Add support for external-id and session-name #430
Conversation
|
@pingles draft opened here adding support for external id and session naming, yet to write any tests around this but wanted some early input with the direction before I go any further. |
stefansedich
force-pushed
the
session-name
branch
from
1f88406 to
9e61171
Compare
|
Yeah this looks great to me. I think with session name it would be good to change the default to include pod identifiers? It's been a while since I've looked at it, are there any limits on the size of the session names or formatting with Other than that, looks like a neat solution so thank you! |
I like the idea of using the pod name as a default, something like |
|
So having read the docs
Adding via annotation seems like a reasonable place to start. I also wonder if it's good to coerce the value into the expected format stated via their regex, or to have a default placeholder if it won't pass AWS' expectations. What do you think @stefansedich? |
Thanks, I had that doco handy but linking it here reminds me to look at it deeper to ensure we only use session names that are appropriate 😄! I like the idea of keeping it simple, just logging a warning if we cannot use the value provided and we can fallback to a default, which should hopefully land to something like |
stefansedich
force-pushed
the
session-name
branch
from
9e61171 to
94b4b00
Compare
|
@pingles the server already has the I am still unsure here what we do about validation, I am wondering if it does not pass the regex test if we just always default to I am just trying to avoid removing existing behavior assuming there might be users already using |
|
I'm not sure. My feeling is that typically it's a question of whether we'd want cluster operators to configure, or people scheduling pods? As you say, does add complexity so maybe another option is that you can enable the use of the annotation via a flag? Do you have an example of how you'd use this? @tombooth perhaps you have an idea about how we'd likely do the same and then use that to help guide the decisions. |
My usecase is simple, we intend to just use pod annotations for things we want to override the session name at a pod level. I personally am in favor of the simple route for this first release:
|
|
Thanks.
|
|
|
I would say default to on but allow it to be disabled. Use case I’m
thinking of is extending to support templates names that could be
configured on the server rather than needing annotations in all
deployments. But, that could be added later I guess. Good push back.
…On Wed, 21 Oct 2020 at 18:44, Stefan Sedich ***@***.***> wrote:
Thanks.
1. So, I'd say let's introduce a flag that enables the pod annotation
support (thus allowing pod control to be turned off later)
--enable-pod-session-name-annotation?
2. Rather than the regex, what about coercing the value, replacing any
invalid characters with a hyphen? That feels easier than reporting an error
in the pod events.
1.
We can do that, would it default to off? I question how useful a flag
even is, if the user does not annotate the existing behavior is used and
things change only when they decide to use the new annotation. What benefit
do we get adding a new flag?
2.
Yup this works, will corece the value to what AWS wants.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#430 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAI7QLIBAT7QIEUDICTULSL4MYZANCNFSM4STYEEKA>
.
|
👍 okies will get the coercing and tests done and get this open, I am not sure I will get time to wrap this up this week but will aim to have it ready for review next week. |
|
That’s great. No worries on time, appreciate the contribution!!
As you’re working let us know if you need a hand on anything, here or on
Slack.
On Wed, 21 Oct 2020 at 18:48, Stefan Sedich <[email protected]>
wrote:
… I would say default to on but allow it to be disabled. Use case I’m
thinking of is extending to support templates names that could be
configured on the server rather than needing annotations in all
deployments. But, that could be added later I guess. Good push back.
… <#m_5178614659173035544_>
On Wed, 21 Oct 2020 at 18:44, Stefan Sedich *@*.***> wrote: Thanks. 1.
So, I'd say let's introduce a flag that enables the pod annotation support
(thus allowing pod control to be turned off later)
--enable-pod-session-name-annotation? 2. Rather than the regex, what about
coercing the value, replacing any invalid characters with a hyphen? That
feels easier than reporting an error in the pod events. 1. We can do that,
would it default to off? I question how useful a flag even is, if the user
does not annotate the existing behavior is used and things change only when
they decide to use the new annotation. What benefit do we get adding a new
flag? 2. Yup this works, will corece the value to what AWS wants. — You are
receiving this because you were mentioned. Reply to this email directly,
view it on GitHub <#430 (comment)
<#430 (comment)>>, or
unsubscribe
https://github.com/notifications/unsubscribe-auth/AAAAI7QLIBAT7QIEUDICTULSL4MYZANCNFSM4STYEEKA
.
