search

openshift / external-dns-operator

The ExternalDNS Operator provides simplified ExternalDNS controller management.
Apache License 2.0
28 stars 34 forks source link

Support for IRSA for AWS Provider #190

Closed scottd018 closed 7 months ago

scottd018 commented 1 year ago

As per https://github.com/openshift/external-dns-operator/blob/main/api/v1beta1/externaldns_types.go#L260 IRSA is not currently supported. This should allow a consumer of the external-dns to pass in a Role ARN and have the service account annotated as follows for an AWS provider:

metadata:
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT>:role/<ROLE>"
scottd018 commented 1 year ago

See https://github.com/openshift/external-dns-operator/pull/191 for a proposed change to support this feature

openshift-bot commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 1 year ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

andyrepton commented 1 year ago

This is something that I also have a customer requesting. Can this be reviewed please?

Thanks!

alebedev87 commented 1 year ago

@Seth-Karlo , @scottd018 : sorry for the late reply. I'm interested in exploring specific customer cases that require this change. As far as I understand, IRSA only functions with EKS, so please correct me if I'm mistaken. Additionally, since kiam is currently in maintenance mode, it would be challenging to depend on it in the API provided by the operator. However, I'm uncertain about kube2iam. Having a customer using OpenShift who requires this feature would help to move this request forward. However we will need to go through the RFE process regardless.

alebedev87 commented 1 year ago

/remove-lifecycle rotten

scottd018 commented 1 year ago

@Seth-Karlo , @scottd018 : sorry for the late reply. I'm interested in exploring specific customer cases that require this change. As far as I understand, IRSA only functions with EKS, so please correct me if I'm mistaken. Additionally, since kiam is currently in maintenance mode, it would be challenging to depend on it in the API provided by the operator. However, I'm uncertain about kube2iam. Having a customer using OpenShift who requires this feature would help to move this request forward. However we will need to go through the RFE process regardless.

@alebedev87 Traditionally, you are correct in that IRSA is an EKS construct. However, ROSA (Red Hat OpenShift Service on AWS) also employs the IRSA standard and uses the same webhook that EKS uses in order to provide pod-authentication to AWS services via STS. Most customers like the idea of using ROSA in STS mode so that they do not have to use hard-coded access/secret keys, so this would be useful for customers using ROSA in STS mode (today, most customers use STS rather than non-STS).

Understood on the kiam/kube2iam front. I decided to put that in there because it was a simple change and lots of folks on raw Kubernetes use it (my background is raw Kube, so still learning OpenShift specifics). I could definitely see leaving that off, but IRSA would be extremely useful for ROSA customers.

alebedev87 commented 1 year ago

@scottd018: do you think that externaldns's aws-assume-role flag would do the same job? Maybe even a little more generic way as it doesn't expect any third party deployments (kiam/kube2iam) and can work on ROSA, standalone OpenShift or even any other Kubernetes cluster.

scottd018 commented 1 year ago

@alebedev87 That's a great find! I've used external-dns a lot (even contributed to it) and did not even realize that existed. I would anticipate that would pretty easily work and should satisfy all use cases.

scottd018 commented 1 year ago

@alebedev87 That's a great find! I've used external-dns a lot (even contributed to it) and did not even realize that existed. I would anticipate that would pretty easily work and should satisfy all use cases.

alebedev87 commented 1 year ago

@scottd018: then you can follow up on Grant's PR which had a different requirement (SharedVPC support) but will achieve it using --aws-assume-role flag.

openshift-bot commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

alebedev87 commented 1 year ago

/remove-lifecycle stale

openshift-bot commented 10 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

alebedev87 commented 10 months ago

@scottd018 : the assume role feature was shipped. However after looking closer at your request I doubt this will be enough for the IRSA support. The service account token is still not mounted to the operand's pod and the CredentialsRequest CR created for the operand doesn't have the IAM role. All this is a part of the STS support which was never requested for the ExternalDNS Operator. We will need a dedicated RFE for the STS support. Would you mind creating a feature request for OpenShift NetworkEdge team?

openshift-bot commented 8 months ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot commented 7 months ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci[bot] commented 7 months ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/external-dns-operator/issues/190#issuecomment-2029348986): >Rotten issues close after 30d of inactivity. > >Reopen the issue by commenting `/reopen`. >Mark the issue as fresh by commenting `/remove-lifecycle rotten`. >Exclude this issue from closing again by commenting `/lifecycle frozen`. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.