LOG-1977: Enable STS role support for cloudwatch forwarding via fluentd #1397
Conversation
cahartma
force-pushed
the
role-based-cloudwatch-log-forwarding
branch
2 times, most recently
from
1c2ecf9
to
978f63e
Compare
| return AWSKey{ | ||
| KeyRoleArn: ParseRoleArn(secret), | ||
| KeyRoleSessionName: constants.AWSRoleSessionName, | ||
| KeyWebIdentityToken: mountPath + "/" + filePath, |
There was a problem hiding this comment.
Is there any reason we can not rely on the podspec volume/volumemount path abstraction? The path to the token file is from the container's perspective. We can mount it anywhere meaning we can make it a fixed location. Doing so means we just need to map the volume and volume mount correctly when setting up the podspec.
There was a problem hiding this comment.
The user specifies the path for the token. A refactor was done after speaking with the ROSA team. This is so that our add-on functions the same as all other operators, when working in sts mode. More details are in the ticket.
There was a problem hiding this comment.
Upon further testing and attempts at accomplishing a fixed location, we must keep the functionality as is. We are required to create a mount in the container, at the path provided in the secret. The pods' projected SA volume specifies a relative file path to this container mount. Therefor we must utilize both the mount and the pod volume spec to build the specified path.
There was a problem hiding this comment.
After our long discussion yesterday, (including Victor K as well) the logic has been reverted and we are back to using our opinionated path:
KeyWebIdentityToken: path.Join(constants.AWSWebIdentityTokenMount, constants.AWSWebIdentityTokenFilePath),
| func ParseRoleArn(secret *corev1.Secret) string { | ||
| credentials := security.GetFromSecret(secret, constants.AWSCredentialsKey) | ||
| if credentials != "" { | ||
| roleIndex := strings.Index(credentials, "arn:aws:iam::") |
There was a problem hiding this comment.
We should consider replacing with a regex
| func ParseIdentityToken(secret *corev1.Secret) (mountPath, filePath string) { | ||
| credentials := security.GetFromSecret(secret, constants.AWSCredentialsKey) | ||
| if credentials != "" { | ||
| split := strings.Split(credentials, "web_identity_token_file = ") |
There was a problem hiding this comment.
we shoudl consider replacing with a regex
There was a problem hiding this comment.
function has been removed and we are back to using our opinionated (constant) path
| } | ||
|
|
||
| // AppendVolumeActions Add mount and volumes based on attributes from the secret | ||
| func AppendVolumeActions(secret *corev1.Secret) (mount corev1.VolumeMount, volume corev1.Volume) { |
There was a problem hiding this comment.
Consider adding an isolated unit test for this helper function
There was a problem hiding this comment.
Further review compared to the pod setup. This should be moved to maybe some path under k8shandler since its not generator code
There was a problem hiding this comment.
There have been several discussions and I am open to suggestions as to where this should live. Please explain, is this not part of the generation of the cloudwatch configuration?
There was a problem hiding this comment.
After our long discussion yesterday, (including Victor K as well) the logic has been refactored again and this func removed.
internal/k8shandler/fluentd.go
Outdated
| @@ -182,6 +183,12 @@ func newFluentdPodSpec(cluster *logging.ClusterLogging, trustedCABundleCM *v1.Co | |||
| fluentdContainer.VolumeMounts = append(fluentdContainer.VolumeMounts, v1.VolumeMount{Name: name, ReadOnly: true, MountPath: path}) | |||
| } | |||
|
|
|||
| // Append any additional volumes based on attributes of the secret and forwarder spec | |||
| appendMounts, appendVolumes := GetAppendVolumes(secrets, &clfspec) | |||
There was a problem hiding this comment.
I'm actually in the process of reworking this section but until that lands, a more flexible pattern is to do something like:
func(*core.PodSpec, map[string]*Secret,*logging.ClusterLogForwarderSpec) {}
in newFluentdPodSpec pass an equivalent of GetAppendVolumes to update the podSpec
There was a problem hiding this comment.
How close are you with your changes? I will leave mine as is for now. It may be easier for us to have me rebase onto your changes.
There was a problem hiding this comment.
Much simpler now, so is on you :)
|
|
||
| // GetAppendVolumes Append any additional volumes based output type and values from secret and forwarder spec | ||
| // otherwise return empty | ||
| func GetAppendVolumes(secrets map[string]*corev1.Secret, clfspec *logging.ClusterLogForwarderSpec) (mount corev1.VolumeMount, volume corev1.Volume) { |
There was a problem hiding this comment.
Same comment here. This is not generator code but podspec code. We should find a home for it there
There was a problem hiding this comment.
removed based on discussion yesterday. The logic to append now lives within fluentd.go
cahartma
force-pushed
the
role-based-cloudwatch-log-forwarding
branch
3 times, most recently
from
0539f8e
to
e933703
Compare
cahartma
force-pushed
the
role-based-cloudwatch-log-forwarding
branch
from
e933703
to
ab885ea
Compare
cahartma
force-pushed
the
role-based-cloudwatch-log-forwarding
branch
from
ab885ea
to
b516426
Compare
|
/retest |
1 similar comment
|
/retest |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cahartma, jcantrill The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@cahartma: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
…-log-forwarding LOG-1977: Enable STS role support for cloudwatch forwarding via fluentd
Description
For STS enabled clusters we needed to modify a few things in the collector pod and fluentd config, in order to change from long-lived credentials to using sts role and token. This required:
Links