Helm: add eni option to use iam-role #14970

Merged
merged 1 commit into from
Mar 1, 2021
Contributor

@bluestealth bluestealth commented Feb 13, 2021

Prevents helm from adding secret env, in particular AWS_DEFAULT_REGION, for AWS pod identity if using an iam-role.

It seems that this prevents the eks-pod-identity-webhook from adding the entry if missing.

level=warning msg="Unable to synchronize EC2 VPC list" error="operation error EC2: DescribeVpcs, failed to sign request: failed to retrieve credentials: failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, failed to resolve service endpoint, an AWS region is required, but was not found" subsys=eni
level=fatal msg="Unable to start eni allocator" error="Initial synchronization with instances API failed" subsys=cilium-operator-aws

Fixes: #13270

Add iamRole option to eni in Helm chart values to allow using serviceaccounts for iam roles on cilium-operator
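
Added example, not part of this pull request or of the Cilium chart: a check over manifests exported with `kubectl get ... -o json` that reports AWS variables still wired to a secret on a workload whose service account carries an IAM role, the combination the description above ties to the `AssumeRoleWithWebIdentity` failure. The function name, the sample objects, the secret name and the two credential variables are assumptions.

```python
# Added example: report secret-backed AWS env vars on a workload that is
# meant to authenticate through an IAM role on its service account.
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # EKS IAM-role annotation on a ServiceAccount
# AWS_DEFAULT_REGION is named in the PR; the two credential variables are assumed.
AWS_ENV = {"AWS_DEFAULT_REGION", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}


def secret_backed_aws_env(service_account, deployment):
    """Return (container, variable, secret) for each conflicting env entry."""
    meta = service_account.get("metadata", {})
    if IRSA_ANNOTATION not in (meta.get("annotations") or {}):
        return []  # no IAM role on the service account: nothing to conflict with
    pod = deployment["spec"]["template"]["spec"]
    if pod.get("serviceAccountName") != meta.get("name"):
        return []  # deployment runs under a different service account
    findings = []
    for container in pod.get("containers", []):
        for env in container.get("env") or []:
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if env.get("name") in AWS_ENV and ref:
                findings.append((container["name"], env["name"], ref.get("name")))
    return findings


# Constructed sample objects; the role ARN and secret name are placeholders.
SAMPLE_SA = {"metadata": {
    "name": "cilium-operator",
    "annotations": {IRSA_ANNOTATION: "arn:aws:iam::111122223333:role/EXAMPLE"},
}}
SAMPLE_DEPLOY = {"spec": {"template": {"spec": {
    "serviceAccountName": "cilium-operator",
    "containers": [{
        "name": "cilium-operator",
        "env": [
            {"name": "CILIUM_K8S_NAMESPACE",
             "valueFrom": {"fieldRef": {"fieldPath": "metadata.namespace"}}},
            {"name": "AWS_DEFAULT_REGION",
             "valueFrom": {"secretKeyRef": {"name": "cilium-aws",
                                            "key": "AWS_DEFAULT_REGION",
                                            "optional": True}}},
        ],
    }],
}}}}

if __name__ == "__main__":
    for container, var, secret in secret_backed_aws_env(SAMPLE_SA, SAMPLE_DEPLOY):
        print(f"{container}: {var} comes from secret {secret!r} although an IAM role is set")
```
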

@bluestealth bluestealth requested review from a team as code owners February 13, 2021 17:57
@bluestealth bluestealth requested review from a team, qmonnet and kkourt February 13, 2021 17:57
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 13, 2021
@qmonnet qmonnet requested review from a team and tgraf and removed request for a team February 15, 2021 14:59
Member

@qmonnet qmonnet left a comment


Looks good, although my knowledge of AWS is too limited to provide a correct review on the content.

@qmonnet qmonnet added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Feb 15, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 15, 2021
@qmonnet qmonnet removed their assignment Feb 15, 2021
Member

@christarazi christarazi left a comment


LGTM, I think the second commit can be squashed with the first

Fixes: cilium#13270

Signed-off-by: Michael Ryan Dempsey <[email protected]>
@bluestealth
Contributor Author

@christarazi done

Contributor

@kkourt kkourt left a comment


Same as @qmonnet

@qmonnet qmonnet removed the request for review from tgraf February 26, 2021 13:55
@qmonnet
Member

qmonnet commented Feb 26, 2021

test-me-please
I see Chris is part of the AWS team and approved, so I removed the review request for Thomas.

@qmonnet
Member

qmonnet commented Feb 26, 2021

test-1.19-4.19

@qmonnet
Member

qmonnet commented Feb 26, 2021

test-1.20-4.9

@aanm aanm merged commit 54a533e into cilium:master Mar 1, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 1, 2021
@bluestealth bluestealth deleted the oidc branch March 9, 2021 17:08
Successfully merging this pull request may close these issues.

EKS cilium-operator to use IAM role service account