
Add secret permissions to clusterrole, annotations to Helm chart. #162

Closed
wants to merge 10 commits into from

Conversation

reflection

Issue #, if available:
#92

Description of changes:

  • Add secrets permissions to clusterrole, needed if creating secretObjects in SecretProviderClass
  • Allow modifications to service account annotations (i.e. linking IRSA role arn)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@smobyrne smobyrne added the enhancement New feature or request label Dec 29, 2022
@simonmarty simonmarty changed the title Extend helm chart Add secret permissions to clusterrole, annotations to Helm chart. Sep 18, 2023
@simonmarty simonmarty self-requested a review September 18, 2023 18:52
@s-pouya-s

@danmancuso @joebaro
Please, somebody approve this PR.

@theboyisno-one

@danmancuso @joebaro Please, somebody approve this PR.

Please approve and merge @joebaro @danmancuso @simonmarty

@jwitko

jwitko commented Feb 12, 2024

Also in need of this PR, currently vendoring the chart to compensate.

@reflection reflection requested a review from a team as a code owner February 28, 2024 21:24
@codecov-commenter

codecov-commenter commented Feb 28, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.67%. Comparing base (be94dd0) to head (f962987).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #162   +/-   ##
=======================================
  Coverage   49.67%   49.67%           
=======================================
  Files           9        9           
  Lines         781      781           
=======================================
  Hits          388      388           
  Misses        383      383           
  Partials       10       10           


@simonmarty simonmarty enabled auto-merge (squash) December 3, 2024 21:43
Contributor

@joebaro joebaro left a comment


There are a few problems here. First, I cannot reproduce the original issue (more on that below). Second, it is not the AWS plugin that updates the K8s secrets; that is done by the CSI driver itself, running under a different service account. Also, the CSI driver is already setting up these permissions on its role when sync is turned on. We also would not set these permissions globally for all installations, as they don't all use K8s secrets (which is why the CSI driver does them conditionally).

I suspect what may have happened is that an older version of the CSI driver was not setting the role permissions correctly on upgrade, or something was set by hand that interfered with it. When I upgrade the sync option on the latest CSI driver, I do see the cluster role set up correctly:

$ helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver
$ kubectl -o yaml -n kube-system get clusterroles secretprovidersyncing-role
Error from server (NotFound): clusterroles.rbac.authorization.k8s.io "secretprovidersyncing-role" not found

$ helm upgrade -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set syncSecret.enabled=true
$ kubectl -o yaml -n kube-system get clusterroles secretprovidersyncing-role
    ...
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

As to the annotation on the service account: this is the service account for the AWS provider daemonset; there is no IAM role associated with it. The role association and annotation should be on the application SA, and this is typically done for each application pod using eksctl create iamserviceaccount.
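The review above makes two verifiable claims: the Secrets Store CSI driver's secretprovidersyncing-role carries the seven verbs on core-group Secrets only when syncSecret.enabled=true, and the IRSA annotation belongs on the application service account rather than on the AWS provider's service account. The audit below is an added example written for this page, not code from the PR or from the secrets-store-csi-driver-provider-aws project. It works on dicts shaped like kubectl -o json output; the manifests, the service-account names, and the role ARN are constructed samples, and the expected verb set is the one shown in the review's kubectl output. It also expands "*" wildcards, so an over-broad role is reported for what it actually grants.

```python
"""Audit secret-sync RBAC and IRSA annotation placement for the Secrets Store
CSI driver + AWS provider setup discussed in the review. Added example; the
manifests below are constructed, not taken from the project."""

from __future__ import annotations

# Real annotation key used by EKS IAM Roles for Service Accounts (IRSA).
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
# Verbs the review shows on secretprovidersyncing-role when syncing is enabled.
SYNC_SECRET_VERBS = frozenset({"create", "delete", "get", "list", "patch", "update", "watch"})
# Full verb set a "*" wildcard expands to for a namespaced resource.
ALL_VERBS = SYNC_SECRET_VERBS | {"deletecollection"}


def secret_verbs(clusterrole: dict) -> set[str]:
    """Verbs this ClusterRole grants on Secrets in the core ("") API group.
    Wildcards in apiGroups, resources or verbs are expanded so the result
    reflects effective access, not just literal rule text."""
    granted: set[str] = set()
    for rule in clusterrole.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if not ({"", "*"} & set(groups) and {"secrets", "*"} & set(resources)):
            continue
        verbs = rule.get("verbs", [])
        granted |= set(ALL_VERBS) if "*" in verbs else set(verbs)
    return granted


def check_sync_role(clusterrole: dict | None, sync_enabled: bool) -> list[str]:
    """Findings for the driver's secret-syncing ClusterRole.
    With sync enabled the role must exist and hold SYNC_SECRET_VERBS; with
    sync disabled no Secret access should be granted at all (least privilege)."""
    findings: list[str] = []
    if clusterrole is None:
        if sync_enabled:
            findings.append("secretprovidersyncing-role missing while syncSecret.enabled=true")
        return findings
    verbs = secret_verbs(clusterrole)
    if not sync_enabled and verbs:
        findings.append(f"Secret verbs {sorted(verbs)} granted although secret syncing is disabled")
    missing = SYNC_SECRET_VERBS - verbs
    if sync_enabled and missing:
        findings.append(f"secretprovidersyncing-role lacks verbs {sorted(missing)}")
    extra = verbs - SYNC_SECRET_VERBS
    if extra:
        findings.append(f"role grants Secret verbs beyond what syncing needs: {sorted(extra)}")
    return findings


def irsa_role_arn(serviceaccount: dict) -> str | None:
    """The IRSA role ARN annotated on a ServiceAccount, or None."""
    return serviceaccount.get("metadata", {}).get("annotations", {}).get(IRSA_ANNOTATION)


def check_irsa_placement(app_sa: dict, provider_sa: dict) -> list[str]:
    """The application SA needs the annotation; the provider daemonset SA
    runs without an IAM role, so an annotation there is misplaced."""
    findings: list[str] = []
    app_name = app_sa.get("metadata", {}).get("name", "?")
    prov_name = provider_sa.get("metadata", {}).get("name", "?")
    if irsa_role_arn(app_sa) is None:
        findings.append(f"application SA {app_name} has no {IRSA_ANNOTATION} annotation")
    if irsa_role_arn(provider_sa) is not None:
        findings.append(f"provider SA {prov_name} carries an IRSA annotation it does not need")
    return findings


# --- constructed sample manifests (shaped like `kubectl get ... -o json`) ---
SYNC_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "secretprovidersyncing-role"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": sorted(SYNC_SECRET_VERBS)}],
}
WILDCARD_ROLE = {  # what a hand-rolled "fix" often looks like
    "kind": "ClusterRole",
    "metadata": {"name": "hand-made-secrets-role"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
APP_SA = {  # application SA; account id and role name are placeholders
    "kind": "ServiceAccount",
    "metadata": {"name": "my-app", "namespace": "default",
                 "annotations": {IRSA_ANNOTATION: "arn:aws:iam::123456789012:role/my-app-secrets-role"}},
}
PROVIDER_SA = {  # provider daemonset SA; name is a placeholder
    "kind": "ServiceAccount",
    "metadata": {"name": "secrets-store-provider-aws", "namespace": "kube-system"},
}

if __name__ == "__main__":
    for label, findings in [
        ("sync role, sync on", check_sync_role(SYNC_ROLE, True)),
        ("no role, sync on", check_sync_role(None, True)),
        ("wildcard role, sync on", check_sync_role(WILDCARD_ROLE, True)),
        ("IRSA placement", check_irsa_placement(APP_SA, PROVIDER_SA)),
    ]:
        print(f"{label}: {findings or 'OK'}")
```

Feed it the real objects with `kubectl get clusterrole secretprovidersyncing-role -o json` and `kubectl get sa <name> -o json` (or None when kubectl reports NotFound, as in the review's first attempt) and the findings tell you whether the driver's conditional RBAC is in place and whether the IRSA annotation sits on the right service account.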

@joebaro joebaro closed this Feb 6, 2025
auto-merge was automatically disabled February 6, 2025 01:33

Pull request was closed

Development

Successfully merging this pull request may close these issues.

EKS K8s secret cannot be created from volume mount with secret store csi driver
8 participants