Add support for EKS Pod Identity #607

Open: wants to merge 10 commits into base: main
6 changes: 5 additions & 1 deletion .github/workflows/branch-changes-release.yaml
@@ -59,5 +59,9 @@ jobs:
owner: context.repo.owner,
repo: context.repo.repo,
body: `Changes release to Replicated on channel ${{ steps.generate-channel-info.outputs.channel-name }}! Check the [Replicated Dashboard](https://vendor.replicated.com/apps/carto/channels) for more details.
If you need to test the changes, you can assign the channel to your customer and download the latest version from the Admin Console.`
If you need to test the changes, you can assign the channel to your customer and download the latest version from the Admin Console. Deploy the changes using the following command:
\`\`\` bash
kubectl kots install carto/${{ steps.generate-channel-info.outputs.channel-name }} -n <namespace>
\`\`\`
`
})
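Review bot: `${{ steps.generate-channel-info.outputs.channel-name }}` is expanded by the Actions runner straight into the JavaScript template literal handed to github-script, both in the existing comment text and in the new `kubectl kots install carto/...` line, so if the channel name is derived from a branch name or any other user-controlled input, a value containing a backtick or `${` would change the script rather than the comment. Safer to pass it through `env:` (e.g. `CHANNEL_NAME: ${{ steps.generate-channel-info.outputs.channel-name }}`) and read `process.env.CHANNEL_NAME` inside the script. Minor: the escaped fence `\`\`\` bash` has a space before the language tag; GitHub renders it, but `\`\`\`bash` is the conventional form.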
2 changes: 1 addition & 1 deletion chart/templates/_commonChecks.tpl
@@ -8,7 +8,7 @@ Return common collectors for preflights and support-bundle
namespace: {{ .Release.Namespace | quote }}
timeout: 180s
podSpec:
{{- if .Values.commonBackendServiceAccount.enableGCPWorkloadIdentity }}
{{- if .Values.commonBackendServiceAccount.name }}
serviceAccountName: {{ template "carto.commonSA.serviceAccountName" . }}
{{- end }}
restartPolicy: Never
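Review bot: changing the guard from `enableGCPWorkloadIdentity` to `.Values.commonBackendServiceAccount.name` makes the preflight and support-bundle podSpec carry `serviceAccountName` whenever any SA name is configured, not only for GCP Workload Identity, which is what the EKS Pod Identity path needs. Worth confirming the case where `create` is true and the chart itself creates the SA, since preflights may run before the release is installed and the pod would reference a not-yet-existing account; a one-line comment above the `if` stating that a configured name is expected to pre-exist (as the `create: false` overrides in kots-helm.yaml assume) would make the intent clear.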
25 changes: 21 additions & 4 deletions manifests/kots-config.yaml
@@ -494,16 +494,33 @@ spec:
default: repl{{ if ConfigOptionEquals "replicatedLicenseType" "dev"}}repl{{ ConfigOption "derivedSelfHostedGCPProjectId"}}repl{{ end }}

# AWS
## EKS Pod Identity
- name: enableAWSEksPodIdentity
title: AWS EKS Pod Identity
when: '{{repl (ConfigOptionEquals "storageBucketsBehaviour" "custom_aws_s3") }}'
help_text: |-
The CARTO APIs running on your infrastructure are going to use EKS Pod Identity to access to Amazon Web Services.
[More info](https://docs.carto.com/carto-self-hosted/guides/use-eks-pod-identity-in-aws).
type: bool
default: "0"
- name: eksPodIdentityServiceAccountName
title: Kubernetes EKS Pod Identity service account name
when: '{{repl (ConfigOptionEquals "enableAWSEksPodIdentity" "1") }}'
required: true
type: text
help_text: |-
Name of the kubernetes service account that you created in the namespace to configure EKS Pod Identity.
[More info](https://docs.carto.com/carto-self-hosted/guides/use-eks-pod-identity-in-aws).
- name: storageBucketsAwsAccessKeyId
title: The AccessKey ID for S3 buckets
type: text
required: true
when: '{{repl (ConfigOptionEquals "storageBucketsBehaviour" "custom_aws_s3") }}'
when: '{{repl and (ConfigOptionEquals "storageBucketsBehaviour" "custom_aws_s3") (not (ConfigOptionEquals "enableAWSEksPodIdentity" "1")) }}'
- name: storageBucketsAwsAccessKeySecret
title: The AccessKey Secret for S3 buckets
type: text
required: true
when: '{{repl (ConfigOptionEquals "storageBucketsBehaviour" "custom_aws_s3") }}'
when: '{{repl and (ConfigOptionEquals "storageBucketsBehaviour" "custom_aws_s3") (not (ConfigOptionEquals "enableAWSEksPodIdentity" "1")) }}'
- name: storageBucketsAwsS3Region
title: Buckets AWS S3 Region
when: '{{repl (ConfigOptionEquals "storageBucketsBehaviour" "custom_aws_s3") }}'
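Review bot: `storageBucketsAwsAccessKeySecret` stays `type: text`; since this hunk already reworks that item's `when`, it is a good moment to switch it to `type: password` so the Admin Console masks the value. Two smaller points on the new items: the `when` conditions hide the static key fields once `enableAWSEksPodIdentity` is "1", but if KOTS retains previously entered values for hidden items the old access key remains in the stored config, so the help text could tell operators to clear any existing key before enabling Pod Identity; and the help_text grammar should read "use EKS Pod Identity to access Amazon Web Services" and "Name of the Kubernetes service account".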
@@ -790,10 +807,10 @@ spec:
help_text: |-
The PostgreSQL schema where the DO is installed (i.e. `carto`)

## Workload Identity
# Google
## GKE Workload Identity
- name: enableGoogleWorkloadIdentity
title: Google Workload Identity
when: '{{repl (ConfigOptionEquals "storageBucketsBehaviour" "custom_aws_s3") }}'
when: '{{repl (ConfigOptionEquals "storageBucketsBehaviour" "custom_gcs") }}'

help_text: |-
The CARTO APIs running on your infrastructure are going to use Workload Identity to access to Google Cloud Platform.
[More info](https://docs.carto.com/carto-self-hosted/guides/use-workload-identity-in-gcp).
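Review bot: the `when` fix from `custom_aws_s3` to `custom_gcs` on `enableGoogleWorkloadIdentity` is the right correction (the Google toggle was gated on the AWS storage option), and the new `# Google` / `## GKE Workload Identity` headings mirror the `# AWS` section added earlier in this file. Same grammar nit as the AWS help text: "to access Google Cloud Platform" rather than "to access to".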
14 changes: 12 additions & 2 deletions manifests/kots-helm.yaml
@@ -163,7 +163,8 @@ spec:
registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "registry.self-hosted.carto.com/proxy/carto/gcr.io/carto-onprem-artifacts" }}'
workspaceApi:
image:
registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "registry.self-hosted.carto.com/proxy/carto/gcr.io/carto-onprem-artifacts" }}'
registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "registry.self-hosted.carto.com/proxy/carto/gcr.io/carto-artifacts" }}'
tag: feature_sc_438178_adapt_backend_code_to_start_using_the_credentials
workspaceSubscriber:
image:
registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "registry.self-hosted.carto.com/proxy/carto/gcr.io/carto-onprem-artifacts" }}'
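Review bot: `tag: feature_sc_438178_adapt_backend_code_to_start_using_the_credentials` pins workspaceApi to a mutable feature-branch tag and moves its registry path from `carto-onprem-artifacts` to `carto-artifacts`, unlike every other component in this file; this reads as a test override and should be reverted to the release tag and registry before merge, or explained in the PR if it is intentional.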
@@ -175,7 +176,8 @@ spec:
registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "registry.self-hosted.carto.com/proxy/carto/gcr.io/carto-onprem-artifacts" }}'
tenantRequirementsChecker:
image:
registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "registry.self-hosted.carto.com/proxy/carto/gcr.io/carto-onprem-artifacts" }}'
registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "registry.self-hosted.carto.com/proxy/carto/gcr.io/carto-artifacts" }}'
tag: feature_sc_438178_adapt_backend_code_to_start_using_the_credentials
routerMetrics:
image:
registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "registry.self-hosted.carto.com/proxy/carto/gcr.io/carto-onprem-artifacts" }}'
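Review bot: same as workspaceApi above, tenantRequirementsChecker gets a feature-branch `tag:` and the `carto-artifacts` registry path; revert to the release image before merge or state why these two components need a different source from the rest of the manifest.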
@@ -614,6 +616,14 @@ spec:
# When enabling gke workload identity, the k8s SA should be created by the customer to be able to run preflights
create: false
name: '{{repl ConfigOption "k8sWorkloadIdentityServiceAccountName" }}'
# EKS Pod Identity
- when: '{{repl ConfigOptionEquals "enableAWSEksPodIdentity" "1" }}'
recursiveMerge: true
values:
commonBackendServiceAccount:
# When enabling gke workload identity, the k8s SA should be created by the customer to be able to run preflights
create: false
name: '{{repl ConfigOption "eksPodIdentityServiceAccountName" }}'
# Local Registry
- when: '{{repl (HasLocalRegistry) }}'
recursiveMerge: true
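Review bot: the comment inside the new EKS Pod Identity block still says "When enabling gke workload identity"; it was copied from the GKE block above and should read "When enabling EKS Pod Identity, the k8s SA should be created by the customer to be able to run preflights" so the two `create: false` overrides are not confused when read in isolation. Otherwise the block correctly mirrors the GKE override, wiring `eksPodIdentityServiceAccountName` into `commonBackendServiceAccount.name`.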