-
Notifications
You must be signed in to change notification settings - Fork 269
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3026: Add support for s3 data importer inheriting service account credentials #3433
base: main
Are you sure you want to change the base?
3026: Add support for s3 data importer inheriting service account credentials #3433
Conversation
Hi @russellcain. Thanks for your PR. PRs from untrusted users cannot be marked as trusted with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold |
…dentials Signed-off-by: russellcain <[email protected]>
Signed-off-by: russellcain <[email protected]>
e1f84ca
to
81b3c8e
Compare
(recent force push to include signoff) |
/test |
@mhenriks: The
The following commands are available to trigger optional jobs:
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/test all |
Signed-off-by: russellcain <[email protected]>
a82147e
to
a87f77d
Compare
/test all |
@russellcain: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
@mhenriks would you mind kicking off the tests for me, please? |
/test all |
/test pull-cdi-goveralls |
cmd/cdi-importer/importer.go
Outdated
@@ -255,6 +255,7 @@ func newDataSource(source string, contentType string, volumeMode v1.PersistentVo | |||
ep, _ := util.ParseEnvVar(common.ImporterEndpoint, false) | |||
acc, _ := util.ParseEnvVar(common.ImporterAccessKeyID, false) | |||
sec, _ := util.ParseEnvVar(common.ImporterSecretKey, false) | |||
serviceAccount, _ := util.ParseEnvVar(common.ImporterServiceAccountName, false) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see that this env var is getting set on the import pod. Here are some reference points:
https://github.com/russellcain/containerized-data-importer/blob/a87f77d4f010ee3fb2ca4b30111b7d70596c2eb2/pkg/controller/import-controller.go#L558
https://github.com/russellcain/containerized-data-importer/blob/a87f77d4f010ee3fb2ca4b30111b7d70596c2eb2/pkg/controller/import-controller.go#L1176
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah rats! thanks for closing this gap in my understanding -- let me take a stab at that right now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
okay so fingers crossed that I understood how this flows in 04d29c3
I dont need to add anything here, right?
https://github.com/russellcain/containerized-data-importer/blob/41ba02d03ce0205b38fdfc9cbae4a1dc17b3abff/tools/cdi-source-update-poller/main.go#L48
looks like more so this parses env vars (which the SA doesnt fall into) and args passed at invocation (also not applicable)?
should i be adding a check about the source here? and then set it to any value if the PodSpec has a SA set?
cmd/cdi-importer/importer.go
Outdated
ds *importer.S3DataSource | ||
err error | ||
) | ||
if serviceAccount != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the value of serviceAccount
ever used in the aws API? Or does the aws lib assume that the pod is running as the privileged service account?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The latter! hopefully i was too far off base, but the approach was that this would be used as a "flag" given the service account should have been properly set up by the time it is invoked here? (or fail on referencing an un-instantiated SA)
Signed-off-by: russellcain <[email protected]>
04d29c3
to
4b97bf6
Compare
/retest |
@russellcain: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/test all |
pkg/controller/import-controller.go
Outdated
@@ -1263,6 +1264,10 @@ func makeImportEnv(podEnvVar *importPodEnvVar, uid types.UID) []corev1.EnvVar { | |||
Name: common.CacheMode, | |||
Value: podEnvVar.cacheMode, | |||
}, | |||
{ | |||
Name: common.ImporterServiceAccountName, | |||
Value: podEnvVar.serviceAccountName, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couple things
-
if the worker pod does not need to know the SA name and this param is just a flag for setting
sessionConfig.CredentialsChainVerboseErrors = aws.Bool(true)
then why not make this a boolean value with key something likeS3_CREDENTIALS_CHAIN_AUTH
-
You have to set the service account name in the importer pod spec somewhere in here: https://github.com/russellcain/containerized-data-importer/blob/3026/IRSA-integration-for-s3-service-accounts/pkg/controller/import-controller.go#L884-L949
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi -- thanks for explaining this, i think i am almost on the same page so appreciate the patience on your end.
