Add bootstrap changes to support eks-pod-identity-agent with IAM-RA

Dockerfile

@@ -40,7 +40,8 @@ RUN dnf update -y && \
         xfsprogs \
         lvm2 \
         mdadm \
-        rsync && \
+        rsync \
+        gettext && \
     dnf clean all
 
 # Verify that all packages are installed
@@ -52,12 +53,14 @@ RUN \
     command -v mkfs.xfs && \
     command -v lvm && \
     command -v mdadm && \
-    command -v rsync
+    command -v rsync && \
+    command -v envsubst
 
 # Copy the wrapper script and EKS Hybrid setup scripts into the container
 COPY bootstrap-script.sh /usr/local/bin/bootstrap-script.sh
 COPY eks-hybrid-ssm-setup.sh /usr/local/bin/eks-hybrid-ssm-setup
 COPY eks-hybrid-iam-ra-setup.sh /usr/local/bin/eks-hybrid-iam-ra-setup
+COPY aws-signing-helper-update.service.in /usr/share/bootstrap/aws-signing-helper-update.service.in
 
 # Copy the SSM agent from the builder stage
 COPY --from=builder /usr/bin/amazon-ssm-agent /usr/local/bin/amazon-ssm-agent

Makefile

@@ -73,7 +73,7 @@ check-iam-ra-setup:
 	@echo "Running IAM-RA setup check"
 	@OUTPUT=$$(docker run --rm --entrypoint /usr/bin/bash \
 		$(IMAGE_NAME) \
-		-c "cp /usr/bin/true /usr/bin/apiclient; eks-hybrid-iam-ra-setup --certificate=${TEST_NODE_CERT} --key=${TEST_NODE_KEY} --dry-run=true 2>&1 || true"); \
+		-c "eks-hybrid-iam-ra-setup --certificate=${TEST_NODE_CERT} --key=${TEST_NODE_KEY} --dry-run=true 2>&1 || true"); \
 	if echo "$$OUTPUT" | grep -q "${TEST_NODE_CERT}"; then \
 		echo "Test failed: certificate content found in output"; \
 		exit 1; \

aws-signing-helper-update.service.in

@@ -0,0 +1,14 @@
+[Unit]
+Description=Service that runs aws_signing_helper update to keep the AWS credentials refreshed in ${EKS_HYBRID_SHARED_CREDENTIALS_FILE}.
+
+[Service]
+User=root
+Environment=AWS_SHARED_CREDENTIALS_FILE=${EKS_HYBRID_SHARED_CREDENTIALS_FILE}
+ExecStart=${SIGNING_HELPER_UPDATE_COMMAND}
+StandardOutput=journal
+StandardError=inherit
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target

eks-hybrid-iam-ra-setup.sh

@@ -3,7 +3,15 @@
 exec >&2
 set -eu -o pipefail
 
-declare -r SECRETS_DIR="/.bottlerocket/rootfs/root/.aws"
+declare -r HOST_ROOTFS="/.bottlerocket/rootfs"
+declare -r SECRETS_DIR="${HOST_ROOTFS}/root/.aws"
+declare -r EKS_HYBRID_AWS_DIR="/root/.aws/eks-hybrid"
+declare -r EKS_HYBRID_SHARED_CREDENTIALS_FILE="${EKS_HYBRID_AWS_DIR}/credentials"
+declare -r EKS_HYBRID_POD_IDENTITY_AWS_DIR="${HOST_ROOTFS}/var/eks-hybrid/.aws"
+declare -r SIGNING_HELPER_SERVICE="aws-signing-helper-update.service"
+declare -r SIGNING_HELPER_SERVICE_TEMPLATE_PATH="/usr/share/bootstrap/${SIGNING_HELPER_SERVICE}.in"
+declare -r SYSTEMD_UNIT_DIR="${HOST_ROOTFS}/run/systemd/system"
+declare -r SIGNING_HELPER_SERVICE_PATH="${SYSTEMD_UNIT_DIR}/${SIGNING_HELPER_SERVICE}"
 
 DRY_RUN="false"
 for opt in "$@"; do
@@ -43,6 +51,17 @@ if ! [ "${DRY_RUN}" = "true" ]; then
     fi
 fi
 
+get_aws-signing-helper-update_command() {
+    local credential_process_from_config
+    credential_process_from_config="$(AWS_CONFIG_FILE="$1" aws configure get profile.default.credential_process)"
+    if [ -n "${credential_process_from_config}" ]; then
+        echo "${credential_process_from_config/aws_signing_helper credential-process/aws_signing_helper update}"
+    else
+        echo "Error: No credential_process found in default profile" >&2
+        return 1
+    fi
+}
+
 cat << EOF > "${SECRETS_DIR}/node.crt"
 ${NODE_CERT_DATA}
 EOF
@@ -51,6 +70,20 @@ cat << EOF > "${SECRETS_DIR}/node.key"
 ${NODE_KEY_DATA}
 EOF
 
+if [ "${DRY_RUN}" = "true" ]; then
+  exit 0
+fi
+
+SIGNING_HELPER_UPDATE_COMMAND="$(get_aws-signing-helper-update_command ${SECRETS_DIR}/config)"
+export EKS_HYBRID_SHARED_CREDENTIALS_FILE SIGNING_HELPER_UPDATE_COMMAND
+# shellcheck disable=SC2016 # we want to replace the variables verbatim
+envsubst '${EKS_HYBRID_SHARED_CREDENTIALS_FILE}:${SIGNING_HELPER_UPDATE_COMMAND}' \
+    < "${SIGNING_HELPER_SERVICE_TEMPLATE_PATH}" \
+    > "${SIGNING_HELPER_SERVICE_PATH}"
+chroot "${HOST_ROOTFS}" systemctl enable "${SIGNING_HELPER_SERVICE}" --no-reload --quiet
+mkdir -p "$(dirname "${EKS_HYBRID_POD_IDENTITY_AWS_DIR}")"
+ln -sf "${EKS_HYBRID_AWS_DIR}" "${EKS_HYBRID_POD_IDENTITY_AWS_DIR}"
+
 variant_id="$(apiclient get os.variant_id | jq -r '.os.variant_id')"
 version_id="$(apiclient get os.version_id | jq -r '.os.version_id')"
 apiclient set \