legacy-cloud-providers: aws: Add support for consuming web identity credentials #104314

Merged
merged 1 commit into from Sep 2, 2021

Conversation

sjenning
Contributor

What type of PR is this?

/kind bug

What this PR does / why we need it:

The in-tree AWS cloud provider currently uses a custom credential chain that does not support using service account tokens to authenticate with the AWS API. Namely the WebIdentityTokenProvider.

This is a pick from the external v1 AWS provider in kubernetes/cloud-provider-aws#238

I am aware that the in-tree legacy cloud providers are not looking to make changes at this point but I wanted to have a discussion about it.

Does this PR introduce a user-facing change?

None

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Aug 11, 2021
@sjenning
Contributor Author

/sig cloud-provider

@k8s-ci-robot k8s-ci-robot added sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 11, 2021
@nckturner
Contributor

nckturner commented Aug 20, 2021

/area provider/aws

@k8s-ci-robot k8s-ci-robot added the area/provider/aws Issues or PRs related to aws provider label Aug 20, 2021
@cheftako
Member

/assign @nckturner
Nick, does this look good to you?
Seems like a legitimate bug fix to me.
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 22, 2021
@cheftako
Member

/assign

@cheftako
Member

/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Aug 22, 2021
@cheftako
Member

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 22, 2021
@nckturner
Contributor

nckturner commented Aug 31, 2021

@cheftako agreed, I'd call it a bug fix because not being able to use the "web identity" JWTs in the credential chain is unintended and hampers certain use cases like using bound service account tokens for authentication to AWS when using the legacy provider in KCM.
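
The comment above refers to "web identity" JWTs and bound service account tokens. As an added example (not code from this PR or from Kubernetes), the following stdlib-only Go check decodes such a token's claims to confirm it is audience-bound and time-bound before a credential provider consumes it. The `inspectToken` helper and the use of the AWS SDKs' `AWS_WEB_IDENTITY_TOKEN_FILE` variable are assumptions of this example, and the signature is deliberately not verified here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// claims are the JWT fields that matter when a token is exchanged for cloud credentials.
type claims struct {
	Issuer   string          `json:"iss"`
	Subject  string          `json:"sub"`
	Audience json.RawMessage `json:"aud"` // a string or an array of strings (RFC 7519)
	Expiry   float64         `json:"exp"` // seconds since the Unix epoch
}

// inspectToken decodes a compact JWT's payload WITHOUT verifying its signature and
// lists the problems that make it unsuitable as a bound, time-limited identity token.
func inspectToken(raw string, now time.Time) (claims, []string, error) {
	var c claims
	parts := strings.Split(strings.TrimSpace(raw), ".")
	if len(parts) != 3 {
		return c, nil, fmt.Errorf("not a compact JWT: got %d segments, want 3", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return c, nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, nil, fmt.Errorf("payload is not a JSON claim set: %w", err)
	}
	var problems []string
	if c.Expiry == 0 {
		problems = append(problems, "no exp claim: token is not time-bound")
	} else if !now.Before(time.Unix(int64(c.Expiry), 0)) {
		problems = append(problems, "token has expired")
	}
	if len(c.Audience) == 0 {
		problems = append(problems, "no aud claim: token is not audience-bound")
	}
	return c, problems, nil
}

func main() {
	// Assumed variable name; an unreadable file yields an empty token, reported as an error.
	raw, _ := os.ReadFile(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))
	c, problems, err := inspectToken(string(raw), time.Now())
	fmt.Println(c.Issuer, c.Subject, string(c.Audience), problems, err)
}
```
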

@nckturner
Contributor

/lgtm

@cheftako
Member

cheftako commented Sep 2, 2021

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheftako, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 2, 2021
@k8s-ci-robot k8s-ci-robot merged commit b0836a6 into kubernetes:master Sep 2, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Sep 2, 2021
k8s-ci-robot added a commit that referenced this pull request Sep 10, 2021
…4314-upstream-release-1.21

Automated cherry pick of #104314: legacy-cloud-providers: aws: Add support for consuming web
k8s-ci-robot added a commit that referenced this pull request Sep 10, 2021
…4314-upstream-release-1.22

Automated cherry pick of #104314: legacy-cloud-providers: aws: Add support for consuming web