
fix: fixing irsa working mode
JianLi-Expedia committed May 13, 2024
1 parent 35fa9ad commit 5d6a1b1
Showing 6 changed files with 59 additions and 9 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,11 @@ All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [7.1.5] - 2024-05-13
### Fixed
- Fixed k8s IRSA.
- Changed k8s service account creation to compatible with newer version kubernetes provider.(eks 1.24 and later, create service account no longer create account token automatically)

## [7.1.4] - 2024-05-06
### Fixed
- Change provider version for `kubernetes`.
2 changes: 1 addition & 1 deletion k8s-cronjobs.tf
Expand Up @@ -29,7 +29,7 @@ resource "kubernetes_cron_job" "apiary_inventory" {
name = "${local.instance_alias}-s3-inventory"
}
annotations = {
"iam.amazonaws.com/role" = aws_iam_role.apiary_s3_inventory.name
"iam.amazonaws.com/role" = var.oidc_provider == "" ? aws_iam_role.apiary_s3_inventory.name : null
}
}
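Review bot: The kube2iam/IRSA switch `var.oidc_provider == ""` is now written out verbatim on this pod annotation, on the three deployments and on the service-account `eks.amazonaws.com/role-arn` annotations, so the two credential mechanisms are kept mutually exclusive only by seven copies of the same string comparison staying in sync. A single `locals { irsa_enabled = var.oidc_provider != "" }` used as `"iam.amazonaws.com/role" = local.irsa_enabled ? null : aws_iam_role.apiary_s3_inventory.name` would put the decision in one place and make a site that drifts (and quietly ends up with both a kube2iam role and an IRSA role) impossible. The enclosing `kubernetes_cron_job` resource starts and ends outside the hunk.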

2 changes: 1 addition & 1 deletion k8s-housekeeper.tf
Expand Up @@ -32,7 +32,7 @@ resource "kubernetes_deployment_v1" "apiary_hms_housekeeper" {
"ad.datadoghq.com/${local.hms_alias}-housekeeper.check_names" = var.datadog_metrics_enabled ? "[\"prometheus\"]" : null
"ad.datadoghq.com/${local.hms_alias}-housekeeper.init_configs" = var.datadog_metrics_enabled ? "[{}]" : null
"ad.datadoghq.com/${local.hms_alias}-housekeeper.instances" = var.datadog_metrics_enabled ? "[{ \"prometheus_url\": \"http://%%host%%:${var.datadog_metrics_port}/actuator/prometheus\", \"namespace\": \"hms_readwrite\", \"metrics\": [ \"${join("\",\"", var.datadog_metrics_hms_readwrite_readonly)}\" ] , \"type_overrides\": { \"${join("\": \"gauge\",\"", var.datadog_metrics_hms_readwrite_readonly)}\": \"gauge\"} }]" : null
"iam.amazonaws.com/role" = aws_iam_role.apiary_hms_readwrite.name
"iam.amazonaws.com/role" = var.oidc_provider == "" ? aws_iam_role.apiary_hms_readwrite.name : null
"prometheus.io/path" = "/metrics"
"prometheus.io/port" = "8080"
"prometheus.io/scrape" = "true"
2 changes: 1 addition & 1 deletion k8s-readonly.tf
Expand Up @@ -32,7 +32,7 @@ resource "kubernetes_deployment_v1" "apiary_hms_readonly" {
"ad.datadoghq.com/${local.hms_alias}-readonly.check_names" = var.datadog_metrics_enabled ? "[\"prometheus\"]" : null
"ad.datadoghq.com/${local.hms_alias}-readonly.init_configs" = var.datadog_metrics_enabled ? "[{}]" : null
"ad.datadoghq.com/${local.hms_alias}-readonly.instances" = var.datadog_metrics_enabled ? "[{ \"prometheus_url\": \"http://%%host%%:${var.datadog_metrics_port}/actuator/prometheus\", \"namespace\": \"hms_readonly\", \"metrics\": [ \"${join("\",\"", var.datadog_metrics_hms_readwrite_readonly)}\" ] , \"type_overrides\": { \"${join("\": \"gauge\",\"", var.datadog_metrics_hms_readwrite_readonly)}\": \"gauge\"} }]" : null
"iam.amazonaws.com/role" = aws_iam_role.apiary_hms_readonly.name
"iam.amazonaws.com/role" = var.oidc_provider == "" ? aws_iam_role.apiary_hms_readonly.name : null
"prometheus.io/path" = "/metrics"
"prometheus.io/port" = "8080"
"prometheus.io/scrape" = "true"
2 changes: 1 addition & 1 deletion k8s-readwrite.tf
Expand Up @@ -32,7 +32,7 @@ resource "kubernetes_deployment_v1" "apiary_hms_readwrite" {
"ad.datadoghq.com/${local.hms_alias}-readwrite.check_names" = var.datadog_metrics_enabled ? "[\"prometheus\"]" : null
"ad.datadoghq.com/${local.hms_alias}-readwrite.init_configs" = var.datadog_metrics_enabled ? "[{}]" : null
"ad.datadoghq.com/${local.hms_alias}-readwrite.instances" = var.datadog_metrics_enabled ? "[{ \"prometheus_url\": \"http://%%host%%:${var.datadog_metrics_port}/actuator/prometheus\", \"namespace\": \"hms_readwrite\", \"metrics\": [ \"${join("\",\"", var.datadog_metrics_hms_readwrite_readonly)}\" ] , \"type_overrides\": { \"${join("\": \"gauge\",\"", var.datadog_metrics_hms_readwrite_readonly)}\": \"gauge\"} }]" : null
"iam.amazonaws.com/role" = aws_iam_role.apiary_hms_readwrite.name
"iam.amazonaws.com/role" = var.oidc_provider == "" ? aws_iam_role.apiary_hms_readwrite.name : null
"prometheus.io/path" = "/metrics"
"prometheus.io/port" = "8080"
"prometheus.io/scrape" = "true"
55 changes: 50 additions & 5 deletions k8s-service-accounts.tf
@@ -1,4 +1,4 @@
resource "kubernetes_service_account" "hms_readwrite" {
resource "kubernetes_service_account_v1" "hms_readwrite" {
count = var.hms_instance_type == "k8s" ? 1 : 0
metadata {
name = "${local.hms_alias}-readwrite"
Expand All @@ -7,10 +7,25 @@ resource "kubernetes_service_account" "hms_readwrite" {
"eks.amazonaws.com/role-arn" = var.oidc_provider == "" ? "" : aws_iam_role.apiary_hms_readwrite.arn
}
}
automount_service_account_token = true
}

resource "kubernetes_service_account" "hms_readonly" {
resource "kubernetes_secret_v1" "hms_readwrite" {
metadata {
name = "${local.hms_alias}-readwrite"
namespace = var.metastore_namespace
annotations = {
"kubernetes.io/service-account.name" ="${local.hms_alias}-readwrite"
"kubernetes.io/service-account.namespace" = var.metastore_namespace
}
}
type = "kubernetes.io/service-account-token"

depends_on = [
kubernetes_service_account_v1.hms_readwrite
]
}

resource "kubernetes_service_account_v1" "hms_readonly" {
count = var.hms_instance_type == "k8s" ? 1 : 0
metadata {
name = "${local.hms_alias}-readonly"
Expand All @@ -19,7 +34,22 @@ resource "kubernetes_service_account" "hms_readonly" {
"eks.amazonaws.com/role-arn" = var.oidc_provider == "" ? "" : aws_iam_role.apiary_hms_readonly.arn
}
}
automount_service_account_token = true
}

resource "kubernetes_secret_v1" "hms_readonly" {
metadata {
name = "${local.hms_alias}-readonly"
namespace = var.metastore_namespace
annotations = {
"kubernetes.io/service-account.name" ="${local.hms_alias}-readonly"
"kubernetes.io/service-account.namespace" = var.metastore_namespace
}
}
type = "kubernetes.io/service-account-token"

depends_on = [
kubernetes_service_account_v1.hms_readonly
]
}

resource "kubernetes_service_account" "s3_inventory" {
Expand All @@ -31,5 +61,20 @@ resource "kubernetes_service_account" "s3_inventory" {
"eks.amazonaws.com/role-arn" = var.oidc_provider == "" ? "" : aws_iam_role.apiary_s3_inventory.arn
}
}
automount_service_account_token = true
}

resource "kubernetes_secret_v1" "s3_inventory" {
metadata {
name = "${local.hms_alias}-s3-inventory"
namespace = var.metastore_namespace
annotations = {
"kubernetes.io/service-account.name" ="${local.hms_alias}-s3-inventory"
"kubernetes.io/service-account.namespace" = var.metastore_namespace
}
}
type = "kubernetes.io/service-account-token"

depends_on = [
kubernetes_service_account_v1.s3_inventory
]
}
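Review bot: The new `depends_on = [kubernetes_service_account_v1.s3_inventory]` at the end of this hunk references a resource this file does not declare — the s3_inventory account is still `resource "kubernetes_service_account" "s3_inventory"` (the unchanged context line just above the hunk header; only the two hms_* accounts were renamed, and the 5 deletions in the diffstat account for exactly those two renames plus the three `automount_service_account_token` lines), so `terraform validate` should fail with an undeclared-resource error unless it is declared elsewhere; either rename it to `kubernetes_service_account_v1` like its siblings or point the `depends_on` at `kubernetes_service_account.s3_inventory`. The three `kubernetes_secret_v1` resources also lack the `count = var.hms_instance_type == "k8s" ? 1 : 0` guard the service accounts carry, so a non-k8s deployment would still try to create token secrets in `var.metastore_namespace`. Worth a second look before merging: a `kubernetes.io/service-account-token` secret is a non-expiring credential for the account (that is why 1.24 stopped auto-creating them), pods already get a time-bound projected token mounted by the kubelet, and IRSA, as far as I can tell, works from the projected `sts.amazonaws.com` token the EKS webhook injects rather than from this secret. If nothing reads these secrets directly they are better dropped; if something does, name it in a comment on each resource, e.g. `# long-lived SA token secret: required by <consumer>; review/rotate — anyone with get-secrets in this namespace obtains it`.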
