Open camilamacedo86 opened 3 months ago
I could make it work by doing some changes manually. Following are the suggestions to sort it out:

a) The CouchbaseBackup CRD needs a spec field so that we are able to add the required annotation to grant the IAM permissions to the ServiceAccount. (Also, the Helm chart needs to allow us to provide the annotation via the values.)

Example:

```yaml
Name:        couchbase-backup
Namespace:   my-namespace
Annotations: iam.gke.io/gcp-service-account: couchbase-backup@my-project.iam.gserviceaccount.com
```

b) It would also be helpful to allow us to create the ServiceAccount manually if we wish to do so, instead of always having it created by the operator.

c) The docs are missing examples about how to configure it and the required permissions. I needed to grant all of the following ones to see it working. Could you please clarify which permissions should be required?

- `roles/iam.serviceAccountTokenCreator`
- `roles/iam.workloadIdentityUser`
- `roles/storage.legacyBucketReader`
- `roles/storage.objectCreator`
- `roles/storage.objectViewer`
- `roles/storage.admin`
- `roles/storage.objectAdmin`
Description
The documentation for configuring instance metadata authentication for Couchbase Operator Backup (link) IMHO is unclear on whether providing the secret is always necessary. The primary advantage of using IAM roles (specifically `roles/iam.workloadIdentityUser`), as you can see (here), is to avoid the need for secrets. Thus, if using a secret is mandatory, it seems to me that this contradicts the purpose of IAM roles. Furthermore, the instance metadata authentication option does not function as expected. I attempted this with the latest release `couchbase/operator-backup:1.3.8`.

Steps to Reproduce

`serviceAccountName: couchbase-backup`.
`roles/storage.objectCreator` and `roles/storage.objectViewer`.

Observed Behavior
The job fails to connect to the API, producing the following log output:
Expected Behavior
The backup job should successfully connect to the API and perform the backup without requiring a secret when using IAM roles.
Additional Information
Configuration
Request
Please clarify the documentation regarding the necessity of secrets when using IAM roles. Additionally, provide a resolution for the failure observed during instance metadata authentication.
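The Workload Identity wiring that suggestions (a) and (c) and the reproduction steps above describe, as an added example that is not part of the issue or of the Couchbase project: it binds the backup ServiceAccount to a Google service account, annotates it, and then checks from inside a pod whether instance-metadata authentication actually returns that identity. The project, namespace, ServiceAccount and GSA names are assumed values taken from the issue text.

```shell
#!/bin/sh
# Added example, not code from the issue or the Couchbase project: bind the
# backup KSA to a GSA with Workload Identity and check, from inside a pod,
# that instance-metadata auth yields the GSA identity with no secret mounted.
# Project, namespace, KSA and GSA names are assumed values taken from the issue.
PROJECT="${PROJECT:-my-project}"
NAMESPACE="${NAMESPACE:-my-namespace}"
KSA="${KSA:-couchbase-backup}"
GSA="${GSA:-couchbase-backup@${PROJECT}.iam.gserviceaccount.com}"

# Member that roles/iam.workloadIdentityUser must be granted to, on the GSA.
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"; }

# Annotation GKE's metadata server reads to decide which GSA to impersonate.
wi_annotation() { printf 'iam.gke.io/gcp-service-account=%s' "$1"; }

# Step 1: scope the impersonation grant to this one GSA, not the whole project.
bind_gsa() {
  gcloud iam service-accounts add-iam-policy-binding "$GSA" --project "$PROJECT" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$PROJECT" "$NAMESPACE" "$KSA")"
}

# Step 2: annotate the KSA (bucket roles are granted to the GSA separately).
annotate_ksa() {
  kubectl annotate serviceaccount "$KSA" -n "$NAMESPACE" --overwrite \
    "$(wi_annotation "$GSA")"
}

# Step 3: a pod running as the KSA asks the metadata server who it is.
# Expected: the GSA e-mail. The node's default account or a 404 means the
# binding or annotation is wrong, which is what a failing backup job would hit.
verify_identity() {
  kubectl run wi-check -n "$NAMESPACE" --rm -i --restart=Never \
    --image=curlimages/curl \
    --overrides="{\"spec\":{\"serviceAccountName\":\"$KSA\"}}" -- \
    curl -sS -H 'Metadata-Flavor: Google' \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email"
}

case "${1:-}" in
  bind) bind_gsa ;;
  annotate) annotate_ksa ;;
  verify) verify_identity ;;
  *) echo "usage: $0 bind|annotate|verify" ;;
esac
```

Run `bind`, then `annotate`, then `verify`; if `verify` prints the GSA e-mail, the pod can reach GCS through the metadata server and no credential secret needs to be mounted.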