IRSA configuration for providers installed via OCI image #5598
Comments
@vilkovtato is this the same scenario being discussed in #5587 by any chance? A quick glance made it seem they were similar, but I wasn't sure if there was a clear distinction between the two for you 🤔
@jbw976 - yes, I created that question, it is the same scenario. Unfortunately, that link which was provided did not answer my question. The problem is to automatically configure new Providers installed via package with picking up IRSA configuration...
This old issue looks to have been asking for something similar with
@bobh66 relevant comment: #5587 (reply in thread)
@jbw976 - thank you for your help. If I understand the above old issue, there is no way to configure newly created Providers in the package configuration. The only option for now is that, after the Provider installation in the cluster, we have to manually re-configure the Provider in the cluster. For example:

```yaml
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: irsa-runtimeconfig
spec:
  serviceAccountTemplate:
    metadata:
      annotations:
        # IAM role the provider's service account assumes via IRSA
        eks.amazonaws.com/role-arn: arn:aws:iam::622346257358:role/my-custom-role
```

so the newly created Provider(s) must be re-configured via another template applied to the cluster, like this:

```yaml
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-s3
spec:
  package: xpkg.upbound.io/upbound/provider-aws-s3:v0.37.0
  # Points the provider at the runtime config that carries the IRSA annotation
  runtimeConfigRef:
    name: irsa-runtimeconfig
```

Is that correct?
@vilkovtato yes, that is the current method. The idea is to keep the
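
A check for the gap discussed in the comments above, as an added example that is not part of the thread or of Crossplane's own code: given the objects from `kubectl get ... -o json`, it reports every Provider whose runtime config does not put the `eks.amazonaws.com/role-arn` annotation on the service account. The sample objects are constructed, `provider-installed-as-dependency` and `provider-with-stale-ref` are hypothetical names, and the fallback to a runtime config named `default` is an assumption.

```python
# Input shape: the "items" list from
#   kubectl get providers.pkg.crossplane.io,deploymentruntimeconfigs.pkg.crossplane.io -o json
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
DEFAULT_CONFIG = "default"  # assumption: an unset runtimeConfigRef resolves to this name

def irsa_role(runtime_config):
    """Role ARN the config stamps on the provider's service account, or None."""
    tmpl = (runtime_config.get("spec") or {}).get("serviceAccountTemplate") or {}
    return ((tmpl.get("metadata") or {}).get("annotations") or {}).get(IRSA_ANNOTATION)

def audit_providers(items):
    """Return {provider name: (ok, detail)} for every Provider in items."""
    configs = {o["metadata"]["name"]: o for o in items
               if o.get("kind") == "DeploymentRuntimeConfig"}
    report = {}
    for obj in items:
        if obj.get("kind") != "Provider":
            continue
        name = obj["metadata"]["name"]
        spec = obj.get("spec") or {}
        ref = (spec.get("runtimeConfigRef") or {}).get("name") or DEFAULT_CONFIG
        cfg = configs.get(ref)
        role = irsa_role(cfg) if cfg else None
        if cfg is None:
            report[name] = (False, f"runtime config {ref!r} not found")
        elif role is None:
            report[name] = (False, f"runtime config {ref!r} sets no {IRSA_ANNOTATION}")
        else:
            report[name] = (True, role)
    return report

def _obj(kind, name, spec=None):
    return {"kind": kind, "metadata": {"name": name}, "spec": spec or {}}

# Constructed sample input; only the role ARN and the first Provider come from the thread.
ROLE = "arn:aws:iam::622346257358:role/my-custom-role"
SAMPLE = [
    _obj("DeploymentRuntimeConfig", "default"),
    _obj("DeploymentRuntimeConfig", "irsa-runtimeconfig",
         {"serviceAccountTemplate": {"metadata": {"annotations": {IRSA_ANNOTATION: ROLE}}}}),
    _obj("Provider", "provider-aws-s3", {"runtimeConfigRef": {"name": "irsa-runtimeconfig"}}),
    _obj("Provider", "provider-installed-as-dependency"),  # hypothetical: no ref set
    _obj("Provider", "provider-with-stale-ref", {"runtimeConfigRef": {"name": "gone"}}),
]

if __name__ == "__main__":
    for name, (ok, detail) in audit_providers(SAMPLE).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {detail}")
```
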
What problem are you facing?

I have created a Crossplane OCI image and pushed it to the repo. Besides composition/xrd, this is the configuration file:

This package must be installed into the k8s cluster. In the cluster there are already AWS providers which were installed manually (not with the OCI image). These providers have specified an existing `ControllerConfig` like this:

This `ControllerConfig` looks like this:

So the purpose is for providers to get (via their service accounts) an annotation with the IAM role, so the providers are able to create AWS resources.

The problem is this - if the providers which are configured in the OCI image configuration don't exist in the k8s cluster yet, they will be automatically installed, but they (their service accounts) will not get the annotation with the IAM role. I haven't found a way to configure `controllerConfigRef:` in the configuration file (first yaml file).

How could Crossplane help solve your problem?

To summarise:

- `ControllerConfig` when manually installing Providers (second yaml)
- `ControllerConfig` when installing Providers via OCI image (first yaml)

Or is there any other way?

Thank you.