Added documentation for running on EKS #548
@@ -741,6 +741,14 @@ Get the url to connect to with | |||
|
|||
minikube service jenkins --namespace kubernetes-plugin --url | |||
|
|||
## Running in AWS EKS | |||
|
|||
EKS enforces authentication to the cluster through [aws-iam-authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html). The token expires after 15 minutes |
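Review bot: The new "Running in AWS EKS" paragraph says the aws-iam-authenticator token expires after 15 minutes but, in the lines shown here, does not say which deployment the section applies to or what must already be in place. Suggest stating up front that it concerns a Jenkins master that authenticates to EKS through a kubeconfig rather than an in-cluster service account, and that the `aws-iam-authenticator` binary has to be installed on the Jenkins master and resolvable on the PATH of the user Jenkins runs as.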
This is only relevant if the Jenkins master is not running in the cluster using a service account, which I would expect to be the most common mode. That should be made clearer.
Please also read, and refer to, JENKINS-58143 which discusses this flag. Ideally no such tricks would be necessary. The Kubernetes client we use does support exec authentication such as is needed to use `aws-iam-authenticator` automatically from your kubeconfig, but last I checked it does not yet support automatic reauthentication after token expiry the way the Golang client does (for example).
Ah, I added the docs in the wrong place then. In our use case, the Jenkins master is running on EC2 instances out of k8s.
I added this particular bit of documentation because, while it does initially authenticate using the `aws-iam-authenticator` correctly, it does not re-authenticate later (as you stated it would not). However, setting the client cache expiry to something short seems to make it create a new client, thus reauthing.
Co-Authored-By: Vincent Latombe <vincent@latombe.net>
Good suggestion @Vlatombe, updated!
Hey, I am not sure from this side note how you actually set up aws-iam-authenticator. Do I need it installed on the jenkins master? What do you set inside the configure tab in Jenkins? This information is missing.
Good catch @guysoft and it's easy to get going:
After that when you go to configure the cluster in jenkins settings, you should just be able to select the secret file for the Don't forget to set the jenkins tunnel IP if your jenkins install is behind a proxy!
I am running jenkins in docker and get nothing but this
Anyone seen this before? It doesn't work even if I specify absolute path and permissions are fine.
Edit: This was caused by jenkins running two containers... I was testing in the wrong one. Using the helm deployment I recommend just creating your own image and copying to /usr/local/bin.
Jenkins in docker within k8s? If not, does the user jenkins is running as have permissions to aws-iam-authenticator?

On Thu, Oct 31, 2019 at 10:45 AM Sam ***@***.***> wrote:
> I am running jenkins in docker and get nothing but this
> Caused: java.io.IOException: Cannot run program "aws-iam-authenticator": error=2, No such file or directory
> Anyone seen this before? It doesn't work even if I specify absolute path and permissions are fine
Ok, got it to work here.
If you skip directly to the aws instruction you have no idea that you need to not include the url and just use the kube config file. It might be worth noting that this is the only way to do it, because when you see a large list of values, UX suggests that you start filling them. I think it's worth adding that as a note. Should I PR something along those lines?
I got it working. See edit. I made a stupid mistake.
Hi,
I went through an exercise finding this fix to my issue with authentication in EKS and noticed there were notes for other cloud k8s providers in the README and thought it'd be helpful to make note of this caveat as well.