[WIP] 3026: Add support for s3 data importer inheriting service account credentials

[russellcain]

What type of PR is this?

• /kind feature

What this PR does / why we need it:

• Allows for consistent use of credentials configured in the service account, for S3 data volume sources.

Which issue(s) this PR fixes:

• Fixes CDI importer requires static credentials for S3 and GCS (renewed) #3429

Special notes for your reviewer:

• Hi -- I'll add in some tests shortly, just wanted to get eyes on the core of the change to make sure I'm not barking up the wrong trunk. If we could start the conversation in the interim, I'd appreciate that.

Does this PR introduce a user-facing change?:

• It does allow a new value in the DataVolumeSourceS3 configuration. The needed code-gen files are included in this pull request.

Release note:

Related to https://github.com/kubevirt/containerized-data-importer/issues/3429

This change stems from the desire for a spun-up S3 reader to utilize the aws credentials configured at the Service Account level. The belief is that this would promote consistency in access / minimize any duplication of aws credential keys in the configuration of this S3 CDI. For this PR, we just provide the user with the ability to specify the `ServiceAccountName` instead of an `AccessKey`/`SecretKey` combo. No core/default functionality will change for users which wish to stick with that key combo approach.  

At the importer level, this update utilizes AWS' IRSA credential chain approach. This is a stable approach that has go sdk approach. Additionally, this PR added the recommended `CredentialsChainVerboseErrors` to the aws session configuration. If reviewers worry that this will be too noisy, I am fine with it being removed.

Signed-off-by: _____

[kubevirt-bot]

Hi @russellcain. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mhenriks for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[russellcain]

/hold

[russellcain]

(recent force push to include signoff)
@aglitke and @ShellyKa13 thanks for taking the time to look this over! any and all pointers on how you'd like tests to be done are appreciated

[mhenriks]

/test

[kubevirt-bot]

@mhenriks: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

• /test pull-containerized-data-importer-e2e-ceph
• /test pull-containerized-data-importer-e2e-ceph-wffc
• /test pull-containerized-data-importer-e2e-destructive
• /test pull-containerized-data-importer-e2e-hpp-latest
• /test pull-containerized-data-importer-e2e-hpp-previous
• /test pull-containerized-data-importer-e2e-istio
• /test pull-containerized-data-importer-e2e-nfs
• /test pull-containerized-data-importer-e2e-upg
• /test pull-containerized-data-importer-fossa
• /test pull-containerized-data-importer-non-csi-hpp

The following commands are available to trigger optional jobs:

• /test pull-cdi-apidocs
• /test pull-cdi-generate-verify
• /test pull-cdi-goveralls
• /test pull-cdi-linter
• /test pull-cdi-unit-test
• /test pull-cdi-unit-test-s390x
• /test pull-cdi-verify-go-mod

Use /test all to run all jobs.

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mhenriks]

/test all

[russellcain]

/test all

[kubevirt-bot]

@russellcain: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/test all

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[russellcain]

@mhenriks would you mind kicking off the tests for me, please?

[mhenriks]

/test all

[awels]

/test pull-cdi-goveralls

[mhenriks]

I don't see that this env var is getting set on the import pod. Here are some reference points:

https://github.com/russellcain/containerized-data-importer/blob/a87f77d4f010ee3fb2ca4b30111b7d70596c2eb2/pkg/controller/import-controller.go#L558
https://github.com/russellcain/containerized-data-importer/blob/a87f77d4f010ee3fb2ca4b30111b7d70596c2eb2/pkg/controller/import-controller.go#L1176

[russellcain]

ah rats! thanks for closing this gap in my understanding -- let me take a stab at that right now

[russellcain]

okay so fingers crossed that I understood how this flows in 04d29c3

I dont need to add anything here, right?
https://github.com/russellcain/containerized-data-importer/blob/41ba02d03ce0205b38fdfc9cbae4a1dc17b3abff/tools/cdi-source-update-poller/main.go#L48
looks like more so this parses env vars (which the SA doesnt fall into) and args passed at invocation (also not applicable)?

should i be adding a check about the source here? and then set it to any value if the PodSpec has a SA set?

[mhenriks]

Is the value of serviceAccount ever used in the aws API? Or does the aws lib assume that the pod is running as the privileged service account?

[russellcain]

The latter! hopefully i was too far off base, but the approach was that this would be used as a "flag" given the service account should have been properly set up by the time it is invoked here? (or fail on referencing an un-instantiated SA)

[russellcain]

/retest

[kubevirt-bot]

@russellcain: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[awels]

/test all

[coveralls]

coverage: 59.217% (-0.04%) from 59.26%
when pulling 4b97bf6 on russellcain:3026/IRSA-integration-for-s3-service-accounts
into d08e245 on kubevirt:main.

