-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LOG-1977: Enable STS role support for cloudwatch forwarding via fluentd #1397
LOG-1977: Enable STS role support for cloudwatch forwarding via fluentd #1397
Conversation
1c2ecf9
to
978f63e
Compare
return AWSKey{ | ||
KeyRoleArn: ParseRoleArn(secret), | ||
KeyRoleSessionName: constants.AWSRoleSessionName, | ||
KeyWebIdentityToken: mountPath + "/" + filePath, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can use path.Join
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any reason we can not rely on the podspec volume/volumemount path abstraction? The path to the token file is from the container's perspective. We can mount it anywhere meaning we can make it a fixed location. Doing so means we just need to map the volume and volume mount correctly when setting up the podspec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The user specifies the path for the token. A refactor was done after speaking with the ROSA team. This is so that our add-on functions the same as all other operators, when working in sts mode. More details are in the ticket.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Upon further testing and attempts at accomplishing a fixed location, we must keep the functionality as is. We are required to create a mount in the container, at the path provided in the secret. The pods' projected SA volume specifies a relative file path to this container mount. Therefor we must utilize both the mount and the pod volume spec to build the specified path.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After our long discussion yesterday, (including Victor K as well) the logic has been reverted and we are back to using our opinionated path:
KeyWebIdentityToken: path.Join(constants.AWSWebIdentityTokenMount, constants.AWSWebIdentityTokenFilePath),
func ParseRoleArn(secret *corev1.Secret) string { | ||
credentials := security.GetFromSecret(secret, constants.AWSCredentialsKey) | ||
if credentials != "" { | ||
roleIndex := strings.Index(credentials, "arn:aws:iam::") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should consider replacing with a regex
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
func ParseIdentityToken(secret *corev1.Secret) (mountPath, filePath string) { | ||
credentials := security.GetFromSecret(secret, constants.AWSCredentialsKey) | ||
if credentials != "" { | ||
split := strings.Split(credentials, "web_identity_token_file = ") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we shoudl consider replacing with a regex
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
function has been removed and we are back to using our opinionated (constant) path
} | ||
|
||
// AppendVolumeActions Add mount and volumes based on attributes from the secret | ||
func AppendVolumeActions(secret *corev1.Secret) (mount corev1.VolumeMount, volume corev1.Volume) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider adding an isolated unit test for this helper function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Further review compared to the pod setup. This should be moved to maybe some path under k8shandler since its not generator code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There have been several discussions and I am open to suggestions as to where this should live. Please explain, is this not part of the generation of the cloudwatch configuration?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After our long discussion yesterday, (including Victor K as well) the logic has been refactored again and this func removed.
internal/k8shandler/fluentd.go
Outdated
@@ -182,6 +183,12 @@ func newFluentdPodSpec(cluster *logging.ClusterLogging, trustedCABundleCM *v1.Co | |||
fluentdContainer.VolumeMounts = append(fluentdContainer.VolumeMounts, v1.VolumeMount{Name: name, ReadOnly: true, MountPath: path}) | |||
} | |||
|
|||
// Append any additional volumes based on attributes of the secret and forwarder spec | |||
appendMounts, appendVolumes := GetAppendVolumes(secrets, &clfspec) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm actually in the process of reworking this section but until that lands, a more flexible pattern is to do something like:
func(*core.PodSpec, map[string]*Secret,*logging.ClusterLogForwarderSpec) {}
in newFluentdPodSpec
pass an equivalent of GetAppendVolumes
to update the podSpec
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How close are you with your changes? I will leave mine as is for now. It may be easier for us to have me rebase onto your changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Much simpler now, so is on you :)
|
||
// GetAppendVolumes Append any additional volumes based output type and values from secret and forwarder spec | ||
// otherwise return empty | ||
func GetAppendVolumes(secrets map[string]*corev1.Secret, clfspec *logging.ClusterLogForwarderSpec) (mount corev1.VolumeMount, volume corev1.Volume) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment here. This is not generator code but podspec code. We should find a home for it there
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed based on discussion yesterday. The logic to append now lives within fluentd.go
0539f8e
to
e933703
Compare
e933703
to
ab885ea
Compare
ab885ea
to
b516426
Compare
/retest |
1 similar comment
/retest |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cahartma, jcantrill The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@cahartma: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
…-log-forwarding LOG-1977: Enable STS role support for cloudwatch forwarding via fluentd
Description
For STS enabled clusters we needed to modify a few things in the collector pod and fluentd config, in order to change from long-lived credentials to using sts role and token. This required:
Links