Update: service account for capa and aws provider on irsa #230
…ns-app into update-sa-for-irsa
helm/external-dns-app/values.yaml
Outdated
# aws.accountID | ||
# AWS account ID is used to assume role via IRSA (IAM roles for service accounts). | ||
# It is dynamically set and will be overridden. | ||
accountID: "" |
we still need this for non vintage clusters
{{- $_ := set .Values.serviceAccount.annotations "eks.amazonaws.com/role-arn" (tpl "arn:aws:iam::{{ .Values.aws.accountID }}:role/{{ template \"aws.iam.role\" . }}" .) }} | ||
{{- end}} | ||
{{- if and (or (eq .Values.provider "capa")) }} |
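Review bot: the condition on the last line, `{{- if and (or (eq .Values.provider "capa")) }}`, passes a single comparison through one-argument `or` and `and`, so it is equivalent to `eq .Values.provider "capa"` and never tests `.Values.aws.access`. Whatever this block sets for capa is applied regardless of the access mode; put the access mode in the condition explicitly and drop the redundant wrappers. The role ARN two lines up is built from `.Values.aws.accountID`, whose default in values.yaml is an empty string, so wrapping that value in Helm's `required` would make a missing account ID fail at render time instead of producing an ARN with an empty account field.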
We still need to verify aws access internal. The reason is that a customer can also use "external", which uses ENV to set AWS credentials.
{{- if and (or (eq .Values.provider "capa")) }} | |
{{- else if and (eq .Values.provider "capa") (eq .Values.aws.access "internal") }} |
@@ -11,9 +11,6 @@ | |||
"access": { | |||
"type": "string" | |||
}, | |||
"accountID": { |
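Review bot: the hunk header `@@ -11,9 +11,6 @@` shows the schema shrinking by three lines, and the visible lines end at the `"accountID"` property, while the service account template still reads `.Values.aws.accountID` to build the role ARN. Keep the property in the schema with `"type": "string"`, matching its `"access"` sibling, so the value stays validated wherever it is set.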
Can you please add that back? Thank you!
Good catch. Thanks!
Co-authored-by: Matías Charrière <matias@giantswarm.io>
lgtm
looks good!
This PR:
Updates the service account annotation for irsa on aws and capa
Towards - giantswarm/roadmap#1640
Checklist
Testing
The instance of external-dns installed as part of Giant Swarm platform releases watches services in the kube-system namespace with annotations giantswarm.io/external-dns=managed and external-dns.alpha.kubernetes.io/hostname matching the cluster's base domain. (You can find this in the deployment's args --domain-filter value.)
You can take this example Service, apply it to your cluster. Change the external-dns.alpha.kubernetes.io/hostname annotation to match your cluster's base domain.
then:
Desired change: CREATE test.your.configured.domain.gigantic.io CNAME
https://www.dnstester.net/
For testing upgrades:
Default app on AWS releases
Default app on Azure releases
Optional app (KVM)