aws: update the bootstrap ignition fetching to use custom region endpoints #2854
With move to presigned URL, do we have to change anything wrt permissions?
Also, is there improvement in the UPI flow that we can make to improve that for users?
No permissions should need changing. Using a presigned URL will use the same permissions of the role that created it.
It should have the same access as it currently does. If a presigned URL were to be manually configured for elsewhere, additional permissions might need to be configured.
I don't believe so.
It looks like we can change the UPI flow to use a presigned URL also.
Previously the permissions of the bootstrap host were used to fetch the ignition file from S3, but now the credentials of the user invoking the installer will be used to fetch it. So maybe permission on bootstrap like https://github.com/openshift/installer/pull/2854/files#diff-8af9be4a478f6109c2539e6abc13acaeR104-R110 are no longer required?? @jhixson74 I think we need to take another look at required changes in permissions with this move.
Can you explain to me how the credentials of the user invoking the installer are used here? My understanding here is everything remains the same as it was, but now uses a presigned URL. Since the bucket name and filename contents are known before it is created, the presigned URL is created using them. These values are passed into the terraform where they are created with the same roles and permissions as they previously were. What am I missing?
/test e2e-aws
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: abhinavdahiya
We can merge this when master opens for 4.6, until then this can stay open.
/lgtm
/skip
/retest
/retest
Please review the full test history for this PR and help us cut down flakes.
@jhixson74: The following tests failed, say
The failing test is an e2e, known broken https://coreos.slack.com/archives/CNHC2DK2M/p1591025728087100
/override ci/prow/e2e-aws
@abhinavdahiya: Overrode contexts on behalf of abhinavdahiya: ci/prow/e2e-aws
Update the S3 bucket that stores the ignition config to use a presigned URL.
This allows the S3 bucket to be accessed via HTTP(s) similar to Azure and GCP
thus allowing the installer to pick the correct endpoint based on region/user
specification.
https://issues.redhat.com/browse/CORS-1322
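
An added example (not code from this PR or from openshift/installer) of what a SigV4 presigned S3 GET URL carries, relevant to the permissions question discussed in the thread: the signer's access key ID and a signature derived from its secret are embedded in the query string, the endpoint host is part of the signed data, and the fetching host sends no AWS credentials of its own. The function name `PresignGet` and all credentials, endpoint and object names are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// PresignGet (hypothetical helper) builds a SigV4 query-signed GET URL for an
// S3 object. host is the regional or custom endpoint and is covered by the signature.
func PresignGet(accessKey, secretKey, region, host, objectKey, amzDate string, expires int) string {
	date := amzDate[:8]
	scope := date + "/" + region + "/s3/aws4_request"
	// Parameters are listed in sorted order, as the canonical query string requires.
	query := strings.Join([]string{
		"X-Amz-Algorithm=AWS4-HMAC-SHA256",
		"X-Amz-Credential=" + url.QueryEscape(accessKey+"/"+scope), // identifies the signer
		"X-Amz-Date=" + amzDate,
		fmt.Sprintf("X-Amz-Expires=%d", expires), // lifetime in seconds
		"X-Amz-SignedHeaders=host",
	}, "&")
	path := "/" + objectKey // assumption: the key needs no URI escaping
	canonical := strings.Join([]string{"GET", path, query, "host:" + host, "", "host", "UNSIGNED-PAYLOAD"}, "\n")
	hash := sha256.Sum256([]byte(canonical))
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(hash[:])}, "\n")
	// Signing key is derived from the signer's secret, scoped to date/region/service.
	key := []byte("AWS4" + secretKey)
	for _, part := range []string{date, region, "s3", "aws4_request"} {
		key = hmacSHA256(key, part)
	}
	sig := hex.EncodeToString(hmacSHA256(key, toSign))
	return "https://" + host + path + "?" + query + "&X-Amz-Signature=" + sig
}

func main() {
	// Constructed sample values; not real credentials, bucket, or endpoint.
	fmt.Println(PresignGet("AKIAEXAMPLEINSTALLER", "constructed-secret", "us-gov-west-1",
		"example-bootstrap.s3.us-gov-west-1.amazonaws.com", "bootstrap.ign", "20200601T000000Z", 3600))
}
```

Because the URL acts as a bearer credential until `X-Amz-Expires` elapses, keep the expiry short and keep the URL out of logs and user data that outlive the bootstrap phase.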