
Merge pull request #87 from nablaflow/main
Add ability to authenticate against AWS via STS
No9 authored May 20, 2022
2 parents a516b06 + a369cec commit d28569d
Showing 7 changed files with 41 additions and 4 deletions.
11 changes: 11 additions & 0 deletions charts/core-dump-handler/README.md
Expand Up @@ -36,6 +36,9 @@ helm install core-dump-handler . --create-namespace --namespace observe \
<tr>
<td>AWS</td><td>EKS</td><td><a href="values.aws.yaml">values.aws.yaml</a></td>
</tr>
<tr>
<td>AWS</td><td>EKS with IAM roles for service accounts</td><td><a href="values.aws.sts.yaml">values.aws.yaml</a></td>
</tr>
<tr>
<td>AWS</td><td>ROSA</td><td><a href="values.openshift.yaml">values.openshift.yaml</a></td>
</tr>
Expand Down Expand Up @@ -140,6 +143,14 @@ Example S3 policy:
}
```

### EKS setup with IAM roles for service accounts

This allows core-dump-handler to automatically assume the correct role with permissions on the S3 bucket without providing fixed credentials in the secret.

See [this guide](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).

[Example of `values.yaml`](values.aws.sts.yaml)

### Environment Variables

The agent pod has the following environment variables and these are all set by the chart but included here for informational purposes:
4 changes: 4 additions & 0 deletions charts/core-dump-handler/templates/secrets.yaml
Expand Up @@ -5,8 +5,12 @@ metadata:
name: s3config
type: Opaque
stringData:
{{- if .Values.daemonset.s3Secret }}
s3Secret: {{ .Values.daemonset.s3Secret }}
{{- end }}
{{- if .Values.daemonset.s3AccessKey }}
s3AccessKey: {{ .Values.daemonset.s3AccessKey }}
{{- end }}
s3BucketName: {{ .Values.daemonset.s3BucketName }}
s3Region: {{ .Values.daemonset.s3Region }}
{{- end }}
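Review bot: With the new `{{- if .Values.daemonset.s3Secret }}` / `{{- if .Values.daemonset.s3AccessKey }}` guards the `s3config` Secret can be rendered without the `s3Secret` and `s3AccessKey` keys, so any `secretKeyRef` on the daemonset that still references them must carry `optional: true`, otherwise the agent pod fails with CreateContainerConfigError in an STS deployment; the daemonset template is not part of this diff, so please confirm. A comment above the first guard, `# Optional: IRSA/STS deployments run without static keys, so these are omitted when unset`, would record why the keys became conditional. The `{{- end }}` on the last line closes a condition opened above this hunk.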
6 changes: 6 additions & 0 deletions charts/core-dump-handler/templates/serviceaccount.yaml
@@ -1,6 +1,12 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "core-dump-handler.serviceAccountName" . }}
labels:
{{ include "core-dump-handler.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
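Review bot: The new annotations block renders with `{{ toYaml . | indent 4 }}` while the labels line directly above uses `nindent 4`; mixing the two makes the output indentation depend on where the expression sits on its line, and writing `annotations:` followed by `{{- toYaml . | nindent 4 }}` is the conventional form and matches the labels. Because the whole resource is inside `{{- if .Values.serviceAccount.create }}`, a user who brings their own service account gets no `eks.amazonaws.com/role-arn` annotation from the chart and must add it themselves; a comment on the `with` line, `# Only rendered when the chart creates the ServiceAccount`, would make that visible.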
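--- /dev/null
+++ b/charts/core-dump-handler/values.aws.sts.yaml
@@ -0,0 +1,9 @@
+# AWS requires a crio client to be copied to the server
+daemonset:
+includeCrioExe: true
+vendor: rhel7 # EKS EC2 images have an old libc=2.26
+
+serviceAccount:
+annotations:
+# See https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
+eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here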
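Review bot: The example pins the role ARN on the service account but leaves the IAM side of the trust relationship implicit; a comment next to the annotation such as `# The role's trust policy should allow sts:AssumeRoleWithWebIdentity only for this cluster's OIDC provider and the subject system:serviceaccount:<namespace>:core-dump-admin` would steer operators away from a trust policy that any pod in the cluster can satisfy. The account id `123456789000` and `iam-role-name-here` are placeholders, so marking the line `# REPLACE with your role` avoids it being applied verbatim. The annotation is only rendered when `serviceAccount.create` is true (the ServiceAccount template is guarded on it), which this values file relies on without saying so.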
5 changes: 4 additions & 1 deletion charts/core-dump-handler/values.schema.json
Expand Up @@ -280,6 +280,9 @@
},
"name": {
"type": "string"
},
"annotations": {
"type": "object"
}
},
"required": [
Expand All @@ -289,4 +292,4 @@
"title": "ServiceAccount"
}
}
}
}
2 changes: 2 additions & 0 deletions charts/core-dump-handler/values.yaml
Expand Up @@ -50,6 +50,8 @@ daemonset:
serviceAccount:
create: true
name: "core-dump-admin"
# annotations:
# eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here

# OpenShift specific for SecurityContextConstraints
scc:
8 changes: 5 additions & 3 deletions core-dump-agent/src/main.rs
Expand Up @@ -359,7 +359,9 @@ fn get_bucket() -> Result<Bucket, anyhow::Error> {
}
};

let credentials = if s3_access_key.is_empty() || s3_secret.is_empty() {
let credentials = if env::var("AWS_WEB_IDENTITY_TOKEN_FILE").is_ok() {
Credentials::from_sts_env(std::env!("CARGO_PKG_NAME"))
} else if s3_access_key.is_empty() || s3_secret.is_empty() {
Credentials::new(None, None, None, None, None)
} else {
Credentials::new(
Expand All @@ -369,12 +371,12 @@ fn get_bucket() -> Result<Bucket, anyhow::Error> {
None,
None,
)
};
}?;

let s3 = Storage {
name: "aws".into(),
region,
credentials: credentials.unwrap(),
credentials,
bucket: s3_bucket_name,
location_supported: false,
};
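Review bot: The STS arm at the top of the new `if` chain wins whenever `AWS_WEB_IDENTITY_TOKEN_FILE` is set, so explicitly configured `s3_access_key`/`s3_secret` are silently ignored in that case; the precedence should be recorded and surfaced, e.g. `// IRSA web-identity token takes precedence over static keys from the Secret` above the chain plus an info-level log of which credential source was selected. `Credentials::from_sts_env` also needs `AWS_ROLE_ARN`, so when only the token-file variable is present the trailing `?` propagates a bare rust-s3 error; guarding on both variables, or wrapping the branch with anyhow's `.context("AWS_WEB_IDENTITY_TOKEN_FILE is set but STS credentials could not be obtained")`, makes the failure mode diagnosable. Web-identity session credentials expire, so if the `Bucket` built here is held for the life of the process rather than rebuilt per upload, the STS path will start failing after the session lifetime — I cannot tell the call pattern from this hunk, please confirm. The body of `get_bucket` begins and ends outside the hunks.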

0 comments on commit d28569d
