reportportal / kubernetes

Kubernetes/Helm configs for ReportPortal
https://reportportal.io
Apache License 2.0

Support for IAM Role for Service Account (IRSA) if using AWS / Support for KIAM #184

Open kartik-moolya opened 3 years ago

kartik-moolya commented 3 years ago

Hi team, my request is pretty straightforward and I believe you must have already thought about it. I need to use IAM Role for Service Account to be able to access my AWS Elasticsearch and Minio (AWS S3 bucket), and also AmazonMQ if required. The current ReportPortal Helm chart configuration does not allow this feature as of now. Having AWS access keys in the code would raise security concerns no matter how safely I store them; they also need to be rotated frequently.

My pain point is

Below would be the initial steps to get started with this issue -

This could be the only reason folks on AWS are thinking twice before using this portal. Any help would be appreciated

dracut5 commented 1 month ago

Hi,

I have noticed that the service account already supports annotations https://github.com/reportportal/kubernetes/blob/reportportal-24.1.2/reportportal/templates/authorization/serviceaccount.yaml#L8

But the storage configuration still relies on DATASTORE_ACCESSKEY and DATASTORE_SECRETKEY - either from the secret or as plain values, as example https://github.com/reportportal/kubernetes/blob/reportportal-24.1.2/reportportal/templates/service-api/api-deployment.yaml#L153-L169

The docs say that it is "For AWS IAM role association":

https://github.com/reportportal/kubernetes/blob/reportportal-24.1.2/reportportal/values.yaml#L667

I have tried to add eks.amazonaws.com/role-arn annotation to the service account and remove a reference to secretName, but got errors like

 Caused by: org.jclouds.rest.AuthorizationException: HEAD https://reportportal****amazonaws.com/integration-secrets/secret-integration-salt HTTP/1.1 -> HTTP/1.1 403 Forbidden

Secrets were populated from defaults and it seems the services tried to use them ignoring the annotation with IAM role ARN.

I suppose you are using some sort of standard HTTP client to sign and send requests to S3, correct?

It would be great to have IRSA option supported by Report Portal.

P.S. you are doing awesome things, many thanks!
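The failure mode dracut5 describes (service account annotated for IRSA, but the rendered Deployment still injects DATASTORE_ACCESSKEY / DATASTORE_SECRETKEY, so static credentials are what the service ends up using) is easy to check before deploying. The following is an added example written for this thread; it is not ReportPortal project code and makes no claim about how the chart or jclouds resolves credentials. It audits a Deployment and ServiceAccount pair for that conflict and shows the manifest-level fix of dropping the static credential env vars. The sample manifests, the Secret name `reportportal-datastore` with keys `accesskey` / `secretkey`, and the role ARN are constructed for the demo; the `DATASTORE_*` names come from the chart as linked above, and the `AWS_*` names are the standard SDK environment variables.

```python
import copy

# Added example, not part of the ReportPortal chart or issue.
# Audit rendered Kubernetes objects (as parsed dicts, e.g. from
# `helm template ... | yq -o json` or `kubectl get ... -o json`) for the
# IRSA conflict described in this issue.

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"

# Env vars that carry static credentials. DATASTORE_* are the names used by
# the chart (see links in the thread); AWS_* are the standard SDK variables.
STATIC_CRED_ENV = {
    "DATASTORE_ACCESSKEY",
    "DATASTORE_SECRETKEY",
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
}


def describe_env_source(env):
    """Say where an env var's value comes from (plain value, Secret, ConfigMap)."""
    if "value" in env:
        return "plain value"
    ref = env.get("valueFrom", {})
    if "secretKeyRef" in ref:
        s = ref["secretKeyRef"]
        return f"secret {s['name']}/{s['key']}"
    if "configMapKeyRef" in ref:
        c = ref["configMapKeyRef"]
        return f"configmap {c['name']}/{c['key']}"
    return "unknown source"


def find_static_credentials(deployment):
    """Return (container, env name, source) for every static credential env var."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        for env in c.get("env", []):
            if env["name"] in STATIC_CRED_ENV:
                findings.append((c["name"], env["name"], describe_env_source(env)))
    return findings


def irsa_role_arn(serviceaccount):
    """Return the IRSA role ARN annotation on the ServiceAccount, or None."""
    return serviceaccount.get("metadata", {}).get("annotations", {}).get(IRSA_ANNOTATION)


def audit(deployment, serviceaccount):
    """Classify the pair as irsa_ready, conflict, sa_not_attached, static_only or no_credentials."""
    role = irsa_role_arn(serviceaccount)
    static = find_static_credentials(deployment)
    # IRSA only applies if the pod actually runs as the annotated service account.
    sa_name = deployment["spec"]["template"]["spec"].get("serviceAccountName", "default")
    uses_sa = sa_name == serviceaccount["metadata"]["name"]
    if role and not uses_sa:
        status = "sa_not_attached"
    elif role and static:
        status = "conflict"      # annotation present, but static keys still injected
    elif role:
        status = "irsa_ready"
    elif static:
        status = "static_only"
    else:
        status = "no_credentials"
    return {"status": status, "role_arn": role, "service_account_used": uses_sa,
            "static_credentials": static}


def strip_static_credentials(deployment):
    """Return a copy of the Deployment with static credential env vars removed."""
    fixed = copy.deepcopy(deployment)
    pod_spec = fixed["spec"]["template"]["spec"]
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        c["env"] = [e for e in c.get("env", []) if e["name"] not in STATIC_CRED_ENV]
    return fixed


# Constructed sample objects (trimmed): an annotated ServiceAccount and an api
# Deployment that still pulls the datastore keys from a Secret.
SAMPLE_SA = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "reportportal",
                 "annotations": {IRSA_ANNOTATION: "arn:aws:iam::123456789012:role/reportportal-s3"}},
}
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "reportportal-api"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "reportportal",
        "containers": [{"name": "api", "env": [
            {"name": "DATASTORE_TYPE", "value": "s3"},
            {"name": "DATASTORE_ACCESSKEY",
             "valueFrom": {"secretKeyRef": {"name": "reportportal-datastore", "key": "accesskey"}}},
            {"name": "DATASTORE_SECRETKEY",
             "valueFrom": {"secretKeyRef": {"name": "reportportal-datastore", "key": "secretkey"}}},
        ]}],
    }}},
}

if __name__ == "__main__":
    print(audit(SAMPLE_DEPLOYMENT, SAMPLE_SA))                           # status: conflict
    print(audit(strip_static_credentials(SAMPLE_DEPLOYMENT), SAMPLE_SA))  # status: irsa_ready
```

Running the audit against the constructed sample reports `conflict` with both `DATASTORE_*` variables sourced from the Secret; after `strip_static_credentials` it reports `irsa_ready`. The check is purely static: it tells you the pod will still receive keys, not which credential the S3 client will pick, so a 403 like the one in the thread should still be confirmed against the bucket policy and the role's trust relationship.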