✨ [0.4] Support use of AWS Secrets Manager for userdata privacy

Makefile

@@ -136,10 +136,10 @@ $(RELEASE_NOTES) : $(TOOLS_DIR)/go.mod
 
 .PHONY: lint
 lint: $(GOLANGCI_LINT) ## Lint codebase
-	$(GOLANGCI_LINT) run -v
+	$(GOLANGCI_LINT) run -v --deadline=5m
 
 lint-full: $(GOLANGCI_LINT) ## Run slower linters to detect possible issues
-	$(GOLANGCI_LINT) run -v --fast=false
+	$(GOLANGCI_LINT) run -v --fast=false --deadline=5m
 
 ## --------------------------------------
 ## Generate
@@ -157,8 +157,7 @@ generate: ## Generate code
 	$(MAKE) generate-manifests
 
 .PHONY: generate-go
-generate-go: $(CONTROLLER_GEN) $(MOCKGEN) $(CONVERSION_GEN) ## Runs Go related generate targets
-	go generate ./...
+generate-go: $(CONTROLLER_GEN) $(CONVERSION_GEN) $(MOCKGEN) ## Runs Go related generate targets
 	$(CONTROLLER_GEN) \
 		paths=./api/... \
 		object:headerFile=./hack/boilerplate/boilerplate.generatego.txt
@@ -167,6 +166,7 @@ generate-go: $(CONTROLLER_GEN) $(MOCKGEN) $(CONVERSION_GEN) ## Runs Go related g
 		--input-dirs=./api/v1alpha2 \
 		--output-file-base=zz_generated.conversion \
 		--go-header-file=./hack/boilerplate/boilerplate.generatego.txt
+	go generate ./...
 
 .PHONY: generate-manifests
 generate-manifests: $(CONTROLLER_GEN) ## Generate manifests e.g. CRD, RBAC etc.

api/v1alpha2/awsmachine_types.go

@@ -88,6 +88,27 @@ type AWSMachineSpec struct {
 	// +optional
 	// +kubebuilder:validation:MaxItems=2
 	NetworkInterfaces []string `json:"networkInterfaces,omitempty"`
+
+	// CloudInit defines options related to the bootstrapping systems where
+	// CloudInit is used.
+	// +optional
+	CloudInit *CloudInit `json:"cloudInit,omitempty"`
+}
+
+// CloudInit defines options related to the bootstrapping systems where
+// CloudInit is used.
+type CloudInit struct {
+	// enableSecureSecretsManager, when set to true will use AWS Secrets Manager to ensure
+	// userdata privacy. A cloud-init boothook shell script is prepended to download
+	// the userdata from Secrets Manager and additionally delete the secret.
+	// +optional
+	EnableSecureSecretsManager bool `json:"enableSecureSecretsManager,omitempty"`
+
+	// SecretARN is the Amazon Resource Name of the secret. This is stored
+	// temporarily, and deleted when the machine registers as a node against
+	// the workload cluster.
+	// +optional
+	SecretARN string `json:"secretARN,omitempty"`
 }
 
 // AWSMachineStatus defines the observed state of AWSMachine

api/v1alpha2/types.go

@@ -20,6 +20,8 @@ import (
 	"fmt"
 	"sort"
 	"time"
+
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 // AWSResourceReference is a reference to a specific AWS resource by ID, ARN, or filters.
@@ -474,6 +476,23 @@ var (
 	// InstanceStateStopped is the string representing an instance
 	// that has been stopped and can be restarted
 	InstanceStateStopped = InstanceState("stopped")
+
+	// InstanceOperationalStates defines the set of states in which an EC2 instance is
+	// or can return to running, and supports all EC2 operations
+	InstanceOperationalStates = sets.NewString(
+		string(InstanceStatePending),
+		string(InstanceStateRunning),
+		string(InstanceStateStopping),
+		string(InstanceStateStopped),
+	)
+
+	// InstanceKnownStates represents all known EC2 instance states
+	InstanceKnownStates = InstanceOperationalStates.Union(
+		sets.NewString(
+			string(InstanceStateShuttingDown),
+			string(InstanceStateTerminated),
+		),
+	)
 )
 
 // Instance describes an AWS instance.

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml

@@ -121,6 +121,22 @@ spec:
                 to use for this instance. If multiple subnets are matched for the
                 availability zone, the first one return is picked.
               type: string
+            cloudInit:
+              description: CloudInit defines options related to the bootstrapping
+                systems where CloudInit is used.
+              properties:
+                enableSecureSecretsManager:
+                  description: enableSecureSecretsManager, when set to true will use
+                    AWS Secrets Manager to ensure userdata privacy. A cloud-init boothook
+                    shell script is prepended to download the userdata from Secrets
+                    Manager and additionally delete the secret.
+                  type: boolean
+                secretARN:
+                  description: SecretARN is the Amazon Resource Name of the secret.
+                    This is stored temporarily, and deleted when the machine registers
+                    as a node against the workload cluster.
+                  type: string
+              type: object
             iamInstanceProfile:
               description: IAMInstanceProfile is a name of an IAM instance profile
                 to assign to the instance

config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml

@@ -132,6 +132,23 @@ spec:
                         zone to use for this instance. If multiple subnets are matched
                         for the availability zone, the first one return is picked.
                       type: string
+                    cloudInit:
+                      description: CloudInit defines options related to the bootstrapping
+                        systems where CloudInit is used.
+                      properties:
+                        enableSecureSecretsManager:
+                          description: enableSecureSecretsManager, when set to true
+                            will use AWS Secrets Manager to ensure userdata privacy.
+                            A cloud-init boothook shell script is prepended to download
+                            the userdata from Secrets Manager and additionally delete
+                            the secret.
+                          type: boolean
+                        secretARN:
+                          description: SecretARN is the Amazon Resource Name of the
+                            secret. This is stored temporarily, and deleted when the
+                            machine registers as a node against the workload cluster.
+                          type: string
+                      type: object
                     iamInstanceProfile:
                       description: IAMInstanceProfile is a name of an IAM instance
                         profile to assign to the instance