capa fix hardcoded role arn for aws iam authenticator #3926
Conversation
/ok-to-test
/retest |
Force-pushed 0b75505 to 4a4792a
/lgtm @sadysnaat Are you happy with this too? :)
Generally, it's okay; I have one question. Most changes restrict the default partition and only allow the government partition to work. Is that the intention?
Oops, sorry, I probably fumbled one of the suggestions.
The intention was to make sure the provider works for the specific partition. Due to the hardcoded "aws" partition, there was an issue with resolving regions, AMIs, and images that are different for different partitions; we now look dynamically for the region/partition so it works for both. Avoided going for pain partition here so as not to expose resources meant for a specific partition to others.
pkg/cloud/services/eks/roles.go
Outdated
Instead of determining this partition all the time using if/else, we should do it one time, store the result, and call functions with the partition.
Currently
I think we need to refactor the duplicate code and avoid deducing the partition using if/else all the time; we should do this once and store it in the service.
@sadysnaat and @Skarlso, please take a look at the latest code. I have made code changes to add a util func to get the partition from the region. Do we want to update the service/CRD to store the partition?
capa fix hardcoded role arn for aws iam authenticator Added mock for partition
Force-pushed 3833d23 to 378727f
@sadysnaat @AmitSahastra So sorry, but on second thought, I don't think we need to store this info for three reasons:
That last was the best counterargument, as it can confuse users. I suggest reverting the spec part. The rest is fine to merge. WDYT?
Hi @Skarlso, my points:
Yes, but if we store it, we need not derive it again and again, like we do for
where we backfill networking info
that's because this flow was broken and didn't need derivation; for older versions capa would fail to provision a bastion host
I think we do it all the time: one is mentioned in networkspec, the other place is https://github.com/kubernetes-sigs/cluster-api/blob/0587101abbc0d558af4f2715b0be536b825742f6/api/v1beta1/cluster_types.go#L53. I am not sure how tools handle this, but if you have a reference to any repo which gets affected I would like to see how clusterapi.cluster.endpoint changes are handled there.
Right. We do it all the time but it's not necessarily good. 😁 Okay then. Fine with me.
@Skarlso @sadysnaat can you provide final review on this. |
Okay, if we are doing this, then it's incorrect that v1beta1 has changes in it, and the conversion is incorrect too. I'll try to show you later how it can be done.
/test ?
/test pull-cluster-api-provider-aws-e2e-eks
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: Skarlso
It looks like this needs to be reverted, since this has been merged the periodic e2e unmanaged S3 thing fails.
@AmitSahastra Could you open this again please in a separate PR so we can run other tests on it? We need to find out what went wrong. :)
Saw this comment today. I have opened new PR #4010.
Thanks! |
What is the purpose of the pull request
ARNs hardcoded with the ":aws:" partition do not work with the "us-gov" cloud.
Implementation
Issue: For a few roles/policies the ARN partition is hardcoded to "aws". When working with the "aws-us-gov" cloud partition this does not work and cluster creation fails.
Fix: Check the AWS cloud "partition" or "region" to derive the correct ARN and use it.
/kind bug
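An added illustration of the fix this PR describes and of the reviewers' request to derive the partition once rather than in repeated if/else branches. It is example code, not CAPA's own: the partition is derived from the region, cached on a small service struct, and used to build IAM role and managed-policy ARNs, and a check flags a hardcoded "arn:aws:" ARN when the cluster lives in a GovCloud region. The region-prefix rules, the `Service` type, the helper names and the account ID are assumptions made for the example; a production implementation should consult the AWS SDK's partition metadata rather than prefix matching.

```go
package main

import (
	"fmt"
	"strings"
)

// PartitionFromRegion maps an AWS region to its partition identifier.
// Prefix rules assumed for this example: us-gov-* -> aws-us-gov,
// cn-* -> aws-cn, anything else -> the commercial "aws" partition.
func PartitionFromRegion(region string) string {
	switch {
	case strings.HasPrefix(region, "us-gov-"):
		return "aws-us-gov"
	case strings.HasPrefix(region, "cn-"):
		return "aws-cn"
	default:
		return "aws"
	}
}

// IAMRoleARN builds arn:<partition>:iam::<account>:role/<name>.
func IAMRoleARN(partition, accountID, roleName string) string {
	return fmt.Sprintf("arn:%s:iam::%s:role/%s", partition, accountID, roleName)
}

// ManagedPolicyARN builds the ARN of an AWS-managed policy; these live under
// the literal "aws" account field, but the partition still has to match.
func ManagedPolicyARN(partition, policyName string) string {
	return fmt.Sprintf("arn:%s:iam::aws:policy/%s", partition, policyName)
}

// Service (hypothetical) caches the partition once per region so callers
// never re-derive it with ad hoc if/else logic.
type Service struct {
	Region    string
	Partition string
}

func NewService(region string) *Service {
	return &Service{Region: region, Partition: PartitionFromRegion(region)}
}

func (s *Service) RoleARN(accountID, roleName string) string {
	return IAMRoleARN(s.Partition, accountID, roleName)
}

// ValidateARNPartition reports an error when an ARN's partition does not
// match the partition implied by the region, which is exactly what a
// hardcoded "arn:aws:" ARN does in us-gov-west-1.
func ValidateARNPartition(arn, region string) error {
	parts := strings.SplitN(arn, ":", 3)
	if len(parts) < 3 || parts[0] != "arn" {
		return fmt.Errorf("malformed ARN %q", arn)
	}
	want := PartitionFromRegion(region)
	if parts[1] != want {
		return fmt.Errorf("ARN partition %q does not match partition %q for region %s",
			parts[1], want, region)
	}
	return nil
}

func main() {
	// Constructed sample: the hardcoded form that fails in GovCloud.
	hardcoded := "arn:aws:iam::123456789012:role/example-eks-role"
	fmt.Println(ValidateARNPartition(hardcoded, "us-gov-west-1"))

	svc := NewService("us-gov-west-1")
	fmt.Println(svc.RoleARN("123456789012", "example-eks-role"))
	fmt.Println(ManagedPolicyARN(svc.Partition, "AmazonEKSClusterPolicy"))
}
```

Running it prints the mismatch error for the hardcoded ARN, then the GovCloud role and policy ARNs built from the cached partition. The validation helper is the kind of check worth running in a unit test over every ARN the provider emits, so a reintroduced hardcoded partition is caught before a GovCloud e2e run.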