneNamespace string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: controlPlaneNamespace,
+			Name:      "ebs-cloud-credentials",
+		},
+	}
+}