Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow serviceaccount from SQLInstance to be referenced in IAM(Partial)Policy(Member) #689

Closed
3 tasks done
wmuizelaar opened this issue Jul 26, 2022 · 11 comments
Closed
3 tasks done

Allow serviceaccount from SQLInstance to be referenced in IAM(Partial)Policy(Member) #689

wmuizelaar opened this issue Jul 26, 2022 · 11 comments
Labels
enhancement New feature or request

Comments

@wmuizelaar
Copy link

Checklist

  • I did not find a related open enhancement request.
  • I understand that enhancement requests filed in the GitHub repository are by default low priority.
  • If this request is time-sensitive, I have submitted a corresponding issue with GCP support.

Describe the feature or resource

Hi,
I would like to be able to reference to the status.serviceAccountEmailAddress fields of an SQLInstance in an IAM policy. This way we can create an IAMPolicy on for example a Storagebucket, so the SQL Instance can write database exports to the bucket.

In the current situation, we need to first deploy the SQLInstance, wait for the status to be filled with the actual value, read that value, craft it into an IAM Policy resource, and apply that.

That's not very declarative - and I would really like this to be declarative as possible.

A possible layout for the adjusted memberFrom part could be:

memberFrom:
  sqlInstanceRef:
    name: <instance-name>
    namespace: <instance-namespace>

just like the existing:

memberFrom:
  serviceAccountRef:
    name: <sa-name>
    namespace: <sa-namespace>

Additional information

No response

Importance

To make the usage of KCC resources fully declarative, this change would be needed.
@wmuizelaar wmuizelaar added the enhancement New feature or request label Jul 26, 2022
@jcanseco
Copy link
Member

Thanks @wmuizelaar. Agreed on all points.

For now, our recommendation to customers is to use a tool that is able to extract values from resources to set fields in other resources, such as kpt and its apply-time-mutation feature.

Do you think that would work for you? It is currently our best recommendation given that it is not likely we'll be able to develop a native KCC feature to solve this problem any time soon.

@wmuizelaar
Copy link
Author

Hey @jcanseco - thanks for replying so quickly!

I'll experiment with kpt's applytime-mutation.

Out of curiosity and to consider: since KCC is now open source - would you be open for a contribution on this kind of feature?

@jcanseco
Copy link
Member

No problem @wmuizelaar :)

And thank you for interest in contributing! I would say hold on to your dev cycles for now since we still need to establish a good way to accept contributions (we're working on it). But yes, in the future, we would like to be able to accept such contributions.

@wmuizelaar
Copy link
Author

The kpt applytime-mutation works, but only if you run kpt live apply locally. It does not work properly in combination with config sync, as I found out through thid thread: https://kubernetes.slack.com/archives/C0155NSPJSZ/p1658838453136579

@jcanseco
Copy link
Member

Gotcha, apologies @wmuizelaar. I just confirmd with the Config Sync and kpt teams that that is true. Is this a blocker for you?

@wleese
Copy link

wleese commented Aug 2, 2022

@jcanseco as @wmuizelaar colleague, I can try to provide an answer.

Is this a blocker for you?

As described in the original post, some very common workflows are not possible using KCC, without extra steps.

Config Sync effectively removes some control over the apply-to-cluster process. Without apply-mutation-time support, the KCC + Config Sync combination becomes impossible (as far as I can tell) to use for common use cases out-of-the-box such as CloudSQL with a backup-to-bucket as documented here: https://cloud.google.com/sql/docs/mysql/backup-recovery/scheduling-backups.

Indeed I'd say this is a blocker to using Config Sync and KCC together for our use case.

@jcanseco
Copy link
Member

jcanseco commented Aug 2, 2022

Thank you @wleese. Agreed.

Could you file a separate support case for this request? It would help raise visibility of your use-case and allow us to prioritize accordingly.

@wleese
Copy link

wleese commented Aug 3, 2022

@jcanseco , did so. Not sure if it's available to you, but here's the link: https://console.cloud.google.com/support/cases/detail/v2/40462527?project=bolcom-pro

@jcanseco
Copy link
Member

jcanseco commented Aug 3, 2022

Thanks. And no we don't have visibility into support cases by default.

I suggest just mentioning that the product team asked you to create a support case for purposes of tracking, and that the support team can just escalate the case directly to us.

@diviner524
Copy link
Collaborator

This is now supported in v1.94.0. Please give it a try and let us know if you see any issues.

@wleese
Copy link

wleese commented Sep 15, 2022

Excellent, thanks! This'll take a while to test. We'll get back to you if it doesn't work out for some reason. Thanks again :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wleese @diviner524 @wmuizelaar @jcanseco