Instance roles for service accounts (IRSA) contd #10756
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
olemarkus
requested review from
justinsb and
johngmyers
and removed request for
justinsb
k8s-ci-robot
added
area/api
area/provider/aws
|
/cc @rifelpet |
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
Added in using https://api. as issuer as k8s 1.20 requires this. The broken test had to be removed as PublicJWKS won't work with FS VFS. Since we try to call the https url to get the cert. If this gets merged, we can do a kubetest of this. We have the rights to write the jwks files to a public store, I believe (we are writing other assets somewhere). The commits are a bit of a mess, so I should clean this up first. |
|
/test pull-kops-e2e-kubernetes-aws |
|
/kind office-hours |
olemarkus
force-pushed
the
irsa
branch
2 times, most recently
from
be328f1 to
941c49e
Compare
k8s-ci-robot
removed
the
approved
k8s-ci-robot
removed
the
needs-rebase
k8s-ci-robot
added
the
needs-rebase
pkg/model/awsmodel/oidc_provider.go
Outdated
| SigningKey: skTask, | ||
| } | ||
|
|
||
| discovery, err := buildDicoveryJSON(serviceAccountIssuer) |
| Contents: fi.NewBytesResource(discovery), | ||
| Lifecycle: b.Lifecycle, | ||
| Location: fi.String("oidc/.well-known/openid-configuration"), | ||
| Name: fi.String("discovery.json"), |
There was a problem hiding this comment.
Nit: maybe public-oidc-configuration (and similar prefix on keys.json). It matters most for the terraform, I suspect (and primarily only optics there)
| } | ||
|
|
||
| type KeyResponse struct { | ||
| Keys []jose.JSONWebKey `json:"keys"` |
There was a problem hiding this comment.
Nit: are taking the dependency on the jose library only for the structs? Should we just embed them?
| @@ -35,7 +35,7 @@ type IAMOIDCProvider struct { | |||
| Lifecycle *fi.Lifecycle | |||
|
|
|||
| ClientIDs []*string | |||
| Thumbprints []fi.Resource | |||
| Thumbprints []*string | |||
There was a problem hiding this comment.
I thought we needed this for the initial preview... I guess if tests are passing then we don't (or we have a gap in our tests!)
There was a problem hiding this comment.
We used to because the thumbprint came from the cluster CA cert. Now they are just well-known strings.
I suspect this may be something we can change back in order to support anonymousauth+public apiserver as oidc provider.
| @@ -53,20 +53,6 @@ func TestBootstrapChannelBuilder_BuildTasks(t *testing.T) { | |||
| runChannelBuilderTest(t, "awsiamauthenticator", []string{"authentication.aws-k8s-1.12"}) | |||
| } | |||
|
|
|||
| func TestBootstrapChannelBuilder_PublicJWKS(t *testing.T) { | |||
There was a problem hiding this comment.
Is there are reason to drop this test?
There was a problem hiding this comment.
Yeah. This PR only supports using s3 as store for jwks, so this fails because filesystem VFS cannot be used for https.
|
Had some questions/nits but this LGTM. As this is feature-flagged, I propose we merge and then I'll probably send a follow-on PR to try to e.g. add the test back if we do need it. /approve |
k8s-ci-robot
added
lgtm
k8s-ci-robot
removed
lgtm
Generate and upload keys.json + discovery.json to public store Don't enable anonymous auth on publicjwks Remove tests that won't work using FS VFS anymore
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb, rifelpet The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
We removed them from kubernetes#10756, but they can be re-added.
We removed them from kubernetes#10756, but they can be re-added.
We removed them from kubernetes#10756, but they can be re-added.
We removed them from kubernetes#10756, but they can be re-added.
This is a continuation of #9271
The workflow is changed a little bit. Users now only need to provide a
publicsDataStoreVFS (only S3 works now) and kOps will handle the rest.This PR also works with #9352. dns-controller gets a dedicated IAM role and can assume it using the projected tokens.
Further work: