Set up pod identity association in E2E tests #329
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
g-gaston
reviewed
Jan 31, 2025
g-gaston
reviewed
Feb 4, 2025
g-gaston
approved these changes
Feb 5, 2025
| namespace = "default" | ||
| ) | ||
|
|
||
| func NewPodIdentityAddon(cluster, name, roleArn string) PodIdentityAddon { |
There was a problem hiding this comment.
Isn't the addon always the same? If so, why does the caller need to provide? This constructor is already exclusive for the pod identity addon, so i think it encapsulate de knowlege of the addon name and hide that detail from the caller
Wdyt?
There was a problem hiding this comment.
good suggestion. I will add it to my part3 PR.
jaxesn
reviewed
Feb 5, 2025
| }, | ||
| } | ||
|
|
||
| if _, err := k8s.CoreV1().ServiceAccounts(namespace).Create(ctx, serviceAccount, metav1.CreateOptions{}); err != nil { |
There was a problem hiding this comment.
I think we probably should probably retry this
There was a problem hiding this comment.
Let's keep it this way for now. I'd like to understand what errors we may have and what errors are retryable.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
This is part 2 of setting up E2E tests for pod identity. Part 1 PR
Description of changes:
This PR covers pod identity association setup.
(Since this PR already contains enough changes, I will create another PR to actually deploy pods and verify EKS Pod Identity volume is correctly attached.)
I followed this public document to set up pod identity association.
In summary, the following is required in order to set up pod identity association.
The creation of service account and pod identity association can only be done after the EKS cluster is provisioned successfully. We can put this into either
Here I choose to put it into creation of pod identity add-on. The reason for it is we don't need to check or set up this association in every
OS/auth providercombination. It should be a one-time setup for the whole EKS cluster.The creation of IAM role of pod identity can be put into
nodeadm-stack.tsto provision one IAM role for allkube/CNIcombinationsetup-cfn.yamlto provision one IAM role for allOS/Auth providerunder onekube/CNIcombinationOS/Auth providerOption 3 is not applicable for two reasons.
OS/Auth providerOption 1 and 2 are both working but I choose option 2 because it makes more sense as the role is tied to one cluster, which the lifecycle is managed by CloudFormation.
Testing (if applicable):
Documentation added/planned (if applicable):
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.