[mhenriks]

Couple things

1. if the worker pod does not need to know the SA name and this param is just a flag for setting sessionConfig.CredentialsChainVerboseErrors = aws.Bool(true) then why not make this a boolean value with key something like S3_CREDENTIALS_CHAIN_AUTH

2. You have to set the service account name in the importer pod spec somewhere in here: https://github.com/russellcain/containerized-data-importer/blob/3026/IRSA-integration-for-s3-service-accounts/pkg/controller/import-controller.go#L884-L949

[russellcain]

hi -- thanks for explaining this, i think i am almost on the same page so appreciate the patience on your end.

• for 1, does this handle my concern posted here? I agree that, to the best of my knowledge, the SA name itself will not be meaningfully used by the worker pod and instead is just a flag to not set sessionConfig.Credentials. I guess i was hoping to make a smaller footprint / mimic other patterns where referencing/supplying a SA name in the pod spec communicates that the values of that account are consumed by the pod (since that is happening in this case, just not through an explicit invocation). If I'm talking myself into circles, please let me know, but does this make sense?

  • I also see the merit in an explicit boolean flag -- if what im explaining above comes across as anything hand-wavy, then I'd be alright with someone knowing what they are signing up for with the S3_CREDENTIALS_CHAIN_AUTH value being set. I guess I'd just be a bit worried that the hypothetical user would set this value without having set a SA? and the approach of specifying the SA name slightly safeguards against that? I might be over-worrying here.

• for 2, happy to make this change, but wanted to confirm my understanding. are you saying we need the value set at the top level spec definition for how I'm attempting to consume it later on in cmd/cdi-importer/importer.go? that makes sense to me, but would still want to make sure i got eyes on https://github.com/kubevirt/containerized-data-importer/pull/3433/files#r1767598831

thanks again for taking your time to help me with this, @mhenriks!

[mhenriks]

• S3_CREDENTIALS_CHAIN_AUTH would just be the name of the environment variable in the importer pod spec. This should not be visible to users in any way. Importer pods are created/managed by cdi-deployment controller. The user will still specify the service account name in the API as you have already declared

• The pod spec.serviceAccountName should be set to the value the user set in the datavolume. See here: https://github.com/russellcain/containerized-data-importer/blob/3026/IRSA-integration-for-s3-service-accounts/pkg/controller/import-controller.go#L915-L925

Spec: corev1.PodSpec{
			Containers:        makeImporterContainerSpec(args),
			InitContainers:    makeImporterInitContainersSpec(args),
			Volumes:           makeImporterVolumeSpec(args),
			RestartPolicy:     corev1.RestartPolicyOnFailure,
			NodeSelector:      args.workloadNodePlacement.NodeSelector,
			Tolerations:       args.workloadNodePlacement.Tolerations,
			Affinity:          args.workloadNodePlacement.Affinity,
			PriorityClassName: args.priorityClassName,
			ImagePullSecrets:  args.imagePullSecrets,
-------------> ServiceAccountName: args.serviceAccountName
		},

[chomatdam]

some documentation here explaining what happens when the serviceAccountName is added to the pod, what the pod-identity-webhook is mutating in the pod spec

[russellcain]

will wait back on a response to this conversation before i push up my changes. thanks again, @mhenriks

[russellcain]

thanks for the added context, @chomatdam -- can you let me know if my changes in 69501ee seem to line up with the approach you described, please @mhenriks? thanks again for your guidance on this

[russellcain]

@mhenriks hi - would you mind kicking off the tests for this / taking a quick look over 69501ee when you have a chance, please? thank you!

[mhenriks]

getting there!

[mhenriks]

use_s3_credential_chain_auth is a little verbose compared to other variable names maybe just s3ChainAuth?

[mhenriks]

how about s3ChainAuth as variable name?

[mhenriks]

Where is this getting assigned?

[mhenriks]

/test all

[kubevirt-bot]

@russellcain: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cdi-unit-test-s390x	69501ee	link	false	/test pull-cdi-unit-test-s390x
pull-cdi-goveralls	69501ee	link	false	/test pull-cdi-goveralls
pull-cdi-unit-test	69501ee	link	false	/test pull-cdi-unit-test
pull-cdi-linter	69501ee	link	false	/test pull-cdi-linter

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.