This repository was archived by the owner on Nov 5, 2024. It is now read-only.
AWS IAM auth SA name support#1453
Merged
Merged
Conversation
7d4083c to
1ff4515
Compare
FranBarrera
approved these changes
Jun 29, 2023
FranBarrera
left a comment
Contributor
There was a problem hiding this comment.
+1 (I haven't tested it manually)
Contributor
|
For docs, I'm assuming for now that this has no impact on the spec.auth.credentials.assumeIamRole parameter which remains in the same place. Let me know if that isn't right! |
Contributor
|
@tzununbekov your Bonus 1 comment makes it sound like this feature request would be addressed by this PR: #1463 How ever, the comment from the user there indicates that this might only work for sources and not targets? Any thoughts? Perhaps there is still a TODO for GCP targets. |
Contributor
|
docs PR triggermesh/docs#394 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Initial proposal: #1309
Context
The original PR was not merged because the solution there was based on the k8s object annotations which is not a common approach for this kind of modification in our components.
An additional requirement: provided service account may already exist; in this case, we should not reconcile it to avoid conflicts.
Proposed change
This PR introduces the following AWS Auth spec update (for all AWS components):
spec.auth.iamRoleparameter - all creation requests for AWS components with this attribute in their spec will be rejected by the webhook (and CRD requirements). Existing objects will continue their work,spec.auth.iamobject withroleArnandserviceAccountattributes to replace and extend the deprecatediamRoleparameter.roleArnexpects the value that was previously set iniamRoleparameter, andserviceAccountis the Kubernetes service account name to create or re-use for the adapter deployment. At least one of the attributes must be present in thespec.auth.iamobject.Example
AWS Auth spec before:
-service account with a preconfigured name will be created for the source by the controller.
Some options after this PR:
-spec format update with no behavior change - SA with the preconfigured name will be created by the controller.
-service account
aws-source-sawill be created by the controller. If a service account with this name already exists, the controller checks the labels, and, if the labelmanaged-byhas the valuetriggermesh-controller, SA's owners list is updated with the current object. If the labelmanaged-bydoes not exist or it has a value different fromtriggermesh-controller, reconciliation is skipped. Then this SA is assigned to the adapter deployment.SA's annotation "eks.amazonaws.com/role-arn" can be overwritten by the controller only if SA is managed by the triggermesh controller and there is only one owner to it, otherwise, annotation is ignored to avoid reconciliation conflicts.
-service account
aws-source-sawill be created if needed and assigned to the receive adapter deployment. If the service account did not exist before, it will be created without the IAM role annotation (spec.auth.iam.roleArnis not defined) and the source will fail to authenticate against the AWS API.Bonus 1:
Since this PR updates common reconciliation logic for Kubernetes service accounts, this also affects the GCP components. Custom KSA name support added in #1372 can now be utilized as shared and externally created service account support in GCP sources and targets.
Bonus 2:
This PR introduces a new Make target -
codegen-cleanup. In dev environments where the triggermesh project is located outside the GOPATH,make codegencould result in agithub.comdirectory created in the project's root with all the generated files in it. While I failed to find the proper configuration fix for the k8s code generators,make codegen-cleanupcan fix the resulting directory tree.