From 43028d4d824731997442ba917cff3ee251dc61f2 Mon Sep 17 00:00:00 2001
From: EliseCastle23
Date: Wed, 24 Apr 2024 16:14:09 -0600
Subject: [PATCH 1/3] making changes to kube-setup-batch-export, so it can use IRSA instead of AWS keys

---
 gen3/bin/kube-setup-batch-export.sh | 45 ++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 14 deletions(-)

diff --git a/gen3/bin/kube-setup-batch-export.sh b/gen3/bin/kube-setup-batch-export.sh
index 25b3f5bb0..5d24907d7 100644
--- a/gen3/bin/kube-setup-batch-export.sh
+++ b/gen3/bin/kube-setup-batch-export.sh
@@ -11,7 +11,7 @@ if ! g3kubectl get secrets | grep batch-export-g3auto /dev/null 2>&1; then
 hostname="$(gen3 api hostname)"
 ref_hostname=$(echo "$hostname" | sed 's/\./-/g')
 bucket_name="${ref_hostname}-batch-export-bucket"
- aws_user="${ref_hostname}-batch-export-user"
+ sa_name="batch-export-sa"
 mkdir -p $(gen3_secrets_folder)/g3auto/batch-export
 creds_file="$(gen3_secrets_folder)/g3auto/batch-export/config.json"
 
@@ -19,22 +19,39 @@ if ! g3kubectl get secrets | grep batch-export-g3auto /dev/null 2>&1; then
 if [[ -z "$JENKINS_HOME" ]]; then
 gen3 s3 create $bucket_name
- gen3 awsuser create $aws_user
- gen3 s3 attach-bucket-policy $bucket_name --read-write --user-name $aws_user
- gen3 secrets sync "aws reources for batch export"
- gen3_log_info "initializing batch-export config.json"
- user=$(gen3 secrets decode $aws_user-g3auto awsusercreds.json)
- key_id=$(jq -r .id <<< $user)
- access_key=$(jq -r .secret <<< $user)
- cat - > $creds_file < "export-job-aws-policy.json" < /dev/null 2>&1; then
+ if ! gen3 iam-serviceaccount -c "${sa_name}" -p ./export-job-aws-policy.json; then
+ gen3_log_err "Failed to create iam service account"
+ return 1
+ fi
+ gen3_log_info "created service account 'batch-export-sa' with s3 access"
+ gen3_log_info "created role name '${role_name}'"
+ fi
+
+ gen3_log_info "creating batch-export-g3auto configmap"
+ kubectl create configmap batch-export-g3auto --from-literal=bucket_name="$sa_name"
 fi
 fi

From 57965a14893a612e90d993184c8516bac8803225 Mon Sep 17 00:00:00 2001
From: EliseCastle23
Date: Thu, 25 Apr 2024 09:14:57 -0600
Subject: [PATCH 2/3] fixing typo

---
 gen3/bin/kube-setup-batch-export.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gen3/bin/kube-setup-batch-export.sh b/gen3/bin/kube-setup-batch-export.sh
index 5d24907d7..aba6a49ab 100644
--- a/gen3/bin/kube-setup-batch-export.sh
+++ b/gen3/bin/kube-setup-batch-export.sh
@@ -52,6 +52,6 @@ EOM
 fi
 gen3_log_info "creating batch-export-g3auto configmap"
- kubectl create configmap batch-export-g3auto --from-literal=bucket_name="$sa_name"
+ kubectl create configmap batch-export-g3auto --from-literal=bucket_name="$bucket_name"
 fi
 fi

From 388dee058215981422dbbae51b4a71e1bc0ced23 Mon Sep 17 00:00:00 2001
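Review bot: The idempotency guard in the hunk header, `if ! g3kubectl get secrets | grep batch-export-g3auto`, still keys off a secret, but the new code no longer creates one (the `gen3 secrets sync` path is removed) and writes a configmap instead, so every later run re-enters the block and `kubectl create configmap batch-export-g3auto ...` fails with AlreadyExists after also re-running `gen3 s3 create` and the IAM service-account step. The guard should test the artifact the script now owns, `if ! g3kubectl get configmap batch-export-g3auto > /dev/null 2>&1; then`, and the final line is better made idempotent and routed through the same wrapper as the rest of the script: `kubectl create configmap batch-export-g3auto --from-literal=bucket_name=… --dry-run=client -o yaml | g3kubectl apply -f -`. The policy document is also written to the current working directory (`cat - > "export-job-aws-policy.json"`, then `-p ./export-job-aws-policy.json`) and never removed; writing it under `$(mktemp -d)` with a `trap 'rm -rf -- "$tmpdir"' EXIT` avoids leaving an IAM policy file wherever the operator happened to run `gen3`. The heredoc region of this hunk appears garbled in this excerpt, so I cannot see where `${role_name}` is assigned or what the policy grants; please confirm the policy is scoped to `${bucket_name}` only. The enclosing `if ! g3kubectl get secrets ...` block starts before this hunk.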
From: EliseCastle23
Date: Thu, 25 Apr 2024 09:26:22 -0600
Subject: [PATCH 3/3] updating the logging for this script and removing unneeded variables

---
 gen3/bin/kube-setup-batch-export.sh | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/gen3/bin/kube-setup-batch-export.sh b/gen3/bin/kube-setup-batch-export.sh
index aba6a49ab..7861f5024 100644
--- a/gen3/bin/kube-setup-batch-export.sh
+++ b/gen3/bin/kube-setup-batch-export.sh
@@ -12,10 +12,8 @@ if ! g3kubectl get secrets | grep batch-export-g3auto /dev/null 2>&1; then
 ref_hostname=$(echo "$hostname" | sed 's/\./-/g')
 bucket_name="${ref_hostname}-batch-export-bucket"
 sa_name="batch-export-sa"
- mkdir -p $(gen3_secrets_folder)/g3auto/batch-export
- creds_file="$(gen3_secrets_folder)/g3auto/batch-export/config.json"
-
- gen3_log_info "Creating batch export secret"
+
+ gen3_log_info "Creating batch export bucket"
 if [[ -z "$JENKINS_HOME" ]]; then
 gen3 s3 create $bucket_name