👍 okies will get the coercing and tests done and get this open, I am not
sure I will get time to wrap this up this week but will aim to have it
ready for review next week.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#430 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAI7TWM7VAI67BZIB3UJLSL4NGLANCNFSM4STYEEKA>
.
|
stefansedich
force-pushed
the
session-name
branch
from
6887223 to
a87ba4f
Compare
stefansedich
force-pushed
the
session-name
branch
3 times, most recently
from
786fa65 to
1133d44
Compare
pkg/prefetch/manager.go
Outdated
| @@ -81,7 +88,7 @@ func (m *CredentialManager) Run(ctx context.Context, parallelRoutines int) { | |||
| func (m *CredentialManager) handleExpiring(ctx context.Context, credentials *sts.CachedCredentials) { | |||
| logger := log.WithFields(sts.CredentialsFields(credentials.Identity, credentials.Credentials)) | |||
|
|
|||
| active, err := m.IsRoleActive(credentials.Identity.Role) | |||
| active, err := m.IsRoleActive(credentials.Identity.Role.Name) | |||
There was a problem hiding this comment.
I suspect this needs to change (and thus also needs some tests to prove the behaviour).
The purpose was originally to find any Pods in the Kubernetes API server filled cache. It should probably take the RoleIdentity type and then use that string for the cache key.
I'd expect the failing test to be something like if we had 2 pods using the same role but different session names, when one of them is no longer active (but the other is) we'd expect the non-active session to no longer be retained. If it's just matching on Role name, then it would keep them active.
The behaviour isn't horrific (it'd just mean refreshing credentials past them needing to be used) but be good to make it match the rest? What do you think?
There was a problem hiding this comment.
@pingles just so I have this correct, we want to change the pod cache to use something like indexRoleIdentity over the existing indexPodRole? where the existing cache of pods by only the role changes to be pods cached by the identity?
There was a problem hiding this comment.
Yep, that's right. At the moment, I would expect us to have incorrect behaviour assuming a state of:
Pod{Name: "foo", Status: "active", Role: "reader", Session: "active-reader"}
Pod{Name: "bar", Status: "stopped", Role: "reader", Session: "stopped-reader"}
IsRoleActive for an identity of Identity{Role: "reader", Session: "stopped-reader"} would still return true (because the active Pod remains) despite the call checking a different identity.
I suspect we should also include ExternalID if that's included also?
There was a problem hiding this comment.
Ok got it, I am thinking of just changing to build the Identity and using String on that for the key, will pull out constructing an identity to an IdentityFromPod function and go from there. Hold my 🍺
There was a problem hiding this comment.
Okies hopefully I did this right, refactoring+tests added 🤞
|
Thanks @stefansedich, super excited to get this added. |
stefansedich
force-pushed
the
session-name
branch
from
1133d44 to
ec9be5b
Compare
stefansedich
force-pushed
the
session-name
branch
from
d040cbe to
6a28e33
Compare
stefansedich
force-pushed
the
session-name
branch
4 times, most recently
from
edd4b90 to
78996ee
Compare
stefansedich
force-pushed
the
session-name
branch
from
78996ee to
69d4878
Compare
|
Had a quick scan on my phone but looks good to me! I'll have another look through on my laptop later but all looks good to me. |
This PR adds support for overriding the assumed roles session-name by use of a pod annotation, and also adds support for using an external-id when assuming the role.
For now I chose to simply use an annotation for overriding the session name, I felt that adding templating could be a future enhancement if it is desired.
It carries on the work from #399 and should help us finally close off #399 and #38