From d7302ca241c57851c80b45b9113f6b1e5c59b99c Mon Sep 17 00:00:00 2001
From: Miciah Masters
Date: Fri, 18 Jan 2019 16:35:51 -0500
Subject: [PATCH] Use credentials from cloud-credential-operator
Replace use of kube-system cloud credentials by using openshift-ingress cloud credentials courtesy of cloud-credential-operator. This commit resolves NE-140. https://jira.coreos.com/browse/NE-140 * cmd/cluster-ingress-operator/main.go (cloudCredentialsSecretName): New constant with the name of the cloud credentials secret that cloud-credential-operator creates for cluster-ingress-operator. (main): Pass operatorNamespace to createDNSManager. (createDNSManager): Instead of using the "aws-creds" secret from the "kube-system" namespace, use the "cloud-credentials" secret from the operator's namespace. * manifests/01-kube-system-aws-creds-role-binding.yaml: Deleted; the operator no longer needs to read the secret from the kube-system namespace.
---
 cmd/cluster-ingress-operator/main.go | 14 ++++++++++----
 .../01-kube-system-aws-creds-role-binding.yaml | 14 --------------
 2 files changed, 10 insertions(+), 18 deletions(-)
 delete mode 100644 manifests/01-kube-system-aws-creds-role-binding.yaml
diff --git a/cmd/cluster-ingress-operator/main.go b/cmd/cluster-ingress-operator/main.go
index 2cccd27430..583483f8ed 100644
--- a/cmd/cluster-ingress-operator/main.go
+++ b/cmd/cluster-ingress-operator/main.go
@@ -17,7 +17,6 @@ import (
 corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
@@ -27,6 +26,13 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/runtime/signals"
 )
+const (
+ // cloudCredentialsSecretName is the name of the secret in the
+ // operator's namespace that will hold the credentials that the operator
+ // will use to authenticate with the cloud API.
+ cloudCredentialsSecretName = "cloud-credentials"
+)
+
 func main() {
 // Get a kube client.
 kubeConfig, err := config.GetConfig()
@@ -79,7 +85,7 @@ func main() {
 }
 // Set up the DNS manager.
- dnsManager, err := createDNSManager(kubeClient, infraConfig, ingressConfig, dnsConfig, clusterVersionConfig)
+ dnsManager, err := createDNSManager(kubeClient, operatorNamespace, infraConfig, ingressConfig, dnsConfig, clusterVersionConfig)
 if err != nil {
 logrus.Fatalf("failed to create DNS manager: %v", err)
 }
@@ -102,12 +108,12 @@ func main() {
 // createDNSManager creates a DNS manager compatible with the given cluster
 // configuration.
-func createDNSManager(cl client.Client, infraConfig *configv1.Infrastructure, ingressConfig *configv1.Ingress, dnsConfig *configv1.DNS, clusterVersionConfig *configv1.ClusterVersion) (dns.Manager, error) {
+func createDNSManager(cl client.Client, namespace string, infraConfig *configv1.Infrastructure, ingressConfig *configv1.Ingress, dnsConfig *configv1.DNS, clusterVersionConfig *configv1.ClusterVersion) (dns.Manager, error) {
 var dnsManager dns.Manager
 switch infraConfig.Status.Platform {
 case configv1.AWSPlatform:
 awsCreds := &corev1.Secret{}
- err := cl.Get(context.TODO(), types.NamespacedName{Namespace: metav1.NamespaceSystem, Name: "aws-creds"}, awsCreds)
+ err := cl.Get(context.TODO(), types.NamespacedName{Namespace: namespace, Name: cloudCredentialsSecretName}, awsCreds)
 if err != nil {
 return nil, fmt.Errorf("failed to get aws creds from %s/%s: %v", awsCreds.Namespace, awsCreds.Name, err)
 }
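Review bot: The error returned right after the new `cl.Get` in the createDNSManager hunk still formats `awsCreds.Namespace` and `awsCreds.Name`, which as far as I can tell are left empty when Get fails, so the message comes out as `failed to get aws creds from /: ...` and no longer says which secret the operator was looking for; format the lookup key instead: `return nil, fmt.Errorf("failed to get aws creds from %s/%s: %v", namespace, cloudCredentialsSecretName, err)`. Because main() turns this error into `logrus.Fatalf`, an operator that starts before cloud-credential-operator has written the secret will exit and restart until the secret exists; if that crash-loop is the intended recovery path, a sentence on the `cloudCredentialsSecretName` comment noting that the secret is provisioned asynchronously by cloud-credential-operator would spare the next reader a search. Nothing in this diff grants the operator's service account permission to read secrets in its own namespace, while the kube-system binding is removed; presumably an existing Role in the operator namespace already covers it, but that is worth confirming before merge. createDNSManager's body continues past the end of the hunk.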
diff --git a/manifests/01-kube-system-aws-creds-role-binding.yaml b/manifests/01-kube-system-aws-creds-role-binding.yaml
deleted file mode 100644
index aa1ce39925..0000000000
--- a/manifests/01-kube-system-aws-creds-role-binding.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# Binds the aws-creds-secret-reader role to the operator Service Account.
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ingress-operator-aws-creds-secret-reader
- namespace: kube-system
-subjects:
-- kind: ServiceAccount
- name: ingress-operator
- namespace: openshift-ingress-operator
-roleRef:
- kind: Role
- apiGroup: rbac.authorization.k8s.io
- name: aws-creds-secret-reader