feat[chart]: Add shareProcessNamespace field to deployment #2715
@wolffberg can the Vault agent sidecar mutating webhook not make this change to the pod spec? Out of interest, how come you're not using IRSA for the Route53 credentials?
@wolffberg in addition to the IRSA question, how come the credentials need to be reloaded in the first place? Aren't you injecting credentials which the SDK can renew itself?
@stevehipwell good idea with the mutating webhook, I will make a POC and see if Hashicorp agrees. We would like to use Vault as the main source of IAM across our different cloud/on-premise deployments to get consistency across our clusters. We also expected the SDK would reload the credentials if a request fails but this does not seem to be the case for the Go SDK.
I'd be interested in taking a look at the PR when it's up.
I wouldn't advise taking this approach, if you're using EKS then IRSA is going to be significantly more stable with fewer moving parts and fully supported by a single large vendor. It also "just works".
AFAIK the Go SDK won't reload new credentials but will refresh them if that is supported.
Up and waiting for review hashicorp/vault-k8s#334
I agree but we have EKS, AKS and on-premise clusters and would like a shared Terraform module that fits all.
We are using Vault to assume a role in AWS then inject and rotate the credentials on a regular basis. This way we don't need to expose refreshable credentials to the external-dns container.
@Raffo could you enable the workflow?
/approve
/kind feature
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: seanmalloy, stevehipwell, wolffberg. The full list of commands accepted by this bot can be found here. The pull request process is described here.
/lgtm
Description
Add a value to configure `shareProcessNamespace` in the deployment of external-dns. To use the Vault Sidecar Injector with external-dns and Route53 you need to share the process namespace to restart the external-dns process when credentials are injected, as the AWS Go SDK does not allow dynamic reloading of credentials from file.
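As an added illustration, not code from this PR or from the external-dns chart itself, the manifest below shows what a Deployment rendered with the new value set to `true` looks like, and what the setting changes for the containers in the pod. The container names, the credentials path, the image placeholder and the Helm template line quoted in the comments are assumptions made for this example; only the `shareProcessNamespace` field itself is from the PR.

```yaml
# Constructed example: external-dns Deployment rendered with the chart value
#   shareProcessNamespace: true
# The template wiring assumed here (not necessarily the chart's exact lines) is:
#   {{- with .Values.shareProcessNamespace }}
#   shareProcessNamespace: {{ . }}
#   {{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
      annotations:
        # Vault Agent Injector opt-in; the injector's mutating webhook adds the
        # agent sidecar that writes the rotated AWS credentials into the pod.
        vault.hashicorp.com/agent-inject: "true"
    spec:
      serviceAccountName: external-dns
      # With this set, every container in the pod runs in one PID namespace.
      # That is what lets the agent sidecar find the external-dns process and
      # signal it to restart after a fresh credentials file is written. The
      # trade-off is that each container can now also read the others' /proc
      # entries (cmdline, environ) and send them signals, so keep secrets out
      # of command-line arguments and environment variables and give the
      # sidecar only the capabilities it needs (SIGKILL/SIGTERM to a PID it
      # does not own requires SYS_PTRACE or a matching UID).
      shareProcessNamespace: true
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:<version>  # placeholder tag
          args:
            - --source=service
            - --source=ingress
            - --provider=aws
          env:
            # Assumed path; the SDK reads this file once at start-up, which is
            # why the process has to be restarted rather than reloaded.
            - name: AWS_SHARED_CREDENTIALS_FILE
              value: /vault/secrets/aws-credentials
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

To confirm the value actually reached the running pod after a chart upgrade, read it back with `kubectl get pod -l app=external-dns -o jsonpath='{.items[0].spec.shareProcessNamespace}'`; with the field unset or `false` the output is empty or `false`, and the sidecar cannot see the external-dns PID at all, which is the default and the safer posture whenever the restart-on-rotation behaviour is not needed.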