Document how to use IAM roles instead of the credentials CAPA started with #3130

Closed
sedefsavas opened this issue Feb 2, 2022 · 3 comments · Fixed by #3328
Labels
kind/documentation Categorizes issue or PR as related to documentation. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@sedefsavas
Contributor

sedefsavas commented Feb 2, 2022

/kind documentation

We need documentation for the steps on how to make CAPA use the instance profiles (IAM roles) attached to an EC2 instance.

A possible scenario for CAPA-managed clusters:

  • Init bootstrap cluster with temporary credentials
  • Create a workload cluster
  • Control plane nodes on the workload cluster will have IAM roles attached which is enough for CAPA to work.
  • Want to move the bootstrap cluster to this workload cluster to turn it into a management cluster
  • Since only control-plane nodes have the required IAM roles attached, the CAPA deployment should have the necessary tolerations for the master (control-plane) node and a node selector for master. To modify the CAPA deployment before running `clusterctl init`, check the Cluster API book.
  • Run `clusterctl init --infrastructure aws` on the workload cluster after setting `export AWS_B64ENCODED_CREDENTIALS="Cg=="` (equivalent to empty string)
  • `capa-manager-bootstrap-credentials` will be created using `AWS_B64ENCODED_CREDENTIALS`, which is nil; hence CAPA controllers will fall back to using the attached instance profile.

We should also cover how to do the same in EKS-managed clusters.

More details are in slack thread:
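
An added example (not part of the original issue or the CAPA project's code): a check over the `capa-manager-bootstrap-credentials` Secret and the CAPA controller Deployment, shaped like `kubectl get -o json` output, that confirms no static keys remain in the Secret and that the pod is pinned to control-plane nodes as the scenario above requires. The `credentials` data key, the node-role label names and the sample objects are assumptions constructed for illustration.

```python
import base64
import re

# Labels/taint keys that mark control-plane nodes (older clusters use "master").
CP_KEYS = {"node-role.kubernetes.io/master", "node-role.kubernetes.io/control-plane"}
STATIC_KEY = re.compile(r"aws_(access_key_id|secret_access_key|session_token)\s*=", re.I)


def audit(secret: dict, deployment: dict) -> list:
    """Return findings; an empty list means the setup matches the scenario."""
    findings = []
    # Assumption: the AWS credentials file is stored under the "credentials" key.
    raw = base64.b64decode(secret.get("data", {}).get("credentials", ""))
    text = raw.decode("utf-8", errors="replace")
    if STATIC_KEY.search(text):
        findings.append("secret still contains static AWS keys")
    elif text.strip():
        findings.append("secret is not blank; inspect its contents")

    pod = deployment["spec"]["template"]["spec"]
    if not CP_KEYS & set(pod.get("nodeSelector") or {}):
        findings.append("no control-plane nodeSelector; pod may run on a node without the IAM role")
    tolerations = pod.get("tolerations") or []
    # A toleration with operator Exists and no key tolerates every taint.
    tolerates_all = any(t.get("operator") == "Exists" and not t.get("key") for t in tolerations)
    if not tolerates_all and not CP_KEYS & {t.get("key") for t in tolerations}:
        findings.append("no toleration for the control-plane taint")
    return findings


# Constructed sample objects (not taken from a real cluster).
SECRET_EMPTY = {"data": {"credentials": "Cg=="}}  # value used in the issue
SECRET_STATIC = {"data": {"credentials": base64.b64encode(
    b"[default]\naws_access_key_id = EXAMPLEKEYID\n"
    b"aws_secret_access_key = EXAMPLESECRET\n").decode()}}
DEPLOY_PINNED = {"spec": {"template": {"spec": {
    "nodeSelector": {"node-role.kubernetes.io/master": ""},
    "tolerations": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}],
}}}}
DEPLOY_DEFAULT = {"spec": {"template": {"spec": {}}}}

if __name__ == "__main__":
    for name, sec, dep in [("empty secret, pinned deployment", SECRET_EMPTY, DEPLOY_PINNED),
                           ("static keys, default deployment", SECRET_STATIC, DEPLOY_DEFAULT)]:
        print(name, "->", audit(sec, dep) or "ok")
```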

@k8s-ci-robot k8s-ci-robot added kind/documentation Categorizes issue or PR as related to documentation. needs-priority labels Feb 2, 2022
@k8s-ci-robot
Contributor

@sedefsavas: This issue is currently awaiting triage.

If CAPA/CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Feb 2, 2022
@sedefsavas sedefsavas added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Feb 2, 2022
@sedefsavas sedefsavas added this to the v1.x milestone Feb 2, 2022
@Ankitasw
Member

/assign

@Ankitasw
Member

/lifecycle active

@k8s-ci-robot k8s-ci-robot added the lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. label Mar 18, 2022
3 participants