-
Notifications
You must be signed in to change notification settings - Fork 269
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3026: Add support for s3 data importer inheriting service account credentials #3433
base: main
Are you sure you want to change the base?
Changes from 4 commits
9c6eaba
81b3c8e
a87f77d
4b97bf6
69501ee
0f92ea5
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -255,6 +255,7 @@ func newDataSource(source string, contentType string, volumeMode v1.PersistentVo | |
ep, _ := util.ParseEnvVar(common.ImporterEndpoint, false) | ||
acc, _ := util.ParseEnvVar(common.ImporterAccessKeyID, false) | ||
sec, _ := util.ParseEnvVar(common.ImporterSecretKey, false) | ||
serviceAccount, _ := util.ParseEnvVar(common.ImporterServiceAccountName, false) | ||
keyf, _ := util.ParseEnvVar(common.ImporterGoogleCredentialFileVar, false) | ||
diskID, _ := util.ParseEnvVar(common.ImporterDiskID, false) | ||
uuid, _ := util.ParseEnvVar(common.ImporterUUID, false) | ||
|
@@ -271,34 +272,45 @@ func newDataSource(source string, contentType string, volumeMode v1.PersistentVo | |
case cc.SourceHTTP: | ||
ds, err := importer.NewHTTPDataSource(getHTTPEp(ep), acc, sec, certDir, cdiv1.DataVolumeContentType(contentType)) | ||
if err != nil { | ||
errorCannotConnectDataSource(err, "http") | ||
errorCannotConnectDataSource(err, cc.SourceHTTP) | ||
} | ||
return ds | ||
case cc.SourceImageio: | ||
ds, err := importer.NewImageioDataSource(ep, acc, sec, certDir, diskID, currentCheckpoint, previousCheckpoint) | ||
if err != nil { | ||
errorCannotConnectDataSource(err, "imageio") | ||
errorCannotConnectDataSource(err, cc.SourceImageio) | ||
} | ||
return ds | ||
case cc.SourceRegistry: | ||
ds := importer.NewRegistryDataSource(ep, acc, sec, certDir, insecureTLS) | ||
return ds | ||
case cc.SourceS3: | ||
ds, err := importer.NewS3DataSource(ep, acc, sec, certDir) | ||
var ( | ||
ds *importer.S3DataSource | ||
err error | ||
) | ||
if serviceAccount != "" { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is the value of There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The latter! hopefully i was too far off base, but the approach was that this would be used as a "flag" given the service account should have been properly set up by the time it is invoked here? (or fail on referencing an un-instantiated SA) |
||
// use this as a flag to say the user has a SAN set up with creds that IRSA will read | ||
klog.Infof("Attempting to create your S3 Data Source with cloud provider creds.\n") | ||
ds, err = importer.NewChainCredentialsS3DataSource(ep, certDir) | ||
} else { | ||
// default behaviour of using supplied access key and secret key to configure S3 client | ||
ds, err = importer.NewS3DataSource(ep, acc, sec, certDir) | ||
} | ||
if err != nil { | ||
errorCannotConnectDataSource(err, "s3") | ||
errorCannotConnectDataSource(err, cc.SourceS3) | ||
} | ||
return ds | ||
case cc.SourceGCS: | ||
ds, err := importer.NewGCSDataSource(ep, keyf) | ||
if err != nil { | ||
errorCannotConnectDataSource(err, "gcs") | ||
errorCannotConnectDataSource(err, cc.SourceGCS) | ||
} | ||
return ds | ||
case cc.SourceVDDK: | ||
ds, err := importer.NewVDDKDataSource(ep, acc, sec, thumbprint, uuid, backingFile, currentCheckpoint, previousCheckpoint, finalCheckpoint, volumeMode) | ||
if err != nil { | ||
errorCannotConnectDataSource(err, "vddk") | ||
errorCannotConnectDataSource(err, cc.SourceVDDK) | ||
} | ||
return ds | ||
default: | ||
|
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -102,6 +102,7 @@ type importPodEnvVar struct { | |
extraHeaders []string | ||
secretExtraHeaders []string | ||
cacheMode string | ||
serviceAccountName string | ||
} | ||
|
||
type importerPodArgs struct { | ||
|
@@ -1263,6 +1264,10 @@ func makeImportEnv(podEnvVar *importPodEnvVar, uid types.UID) []corev1.EnvVar { | |
Name: common.CacheMode, | ||
Value: podEnvVar.cacheMode, | ||
}, | ||
{ | ||
Name: common.ImporterServiceAccountName, | ||
Value: podEnvVar.serviceAccountName, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Couple things
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. hi -- thanks for explaining this, i think i am almost on the same page so appreciate the patience on your end.
thanks again for taking your time to help me with this, @mhenriks! There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Spec: corev1.PodSpec{
Containers: makeImporterContainerSpec(args),
InitContainers: makeImporterInitContainersSpec(args),
Volumes: makeImporterVolumeSpec(args),
RestartPolicy: corev1.RestartPolicyOnFailure,
NodeSelector: args.workloadNodePlacement.NodeSelector,
Tolerations: args.workloadNodePlacement.Tolerations,
Affinity: args.workloadNodePlacement.Affinity,
PriorityClassName: args.priorityClassName,
ImagePullSecrets: args.imagePullSecrets,
-------------> ServiceAccountName: args.serviceAccountName
}, There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. some documentation here explaining what happens when the |
||
}, | ||
} | ||
if podEnvVar.secretName != "" && podEnvVar.source != cc.SourceGCS { | ||
env = append(env, corev1.EnvVar{ | ||
|
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see that this env var is getting set on the import pod. Here are some reference points:
https://github.com/russellcain/containerized-data-importer/blob/a87f77d4f010ee3fb2ca4b30111b7d70596c2eb2/pkg/controller/import-controller.go#L558
https://github.com/russellcain/containerized-data-importer/blob/a87f77d4f010ee3fb2ca4b30111b7d70596c2eb2/pkg/controller/import-controller.go#L1176
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah rats! thanks for closing this gap in my understanding -- let me take a stab at that right now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
okay so fingers crossed that I understood how this flows in 04d29c3
I dont need to add anything here, right?
https://github.com/russellcain/containerized-data-importer/blob/41ba02d03ce0205b38fdfc9cbae4a1dc17b3abff/tools/cdi-source-update-poller/main.go#L48
looks like more so this parses env vars (which the SA doesnt fall into) and args passed at invocation (also not applicable)?
should i be adding a check about the source here? and then set it to any value if the PodSpec has a SA set?