
(2/4) Make openscapes' grafana pod acquire credentials to assume the IAM Role #4548

Closed
2 tasks done
Tracked by #4546
consideRatio opened this issue Jul 31, 2024 · 2 comments · Fixed by #4573

consideRatio (Contributor) commented Jul 31, 2024

This is task 2/4 in #4546, which is part of the big epic #4453.

We look to expose AWS credentials for grafana to assume the IAM role created in #4547. The Grafana chart is creating a k8s ServiceAccount by default it seems, and it can be configured with an annotation - this is everything we need!

The annotation should be eks.amazonaws.com/role-arn: <previously created iam role arn here>, so in practice, judging from the grafana helm chart's default chart values, it looks like we just have to declare the following in the openscapes support chart and verify success after deploying:

grafana:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: <previously created iam role arn here>

Definition of done

  • The grafana pod references a k8s ServiceAccount via serviceAccountName, which is annotated with eks.amazonaws.com/role-arn=<arn of iam role created with terraform>.
    kubectl get pod -l app.kubernetes.io/name=grafana -n support -o yaml | grep serviceAccountName can be used for this, followed by inspecting that the named ServiceAccount has the relevant annotation.

  • The grafana pod has been updated to include AWS_... environment variables.
    kubectl get pod -l app.kubernetes.io/name=grafana -n support -o yaml | grep AWS can be used for this.

    PS: these variables are set at pod creation time by an AWS pod admission controller manipulating the pod specification. It is registered with the k8s api-server to be contacted whenever a Pod is being created. This is set up via a MutatingWebhookConfiguration resource. This is what makes the k8s ServiceAccount's annotation meaningful.

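An added check, not part of this issue or the infrastructure repo, that applies the two definition-of-done conditions above to the `-o json` output of the kubectl commands (pod and its ServiceAccount). The role ARN, ServiceAccount name and pod name are constructed placeholders; AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are the variables the EKS pod identity webhook injects.

```python
import json

ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"
# Variables the EKS pod identity webhook injects on pod creation. The AWS SDK's
# web-identity credential provider needs both to call sts:AssumeRoleWithWebIdentity.
REQUIRED_ENV = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
# Placeholder ARN (hypothetical account id and role name), not the real one.
EXPECTED_ARN = "arn:aws:iam::000000000000:role/placeholder-grafana-role"


def check_irsa(pod, serviceaccount, expected_role_arn=EXPECTED_ARN):
    """Return a list of findings; an empty list means both DoD items are met."""
    findings = []
    sa_name = pod["spec"].get("serviceAccountName", "default")
    sa_meta = serviceaccount["metadata"]
    if sa_name != sa_meta["name"]:
        findings.append(f"pod uses ServiceAccount {sa_name!r}, not {sa_meta['name']!r}")
    annotated = sa_meta.get("annotations", {}).get(ROLE_ARN_ANNOTATION)
    if annotated != expected_role_arn:
        findings.append(f"{ROLE_ARN_ANNOTATION} on the ServiceAccount is {annotated!r}")
    for container in pod["spec"]["containers"]:
        env = {e["name"]: e.get("value") for e in container.get("env", [])}
        missing = [name for name in REQUIRED_ENV if name not in env]
        if missing:
            findings.append(f"container {container['name']!r} lacks {missing}: "
                            "the mutating webhook did not act on this pod")
        elif env["AWS_ROLE_ARN"] != expected_role_arn:
            findings.append(f"container {container['name']!r} got a different role: "
                            f"{env['AWS_ROLE_ARN']!r}")
    return findings


# Constructed samples standing in for `kubectl get ... -o json` output.
SA_OK = {"metadata": {"name": "support-grafana",
                      "annotations": {ROLE_ARN_ANNOTATION: EXPECTED_ARN}}}
POD_OK = {"metadata": {"name": "support-grafana-0"},
          "spec": {"serviceAccountName": "support-grafana",
                   "containers": [{"name": "grafana", "env": [
                       {"name": "AWS_ROLE_ARN", "value": EXPECTED_ARN},
                       {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
                        "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}]}]}}
# Same pod as it would look if the webhook had not injected anything.
POD_UNMUTATED = json.loads(json.dumps(POD_OK))
POD_UNMUTATED["spec"]["containers"][0]["env"] = []

if __name__ == "__main__":
    for label, pod in (("mutated pod", POD_OK), ("unmutated pod", POD_UNMUTATED)):
        print(label, "->", check_irsa(pod, SA_OK) or "OK")
```

A pod that carries the correct ServiceAccount annotation but no AWS_ variables was created before the annotation existed: the webhook only acts at admission, so the pod has to be recreated rather than the ServiceAccount re-annotated.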
@consideRatio consideRatio changed the title Make openscapes' grafana pod acquire credentials to assume the IAM Role DRAFT: Make openscapes' grafana pod acquire credentials to assume the IAM Role Jul 31, 2024
@consideRatio consideRatio changed the title DRAFT: Make openscapes' grafana pod acquire credentials to assume the IAM Role Make openscapes' grafana pod acquire credentials to assume the IAM Role Jul 31, 2024
@consideRatio consideRatio changed the title Make openscapes' grafana pod acquire credentials to assume the IAM Role Draft (almost not-draft): Make openscapes' grafana pod acquire credentials to assume the IAM Role Jul 31, 2024
@consideRatio consideRatio changed the title Draft (almost not-draft): Make openscapes' grafana pod acquire credentials to assume the IAM Role Make openscapes' grafana pod acquire credentials to assume the IAM Role Jul 31, 2024
@consideRatio consideRatio changed the title Make openscapes' grafana pod acquire credentials to assume the IAM Role (2/4) Make openscapes' grafana pod acquire credentials to assume the IAM Role Jul 31, 2024
sgibson91 (Member) commented Aug 1, 2024

  • The grafana pod has been updated to include AWS_... environment variables.
    kubectl get pod -n dask-staging jupyter-consideratio -o yaml | grep AWS can be used for this.

This talks about the grafana pod being given AWS_* env variables, but then the example command references a jupyter singleuser server which is confusing.

consideRatio (Contributor, Author) commented Aug 1, 2024

Nice catch @sgibson91! It should be "-l app.kubernetes.io/name=grafana -n support" within that command. Top post is now updated!