-
for 1, does this handle my concern posted here? I agree that, to the best of my knowledge, the SA name itself will not be meaningfully used by the worker pod and instead is just a flag to not set
sessionConfig.Credentials
. I guess i was hoping to make a smaller footprint / mimic other patterns where referencing/supplying a SA name in the pod spec communicates that the values of that account are consumed by the pod (since that is happening in this case, just not through an explicit invocation). If I'm talking myself into circles, please let me know, but does this make sense?- I also see the merit in an explicit boolean flag -- if what im explaining above comes across as anything hand-wavy, then I'd be alright with someone knowing what they are signing up for with the
S3_CREDENTIALS_CHAIN_AUTH
value being set. I guess I'd just be a bit worried that the hypothetical user would set this value without having set a SA? and the approach of specifying the SA name slightly safeguards against that? I might be over-worrying here.
- I also see the merit in an explicit boolean flag -- if what im explaining above comes across as anything hand-wavy, then I'd be alright with someone knowing what they are signing up for with the
-
for 2, happy to make this change, but wanted to confirm my understanding. are you saying we need the value set at the top level spec definition for how I'm attempting to consume it later on in
cmd/cdi-importer/importer.go
? that makes sense to me, but would still want to make sure i got eyes on https://github.com/kubevirt/containerized-data-importer/pull/3433/files#r1767598831
thanks again for taking your time to help me with this, @mhenriks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-
S3_CREDENTIALS_CHAIN_AUTH
would just be the name of the environment variable in the importer pod spec. This should not be visible to users in any way. Importer pods are created/managed by cdi-deployment controller. The user will still specify the service account name in the API as you have already declared -
The pod
spec.serviceAccountName
should be set to the value the user set in the datavolume. See here: https://github.com/russellcain/containerized-data-importer/blob/3026/IRSA-integration-for-s3-service-accounts/pkg/controller/import-controller.go#L915-L925
Spec: corev1.PodSpec{
Containers: makeImporterContainerSpec(args),
InitContainers: makeImporterInitContainersSpec(args),
Volumes: makeImporterVolumeSpec(args),
RestartPolicy: corev1.RestartPolicyOnFailure,
NodeSelector: args.workloadNodePlacement.NodeSelector,
Tolerations: args.workloadNodePlacement.Tolerations,
Affinity: args.workloadNodePlacement.Affinity,
PriorityClassName: args.priorityClassName,
ImagePullSecrets: args.imagePullSecrets,
-------------> ServiceAccountName: args.serviceAccountName
},
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some documentation here explaining what happens when the serviceAccountName
is added to the pod, what the pod-identity-webhook
is mutating in the pod spec
will wait back on a response to this conversation before i push up my changes. thanks again, @mhenriks |
Signed-off-by: russellcain <[email protected]>
thanks for the added context, @chomatdam -- can you let me know if my changes in 69501ee seem to line up with the approach you described, please @mhenriks? thanks again for your guidance on this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
getting there!
cmd/cdi-importer/importer.go
Outdated
@@ -255,6 +255,7 @@ func newDataSource(source string, contentType string, volumeMode v1.PersistentVo | |||
ep, _ := util.ParseEnvVar(common.ImporterEndpoint, false) | |||
acc, _ := util.ParseEnvVar(common.ImporterAccessKeyID, false) | |||
sec, _ := util.ParseEnvVar(common.ImporterSecretKey, false) | |||
use_s3_credential_chain_auth, _ := strconv.ParseBool(os.Getenv(common.UseS3CredentialsChainAuth)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use_s3_credential_chain_auth
is a little verbose compared to other variable names maybe just s3ChainAuth
?
pkg/controller/import-controller.go
Outdated
extraHeaders []string | ||
secretExtraHeaders []string | ||
cacheMode string | ||
use_s3_credential_chain_auth bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about s3ChainAuth
as variable name?
@@ -117,6 +118,7 @@ type importerPodArgs struct { | |||
workloadNodePlacement *sdkapi.NodePlacement | |||
vddkImageName *string | |||
priorityClassName string | |||
serviceAccountName string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where is this getting assigned?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i was thinking it should be set here? https://github.com/kubevirt/containerized-data-importer/pull/3433/files#diff-868af4b730094e9180f78af4cc069ae6cecf7077a46c186553f331dccbd32993R954
/test all |
Signed-off-by: russellcain <[email protected]>
@mhenriks may I have another review / test run, please? |
@mhenriks hi, i was hoping to get another test run in and another crack at it before the year is out, if possible, please -- thank you |
/test all |
@russellcain: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
/unhold |
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Release note:
Signed-off-by: _____