Use an AWS IAM Role / User to fetch kubernetes credentials in our deployer #381

Closed
2 tasks done
Tracked by #368
yuvipanda opened this issue May 4, 2021 · 3 comments · Fixed by #673
@yuvipanda (Member) commented May 4, 2021

Background

For AWS, we've checked in a static version of kubeconfig exported by kops, with a 30d lifetime. Instead, we should create an AWS IAM Role with just enough permissions to run KUBECONFIG=secrets/farallon.yaml kops export kubecfg --admin=30m farallon-2i2c.k8s.local, and use that instead.

Expected timeline

The credentials for farallon in #379 last 30 days, so this is a ticking time bomb :D

Steps to complete this goal

  • Make an AWS IAM Role (or User) that can fetch kubeconfig via kops
  • Modify our deployer to accept the role (or user) credentials instead of checking in a static kubeconfig file
@damianavila (Contributor) commented:
Definitely! Checking in the static kubeconfig file, even when it is a quick way to do it and I think is OK for now for fast iteration, is somehow ringing 🔔 in my head 😉 .

damianavila added a commit that referenced this issue Jun 9, 2021
The exported kubeconfig was generated as --admin=730h (we should handle
this expiration with #381 and before the deadline ;-) and encrypted
in-place using sops.
yuvipanda added a commit to yuvipanda/pilot-hubs that referenced this issue Jun 14, 2021
- Requested by Joe in 2i2c-org#291 (comment)
- Refresh auth credentials, they had expired. Fixed in
  2i2c-org#381
yuvipanda added a commit to yuvipanda/pilot-hubs that referenced this issue Jul 18, 2021
Previous set of credentials have expired. We
should fix this - 2i2c-org#381
@yuvipanda yuvipanda changed the title Use an AWS IAM Role / User to fetch kops credentials in our deployer Use an AWS IAM Role / User to fetch kubernetes credentials in our deployer Aug 23, 2021
@damianavila damianavila self-assigned this Sep 8, 2021
@damianavila (Contributor) commented:
In farallon, we would need to create a new deployer user under the 2i2c-engineers group

Created a new user:
aws iam create-user --user-name deployer

Added the user to the 2i2c-engineers group
aws iam add-user-to-group --group-name 2i2c-engineers --user-name deployer

Checked if the user was added to the group
aws iam get-group --group-name 2i2c-engineers

Got the credentials:
aws iam create-access-key --user-name deployer | tee /tmp/farallon.json
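The two halves of this issue fit together as follows: the access-key JSON produced by `aws iam create-access-key` in the comment above is what the deployer would consume, and `kops export kubecfg --admin=30m <cluster>` from the issue description is what it would run with those credentials to mint a short-lived kubeconfig instead of reading a checked-in one. The block below is an added example in Python, not code from the 2i2c deployer or from this repository. It assumes the deployer has already sops-decrypted the access-key file, that `kops` is on PATH with reachable state store, and that the cluster name matches the issue; the file path `secrets/farallon.json`, the function names and the state-store handling are hypothetical.

```python
"""Fetch a short-lived kubeconfig with kops using AWS IAM user credentials.

Added example, not the 2i2c deployer's own code. Function names, the
secrets path and the KOPS_STATE_STORE handling are assumptions.
"""
import json
import os
import subprocess
import tempfile
from contextlib import contextmanager

# Constructed sample in the shape `aws iam create-access-key` prints.
# Every value here is fake and only used for offline testing.
SAMPLE_ACCESS_KEY_JSON = """
{
  "AccessKey": {
    "UserName": "deployer",
    "AccessKeyId": "AKIAEXAMPLEEXAMPLE01",
    "Status": "Active",
    "SecretAccessKey": "fakeSecretKeyForTestingOnly000000000000",
    "CreateDate": "2021-09-08T00:00:00+00:00"
  }
}
"""


def aws_env_from_access_key(raw_json: str) -> dict:
    """Map the create-access-key document onto the env vars awscli/kops read.

    Refuses a key that is not Active so a rotated or disabled key fails here
    with a clear message rather than as an opaque 403 from the state store.
    """
    key = json.loads(raw_json)["AccessKey"]
    if key.get("Status") != "Active":
        raise ValueError(f"access key {key.get('AccessKeyId')} is not Active")
    return {
        "AWS_ACCESS_KEY_ID": key["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": key["SecretAccessKey"],
    }


def kops_export_cmd(cluster: str, lifetime: str = "30m") -> list:
    """argv for `kops export kubecfg --admin=<lifetime> <cluster>` (as in the issue).

    Only accepts a simple minutes/hours duration so a typo cannot silently
    request a very long-lived admin certificate.
    """
    if not lifetime or lifetime[-1] not in "mh" or not lifetime[:-1].isdigit():
        raise ValueError(f"lifetime must look like 30m or 2h, got {lifetime!r}")
    return ["kops", "export", "kubecfg", f"--admin={lifetime}", cluster]


@contextmanager
def short_lived_kubeconfig(cluster, access_key_json, state_store=None, lifetime="30m"):
    """Yield the path of a kubeconfig that exists only for the with-block.

    The file is written into a private temp dir (mkdtemp uses mode 0700) and
    deleted on exit, so no long-lived admin credential lands in the repo.
    """
    env = dict(os.environ)
    env.update(aws_env_from_access_key(access_key_json))
    if state_store:
        # Assumption: state store passed via env instead of --state.
        env["KOPS_STATE_STORE"] = state_store
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "kubeconfig")
        env["KUBECONFIG"] = path  # same mechanism as the command in the issue
        subprocess.run(kops_export_cmd(cluster, lifetime), env=env, check=True)
        os.chmod(path, 0o600)
        yield path


if __name__ == "__main__":
    # Hypothetical: the deployer decrypts this file with sops before reading it.
    with open("secrets/farallon.json") as f:
        raw = f.read()
    with short_lived_kubeconfig("farallon-2i2c.k8s.local", raw) as kubeconfig:
        subprocess.run(
            ["kubectl", "get", "nodes"],
            env={**os.environ, "KUBECONFIG": kubeconfig},
            check=True,
        )
```

Two caveats for whoever wires this in. First, `kops export kubecfg --admin` issues a client certificate signed by the cluster CA read from the state store, and Kubernetes has no certificate revocation, so a leaked kubeconfig stays valid until it expires; that is the reason to keep the lifetime at minutes rather than the 30d/730h used for the checked-in file. Second, as far as I understand kops, generating that certificate needs only read access (list and get) to the state-store bucket, which is the "just enough permissions" the issue asks for; check this against the kops version in use before writing the IAM policy.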

damianavila added a commit that referenced this issue Sep 10, 2021
We identified a 2i2c-engineers group in Farallon AWS and we have
created a deployer user under that group. We used common awscli commands
to perform this task and retrieve the credentials. More details in [1].

Finally, we encrypted the file with sops in accordance with the current
established workflows to manage secret files.

[1] #381 (comment)
@damianavila (Contributor) commented:
So, we now have a PR for this one 😉 , #673.
