Feature/island fixes (#198)

* k8s_namespace variable * fix * fix namespace * variable to configure dashboard namespace * add service accounts * attach service account * fix namespace * irsa assume * use oidc_provider variable * annotate service accounts * fix * optional kiam arn * fix * update readme * update changelog * rename k8s_namespace as metastore_namespace * update VARIABLES.md * update readme Co-authored-by: Raj Poluri <[email protected]>
ExpediaGroup · Jul 21, 2021 · b5a3b26 · b5a3b26
1 parent aba59e2
commit b5a3b26
Show file tree

Hide file tree

Showing 11 changed files with 95 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.10.0] - 2021-07-21
+### Added
+- Add support for configuring k8s pods IAM using IRSA.
+
 ## [6.9.3] - 2021-07-14
 ### Added
 - Add support to split customer policy condition.

diff --git a/README.md b/README.md
@@ -82,6 +82,8 @@ module "apiary" {
 ## Notes
   The Apiary metastore Docker image is not yet published to a public repository, you can build from this [repo](https://github.com/ExpediaGroup/apiary-metastore-docker) and then publish it to your own ECR.
 
+  In k8s deployment mode IAM roles can be attached to metastore pods either using [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [KIAM](https://github.com/uswitch/kiam), module will use IRSA when `oidc_provider` variable is configured, will use Kiam whne `kiam_arn` variable is configured.
+
 # Contact
 
 ## Mailing List

diff --git a/VARIABLES.md b/VARIABLES.md
@@ -21,6 +21,7 @@
 | atlas_kafka_bootstrap_servers | Atlas kafka bootstrap servers. | string | `` | no |
 | atlas_cluster_name | Name of the Atlas cluster where metastore plugin will send DDL events.  Defaults to `var.instance_name` if not set. | string | `` | no |
 | aws_region | AWS region. | string | - | yes |
+| dashboard_namespace | K8s namespace to deploy grafana dashboard as configmap. | string | `monitoring` | no |
 | db_apply_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | bool | `false` | no |
 | db_backup_retention | The number of days to retain backups for the RDS Metastore DB. | string | - | yes |
 | db_backup_window | Preferred backup window for the RDS Metastore DB in UTC. | string | `02:00-03:00` | no |
@@ -61,6 +62,8 @@
 | ldap_ca_cert | Base64 encoded Certificate Authority bundle to validate LDAPS connections. | string | `` | no |
 | ldap_secret_name | Active directory LDAP bind DN SecretsManager secret name. | string | `` | no |
 | ldap_url | Active directory LDAP URL to configure Hadoop LDAP group mapping. | string | `` | no |
+| metastore_namespace | K8s namespace to deploy Hive metastore containers. | string | `metastore` | no |
+| oidc_provider | EKS cluster OIDC provider name, required for configuring IAM using IRSA. | string | `` | no |
 | private_subnets | Private subnets. | list | - | yes |
 | ranger_audit_db_url | Ranger DB audit provider configuration. | string | `` | no |
 | ranger_audit_secret_name | Ranger DB audit secret name. | string | `` | no |

diff --git a/grafana-dashboard.tf b/grafana-dashboard.tf
@@ -26,7 +26,7 @@ resource "kubernetes_config_map" "grafana_dashboard" {
   count = var.hms_instance_type == "k8s" ? 1 : 0
   metadata {
     name      = "${local.instance_alias}-data-lake-dashboard"
-    namespace = "monitoring"
+    namespace = var.dashboard_namespace
     labels = {
       grafana_dashboard = "true"
     }

diff --git a/iam.tf b/iam.tf
@@ -40,19 +40,35 @@ resource "aws_iam_role" "apiary_hms_readonly" {
 {
    "Version": "2012-10-17",
    "Statement": [
+%{if var.kiam_arn != ""}
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
-         "Service": "ecs-tasks.amazonaws.com"
+         "AWS": "${var.kiam_arn}"
        },
        "Action": "sts:AssumeRole"
      },
+%{endif}
+%{if var.oidc_provider != ""}
+     {
+       "Effect": "Allow",
+       "Principal": {
+         "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.oidc_provider}"
+       },
+       "Action": "sts:AssumeRoleWithWebIdentity",
+       "Condition": {
+         "StringEquals": {
+           "${var.oidc_provider}:sub": "system:serviceaccount:${var.metastore_namespace}:${local.hms_alias}-readonly"
+         }
+       }
+     },
+%{endif}
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
-         "AWS": "${var.kiam_arn == "" ? "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/Admin" : var.kiam_arn}"
+         "Service": "ecs-tasks.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
@@ -74,19 +90,35 @@ resource "aws_iam_role" "apiary_hms_readwrite" {
 {
    "Version": "2012-10-17",
    "Statement": [
+%{if var.kiam_arn != ""}
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
-         "Service": "ecs-tasks.amazonaws.com"
+         "AWS": "${var.kiam_arn}"
        },
        "Action": "sts:AssumeRole"
      },
+%{endif}
+%{if var.oidc_provider != ""}
+     {
+       "Effect": "Allow",
+       "Principal": {
+         "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.oidc_provider}"
+       },
+       "Action": "sts:AssumeRoleWithWebIdentity",
+       "Condition": {
+         "StringEquals": {
+           "${var.oidc_provider}:sub": "system:serviceaccount:${var.metastore_namespace}:${local.hms_alias}-readwrite"
+         }
+       }
+     },
+%{endif}
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
-         "AWS": "${var.kiam_arn == "" ? "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/Admin" : var.kiam_arn}"
+         "Service": "ecs-tasks.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }

