Add Operator AWS credentials (#349)

Author: ospillinger

cortex.sh

@@ -115,6 +115,9 @@ if [ "$AWS_SECRET_ACCESS_KEY" = "" ]; then
   fi
 fi
 
+export CORTEX_AWS_ACCESS_KEY_ID="${CORTEX_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}"
+export CORTEX_AWS_SECRET_ACCESS_KEY="${CORTEX_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}"
+
 export CORTEX_LOG_GROUP="${CORTEX_LOG_GROUP:-cortex}"
 export CORTEX_BUCKET="${CORTEX_BUCKET:-""}"
 export CORTEX_REGION="${CORTEX_REGION:-us-west-2}"
@@ -183,6 +186,8 @@ function install_cortex() {
   docker run -it --entrypoint /root/install_cortex.sh \
     -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
     -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
+    -e CORTEX_AWS_ACCESS_KEY_ID=$CORTEX_AWS_ACCESS_KEY_ID \
+    -e CORTEX_AWS_SECRET_ACCESS_KEY=$CORTEX_AWS_SECRET_ACCESS_KEY \
     -e CORTEX_CLUSTER=$CORTEX_CLUSTER \
     -e CORTEX_REGION=$CORTEX_REGION \
     -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \
@@ -394,7 +399,7 @@ function confirm_for_uninstall() {
   while true
   do
     echo
-    read -p "Are you sure you want to uninstall Cortex? Your cluster will be spun down and all resources will be deleted. [Y/n] " -n 1 -r
+    read -p "Are you sure you want to uninstall Cortex? (Your cluster will be spun down and all resources will be deleted) [Y/n] " -n 1 -r
     echo
     if [[ $REPLY =~ ^[Yy]$ ]]; then
       break

docs/cluster/config.md

@@ -11,6 +11,10 @@ These environment variables can be modified and exported before running `cortex.
 export AWS_ACCESS_KEY_ID="***"
 export AWS_SECRET_ACCESS_KEY="***"
 
+# Optional AWS credentials for the Operator which may be used to restrict its AWS access (defaults to the AWS credentials set above)
+export CORTEX_AWS_ACCESS_KEY_ID="***"
+export CORTEX_AWS_SECRET_ACCESS_KEY="***"
+
 # The name of the CloudWatch log group Cortex will use
 export CORTEX_LOG_GROUP="cortex"
 

docs/cluster/security.md

@@ -6,9 +6,36 @@ If you are not using a sensitive AWS account and do not have a lot of experience
 
 ### Operator
 
-The operator requires read permissions for any data sources, read and write permissions for the Cortex S3 bucket, and read and write permissions for the Cortex CloudWatch log group. The pre-defined `AmazonS3FullAccess` and `CloudWatchLogsFullAccess` policies cover these permissions, but you can create more limited policies manually.
-
-If you don't already have a Cortex S3 bucket and/or Cortex CloudWatch log group, you will need to add create permissions during installation.
+The operator requires read permissions for any S3 bucket containing exported models, read and write permissions for the Cortex S3 bucket, read and write permissions for the Cortex CloudWatch log group, and read and write permissions for CloudWatch metrics. The policy below may be used to restrict the Operator's access:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "sts:GetCallerIdentity"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "s3:*",
+            "Resource": "*"
+        },
+        {
+            "Action": [
+                "cloudwatch:*",
+                "logs:*"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ]
+}
+```
 
 ### CLI
 

docs/cluster/upgrade.md renamed to docs/cluster/update.md

@@ -1,4 +1,4 @@
-# Upgrade
+# Update
 
 ## Prerequisites
 
@@ -22,10 +22,10 @@ chmod +x cortex.sh
 export AWS_ACCESS_KEY_ID=***
 export AWS_SECRET_ACCESS_KEY=***
 
-# Upgrade Cortex
-./cortex.sh upgrade
+# Update Cortex
+./cortex.sh update
 
-# Upgrade the CLI
+# Update the CLI
 ./cortex.sh install cli
 
 # Confirm version

docs/summary.md

@@ -22,7 +22,7 @@
 * [AWS Credentials](cluster/aws.md)
 * [Configuration](cluster/config.md)
 * [Security](cluster/security.md)
-* [Upgrade](cluster/upgrade.md)
+* [Update](cluster/update.md)
 * [Uninstall](cluster/uninstall.md)
 * [Development](cluster/development.md)
 

manager/install_cortex.sh

@@ -75,8 +75,8 @@ function setup_configmap() {
 
 function setup_secrets() {
   kubectl -n=$CORTEX_NAMESPACE create secret generic 'aws-credentials' \
-    --from-literal='AWS_ACCESS_KEY_ID'=$AWS_ACCESS_KEY_ID \
-    --from-literal='AWS_SECRET_ACCESS_KEY'=$AWS_SECRET_ACCESS_KEY \
+    --from-literal='AWS_ACCESS_KEY_ID'=$CORTEX_AWS_ACCESS_KEY_ID \
+    --from-literal='AWS_SECRET_ACCESS_KEY'=$CORTEX_AWS_SECRET_ACCESS_KEY \
     -o yaml --dry-run | kubectl apply -f - >/dev/null
 }
 
@@ -104,8 +104,8 @@ function setup_istio() {
   envsubst < manifests/istio-metrics.yaml | kubectl apply -f - >/dev/null
 
   kubectl -n=istio-system create secret generic 'aws-credentials' \
-    --from-literal='AWS_ACCESS_KEY_ID'=$AWS_ACCESS_KEY_ID \
-    --from-literal='AWS_SECRET_ACCESS_KEY'=$AWS_SECRET_ACCESS_KEY \
+    --from-literal='AWS_ACCESS_KEY_ID'=$CORTEX_AWS_ACCESS_KEY_ID \
+    --from-literal='AWS_SECRET_ACCESS_KEY'=$CORTEX_AWS_SECRET_ACCESS_KEY \
     -o yaml --dry-run | kubectl apply -f - >/dev/null
   istio_patch="[
     {\"op\": \"add\", \"path\": \"/spec/template/spec/containers/0/env/-\", \"value\": {\"name\": \"AWS_ACCESS_KEY_ID\", \"valueFrom\": {\"secretKeyRef\": {\"name\": \"aws-credentials\", \"key\": \"AWS_ACCESS_KEY_ID\"}}}},\