This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

whitelist two environment variables for AWS IAM roles in Kubernetes #3229

Merged
merged 3 commits into from Mar 16, 2021

Conversation


@mattwillsher mattwillsher commented Aug 4, 2020

  • AWS_WEB_IDENTITY_TOKEN_FILE
  • AWS_ROLE_ARN

Such that the AWS CodeCommit git credential helper can be used in the fluxcd container so that static git credentials are not needed. This does require additional components in the fluxcd container. For example:

# Extend the upstream flux image with the AWS CLI and the CodeCommit remote helper
FROM fluxcd/flux:1.20.0

# Pin the Alpine package and pip versions so the build is reproducible
ARG PY3PIP_VERSION=20.1.1-r0
ARG AWSCLI_VERSION=1.18.55-r0
ARG GITREMOTECODECOMMIT_VERSION=1.13

RUN /sbin/apk add --no-cache py3-pip="$PY3PIP_VERSION" aws-cli="$AWSCLI_VERSION"
RUN pip3 install git-remote-codecommit=="$GITREMOTECODECOMMIT_VERSION"
# Let git obtain short-lived CodeCommit credentials from the AWS CLI instead of a stored token;
# UseHttpPath makes the helper receive the repository path so it can scope the request
RUN git config --global credential.helper '!aws codecommit credential-helper $@' \
    && git config --global credential.UseHttpPath true

An IAM role for the service account can then be used to authenticate to CodeCommit (https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), with --git-url set to the HTTPS URL of the CodeCommit repo as given by aws, and a patch to the flux ServiceAccount giving the IAM role ARN:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: flux
  name: flux
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/MyFluxRole

This goes some way to address #2895
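The PR whitelists two environment variables so that the IRSA webhook's injected values reach the git child process, where the credential helper reads them. The following Go program is an added example, not flux's code, showing the allow-list pattern and a readiness check a practitioner would want before trusting that the helper can assume the role: the allow-list contents other than the two AWS variables, the helper names (FilterGitEnv, IRSAReady), the sample environment and the injected fileExists function are all assumptions made for illustration; the role ARN is the placeholder from the ServiceAccount patch above and the token path is the one the EKS pod identity webhook projects.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// allowedGitEnv is an illustrative allow-list of variables passed through to git.
// AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN are the two this PR adds; the
// remaining entries are assumptions for this example, not flux's real list.
var allowedGitEnv = map[string]bool{
	"PATH":                        true,
	"HOME":                        true,
	"GIT_SSH_COMMAND":             true,
	"AWS_WEB_IDENTITY_TOKEN_FILE": true,
	"AWS_ROLE_ARN":                true,
}

// roleARNPattern accepts an IAM role ARN in the commercial, GovCloud or China partitions.
var roleARNPattern = regexp.MustCompile(`^arn:aws(-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$`)

// sampleEnviron is a constructed pod environment: the two IRSA variables next to a
// static credential that must NOT be forwarded to git.
var sampleEnviron = []string{
	"PATH=/usr/local/bin:/usr/bin:/bin",
	"HOME=/home/flux",
	"AWS_ROLE_ARN=arn:aws:iam::123456789012:role/MyFluxRole",
	"AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
	"AWS_SECRET_ACCESS_KEY=static-key-that-should-not-leak",
	"KUBERNETES_SERVICE_HOST=10.0.0.1",
}

// FilterGitEnv keeps only KEY=VALUE entries whose key is in the allow-list.
// Everything else (static credentials, cluster internals) is dropped before exec.
func FilterGitEnv(environ []string, allow map[string]bool) []string {
	var out []string
	for _, kv := range environ {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		if allow[parts[0]] {
			out = append(out, kv)
		}
	}
	sort.Strings(out) // deterministic order for logging and tests
	return out
}

// IRSAReady reports whether the filtered environment carries what the CodeCommit
// credential helper needs: a present token file and a well-formed role ARN.
// fileExists is injected so the check can run offline and in tests.
func IRSAReady(env []string, fileExists func(string) bool) error {
	vars := map[string]string{}
	for _, kv := range env {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) == 2 {
			vars[parts[0]] = parts[1]
		}
	}
	token := vars["AWS_WEB_IDENTITY_TOKEN_FILE"]
	if token == "" {
		return errors.New("AWS_WEB_IDENTITY_TOKEN_FILE not set: the webhook did not inject it or the env filter stripped it")
	}
	if !fileExists(token) {
		return fmt.Errorf("token file %q not present: projected service account volume missing", token)
	}
	arn := vars["AWS_ROLE_ARN"]
	if !roleARNPattern.MatchString(arn) {
		return fmt.Errorf("AWS_ROLE_ARN %q missing or malformed", arn)
	}
	return nil
}

func main() {
	filtered := FilterGitEnv(sampleEnviron, allowedGitEnv)
	fmt.Println("environment forwarded to git:")
	for _, kv := range filtered {
		fmt.Println("  ", kv)
	}
	realFile := func(p string) bool { _, err := os.Stat(p); return err == nil }
	if err := IRSAReady(filtered, realFile); err != nil {
		fmt.Println("IRSA not ready:", err)
		return
	}
	fmt.Println("IRSA ready: credential helper can assume the role")
}
```

Run outside a pod the readiness check fails on the missing token file, which is the same symptom you see when the ServiceAccount annotation is absent or the variables are filtered out before git runs.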

@mattwillsher (Author)

I see the build job didn't return here. Is there anything I can do to get that passed?

@stefanprodan (Member)

/rebase

@jamesinc

Keen for this PR to be merged

@kingdonb (Member)

This sounds like an important feature, for AWS CodeCommit users 👍

@kingdonb (Member) commented Feb 9, 2021

I'd like to consider including this in the next release, but there are some CI checks which are still marked as failing.

@mattwillsher can you rebase this and add signoff according to the instructions that the DCO merge check will provide? (Basically just git commit -s, or git commit --amend -s; if you want to skip a step, you can rebase and sign off.)

If you are still interested in merging this, the rebase update should trigger CI to run again. I will add it to the 1.21.3 milestone for now. Thanks.

@kingdonb kingdonb added this to the 1.21.3 milestone Feb 9, 2021
@kingdonb (Member)

Hi,

I want to include this in the next release, but I don't use AWS CodeCommit and can't test it by myself

Also, the DCO bot won't let me merge it if it isn't rebased, and signed-off

Would you be willing to rebase and amend the commit with --sign-off?

@kingdonb kingdonb modified the milestones: 1.22.1, 1.22.0 Feb 23, 2021
@kingdonb kingdonb self-assigned this Feb 23, 2021
@mattwillsher (Author)

Would you be willing to rebase and amend the commit with --sign-off?

Done

@kingdonb (Member)

Thank you, that helps. Using the Github UI to catch up the branch...

@kingdonb (Member)

I will rebase this into a release branch later, and update this PR with the final status when it gets merged in 1.22.0.

👍 thanks for your contribution!

Kingdon Barrett added 2 commits February 26, 2021 07:22
go.mod - reset k8s machinery to 1.17.17

This is the latest release that we can update to
-- see fluxcd#3378

Try to remove when distribution/distribution#2905 is out

docker/distribution patch still needed for now

(Put it back for now.) On 2021-02-25 this has been merged, 2.7.2 of
docker/distribution should include it hopefully relatively soon!

Signed-off-by: Kingdon Barrett <kingdon@weave.works>
@kingdonb (Member) commented Mar 3, 2021

/rebase

Signed-off-by: Matt Willsher <matt@monki.org.uk>
Signed-off-by: Kingdon Barrett <kingdon@weave.works>
@kingdonb (Member) commented Mar 11, 2021

I changed the language of this PR to say, from:

This goes some way to resolve #2895

to:

This goes some way to address #2895

because the former is a hotword that will close #2895 when this PR is merged, but the language in the PR indicates it has other issues blocking #2895

@kingdonb kingdonb self-requested a review March 11, 2021 06:23
@kingdonb kingdonb left a comment

LGTM

@kingdonb kingdonb merged commit 9310aa2 into fluxcd:master Mar 16, 2021
@kingdonb kingdonb removed their assignment Mar 17, 2021

4 participants