-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bitnami/elasticsearch] Add support for IAM Roles for Service Accounts (IRSA) #25716
Comments
After sleeping on this I've thought of a way of achieving what I need using a mix of Here's what I added to the chart:
After that I was able for go to the
When the IAM roles were not in place this resulted in an error trying to use the AWS meta-data service. I guess this feature request can be closed, OR something could be done to make the user of IRSA easier to achieve. |
Hi @jim-barber-he, Sorry for the delay. Thanks for the detailed information. It looks like a very interesting new feature, but maybe it is too specific. We're a small team and our capacity is not too high. This is currently in our radar but the priority is not too high. Said that, we can not guarantee any ETA. Anyway, would you like to contribute by creating a PR to solve the issue? The Bitnami team will be happy to review it and provide feedback. Here you can find the contributing guidelines. |
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback. |
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary. |
Name and Version
bitnami/elasticsearch:8.6.2
What is the problem this feature will solve?
IAM Roles for Service Accounts (IRSA) is a way to grant IAM permissions at a granular container level instead of needing to grant the permissions to the hosts that the containers run on.
It is a superior solution to tools like
kiam
andkube2iam
.IRSA's pod-identity-webhook admission controller mutates pods to inject environment variables such as
AWS_ROLE_ARN
andAWS_WEB_IDENTITY_TOKEN_FILE
into the containers, and defines a volume in the pod with the token and has the containers mount it.Standard authentication with the AWS SDK will use these environment variables appropriately, however Elasticsearch has its own approach so setting these environment variables isn't enough.
The
$AWS_WEB_IDENTITY_TOKEN_FILE
variable is set to/var/run/secrets/eks.amazonaws.com/serviceaccount/token
but this will not be read by Elasticsearch.Instead they look for a symlink in the plugin directory as per their code below:
https://github.com/elastic/elasticsearch/blob/8.6/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java#L315
This approach is also mentioned in their documentation here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/repository-s3.html#iam-kubernetes-service-accounts
People not using the Bitnami images and Helm charts create the symlink via an initContainer something like what is shown in this comment linked below:
elastic/elasticsearch#52625 (comment)
NOTE: The comment talking about needing to set a
AWS_ROLE_SESSION_NAME
environment variable is no longer true as that is handled by Elasticsearch's code these days:https://github.com/elastic/elasticsearch/blob/8.6/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java#L336
As far as I can tell there is no way to do something equivalent with the Bitnami images and helm charts (although I could be wrong).
The plugin area of the filesystem is not on a volume that I can mount into an initContainer?
So the same approach shown above to have an initContainer create a symlink will not work as it won't be there on the running container's image.
You can't mount symlinks into a filesystem via the
subPath
part of avolumeMount
, so I don't think I can do any tricks withextraVolumes
andextraVolumeMounts
.I don't think mounting scripts in
/docker-entrypoint-initdb.d
to create the symlink isn't going to help either since they only run once and not every time a container starts?I'm looking for a way for the bitnami/elasticsearch to be able to support the use of IRSA by allowing me to create the symlink in the plugin area.
What is the feature you are proposing to solve the problem?
I guess a couple of approaches I can think of are:
$AWS_WEB_IDENTITY_TOKEN_FILE
environment variable is set and if so, create the symlink.I don't know which script would be most appropriate for this to be added to; maybe
/opt/bitnami/scripts/libelasticsearch.sh
and then a call to it in/opt/bitnami/scripts/elasticsearch/setup.sh
?OR
/docker-entrypoint-initdb.d/*
that run every time the container starts, not just the first time).Also I'm not sure where the symlink would need to be created in the bitnami image.
On the official Elasticsearch image it is created as
/usr/share/elasticsearch/config/repository-s3/aws-web-identity-token-file
But for the bitnami image I suspect it'll either be
/bitnami/elasticsearch/plugins/repository-s3/aws-web-identity-token-file
or/opt/bitnami/elasticsearch/config/repository-s3/aws-web-identity-token-file
?What alternatives have you considered?
I've been looking at the image and chart and I haven't found an obvious way for me to create the symlink in the container's file system that points the the AWS web identity token file.
The text was updated successfully, but these errors were encountered: