From 90534c16e1584071067086eb83f91a9590e4bc44 Mon Sep 17 00:00:00 2001
From: brendanb
Date: Mon, 19 Apr 2021 12:27:11 +1000
Subject: [PATCH] Add ability to use aws iam access key/secret from a kubernetes secret that gets mounted in /root/.aws/credentials
---
 .../templates/controller-deployment.yaml | 10 ++++++++++
 .../aws-efs-csi-driver/templates/node-daemonset.yaml | 10 ++++++++++
 charts/aws-efs-csi-driver/values.yaml | 4 ++++
 3 files changed, 24 insertions(+)
diff --git a/charts/aws-efs-csi-driver/templates/controller-deployment.yaml b/charts/aws-efs-csi-driver/templates/controller-deployment.yaml
index 122ffe23d..367c7e729 100644
--- a/charts/aws-efs-csi-driver/templates/controller-deployment.yaml
+++ b/charts/aws-efs-csi-driver/templates/controller-deployment.yaml
@@ -59,6 +59,11 @@ spec:
 volumeMounts:
 - name: socket-dir
 mountPath: /var/lib/csi/sockets/pluginproxy/
+{{- if .Values.awsCredentialsSecret }}
+ - name: aws-credentials
+ mountPath: /root/.aws
+ readOnly: true
+{{- end }}
 ports:
 - name: healthz
 containerPort: 9808
@@ -95,4 +100,9 @@ spec:
 volumes:
 - name: socket-dir
 emptyDir: {}
+{{- if .Values.awsCredentialsSecret }}
+ - name: aws-credentials
+ secret:
+ secretName: {{ .Values.awsCredentialsSecretName }}
+{{- end }}
 {{- end }}
diff --git a/charts/aws-efs-csi-driver/templates/node-daemonset.yaml b/charts/aws-efs-csi-driver/templates/node-daemonset.yaml
index 31ec2b2e2..cd9a497af 100644
--- a/charts/aws-efs-csi-driver/templates/node-daemonset.yaml
+++ b/charts/aws-efs-csi-driver/templates/node-daemonset.yaml
@@ -87,6 +87,11 @@ spec:
 mountPath: /var/amazon/efs
 - name: efs-utils-config-legacy
 mountPath: /etc/amazon/efs-legacy
+{{- if .Values.awsCredentialsSecret }}
+ - name: aws-credentials
+ mountPath: /root/.aws
+ readOnly: true
+{{- end }}
 ports:
 - name: healthz
 containerPort: 9809
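Review bot: The `mountPath: /root/.aws` added under `volumeMounts` in controller-deployment.yaml only takes effect if the container process runs as root with its home at /root, and nothing in the template records that dependency. If the container user or HOME ever differs, the driver would presumably fall back silently to another credential source such as the instance profile, so the pod would run under a different identity than the operator configured. I would add a template comment above the mount, for example `{{- /* /root/.aws is the default shared-credentials location for a root process; keep in sync with the container user */}}`. The same mount is added in the node-daemonset.yaml `@@ -87,6 +87,11 @@` hunk. The container spec starts and ends outside this hunk.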
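Review bot: `secretName: {{ .Values.awsCredentialsSecretName }}` in the new `volumes` entry is rendered unquoted and unchecked, so enabling `awsCredentialsSecret` with the name overridden to empty or null yields a null `secretName:` and the failure only surfaces at deploy time. I would render it as `secretName: {{ required "awsCredentialsSecretName must be set when awsCredentialsSecret is true" .Values.awsCredentialsSecretName | quote }}`. The volume also keeps the default file mode for Secret volumes, which leaves the credentials file readable by every user inside the container; adding `defaultMode: 0400` under `secret:` tightens that, assuming the driver reads the file as its owner. The node-daemonset.yaml `@@ -153,3 +158,8 @@` hunk adds the same lines and needs the same change.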
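Review bot: The `aws-credentials` mount added to the node DaemonSet is gated by the same `awsCredentialsSecret` flag as the controller, so turning the feature on places the same long-lived access key on every node that runs the driver. Whether the node plugin needs AWS API credentials at all cannot be told from this hunk; if only the controller calls the EFS API, a separate toggle for the DaemonSet would keep the key off the worker nodes. Where the node pods do need it, the chart should state that the key must belong to an IAM user limited to the EFS actions the driver uses, since a compromise of any single node exposes it.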
@@ -153,3 +158,8 @@ spec:
 hostPath:
 path: /etc/amazon/efs
 type: DirectoryOrCreate
+{{- if .Values.awsCredentialsSecret }}
+ - name: aws-credentials
+ secret:
+ secretName: {{ .Values.awsCredentialsSecretName }}
+{{- end }}
diff --git a/charts/aws-efs-csi-driver/values.yaml b/charts/aws-efs-csi-driver/values.yaml
index eb7c03973..1616faa3d 100644
--- a/charts/aws-efs-csi-driver/values.yaml
+++ b/charts/aws-efs-csi-driver/values.yaml
@@ -95,3 +95,7 @@ storageClasses: []
 # gidRangeStart: "1000"
 # gidRangeEnd: "2000"
 # basePath: "/dynamic_provisioning"
+# Use aws credentials secret instead of relying on eks iam auth or instance profiles
+awsCredentialsSecret: false
+# aws credentials secret name
+awsCredentialsSecretName: aws-efs-csi-driver-credentials
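Review bot: The two comments added to values.yaml do not say what the Secret must contain, so a user cannot tell from the chart which key name the driver expects. Because the templates mount the Secret as a directory at /root/.aws, it presumably needs a key named `credentials` in the AWS shared-credentials file format, and it has to exist in the release namespace before the pods start; I would say so, e.g. `# Secret must hold a key "credentials" in AWS shared-credentials format; it is mounted read-only at /root/.aws`. `awsCredentialsSecretName: aws-efs-csi-driver-credentials` also ships a non-empty default next to a separate boolean, where a single value (empty name means disabled) would remove the chance of the two settings disagreeing.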