
feat[chart]: Add shareProcessNamespace field to deployment #2715

Merged

Conversation

wolffberg (Contributor)

Description

Add a value to configure shareProcessNamespace in the deployment of external-dns.

To use the Vault Sidecar Injector with external-dns and Route53 you need to share the process namespace to restart the external-dns process when credentials are injected, as the AWS Go SDK does not allow dynamic reloading of credentials from file.
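As an added example (not code from this PR or from the external-dns chart), the Python below models what the new value does to the rendered pod and audits what a shared PID namespace means for the containers in it. It assumes the chart value maps directly onto `pod.spec.shareProcessNamespace`, as the description says; the `vault-agent` sidecar, its UID and the pod-level `securityContext` are constructed values. It also checks the condition the restart mechanism relies on: a sidecar can only signal the external-dns process if it shares its UID or holds CAP_KILL.

```python
"""Model the `shareProcessNamespace` chart value and audit what it changes.

Added example for this PR discussion; it is not code from the external-dns
chart or from the PR. It assumes the chart value maps directly onto
pod.spec.shareProcessNamespace (as the PR description says). The sidecar
container, its UID and the pod-level securityContext are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

Spec = dict[str, Any]


@dataclass(frozen=True)
class Finding:
    level: str      # "info" or "warn"
    container: str  # container the finding is about, or "pod"
    message: str


def render_pod_spec(values: Spec, sidecars: list[Spec] | None = None) -> Spec:
    """Stand-in for the chart template (an assumption, not the real template).

    Only the field added by the PR is modelled; everything else is a
    constructed skeleton so the audit has something realistic to inspect.
    """
    spec: Spec = {
        "securityContext": dict(values.get("securityContext") or {}),
        "containers": [{"name": "external-dns"}, *(sidecars or [])],
    }
    if values.get("shareProcessNamespace"):
        spec["shareProcessNamespace"] = True  # the field this PR exposes
    return spec


def effective_uid(container: Spec, pod_sc: Spec) -> int | None:
    """Container-level runAsUser overrides the pod-level one (Kubernetes semantics)."""
    csc = container.get("securityContext") or {}
    return csc["runAsUser"] if "runAsUser" in csc else pod_sc.get("runAsUser")


def can_signal(spec: Spec, sender: str, target: str) -> bool:
    """True if `sender` may send signals to `target`'s processes.

    Kernel rule: same UID, or the sender holds CAP_KILL (root keeps it unless
    dropped). A shared PID namespace is needed to see the target at all.
    """
    if not spec.get("shareProcessNamespace"):
        return False
    pod_sc = spec.get("securityContext") or {}
    by_name = {c["name"]: c for c in spec.get("containers", [])}
    s_uid = effective_uid(by_name[sender], pod_sc)
    t_uid = effective_uid(by_name[target], pod_sc)
    caps = (by_name[sender].get("securityContext") or {}).get("capabilities") or {}
    is_root = s_uid in (None, 0)  # unset runAsUser means the image default, often root
    has_cap_kill = is_root and not ({"ALL", "KILL"} & set(caps.get("drop", [])))
    return has_cap_kill or (s_uid is not None and s_uid == t_uid)


def audit_pod_spec(spec: Spec, main: str = "external-dns") -> list[Finding]:
    """Report what a shared PID namespace means for isolation in this pod."""
    findings: list[Finding] = []
    if not spec.get("shareProcessNamespace"):
        return findings
    pod_sc = spec.get("securityContext") or {}
    containers = spec.get("containers", [])
    names = [c["name"] for c in containers]
    findings.append(Finding("info", "pod",
        f"PID namespace shared by {names}: each container's processes and "
        f"/proc/<pid>/root filesystem are visible to the others"))
    for c in containers:
        name = c["name"]
        if effective_uid(c, pod_sc) in (None, 0):
            findings.append(Finding("warn", name,
                "runs as root or with runAsUser unset: it can signal and read the "
                "filesystem of every other container in the pod"))
        if name != main and not can_signal(spec, name, main):
            findings.append(Finding("warn", name,
                f"cannot signal {main}; if it is meant to restart it, give both "
                f"the same non-root runAsUser rather than running the sidecar as root"))
    return findings


if __name__ == "__main__":
    # Constructed values: external-dns as UID 65534, sidecar with a different UID.
    values = {"shareProcessNamespace": True,
              "securityContext": {"runAsUser": 65534, "runAsNonRoot": True}}
    agent = {"name": "vault-agent", "securityContext": {"runAsUser": 100}}
    for f in audit_pod_spec(render_pod_spec(values, [agent])):
        print(f"[{f.level}] {f.container}: {f.message}")
```

Run as a script it reports the findings for a sidecar whose UID differs from external-dns; giving both containers the same non-root `runAsUser` clears the warning without running the agent as root. The facts the audit relies on are the ones documented for `shareProcessNamespace` in the Kubernetes docs (processes and `/proc/<pid>/root` are visible across the pod's containers) and the ordinary kernel signalling rule (same UID or CAP_KILL).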

linux-foundation-easycla bot commented Apr 20, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: wolffberg / name: David Wolffberg (534916c)

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Apr 20, 2022
k8s-ci-robot (Contributor)

Welcome @wolffberg!

It looks like this is your first PR to kubernetes-sigs/external-dns 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/external-dns has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Apr 20, 2022
stevehipwell (Contributor)

@wolffberg can the Vault agent sidecar mutating webhook not make this change to the pod spec?

Out of interest, how come you're not using IRSA for the Route53 credentials?

stevehipwell (Contributor)

@wolffberg in addition to the IRSA question, how come the credentials need to be reloaded in the first place? Aren't you injecting credentials which the SDK can renew itself?

wolffberg (Contributor, Author)

@stevehipwell good idea with the mutating webhook, I will make a POC and see if Hashicorp agrees.

We would like to use Vault as the main source of IAM across our different cloud/on-premise deployments to get consistency across our clusters.

We also expected the SDK would reload the credentials if a request fails but this does not seem to be the case for the Go SDK.

stevehipwell (Contributor)

> @stevehipwell good idea with the mutating webhook, I will make a POC and see if Hashicorp agrees.

I'd be interested in taking a look at the PR when it's up.

> We would like to use Vault as the main source of IAM across our different cloud/on-premise deployments to get consistency across our clusters.

I wouldn't advise taking this approach; if you're using EKS then IRSA is going to be significantly more stable, with fewer moving parts, and fully supported by a single large vendor. It also "just works".

> We also expected the SDK would reload the credentials if a request fails but aws/aws-sdk-go#1993 (comment).

AFAIK the Go SDK won't reload new credentials but will refresh them if that is supported.

wolffberg (Contributor, Author)

> I'd be interested in taking a look at the PR when it's up.

Up and waiting for review hashicorp/vault-k8s#334

> I wouldn't advise taking this approach; if you're using EKS then IRSA is going to be significantly more stable, with fewer moving parts, and fully supported by a single large vendor. It also "just works".

I agree but we have EKS, AKS and on-premise clusters and would like a shared Terraform module that fits all.

> AFAIK the Go SDK won't reload new credentials but will refresh them if that is supported.

We are using Vault to assume a role in AWS then inject and rotate the credentials on a regular basis. This way we don't need to expose refreshable credentials to the external-dns container.

stevehipwell (Contributor)

@Raffo could you enable the workflow?

stevehipwell (Contributor)

/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 21, 2022
seanmalloy (Member)

/kind feature
/approve

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 22, 2022
k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: seanmalloy, stevehipwell, wolffberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

seanmalloy (Member)

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 22, 2022
@k8s-ci-robot k8s-ci-robot merged commit 8da1c8c into kubernetes-sigs:master Apr 22, 2022