From 7a646b65ecd8907078424ea5aaed7d0a898e9074 Mon Sep 17 00:00:00 2001 From: kmoolya Date: Thu, 2 Jul 2020 21:33:31 +0530 Subject: [PATCH 1/2] allow using AWS role or EC2 Instance role for Elasticsearch Auth --- comm_config.yaml | 9 +++++---- pkg/config/config.go | 1 + pkg/notify/elasticsearch.go | 13 ++++++++++++- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/comm_config.yaml b/comm_config.yaml index c287c46d7..822b25a39 100644 --- a/comm_config.yaml +++ b/comm_config.yaml @@ -20,10 +20,11 @@ communications: elasticsearch: enabled: false awsSigning: - enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html - awsRegion: "us-east-1" # AWS region where Elasticsearch is deployed - server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243 - username: 'ELASTICSEARCH_USERNAME' # Basic Auth + enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html + awsRegion: 'us-east-1' # AWS region where Elasticsearch is deployed + roleArn: '' # AWS IAM Role arn to assume for credentials, use this only if you dont want to use the EC2 instance role or not running on AWS instance + server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243 + username: 'ELASTICSEARCH_USERNAME' # Basic Auth password: 'ELASTICSEARCH_PASSWORD' # ELS index settings index: diff --git a/pkg/config/config.go b/pkg/config/config.go index 64e41bd7d..97ad320b3 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -128,6 +128,7 @@ type ElasticSearch struct { type AWSSigning struct { Enabled bool AWSRegion string `yaml:"awsRegion"` + RoleArn string `yaml:"roleArn"` } // Index settings for ELS 
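Review bot: The `enabled` comment still tells operators to set the AWS environment variables, but the code this patch adds in pkg/notify/elasticsearch.go selects `ec2rolecreds.NewCredentials` when `roleArn` is empty, and that provider does not read them. The environment appears to matter only as the base identity for the AssumeRole call when `roleArn` is set (inferred from SDK session defaults, not shown here). The comment should name the real sources, for example `enabled: false # sign requests with AWS IAM (SigV4) for Elasticsearch hosted on AWS; credentials come from roleArn when set, otherwise from the EC2 instance role`. The `roleArn` comment could also say that the identity BotKube runs as needs `sts:AssumeRole` on that role. The same stale text is repeated in deploy-all-in-one-tls.yaml, deploy-all-in-one.yaml and helm/botkube/values.yaml in the second patch.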
diff --git a/pkg/notify/elasticsearch.go b/pkg/notify/elasticsearch.go index 1d39ae9c9..e3e9bb65b 100644 --- a/pkg/notify/elasticsearch.go +++ b/pkg/notify/elasticsearch.go @@ -25,6 +25,9 @@ import ( "time" "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" + "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/aws/signer/v4" "github.com/infracloudio/botkube/pkg/config" "github.com/infracloudio/botkube/pkg/events" @@ -55,11 +58,19 @@ type ElasticSearch struct { func NewElasticSearch(c *config.Config) (Notifier, error) { var elsClient *elastic.Client var err error + var creds *credentials.Credentials if c.Communications.ElasticSearch.AWSSigning.Enabled { // Get credentials from environment variables and create the AWS Signature Version 4 signer - creds := credentials.NewEnvCredentials() + sess := session.Must(session.NewSession()) + if c.Communications.ElasticSearch.AWSSigning.RoleArn != "" { + creds = stscreds.NewCredentials(sess, c.Communications.ElasticSearch.AWSSigning.RoleArn) + } else { + creds = ec2rolecreds.NewCredentials(sess) + } + signer := v4.NewSigner(creds) awsClient, err := aws_signing_client.New(signer, nil, awsService, c.Communications.ElasticSearch.AWSSigning.AWSRegion) + if err != nil { return nil, err } From 8495134fb9a7e8a155b3fe547ce41e780f8f879b Mon Sep 17 00:00:00 2001 From: kmoolya Date: Fri, 3 Jul 2020 12:40:58 +0530 Subject: [PATCH 2/2] support for priority classes and adding config changes to deployment yamls --- deploy-all-in-one-tls.yaml | 3 ++- deploy-all-in-one.yaml | 9 +++++---- helm/botkube/templates/deployment.yaml | 3 +++ helm/botkube/values.yaml | 11 +++++++---- 4 files changed, 17 insertions(+), 9 deletions(-) diff --git a/deploy-all-in-one-tls.yaml b/deploy-all-in-one-tls.yaml index 8690f75a6..7e4eb92ae 100644 --- a/deploy-all-in-one-tls.yaml +++ b/deploy-all-in-one-tls.yaml 
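Review bot: `session.Must(session.NewSession())` panics when the session cannot be built, although NewElasticSearch already returns an error; return that error instead. With an empty `roleArn` the new else branch uses `ec2rolecreds.NewCredentials(sess)`, which reads only the instance metadata service, so deployments that authenticated through `credentials.NewEnvCredentials()` stop working and the retained comment "Get credentials from environment variables" no longer matches the code. Falling back to the session's default provider chain (`sess.Config.Credentials`) keeps environment variables working and still reaches the instance role; the `ec2rolecreds` import added in this file's import hunk then becomes unused and has to be dropped. On Kubernetes the instance role is the node's and is presumably available to every pod scheduled there, so a dedicated `roleArn` is the narrower grant and worth recommending in the config comment. NewElasticSearch continues past the end of the hunk, so the fence shows only the credential setup.

```go
	if c.Communications.ElasticSearch.AWSSigning.Enabled {
		// Resolve credentials through the SDK default chain (environment,
		// shared config, instance role) and assume roleArn on top when set.
		sess, err := session.NewSession()
		if err != nil {
			return nil, err
		}
		creds = sess.Config.Credentials
		if roleArn := c.Communications.ElasticSearch.AWSSigning.RoleArn; roleArn != "" {
			creds = stscreds.NewCredentials(sess, roleArn)
		}
		// … unchanged: v4 signer and aws_signing_client setup …
```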
@@ -261,7 +261,8 @@ stringData: enabled: false awsSigning: enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html - awsRegion: "us-east-1" # AWS region where Elasticsearch is deployed + awsRegion: 'us-east-1' # AWS region where Elasticsearch is deployed + roleArn: '' # AWS IAM Role arn to assume for credentials, use this only if you dont want to use the EC2 instance role or not running on AWS instance server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243 username: 'ELASTICSEARCH_USERNAME' # Basic Auth password: 'ELASTICSEARCH_PASSWORD' diff --git a/deploy-all-in-one.yaml b/deploy-all-in-one.yaml index 3620287a4..755947471 100644 --- a/deploy-all-in-one.yaml +++ b/deploy-all-in-one.yaml @@ -260,10 +260,11 @@ stringData: elasticsearch: enabled: false awsSigning: - enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html - awsRegion: "us-east-1" # AWS region where Elasticsearch is deployed - server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243 - username: 'ELASTICSEARCH_USERNAME' # Basic Auth + enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html + awsRegion: 'us-east-1' # AWS region where Elasticsearch is deployed + roleArn: '' # AWS IAM Role arn to assume for credentials, use this only if you dont want to use the EC2 instance role or not running on AWS instance + server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243 + username: 'ELASTICSEARCH_USERNAME' # Basic Auth password: 'ELASTICSEARCH_PASSWORD' # ELS index settings index: 
diff --git a/helm/botkube/templates/deployment.yaml b/helm/botkube/templates/deployment.yaml index 712e70a5d..82f7ea8a9 100644 --- a/helm/botkube/templates/deployment.yaml +++ b/helm/botkube/templates/deployment.yaml @@ -26,6 +26,9 @@ spec: {{ toYaml .Values.extraAnnotations | indent 8 }} {{- end }} spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} serviceAccountName: {{ include "botkube.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} diff --git a/helm/botkube/values.yaml b/helm/botkube/values.yaml index 08875fa78..9d9833dbb 100644 --- a/helm/botkube/values.yaml +++ b/helm/botkube/values.yaml @@ -5,6 +5,8 @@ replicaCount: 1 # Extra annotations to pass to the botkube pod extraAnnotations: {} +# Priority class name for the pod +priorityClassName: "" image: repository: infracloudio/botkube pullPolicy: IfNotPresent @@ -269,10 +271,11 @@ communications: elasticsearch: enabled: false awsSigning: - enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html - awsRegion: "us-east-1" # AWS region where Elasticsearch is deployed - server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243 - username: 'ELASTICSEARCH_USERNAME' # Basic Auth + enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html + awsRegion: "us-east-1" # AWS region where Elasticsearch is deployed + roleArn: '' # AWS IAM Role arn to assume for credentials, use this only if you dont want to use the EC2 instance role or not running on AWS instance + server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243 + username: 'ELASTICSEARCH_USERNAME' # Basic Auth password: 'ELASTICSEARCH_PASSWORD' # ELS index settings index: