LOG-6790: Update cw forwarding to use credential file and profiles #3008
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@Clee2691: This pull request references LOG-6790 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.8.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
/test all |
|
@Clee2691: This pull request references LOG-6790 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.8.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| } | ||
|
|
||
| // ReconcileAWSCredentialsConfigMap reconciles a configmap with credential profile(s) for Cloudwatch output(s). | ||
| func ReconcileAWSCredentialsConfigMap(k8sClient client.Client, reader client.Reader, namespace, name string, outputs []obs.OutputSpec, secrets observability.Secrets, configMaps map[string]*corev1.ConfigMap, owner metav1.OwnerReference) (*corev1.ConfigMap, error) { |
There was a problem hiding this comment.
Do we need the uncached reader other then k8sClient here? Usually that is only an issue when trying to read a cluster resource that we don't own
There was a problem hiding this comment.
Well the reader is used in reconcile.configmap probably because it is used for reconciling the dashboard configmap. So yes
There was a problem hiding this comment.
The dashboard, however, lives in an unmanaged namespace. You should not need to pass the reader here and simply pass the client as the reader in the dependent function
There was a problem hiding this comment.
I see what you mean. Will make the change
|
|
||
| // Add generated credentials configmap to contexts to be mounted in pod | ||
| if credCm != nil { | ||
| context.ConfigMaps[credCm.Name] = credCm |
There was a problem hiding this comment.
Chance of collision wiht a spec'd secret name. We may need an early validation to ensure there is none
There was a problem hiding this comment.
We create other configmaps without name collision validation. I've already generated the name with the forwarder name + aws-creds as that follows our current resource name conventions. I could implement early validation but then should we validate other resource names?
There was a problem hiding this comment.
If we have precedence and are certain there is limited chance of collision then leave it as-is
There was a problem hiding this comment.
I think we will have precedence because it will overwrite what is spec'd when the data etc does not match
|
/test all |
|
/test unit |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Clee2691, jcantrill The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest |
5 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
/retest |
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/lgtm |
|
@Clee2691: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
5 participants
Description
This PR adds the ability for the
ClusterLogForwarderto utilize multiple distinctrole_arnsto authenticate to amazon's Cloudwatch on an STS enabled openshift cluster.Changes:
role_arns.role_arns.configMapwith multiple profiles mounted in/var/run/ocp-collector/config/<CONFIGMAP NAME>/credentials.cloudwatchsink will specify the credentials file along with the profile name wheniamRoleis used as authentication.cloudwatch.This PR depends on changes to the RH Vector build to include a fix for the
regionwhen authenticating to AWS./cc @cahartma @vparfonov
/assign @jcantrill
Links