fix: make aws region required (#3)

* fix: make aws region required

* fix: remove references of region from the secret

* fix: add a pod disruption budget

Author: givanov

Makefile

@@ -161,6 +161,7 @@ helm-clean:
 
 # does not work without explicitly specifying the api version
 # see: https://github.com/helm/helm/issues/6505
+# we explicitly set awsCredentials.awsRegion so that we pass the validate stage but the validation still occurs
 .PHONY: helm-validate
 helm-validate:
 	helm template node-tagger \
@@ -171,6 +172,7 @@ helm-validate:
 	-a monitoring.coreos.com/v1 \
 	-a apiextensions.k8s.io/v1beta1 \
 	-a credstash.ouzi.tech/v1 \
+	--set awsCredentials.awsRegion=us-west-2 \
 	$(CHART_PATH)/${CHART_NAME}
 
 .PHONY: helm-package

README.md

@@ -10,11 +10,10 @@ node-tagger is a Kubernetes operator that applies specified tags to all aws node
 The controller requires AWS credentials to be set before deploying it. This is accomplished by creating a secret with name `aws-credentials` in the controller namespace with the following keys:
 * AWS_ACCESS_KEY_ID
 * AWS_SECRET_ACCESS_KEY
-* AWS_REGION
 
 For example running the following will create an appropriate secret in the `node-tagger` namespace:
 ```
-kubectl create secret generic aws-credentials --from-literal=AWS_ACCESS_KEY_ID=access_key --from-literal=AWS_SECRET_ACCESS_KEY=secret_access_key --from-literal=AWS_REGION=us-west-2 --namespace=node-tagger
+kubectl create secret generic aws-credentials --from-literal=AWS_ACCESS_KEY_ID=access_key --from-literal=AWS_SECRET_ACCESS_KEY=secret_access_key --namespace=node-tagger
 ```
 
 ### Required IAM permissions

deploy/deployment.yaml

@@ -44,6 +44,8 @@ spec:
               path: /readyz
               port: http
           env:
+            - name: AWS_REGION
+              value: "us-east-1"
             - name: SERVICE_MONITOR_NAMESPACE
               valueFrom:
                 fieldRef:

deploy/helm/node-tagger/templates/aws_credentials_secret.yaml

@@ -13,5 +13,4 @@ type: Opaque
 data:
   AWS_ACCESS_KEY_ID: {{ .Values.awsCredentials.awsAccessKeyId | b64enc }}
   AWS_SECRET_ACCESS_KEY: {{ .Values.awsCredentials.awsSecretAccessKey | b64enc }}
-  AWS_REGION: {{ .Values.awsCredentials.awsRegion | b64enc }}
 {{- end -}}

deploy/helm/node-tagger/templates/deployment.yaml

@@ -55,6 +55,8 @@ spec:
               name: {{ include "node-tagger.credentialsSecretName" . }}
 {{- end }}
           env:
+          - name: AWS_REGION
+            value: {{ required "A valid AWS region is required. Please set .Values.awsCredentials.awsRegion" .Values.awsCredentials.awsRegion }}
           - name: SERVICE_MONITOR_NAMESPACE
             valueFrom:
               fieldRef:

deploy/helm/node-tagger/templates/pod_disruption_budget.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.podDisruptionBudget -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "node-tagger.fullname" . }}
+  labels:
+    {{- include "node-tagger.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+    {{- include "node-tagger.selectorLabels" . | nindent 6 }}
+{{ toYaml .Values.podDisruptionBudget | indent 2 }}
+{{- end -}}

deploy/helm/node-tagger/values.yaml

@@ -12,7 +12,12 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+podDisruptionBudget:
+  minAvailable: 1
+
 awsCredentials:
+  # Region must always be set
+  awsRegion:
   # Whether to mount the secret in the pod
   # Set to false if you want to use a different aws auth method e.g. eks iam service account
   useSecret: true
@@ -22,7 +27,6 @@ awsCredentials:
   secretName:
   awsAccessKeyId:
   awsSecretAccessKey:
-  awsRegion:
 
 # Specifies the tags to apply to the aws node instances
 tagsToApply: