From 09e038170282b0b99aace2b2793791649e617c21 Mon Sep 17 00:00:00 2001
From: Federico Ravasio
Date: Tue, 3 May 2022 22:02:43 +0000
Subject: [PATCH 1/4] feat(helm): add ability to specify annotations on ServiceAccount
---
 charts/core-dump-handler/templates/serviceaccount.yaml | 6 ++++++
 charts/core-dump-handler/values.schema.json | 5 ++++-
 charts/core-dump-handler/values.yaml | 2 ++
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/charts/core-dump-handler/templates/serviceaccount.yaml b/charts/core-dump-handler/templates/serviceaccount.yaml
index 1a23607..fb11f93 100644
--- a/charts/core-dump-handler/templates/serviceaccount.yaml
+++ b/charts/core-dump-handler/templates/serviceaccount.yaml
@@ -1,6 +1,12 @@
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ include "core-dump-handler.serviceAccountName" . }}
 labels:
 {{ include "core-dump-handler.labels" . | nindent 4 }}
+{{- with .Values.serviceAccount.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/core-dump-handler/values.schema.json b/charts/core-dump-handler/values.schema.json
index bd617fa..f8a2f0c 100644
--- a/charts/core-dump-handler/values.schema.json
+++ b/charts/core-dump-handler/values.schema.json
@@ -280,6 +280,9 @@
 },
 "name": {
 "type": "string"
+ },
+ "annotations": {
+ "type": "object"
 }
 },
 "required": [
@@ -289,4 +292,4 @@
 "title": "ServiceAccount"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/charts/core-dump-handler/values.yaml b/charts/core-dump-handler/values.yaml
index 71ec16c..8f0315e 100644
--- a/charts/core-dump-handler/values.yaml
+++ b/charts/core-dump-handler/values.yaml
@@ -50,6 +50,8 @@ daemonset:
 serviceAccount:
 create: true
 name: "core-dump-admin"
+ # annotations:
+ # eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
 # OpenShift specific for SecurityContextConstraints
 scc:
From f426eaf1d05438f5119f67e19d9f07c87fc193ec Mon Sep 17 00:00:00 2001
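Review bot: The annotations block renders with `{{ toYaml . | indent 4 }}` on an unindented line while the `labels` key two lines above uses the `nindent` form; writing it as `annotations: {{- toYaml . | nindent 4 }}` keeps the template in one style and avoids the bare `{{ ... | indent 4 }}` line that only reads correctly because `indent` pads every emitted line. The new `{{- if .Values.serviceAccount.create }}` guard also changes more than annotations: with `create: false` no ServiceAccount is rendered at all, so anything that references `core-dump-handler.serviceAccountName` (the daemonset and any binding — not in this patch) now relies on an account the operator created by hand, which deserves a sentence next to `create` in values.yaml.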
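Review bot: `"annotations": { "type": "object" }` accepts any value shape, but Kubernetes annotations are a string-to-string map, so an unquoted number or a nested map passes `helm lint` and only fails when the API server rejects the rendered ServiceAccount. Constraining it to `"annotations": { "type": "object", "additionalProperties": { "type": "string" } }` moves that failure to install time, where the error names the offending key.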
From: Federico Ravasio
Date: Tue, 3 May 2022 22:11:40 +0000
Subject: [PATCH 2/4] feat(helm): allow not to specify aws credentials so that other methods of authentication can be used
---
 charts/core-dump-handler/templates/secrets.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/charts/core-dump-handler/templates/secrets.yaml b/charts/core-dump-handler/templates/secrets.yaml
index 1b9ff8c..9bcf205 100644
--- a/charts/core-dump-handler/templates/secrets.yaml
+++ b/charts/core-dump-handler/templates/secrets.yaml
@@ -5,8 +5,12 @@ metadata:
 name: s3config
 type: Opaque
 stringData:
+{{- if .Values.daemonset.s3Secret }}
 s3Secret: {{ .Values.daemonset.s3Secret }}
+{{- end }}
+{{- if .Values.daemonset.s3AccessKey }}
 s3AccessKey: {{ .Values.daemonset.s3AccessKey }}
+{{- end }}
 s3BucketName: {{ .Values.daemonset.s3BucketName }}
 s3Region: {{ .Values.daemonset.s3Region }}
 {{- end }}
From be1924036f18f4221b417cc9f22aa9986ceae9b2 Mon Sep 17 00:00:00 2001
From: Federico Ravasio
Date: Wed, 4 May 2022 10:30:08 +0000
Subject: [PATCH 3/4] feat(agent): aws auth via assume role web identity adapter
---
 core-dump-agent/src/main.rs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/core-dump-agent/src/main.rs b/core-dump-agent/src/main.rs
index 2df2a36..447679c 100644
--- a/core-dump-agent/src/main.rs
+++ b/core-dump-agent/src/main.rs
@@ -359,7 +359,9 @@ fn get_bucket() -> Result {
 }
 };
- let credentials = if s3_access_key.is_empty() || s3_secret.is_empty() {
+ let credentials = if env::var("AWS_WEB_IDENTITY_TOKEN_FILE").is_ok() {
+ Credentials::from_sts_env(std::env!("CARGO_PKG_NAME"))
+ } else if s3_access_key.is_empty() || s3_secret.is_empty() {
 Credentials::new(None, None, None, None, None)
 } else {
 Credentials::new(
@@ -369,12 +371,12 @@ fn get_bucket() -> Result {
 None,
 None,
 )
- };
+ }?;
 let s3 = Storage {
 name: "aws".into(),
 region,
- credentials: credentials.unwrap(),
+ credentials,
 bucket: s3_bucket_name,
 location_supported: false,
 };
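Review bot: Making `s3Secret` and `s3AccessKey` conditional changes the Secret's key set, and whatever loads those keys into the agent (the daemonset template, not part of this patch) has to tolerate their absence: an `env.valueFrom.secretKeyRef` without `optional: true` leaves the pod in CreateContainerConfigError when the key is missing, whereas a volume projection of the whole Secret is unaffected. Worth confirming which form the daemonset uses and, if it is `secretKeyRef`, adding `optional: true` to both entries. A caveat on the surrounding context lines, not introduced here: the values are rendered bare, so a secret containing YAML-significant characters (`: `, `#`, a leading `*`) breaks the manifest, and `{{ .Values.daemonset.s3Secret | quote }}` (likewise for `s3AccessKey`) is the usual form.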
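Review bot: The web-identity branch is chosen on `AWS_WEB_IDENTITY_TOKEN_FILE` alone, and if `Credentials::from_sts_env` does what its name says (an STS AssumeRoleWithWebIdentity call) the credentials it returns are a temporary session; `get_bucket` stores them in `Storage` once, so unless the crate version in use refreshes them itself a long-running agent will start failing uploads once the session expires — worth confirming, and if it does not refresh, rebuilding the bucket when an upload fails with an authentication error. The precedence is also silent: when the token-file variable is set, any configured `s3AccessKey`/`s3Secret` are ignored without a log line, which deserves a comment above the `if`, e.g. `// Web identity (IRSA) takes precedence over static keys; the STS session it yields is temporary.` Replacing `.unwrap()` with `?` in the second hunk (`}?;`, `credentials,`) is the right fix and needs no change. `get_bucket` starts and ends outside both hunks.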
From a369cec313a528d76afca7a3518084346626977e Mon Sep 17 00:00:00 2001
From: Federico Ravasio
Date: Tue, 10 May 2022 10:46:26 +0000
Subject: [PATCH 4/4] chore(chart): improve doc regarding eks iam roles for service accounts
---
 charts/core-dump-handler/README.md | 11 +++++++++++
 charts/core-dump-handler/values.aws.sts.yaml | 9 +++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 charts/core-dump-handler/values.aws.sts.yaml
diff --git a/charts/core-dump-handler/README.md b/charts/core-dump-handler/README.md
index 4dbc39e..110557a 100644
--- a/charts/core-dump-handler/README.md
+++ b/charts/core-dump-handler/README.md
@@ -36,6 +36,9 @@ helm install core-dump-handler . --create-namespace --namespace observe \ AWSEKSvalues.aws.yaml + + AWSEKS with IAM roles for service accountsvalues.aws.yaml + AWSROSAvalues.openshift.yaml
@@ -140,6 +143,14 @@ Example S3 policy:
 }
 ```
+### EKS setup with IAM roles for service accounts
+
+This allows core-dump-handler to automatically assume the correct role with permissions on the S3 bucket without providing fixed credentials in the secret.
+
+See [this guide](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+
+[Example of `values.yaml`](values.aws.sts.yaml)
+
 ### Environment Variables
 The agent pod has the following environment variables and these are all set by the chart but included here for informational purposes:
diff --git a/charts/core-dump-handler/values.aws.sts.yaml b/charts/core-dump-handler/values.aws.sts.yaml
new file mode 100644
index 0000000..0ca3d32
--- /dev/null
+++ b/charts/core-dump-handler/values.aws.sts.yaml
@@ -0,0 +1,9 @@
+# AWS requires a crio client to be copied to the server
+daemonset:
+ includeCrioExe: true
+ vendor: rhel7 # EKS EC2 images have an old libc=2.26
+
+serviceAccount:
+ annotations:
+ # See https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
+ eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
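Review bot: The example omits the one caveat that makes it safe to copy: the role named in `eks.amazonaws.com/role-arn` must carry a trust policy scoped to this chart's service account (the `system:serviceaccount:<namespace>:<name>` condition described in the linked guide), otherwise other service accounts in the cluster can assume the same role. A comment line above the annotation would cover it, e.g. `# Scope the role's trust policy to this namespace/service account, not just the OIDC provider.` The table row added in the README hunk of this patch appears to point the IAM-roles entry at `values.aws.yaml` rather than this file; the table markup is stripped here so that may be a rendering artifact, but it is worth checking.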