fix: update eks in-cluster authentication to use web identify files #372

Merged
merged 2 commits into from
Jul 22, 2024

mrsimonemms
Contributor

@mrsimonemms mrsimonemms commented Jul 18, 2024

Description

The previous #288 installation doesn't seem to work because there's no secret specified in the credentials.NewStaticCredentialsProvider call. I don't fully understand the reasons why this was changed because the envvar AWS_WEB_IDENTITY_TOKEN_FILE is one of the documented ways of authenticating - https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials

This meant that the /regions/aws call always returns the error failed to refresh cached credentials, static credentials are empty.

@jarededwards I'd like to know if there is something I've misinterpreted in here. I also can't find any other use of the aws.NewEKSServiceAccountClientV1() call in the API, so I think it's safe to use.

Related Issue(s)

Fixes #

How to test

  • In your gitops repo, go to /registry/clusters/<cluster-name>/components/kubefirst/console.yaml
  • In spec.helm.values, update your kubefirst-api to include the image.api.repository and image.api.tag below
    kubefirst-api:
      image:
        api:
          repository: ttl.sh/90df18fd-62d4-4cdc-8389-05364e3e4c48
          tag: 24h

NB. I've built the kubefirst-api locally and pushed to ttl.sh. This will expire at some point on 2024-07-23 (approx 09:00 UTC) so you may need to rebuild. Do that by running:

IMAGE_NAME=$(uuidgen)
docker build -t ttl.sh/${IMAGE_NAME}:24h .
docker push ttl.sh/${IMAGE_NAME}:24h

You can then update the image.api.repository value in the console.yaml

The previous #288 installation doesn't seem to work because there's
no `secret` specified in the `credentials.NewStaticCredentialsProvider`
call. I don't fully understand the reasons why this was changed because
the envvar `AWS_WEB_IDENTITY_TOKEN_FILE` is one of the documented ways
of authenticating - https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials
@mrsimonemms mrsimonemms force-pushed the sje/update-in-cluster-eks-auth branch from f05f5ee to 359dd4c Compare July 18, 2024 13:35
@mrsimonemms mrsimonemms marked this pull request as ready for review July 18, 2024 19:04
@mrsimonemms mrsimonemms merged commit 01d71fe into main Jul 22, 2024
1 check passed
@mrsimonemms mrsimonemms deleted the sje/update-in-cluster-eks-auth branch July 22, 2024 19:34