make aws access keys optional

api/v1alpha1/upgradeinsights_types.go

@@ -108,8 +108,8 @@ type AWSProviderCredentials struct {
 	Region string `json:"region"`
 
 	// AccessKeyID is your access key ID used to authenticate against AWS API.
-	// +kubebuilder:validation:Required
-	AccessKeyID string `json:"accessKeyID"`
+	// +kubebuilder:validation:Optional
+	AccessKeyID *string `json:"accessKeyID,omitempty"`
 
 	// SecretAccessKeyRef is a reference to the secret that contains secret access key.
 	// Since UpgradeInsights is a cluster-scoped resource we can't use local reference.
@@ -131,6 +131,6 @@ type AWSProviderCredentials struct {
 	//      name: eks-credentials
 	//      namespace: upgrade-insights-test
 	//
-	// +kubebuilder:validation:Required
-	SecretAccessKeyRef corev1.SecretReference `json:"secretAccessKeyRef"`
+	// +kubebuilder:validation:Optional
+	SecretAccessKeyRef *corev1.SecretReference `json:"secretAccessKeyRef,omitempty"`
 }

internal/controller/upgradeinsights_cloudprovider.go

@@ -156,28 +156,55 @@ func (in *EKSCloudProvider) toInsightDetails(insight *types.Insight) []*console.
 }
 
 func (in *EKSCloudProvider) config(ctx context.Context, ui v1alpha1.UpgradeInsights) (aws.Config, error) {
-	// If credentials are not provided in the request, then use default credentials.
-	if ui.Spec.Credentials == nil || ui.Spec.Credentials.AWS == nil {
-		return awsconfig.LoadDefaultConfig(ctx, awsconfig.WithEC2IMDSRegion())
-	}
+	options := []func(*awsconfig.LoadOptions) error{awsconfig.WithEC2IMDSRegion()}
 
-	// Otherwise use provided credentials.
-	credentials := ui.Spec.Credentials.AWS
-	secretAccessKey, err := in.handleSecretAccessKeyRef(ctx, ui.Spec.Credentials.AWS.SecretAccessKeyRef, ui.Namespace)
-	if err != nil {
-		return aws.Config{}, err
+	if in.hasAccessKeys(ui) {
+		options = append(options, in.withCredentials(ctx, ui))
 	}
 
-	config, err := awsconfig.LoadDefaultConfig(ctx)
-	if err != nil {
-		return aws.Config{}, err
+	if in.hasRegion(ui) {
+		options = append(options, in.withRegion(ui))
 	}
 
-	config.Region = credentials.Region
-	config.Credentials = awscredentials.NewStaticCredentialsProvider(
-		credentials.AccessKeyID, secretAccessKey, "")
+	return awsconfig.LoadDefaultConfig(ctx, options...)
+}
+
+func (in *EKSCloudProvider) hasCredentials(ui v1alpha1.UpgradeInsights) bool {
+	return ui.Spec.Credentials != nil && ui.Spec.Credentials.AWS != nil
+}
+
+func (in *EKSCloudProvider) hasAccessKeys(ui v1alpha1.UpgradeInsights) bool {
+	return in.hasCredentials(ui) &&
+		ui.Spec.Credentials.AWS.SecretAccessKeyRef != nil &&
+		ui.Spec.Credentials.AWS.AccessKeyID != nil
+}
+
+func (in *EKSCloudProvider) hasRegion(ui v1alpha1.UpgradeInsights) bool {
+	return in.hasCredentials(ui) && len(ui.Spec.Credentials.AWS.Region) > 0
+}
 
-	return config, nil
+func (in *EKSCloudProvider) withCredentials(ctx context.Context, ui v1alpha1.UpgradeInsights) awsconfig.LoadOptionsFunc {
+	credentials := ui.Spec.Credentials.AWS
+	return func(options *awsconfig.LoadOptions) error {
+		secretAccessKey, err := in.handleSecretAccessKeyRef(ctx, *credentials.SecretAccessKeyRef, ui.Namespace)
+		if err != nil {
+			return err
+		}
+
+		options.Credentials = awscredentials.NewStaticCredentialsProvider(
+			*credentials.AccessKeyID,
+			secretAccessKey,
+			"",
+		)
+		return nil
+	}
+}
+
+func (in *EKSCloudProvider) withRegion(ui v1alpha1.UpgradeInsights) awsconfig.LoadOptionsFunc {
+	return func(options *awsconfig.LoadOptions) error {
+		options.Region = ui.Spec.Credentials.AWS.Region
+		return nil
+	}
 }
 
 func (in *EKSCloudProvider) handleSecretAccessKeyRef(ctx context.Context, ref corev1.SecretReference, namespace string) (string, error) {