Authenticator CRD & Operator Proposal #79

Closed
christopherhein opened this issue Apr 26, 2018 · 15 comments · Fixed by #116

Comments

@christopherhein
Member

christopherhein commented Apr 26, 2018

If I'm not wrong this is an alternative to #34

Authenticator IAM CRD Proposal

Overview

The current structure of the Heptio Authenticator uses default Kubernetes ConfigMap primitives that allow you to add and remove IAM Roles. This gives a single point of configuration for the whole lookup table and allows the authenticator to load once and cache the results. The problem comes when updating: if you make a change to this file and re-apply, it won’t automatically be affected; admins need to reload the DaemonSet webhook backend for the new config to load. This proposal came out of the 2018-04-05 community call. The discussion was about the usage of CRDs as a way to make this better. The rest of this document will talk about the specifics of how this could work for the authenticator.

Comments - https://docs.google.com/document/d/1UgSDcMbZdMXLY1SxUtQ7r1puLFdGYF660usGW7AlGwE/edit#

/cc @nckturner @mattlandis @mattmoyer

@StevenACoffman

StevenACoffman commented Jun 7, 2018

The prometheus operator recently made a similar shift, and provided a tool to migrate existing configmaps to CRDs:

```
go get -u github.com/coreos/prometheus-operator/cmd/po-rule-migration
po-rule-migration \
  --rule-config-map=<path-to-config-map> \
  --rule-crds-destination=<path-to-rule-crd-destination>
```

prometheus-operator 0.20 will otherwise automatically convert (upgrade) existing configmaps to crds.

If this move to CRDs goes forward, then you could borrow their code to make the shift painless.

@christopherhein
Member Author

Awesome @StevenACoffman that feedback is great…

@christopherhein
Member Author

This could be a nice addition; it wouldn't be too hard to also have it done in-cluster, so you could pass the name of the ConfigMap (in most cases aws-auth) as a flag, and have it pull the list, generate the objects and re-apply them to the cluster.

@nckturner
Contributor

@christopherhein Let's discuss the feedback on this doc in sig-aws next meeting to move this forward.

@christopherhein
Member Author

Sounds good!

@mattlandis
Contributor

@christopherhein I am going to take a stab at the implementation for this feature this week.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot added the lifecycle/stale label Apr 24, 2019

@christopherhein
Member Author

/remove-lifecycle stale

@k8s-ci-robot removed the lifecycle/stale label Apr 24, 2019

@wanghong230

@christopherhein Is the CRD available in EKS cluster?

@christopherhein
Member Author

> @christopherhein Is the CRD available in EKS cluster?

As far as I know not yet.

/cc @micahhausler @nckturner

@galindro

galindro commented Oct 5, 2019

@christopherhein are there any plans to make it available on EKS? If yes, is there an ETA?

@christopherhein
Member Author

> @christopherhein are there any plans to make it available on EKS? If yes, is there an ETA?

/cc @tabern @nckturner @micahhausler

@dnascimento

Any updates on the ETA?
When will a new aws-iam-authenticator version with the CRD be released as well?

@nckturner
Contributor

We're overdue for an authenticator release so that should come relatively soon, but in terms of bringing this feature to EKS, that is TBD. If it's something you want, please add it to https://github.com/aws/containers-roadmap. I don't think we've had a lot of customers asking for it in EKS so there are currently other higher priorities.

@galindro

Done @nckturner : aws/containers-roadmap#550
