[Bug]: IRSA can no longer default to the node role #1466

Closed
1 task done
vibe opened this issue Aug 22, 2024 · 4 comments
Labels
bug Something isn't working needs:triage stale

Comments


vibe commented Aug 22, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

No response

Resource MRs required to reproduce the bug

apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: IRSA

Steps to Reproduce

  • Deploy AWS Provider with a default config with credentials source set to IRSA.

What happened?

Related to Issue #1252

Versions prior to 1.3 allowed configuring IRSA with no further annotations, which defaulted to using the node role.

Not sure I quite follow the "why", but the new cache implementation requires AWS_WEB_IDENTITY_TOKEN_FILE to exist, otherwise it will fail.

tokenHash, err := hashTokenFile(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))
if err != nil {

Relevant Error Output Snippet

No response

Crossplane Version

1.6

Provider Version

1.11

Kubernetes Version

No response

Kubernetes Distribution

No response

Additional Info

EKS

@vibe vibe added bug Something isn't working needs:triage labels Aug 22, 2024

vibe commented Aug 22, 2024

I understand there is additional configuration that can be applied to restore functionality, but it seems like an oversight to introduce breaking changes to default behavior.

@haarchri
Member

I talked about this behaviour with @erhancagirici when implementing #1459: we were falling back to the default chain before 1.3 with IRSA, and we will do it now with the new PodIdentity feature when we don't find the expected behaviours in the environment / files etc.

https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials

I think it would be better if we force IRSA, PodIdentity and implement an additional type for EC2 / Node Credentials.
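
One way to make the fallback discussed in this thread explicit, as an added example that is not the provider's code and not written by any participant. The names `irsaCacheKey`, `resolveSource`, `ErrNoWebIdentity` and the `allowNodeRole` flag are hypothetical, and hashing the token file to key a credential cache is an assumption based on the `tokenHash` line quoted in the issue.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// ErrNoWebIdentity: the pod has no projected IRSA token configured at all.
var ErrNoWebIdentity = errors.New("AWS_WEB_IDENTITY_TOKEN_FILE is not set")

// irsaCacheKey (hypothetical) hashes the token file so a cache entry changes
// when the token rotates; an unset path gets its own error, not open("").
func irsaCacheKey(tokenPath string) (string, error) {
	if tokenPath == "" {
		return "", ErrNoWebIdentity
	}
	b, err := os.ReadFile(tokenPath)
	if err != nil {
		return "", fmt.Errorf("read web identity token: %w", err)
	}
	sum := sha256.Sum256(b)
	return "irsa:" + hex.EncodeToString(sum[:]), nil
}

// resolveSource (hypothetical) falls back to the default chain only when no
// token is configured AND the operator opted in; unreadable tokens always fail.
func resolveSource(tokenPath string, allowNodeRole bool) (string, error) {
	key, err := irsaCacheKey(tokenPath)
	if errors.Is(err, ErrNoWebIdentity) && allowNodeRole {
		return "default-chain", nil
	}
	return key, err
}

func main() {
	// Constructed sample token; real IRSA tokens are projected by the kubelet.
	p := os.TempDir() + "/constructed-irsa-token"
	if err := os.WriteFile(p, []byte("constructed-sample-token"), 0o600); err != nil {
		panic(err)
	}
	defer os.Remove(p)
	for _, path := range []string{p, "", p + ".missing"} {
		src, err := resolveSource(path, false)
		fmt.Printf("path=%q source=%q err=%v\n", path, src, err)
	}
}
```

With `allowNodeRole` false, a pod without the IRSA annotation fails loudly instead of silently inheriting the node role's permissions, which is the least-privilege concern behind a separate credential type for node credentials.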


This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

@github-actions github-actions bot added the stale label Nov 22, 2024

github-actions bot commented Dec 6, 2024

This issue is being closed since there has been no activity for 14 days since marking it as stale. If you still need help, feel free to comment or reopen the issue!

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 6, 2024