ValidationError session-name #16

Closed
cw-sakamoto opened this issue May 7, 2019 · 5 comments · Fixed by #17

Comments

@cw-sakamoto

cw-sakamoto commented May 7, 2019

When I tried to check the CRD merged in #13, I got the following error.

time="2019-05-07T02:31:53Z" level=error msg="Failed to get credentials for role kube-fluentd-operator-role: ValidationError: 1 validation error detected: Value 'arn_aws_iam__XXXXXX_role.kube-fluentd-operator-role-session' at 'roleSessionName' failed to satisfy constraint: Member must have length less than or equal to 64\n\tstatus code: 400, request id: 4690bf63-7070-11e9-bc91-XXXXXX"
@mikkeloscar
Contributor

Could you share your manifests so I could try to reproduce the error?

@cw-sakamoto
Author

Thanks for your comments!
It seems to work with the previous method (with the secrets prefix), so the CRD is not created.

manifest:

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    app: log-router
    chart: log-router-0.3.0
    heritage: Tiller
    release: kube-fluentd-operator
  name: kube-fluentd-operator-log-router
  namespace: kube-system
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: log-router
      release: kube-fluentd-operator
  template:
    metadata:
      annotations:
        checksum/fluentd-extraenv: ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
        checksum/reloader-extraenv: ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
      creationTimestamp: null
      labels:
        app: log-router
        release: kube-fluentd-operator
    spec:
      containers:
      - env:
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        image: cwsakamoto/kube-fluentd-operator:add-datadog-plugin
        imagePullPolicy: IfNotPresent
        name: fluentd
        resources:
          limits:
            cpu: 200m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 64Mi
        volumeMounts:
        - mountPath: /fluentd/etc
          name: fluentconf
        - mountPath: /var/log
          name: varlog
        - mountPath: /var/lib/kubelet
          name: kubeletroot
          readOnly: true
        - mountPath: /var/lib/docker/containers
          name: varlibdockercontainers
          readOnly: true
        - mountPath: /etc/google/auth/
          name: gcp-credentials
          readOnly: true
        - mountPath: /root/.aws
          name: aws-iam-credentials
          readOnly: true
      - command:
        - /bin/config-reloader
        - --datasource=default
        - --interval=45
        - --log-level=debug
        - --output-dir=/fluentd/etc
        - --templates-dir=/templates
        - --id=kube-fluentd-operator-log-router
        - --fluentd-binary
        - /usr/local/bin/fluentd -p /fluentd/plugins
        - --kubelet-root
        - /var/lib/kubelet
        image: cwsakamoto/kube-fluentd-operator:add-datadog-plugin
        imagePullPolicy: IfNotPresent
        name: reloader
        resources:
          limits:
            cpu: 200m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 64Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /fluentd/etc
          name: fluentconf
        - mountPath: /etc/google/auth/
          name: gcp-credentials
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: kube-fluentd-operator-log-router
      serviceAccountName: kube-fluentd-operator-log-router
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - effect: NoExecute
        operator: Exists
      - key: CriticalAddonsOnly
        operator: Exists
      volumes:
      - emptyDir: {}
        name: fluentconf
      - hostPath:
          path: /var/lib/kubelet
          type: ""
        name: kubeletroot
      - hostPath:
          path: /var/log
          type: ""
        name: varlog
      - hostPath:
          path: /var/lib/docker/containers
          type: ""
        name: varlibdockercontainers
      - name: gcp-credentials
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: gcp-credentials
      - name: aws-iam-credentials
        secret:
          defaultMode: 420
          secretName: aws-iam-kube-fluentd-operator-role
  templateGeneration: 11
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate

@mikkeloscar
Contributor

Ok, but the CRD method should also work and will become the default in the future.

@cw-sakamoto
Author

Yes, I'm planning to migrate to the CRD method 👍

https://github.com/mikkeloscar/kube-aws-iam-controller/blob/master/credentials_getter.go#L55
If the session name is trimmed (to a length less than or equal to 64) or hashed (e.g. with md5), it seems OK.

@cw-sakamoto
Author

I looked at https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html, where it is written:

Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons.

so the session-name is likely to be unique.

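The two comments above suggest trimming or hashing the session name while keeping it unique. As an added example (not code from kube-aws-iam-controller), the Go function below, with the assumed name SafeRoleSessionName, applies the STS RoleSessionName constraint (2 to 64 characters from [\w+=,.@-]): it sanitizes disallowed characters and, when the result is too long, truncates it and appends a short SHA-256 suffix of the full original so that two long names sharing a prefix still map to distinct session names. The 12-digit account id in main() is a constructed placeholder standing in for the redacted value in the error.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// STS AssumeRole constraints on RoleSessionName: 2..64 characters from [\w+=,.@-].
const (
	maxSessionNameLen = 64
	minSessionNameLen = 2
	hashSuffixLen     = 8 // hex characters of SHA-256 kept when truncating
)

var invalidSessionChars = regexp.MustCompile(`[^\w+=,.@-]`)

// SafeRoleSessionName (assumed name, not the controller's own) maps an arbitrary
// identifier such as a role ARN onto a valid, deterministic RoleSessionName.
// Long inputs are truncated and suffixed with a hash of the full original so
// that uniqueness across long, similar names is preserved.
func SafeRoleSessionName(raw string) (string, error) {
	name := invalidSessionChars.ReplaceAllString(raw, "_")
	if len(name) < minSessionNameLen {
		return "", fmt.Errorf("session name %q is shorter than %d characters", raw, minSessionNameLen)
	}
	if len(name) <= maxSessionNameLen {
		return name, nil
	}
	sum := sha256.Sum256([]byte(raw))
	suffix := hex.EncodeToString(sum[:])[:hashSuffixLen]
	keep := maxSessionNameLen - 1 - hashSuffixLen // room for "-" plus the suffix
	return name[:keep] + "-" + suffix, nil
}

// IsValidRoleSessionName reports whether name already satisfies the STS constraint.
func IsValidRoleSessionName(name string) bool {
	return len(name) >= minSessionNameLen &&
		len(name) <= maxSessionNameLen &&
		!invalidSessionChars.MatchString(name)
}

func main() {
	// Constructed: 65-character input modelled on the failing value in the issue.
	raw := "arn:aws:iam::123456789012:role/kube-fluentd-operator-role-session"
	name, err := SafeRoleSessionName(raw)
	fmt.Println(name, len(name), IsValidRoleSessionName(name), err)
}
```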