chore(docs): Update release notes to document change to CLI and kubeconfig file required changes #371
…onfig file required changes
* AWS CLI to 1.22 | ||
|
||
### FUTURE BREAKING CHANGE: | ||
kubectl in the latest releases have removed support for token aquisition using the `apiVersion: client.authentication.k8s.io/v1alpha1` exec API. The aws cli version 1.22 does not support this new beta1 syntax yet but the aws-iam-authenticator supports both v1alpha1 and v1beta1 exec APIs. It's recommended that |
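Review bot: the heading says FUTURE BREAKING CHANGE, but the paragraph under it says kubectl "in the latest releases" has already removed `v1alpha1` support, so the note should name the kubectl version where the removal takes effect and say what still works today. In the same paragraph, "aquisition" should be "acquisition", and "this new beta1 syntax" should be written out as `client.authentication.k8s.io/v1beta1`, since that API version has not been introduced before the sentence that refers to it.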
Isn’t there something more specific we can say? If version 1.22 of the aws cli doesn't work with k8s >= 1.24, then this isn't a future breaking change, it's a present breaking change, right?
As I understand it, it’s important to have a "new enough" aws-iam-authenticator to target k8s clusters >= 1.24, where "new enough" means no longer references client.authentication.k8s.io/v1alpha1 ExecCredential. https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md even says:
The client.authentication.k8s.io/v1alpha1 ExecCredential has been removed.
Clouddriver currently brings in version 0.5.9 of aws-iam-authenticator in slim and 1.16.8? in ubuntu. I'm not sure where the corresponding source is for 1.16.8, but 0.5.9 is already new enough. See here that already references v1beta1.
Is there a consequence of using version 1.22 of the aws cli with older eks clusters? From what I can tell, client.authentication.k8s.io/v1beta1 of ExecCredential first appeared in this commit, which was first released (according to git tags) in k8s 1.11.0 although the 1.11 changelog doesn't mention it.
So you can continue to use alpha1/beta1 TODAY. You can't use beta1 with the AWS CLI until we bump that to 1.24. It's more at ... 1.25 of kubectl binary that alpha1 will no longer work in kubeconfig files
aws-iam-authenticator 0.5.9 supports alpha1/beta1 APIs and also supports imdsv2 metadata queries. Don't recall if it supports the newest v1 exec apis. It uses an env passed from kubectl to determine which API to respond with. There's a separate PR to change the ubuntu install of aws-iam-authenticator to use this version. Note I don't have SF access to look at the kubeconfig.
The aws cli isn't really used for spinnaker, or much of anything else. I've tested the aws cli... and 1.22 wasn't working with the v1beta1 exec call.
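Added example, not part of this PR or of any commenter's post: a Python check that lists the exec credential plugins in a kubeconfig and flags users still pinned to the `client.authentication.k8s.io/v1alpha1` API discussed above. It assumes the kubeconfig has been exported as JSON (for instance with `kubectl config view --raw -o json`); the sample kubeconfig and its user and cluster names are constructed.

```python
import json

REMOVED_API = "client.authentication.k8s.io/v1alpha1"

# Constructed sample: the shape of a kubeconfig "users" list, as JSON.
SAMPLE_KUBECONFIG = json.loads("""
{
  "users": [
    {"name": "eks-via-aws-cli", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1alpha1",
        "command": "aws",
        "args": ["eks", "get-token", "--cluster-name", "example-cluster"]}}},
    {"name": "eks-via-authenticator", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "aws-iam-authenticator",
        "args": ["token", "-i", "example-cluster"]}}},
    {"name": "static-token-user", "user": {"token": "REDACTED"}}
  ]
}
""")


def audit_exec_users(kubeconfig: dict) -> list:
    """Return one finding per user that authenticates through an exec plugin."""
    findings = []
    for entry in kubeconfig.get("users") or []:
        exec_cfg = (entry.get("user") or {}).get("exec")
        if not exec_cfg:
            continue  # static token, client certificate, etc.: not affected
        api_version = exec_cfg.get("apiVersion", "")
        findings.append({
            "user": entry.get("name"),
            "command": exec_cfg.get("command"),
            "apiVersion": api_version,
            # True when the stanza must move to v1beta1 before kubectl drops v1alpha1
            "uses_removed_api": api_version == REMOVED_API,
        })
    return findings


if __name__ == "__main__":
    for f in audit_exec_users(SAMPLE_KUBECONFIG):
        status = "UPDATE NEEDED" if f["uses_removed_api"] else "ok"
        print(f"{f['user']}: {f['command']} ({f['apiVersion']}) -> {status}")
```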
Let's remove the aws cli then?
Sadly it IS still used :( the aws-iam-authenticator is more performant, and I'd ABSOLUTELY prefer that. BUT the other place it's used is for fetching ECR tokens for docker containers. https://docs.armory.io/continuous-deployment/armory-admin/aws/artifacts-ecr-connect/ e.g. this.
Hmmm...it certainly is nice to have the aws cli in clouddriver for troubleshooting all manner of aws issues. I'd really like the text here to be a bit more crisp though. Is there something definitive we can say for 1.32? Did we break something/change behavior? If there's something people need to do when we release 1.33, I'd say let's wait for 1.33 so we can make sure we get it right. Predicting the future makes me nervous.
Nothing's broken yet ... was just "hey we should start warning people" :) Happy to change the text to something else... RIGHT NOW, nothing has changed. Just hoping to bump later.
Leave this for the next release then and update the text to be more ... direct?
Closing - have a new PR with this.