Deploy ESO on EKS #4930

Merged
merged 5 commits into from
Mar 15, 2023

upodroid
Member

/cc @dims @xmudrii @ameukam @BenTheElder

This PR deploys ESO on EKS using Workload Identity Federation. Marko will need to initially apply this manifest, but I intend on creating a prowjob that applies it automatically. We should probably consider using ArgoCD to deploy complex apps bundled as helm charts.

I'll fix the secrets later, as I need to upgrade them to the new format expected by ESO.

@k8s-ci-robot k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure area/prow Setting up or working with prow in general, prow.k8s.io, prow build clusters area/terraform Terraform modules, testing them, writing more of them, code in infra/gcp/clusters/ size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. sig/testing Categorizes an issue or PR as relevant to SIG Testing. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 13, 2023
while true; do
for i in $(seq 0 1000); do
if ! [ -e /dev/loop$i ]; then
mknod /dev/loop$i b 7 $i
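Review bot: the `mknod /dev/loop$i b 7 $i` call inside the `while true` / `seq 0 1000` loop needs CAP_MKNOD and write access to the node's /dev, so whatever runs this has to stay privileged for as long as the loop runs. Creating the loop devices once at node bootstrap would remove the need for a long-running privileged workload; if the loop stays, check the exit status of `mknod` in the lines shown and limit the device count to what the jobs actually use rather than 1001.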
Member

Can we do this via Terraform?

# Required to ensure Prow works well.
pre_bootstrap_user_data = <<-EOT
sysctl -w fs.inotify.max_user_watches=524288
EOT

Member Author

we can, it is easier to apply the existing manifest :D

@k8s-ci-robot k8s-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Mar 15, 2023
Member

ameukam commented Mar 15, 2023

/approve

Leaving the lgtm to @xmudrii.

ping on slack for the gcp part when ready.

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 15, 2023
Member

@xmudrii xmudrii left a comment

/lgtm
/hold
to apply Terraform changes

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 15, 2023
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 15, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ameukam, upodroid, xmudrii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Member

xmudrii commented Mar 15, 2023

/hold cancel
Let's get the PR merged actually.

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 15, 2023
@k8s-ci-robot k8s-ci-robot merged commit b44edc4 into kubernetes:main Mar 15, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.27 milestone Mar 15, 2023
Member

ameukam commented Mar 15, 2023

Got

│ Error: Error setting IAM policy for service account 'projects/k8s-infra-prow-build/serviceAccounts/kubernetes-external-secrets@k8s-infra-prow-build.iam.gserviceaccount.com': googleapi: Error 400: Invalid principalSet member (principalSet://iam.googleapis.com/projects/773781448124/locations/global/workloadIdentityPools/prow-eks/providers/oidc/attribute.sub/system:serviceaccount:external-secrets:external-secrets)., badRequest
│ 
│   with module.workload_identity_service_accounts["kubernetes-external-secrets"].google_service_account_iam_policy.serviceaccount_iam,
│   on ../modules/workload-identity-service-account/main.tf line 43, in resource "google_service_account_iam_policy" "serviceaccount_iam":
│   43: resource "google_service_account_iam_policy" "serviceaccount_iam" {
│ 
╵

during the deployment.
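
An added example (not code from this PR or the k8s.io repository): a pre-apply check of Workload Identity Federation IAM member strings against the documented `principal://` and `principalSet://` shapes, in which the pool path is followed directly by `subject/`, `group/`, `attribute.NAME/` or `*`. The function name `check_member` and the `POOL_ONLY` string are constructed for illustration; whether the pool maps `attribute.sub` is not shown on this page.

```python
import re

# Pool path shared by every federated IAM member string.
_POOL = (r"//iam\.googleapis\.com/projects/\d+/locations/global"
         r"/workloadIdentityPools/[a-z0-9-]+/")
_SHAPES = {
    "principal": re.compile(r"^principal:" + _POOL + r"subject/.+$"),
    "principalSet": re.compile(
        r"^principalSet:" + _POOL
        + r"(?:group/.+|attribute\.[a-z0-9_]+/.+|\*)$"),
}
_PROVIDER_SEGMENT = re.compile(r"/workloadIdentityPools/[^/]+/providers/[^/]+/")


def check_member(member):
    """Return a list of problems; an empty list means the shape is accepted."""
    scheme = member.split("://", 1)[0]
    shape = _SHAPES.get(scheme)
    if shape is None:
        return ["unknown scheme %r" % scheme]
    if shape.match(member):
        return []
    if _PROVIDER_SEGMENT.search(member):
        return ["contains a /providers/<id>/ segment; IAM members name the "
                "pool only, so build the string from the pool resource name"]
    return ["does not match any %s:// shape" % scheme]


# Member string exactly as it appears in the error output on this page.
REJECTED = ("principalSet://iam.googleapis.com/projects/773781448124/locations/"
            "global/workloadIdentityPools/prow-eks/providers/oidc/attribute.sub/"
            "system:serviceaccount:external-secrets:external-secrets")
# Constructed for illustration: the same string without the provider segment.
POOL_ONLY = REJECTED.replace("/providers/oidc", "")

if __name__ == "__main__":
    for m in (REJECTED, POOL_ONLY):
        print(check_member(m) or "ok", "<-", m)
```

Running this over the rendered member strings in a plan before `terraform apply` catches the malformed binding without a round trip to the IAM API.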

ameukam added a commit to ameukam/k8s.io that referenced this pull request Mar 15, 2023
Follow-up of:
  - kubernetes#4930

 - Fix name of the workload identity provider pool.
 - Fix a required version of the terraform provider

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
Member

ameukam commented Mar 15, 2023

Fixing in: #4944
