Open andrewhibbert opened 3 years ago
Not a bug, but wondering if anyone is successfully using IRSA with NiFi.
It will be really helpful if someone can help here.
I'm also facing the same issue. It assumes the role of the worker node even after specifying eks.amazonaws.com/role-arn
in serviceAccount annotations.
Chart version: 0.6.4
NiFi 1.13.2
Ok, so I'm trying to reverse-engineer this as well... here is what I did but I'm missing the final pieces: Add this to your values.yml
sts:
  serviceAccount:
    create: true
    name: mynifi
When I deploy the chart, it creates and assigns the service account as mynifi-sa.
You then need to create a "Web Identity" role as per https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html and then inject the annotation into the service account.
Since the chart isn't set up to inject annotations into the service account (perhaps we could submit a pull request for this?), I use kubectl edit serviceaccount mynifi-sa; I didn't verify the method in the URL for this.
Once I did this, I'm able to log onto the "nifi-0 server" container and validate that the environment variables are set.
I'm now trying to configure the AWSCredentialsProviderControllerService in nifi to use this somehow, but it doesn't seem to want to do this "directly".
I have a feeling that something needs to be modified in the code to take advantage of this and it's not exposed yet: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-web_identity_token_file.html
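One way to check each step of the wiring described above (annotated service account, injected environment variables, and which identity the pod actually gets) before suspecting NiFi itself. This is an added example, not code from the chart or from anyone in this thread; the names mynifi-sa, nifi-0, the "server" container and the expected role ARN are assumptions, as is the presence of the aws CLI in the container for the last step.

```shell
# Added example (not from the helm-nifi chart or the thread). Checks the IRSA
# wiring for a NiFi pod in three steps: the ServiceAccount annotation, the two
# environment variables the token projection injects, and the identity STS
# reports from inside the pod (the IRSA role, not the worker node's role).
# Assumed names: service account mynifi-sa, pod nifi-0, container "server",
# and that the aws CLI is available in the container for the last step.

# irsa_env_ok ENV_TEXT EXPECTED_ROLE_ARN
#   ENV_TEXT is the output of `env` in the container (one VAR=value per line).
#   Succeeds only if both IRSA variables are set and the role ARN is the expected one.
irsa_env_ok() {
  env_text=$1; want=$2
  role=$(printf '%s\n' "$env_text" | sed -n 's/^AWS_ROLE_ARN=//p')
  token=$(printf '%s\n' "$env_text" | sed -n 's/^AWS_WEB_IDENTITY_TOKEN_FILE=//p')
  [ -n "$role" ] && [ -n "$token" ] && [ "$role" = "$want" ]
}

# caller_is_role CALLER_ARN EXPECTED_ROLE_ARN
#   CALLER_ARN is the Arn from `aws sts get-caller-identity`. For an assumed role
#   it looks like arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION, so the
#   role name is compared; a node instance role or an IAM user ARN fails.
caller_is_role() {
  caller=$1; want=$2
  want_name=${want##*/}          # arn:aws:iam::ACCOUNT:role/NAME -> NAME
  case $caller in
    arn:aws:sts::*:assumed-role/"$want_name"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check against a cluster; only runs when IRSA_CHECK_LIVE=1 so the
# functions above can be sourced and tested without kubectl or AWS access.
irsa_check_live() {
  ns=$1; sa=$2; pod=$3; ctr=$4; want=$5
  ann=$(kubectl -n "$ns" get serviceaccount "$sa" \
        -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')
  [ "$ann" = "$want" ] || { echo "SA annotation missing or wrong: '$ann'"; return 1; }
  env_text=$(kubectl -n "$ns" exec "$pod" -c "$ctr" -- env)
  irsa_env_ok "$env_text" "$want" || { echo "IRSA env vars not injected"; return 1; }
  caller=$(kubectl -n "$ns" exec "$pod" -c "$ctr" -- \
           aws sts get-caller-identity --query Arn --output text)
  caller_is_role "$caller" "$want" || { echo "pod runs as $caller, not $want"; return 1; }
  echo "IRSA wiring OK: $caller"
}

if [ "${IRSA_CHECK_LIVE:-0}" = 1 ]; then
  irsa_check_live "${NIFI_NS:-nifi}" mynifi-sa nifi-0 server "$EXPECTED_ROLE_ARN"
fi
```

If the first two checks pass but the caller identity is still the node's instance role, the problem is in the process consuming the credentials (the point the rest of this thread reaches), not in the Kubernetes side of the setup.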
Hi @nuttybrewer, yes the environment variables do populate inside the container. But still there were issues assuming the role.
So our team created custom plugins with software.amazon.awssdk:sts added as a dependency, which solved the issue.
I also went ahead and created a PR #143 to inject annotations into service account.
@Shivam9268
"custom plugins" ... Do you mean NiFi authenticator plugins?
Many thanks, Steve
Hi Steve,
I submitted https://github.com/apache/nifi/pull/5108 to support this. You can fork and compile nifi, the dockerfiles are already in the distribution. I can change the image and version in the current charts to load those custom ones and they now work fine.
Pat
On Thu, Jun 17, 2021 at 4:52 PM Steve Brown @.***> wrote:
marking this as stale since the above mentioned PR has been closed.
Describe the bug
I'm trying to use NiFi with IAM roles for service accounts. We are using NiFi 1.13, which seems to have a supported SDK (https://github.com/apache/nifi/blob/rel/nifi-1.13.0/nifi-nar-bundles/nifi-aws-bundle/pom.xml#L29), higher than the minimum supported here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html. However, NiFi does not seem to be using the role at all; any ideas? I have set fsGroup to 65534, as this has been mentioned as a general problem when using IAM roles for service accounts via k8s.
Version of Helm and Kubernetes:
Helm 3.15, Kubernetes 1.18