refactor: replace aws CLI with argocd-k8s-auth #8032
Conversation
@jannfis, @jessesuen, what do you think? Is it worth it?
Codecov Report
@@ Coverage Diff @@
##           master    #8032      +/-   ##
==========================================
- Coverage   45.51%   45.47%   -0.05%
==========================================
  Files         217      217
  Lines       25663    25663
==========================================
- Hits        11680    11669      -11
- Misses      12355    12369      +14
+ Partials     1628     1625       -3
Continue to review full report at Codecov.
LGTM
I do like this change very much - instead of pulling in several (large) vendor specific binaries, having a single binary using the vendor's libraries is the right way to go. I share the concern for code support tho, because maintaining this piece of code would require access to a vendor specific cluster. I for my part have zero access to any AWS or Google platforms. I have a couple of cosmetic nits for this one:
Thank you for reviewing @jannfis! I agree -
@jessesuen pointed out that we could use https://github.com/kubernetes-sigs/aws-iam-authenticator . In the past, we've moved from The
Any ETA on this PR? I'm interested to see if we can enhance it to support GCP auth as a follow-up.
@zhang-xuebin, by GCP support do you mean Workload Identity?
I mean to allow Argo CD's application controller (and server) to be able to obtain a GCP OAuth token so it can call Google APIs and manage more platforms provided by Google (including Private GKE, GKE on VMware, etc.). I have figured out a short-term solution to use Workload Identity and let Argo CD manage Private GKE and GKE on VMware clusters. But if Argo can support this natively, it will definitely be fantastic.
How did you accomplish this?
For posterity the options were:
- aws cli - too big, brings in python. we only used it because it was the only one that supported IRSA originally
- aws-iam-authenticator - one more binary to vendor
- argocd-k8s-auth aws - our own command which replicates functionality of aws-iam-authenticator
After discussion, we agreed to go with option 3 because:
- it produces the smallest image size
- code maintenance will be easier than expected (only needs two AWS API calls)
- dependabot can help us keep up-to-date (vs. upstream CLI)
Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>
Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> Signed-off-by: wojtekidd <wojtek.cichon@protonmail.com>
This reverts commit 655be25. Signed-off-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com>
Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>
PR is inspired by #7947. PR removes `aws` and replaces it with the new `argocd-k8s-auth` binary. The `argocd-k8s-auth` provides the `argocd-k8s-auth aws` command that generates an authentication token. This change provides the following advantages: it removes ~120+ MB from the image and gives us the opportunity to support GKE authentication (#3027).
The disadvantage is that we have to support more code. I also could not find any easy way to test it, since we need a real EKS cluster.
Please let me know what you think.
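As an added illustration (not code from this PR, from argocd-k8s-auth, or from aws-iam-authenticator), the Go function below reproduces the token format that aws-iam-authenticator emits and that a replacement such as `argocd-k8s-auth aws` has to match: a SigV4 query-presigned STS GetCallerIdentity request, with the cluster name bound into the signature through the `x-k8s-aws-id` header, wrapped as a `k8s-aws-v1.` bearer token. The function name, the cluster name and the credential values are assumptions constructed for the example; only static access keys are handled.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// hmacSHA256 is one step of the SigV4 signing-key derivation chain.
func hmacSHA256(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}

// EKSToken builds the "k8s-aws-v1." bearer token: a presigned GET to STS
// GetCallerIdentity (valid for 60 s) whose signed headers include x-k8s-aws-id,
// base64url-encoded without padding. Hypothetical name; static credentials only.
func EKSToken(cluster, region, accessKey, secretKey string, now time.Time) string {
	amzDate := now.UTC().Format("20060102T150405Z")
	date, host := amzDate[:8], "sts."+region+".amazonaws.com"
	scope := date + "/" + region + "/sts/aws4_request"
	q := url.Values{"Action": {"GetCallerIdentity"}, "Version": {"2011-06-15"},
		"X-Amz-Algorithm": {"AWS4-HMAC-SHA256"}, "X-Amz-Credential": {accessKey + "/" + scope},
		"X-Amz-Date": {amzDate}, "X-Amz-Expires": {"60"}, "X-Amz-SignedHeaders": {"host;x-k8s-aws-id"}}
	query := q.Encode() // sorted by key and RFC 3986-escaped: the SigV4 canonical query string
	// Canonical request for a GET with no body; the last line is SHA-256 of the empty string.
	canonical := strings.Join([]string{"GET", "/", query,
		"host:" + host + "\nx-k8s-aws-id:" + cluster + "\n", "host;x-k8s-aws-id",
		"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}, "\n")
	crHash := sha256.Sum256([]byte(canonical))
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(crHash[:])}, "\n")
	k := hmacSHA256([]byte("AWS4"+secretKey), date) // key derivation: date, region, service, terminator
	for _, part := range []string{region, "sts", "aws4_request"} {
		k = hmacSHA256(k, part)
	}
	sig := hex.EncodeToString(hmacSHA256(k, toSign))
	presigned := "https://" + host + "/?" + query + "&X-Amz-Signature=" + sig
	return "k8s-aws-v1." + base64.RawURLEncoding.EncodeToString([]byte(presigned))
}

func main() {
	// Constructed sample inputs; the key pair is a placeholder, not a real credential.
	fmt.Println(EKSToken("demo-cluster", "us-east-1", "AKIAEXAMPLE", "exampleSecretKey", time.Now()))
}
```

EKS verifies the token by executing the presigned call itself and mapping the returned IAM identity through RBAC, so the API server never sees the secret key and the token is only useful for the short X-Amz-Expires window.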