diff --git a/k8s-cronjobs.tf b/k8s-cronjobs.tf
@@ -8,7 +8,7 @@ resource "kubernetes_cron_job" "apiary_inventory_repair" {
   count = (var.s3_enable_inventory && var.hms_instance_type == "k8s") ? 1 : 0
   metadata {
     name      = "${local.instance_alias}-s3-inventory-repair"
-    namespace = "metastore"
+    namespace = var.metastore_namespace
 
     labels = {
       name = "${local.instance_alias}-s3-inventory-repair"

diff --git a/k8s-readonly.tf b/k8s-readonly.tf
@@ -8,7 +8,7 @@ resource "kubernetes_deployment" "apiary_hms_readonly" {
   count = var.hms_instance_type == "k8s" ? 1 : 0
   metadata {
     name      = "${local.hms_alias}-readonly"
-    namespace = "metastore"
+    namespace = var.metastore_namespace
 
     labels = {
       name = "${local.hms_alias}-readonly"
@@ -37,6 +37,8 @@ resource "kubernetes_deployment" "apiary_hms_readonly" {
       }
 
       spec {
+        service_account_name            = kubernetes_service_account.hms_readonly[0].metadata.0.name
+        automount_service_account_token = true
         dynamic "init_container" {
           for_each = var.external_database_host == "" ? ["enabled"] : []
 
@@ -191,7 +193,7 @@ resource "kubernetes_service" "hms_readonly" {
   count = var.hms_instance_type == "k8s" ? 1 : 0
   metadata {
     name      = "${local.hms_alias}-readonly"
-    namespace = "metastore"
+    namespace = var.metastore_namespace
     annotations = {
       "service.beta.kubernetes.io/aws-load-balancer-internal" = "true"
       "service.beta.kubernetes.io/aws-load-balancer-type"     = "nlb"

diff --git a/k8s-readwrite.tf b/k8s-readwrite.tf
@@ -8,7 +8,7 @@ resource "kubernetes_deployment" "apiary_hms_readwrite" {
   count = var.hms_instance_type == "k8s" ? 1 : 0
   metadata {
     name      = "${local.hms_alias}-readwrite"
-    namespace = "metastore"
+    namespace = var.metastore_namespace
 
     labels = {
       name = "${local.hms_alias}-readwrite"
@@ -37,6 +37,8 @@ resource "kubernetes_deployment" "apiary_hms_readwrite" {
       }
 
       spec {
+        service_account_name            = kubernetes_service_account.hms_readwrite[0].metadata.0.name
+        automount_service_account_token = true
         dynamic "init_container" {
           for_each = var.external_database_host == "" ? ["enabled"] : []
           content {
@@ -231,7 +233,7 @@ resource "kubernetes_service" "hms_readwrite" {
   count = var.hms_instance_type == "k8s" ? 1 : 0
   metadata {
     name      = "${local.hms_alias}-readwrite"
-    namespace = "metastore"
+    namespace = var.metastore_namespace
     annotations = {
       "service.beta.kubernetes.io/aws-load-balancer-internal" = "true"
       "service.beta.kubernetes.io/aws-load-balancer-type"     = "nlb"

diff --git a/k8s-secrets.tf b/k8s-secrets.tf
@@ -2,7 +2,7 @@ resource "kubernetes_secret" "hms_secrets" {
   count = var.external_database_host == "" && var.hms_instance_type == "k8s" ? 1 : 0
   metadata {
     name      = "${local.hms_alias}-credentials"
-    namespace = "metastore"
+    namespace = var.metastore_namespace
   }
 
   data = {

diff --git a/k8s-service-accounts.tf b/k8s-service-accounts.tf
@@ -0,0 +1,23 @@
+resource "kubernetes_service_account" "hms_readwrite" {
+  count = var.hms_instance_type == "k8s" ? 1 : 0
+  metadata {
+    name      = "${local.hms_alias}-readwrite"
+    namespace = var.metastore_namespace
+    annotations = {
+      "eks.amazonaws.com/role-arn" = var.oidc_provider == "" ? "" : aws_iam_role.apiary_hms_readwrite.arn
+    }
+  }
+  automount_service_account_token = true
+}
+
+resource "kubernetes_service_account" "hms_readonly" {
+  count = var.hms_instance_type == "k8s" ? 1 : 0
+  metadata {
+    name      = "${local.hms_alias}-readonly"
+    namespace = var.metastore_namespace
+    annotations = {
+      "eks.amazonaws.com/role-arn" = var.oidc_provider == "" ? "" : aws_iam_role.apiary_hms_readonly.arn
+    }
+  }
+  automount_service_account_token = true
+}
diff --git a/variables.tf b/variables.tf
@@ -427,6 +427,16 @@ variable "docker_registry_auth_secret_name" {
   default     = ""
 }
 
+variable "dashboard_namespace" {
+  description = "k8s namespace to deploy grafana dashboard."
+  default     = "monitoring"
+}
+
+variable "metastore_namespace" {
+  description = "k8s namespace to deploy metastore containers."
+  default     = "metastore"
+}
+
 variable "k8s_docker_registry_secret" {
   description = "Docker Registry authentication K8s secret name."
   type        = string
@@ -451,6 +461,12 @@ variable "kiam_arn" {
   default     = ""
 }
 
+variable "oidc_provider" {
+  description = "EKS cluster OIDC provider name, required for configuring IAM using IRSA."
+  type        = string
+  default     = ""
+}
+
 variable "s3_storage_class" {
   description = "S3 storage class after transition using lifecycle policy"
   type        = string