New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CLI option for IAM Role in annotations #1581
Comments
Thanks for logging the issue @tlkamp. We're trying to balance keeping |
@skriss thanks for getting back to me! Please forgive me as I have no working experience with Helm (we are not using it), just an idea of what it is/does. Ideally, we would like to deploy Velero onto our EKS clusters when they are built to ensure the cluster "base load" includes backup and migration/DR utilities. In order to enable Helm deployments of Velero as part of the base infrastructure load for us, we would need to also add Helm/Tiller into the base load for this single deployment. It would be a little cumbersome to do this if we could accomplish the same resulting deployment with a single extra CLI option. If I'm missing some key points to a better solution here, please please please let me know. I also understand the desire to keep the installation options minimal. Perhaps a better alternative would be to support a generic |
@tlkamp Would generating the YAML via |
@nrb it would be, yes, in the same way that adding Helm to my automation would be "usable"; it just creates a really terrible user experience when a new version of Velero is released. The workflow becomes:
This is the only issue we're encountering with our use of Velero -- the deployment not being generated "fully" and it' all due to a single annotation missing in the file. I'm more than happy to submit a PR for this myself, assuming it would be accepted. |
Yeah, that's a valid problem. Truthfully, I'm very torn about extending For myself, I wouldn't reject a PR for this and would be happy to review it. |
I think the generic approach of adding a |
@tlkamp Are you using restic? Do you want/need different pod template annotations on the restic daemonset as opposed to the velero server deployment? |
@nrb we are not using restic. We're only using Velero for our backups. The Velero documentation for AWS indicates that it needs some IAM grants in order to backup the cluster and upload said backup to S3. We're using EKS with AWS IAM instance profiles so the credentials are auto-rotated by the system. We use kube2iam to make the connection between the applications and the IAM grants they require. kube2iam works by reading the annotations on the pod to associate the role, hence needing the annotation on the Velero pod, which is defined in the Deployment :) |
@tlkamp Thanks! Just making sure, I can foresee that there may be a use case for adding different annotations to the restic daemonset. For now, I'm 👍 to having a single flag that adds the same annotations to both the daemonset and velero deployment. |
Describe the solution you'd like
Following the AWS Config instructions for using kube2iam enabled EKS clusters, we have to edit the Velero Deployment object after it is generated, either interactively through
kubectl edit deploy/velero
or through another means (creating and applying a patch for the deployment, using a mutating admission webhook to intercept the deployment); this is not great for deploying Velero in automation.It would be ideal if the
velero install ...
command provided an option to set the value of theiam.amazonaws.com/role
annotation to a given value to generate the Deployment fully.I would like to propose a workflow like this:
that results in a Deployment containing the following:
Anything else you would like to add:
If there is a better way to handle this situation, I would also be open to suggestions.
Environment:
AWS EKS with kube2iam
velero version
): 1.0.0kubectl version
): 1.10.13/etc/os-release
): Amazon Linux 2 (CentOS)The text was updated successfully, but these errors were encountered: