
Allow IAM authentication to communal storage #265

Merged: 2 commits, Oct 13, 2022

Conversation

@spilchen (Collaborator) commented Oct 13, 2022

This relaxes things in the operator so that the communal credential secret isn't required. Prior to this, the credential secret was required if connecting to a s3://, azb://, or gs:// endpoint.

This will allow us to authenticate with IAM when connecting on AWS. AWS provides two methods of authenticating with IAM:

  • EC2 IAM authentication: an IAM role is attached to the EC2 instance. All pods running on the EC2 instance will be able to use the attached roles.
  • IAM roles for service accounts (AWS IRSA auth for S3 communal storage #200): this is for more fine-grained access control. You can use this to attach IAM roles to a ServiceAccount. All pods running with the ServiceAccount will be able to use the roles. This feature requires a Vertica service of at least 12.0.3 (not yet available at the time of this PR). You will need to specify an existing ServiceAccount in the helm chart when deploying the operator. More details will be included in the official Vertica documentation once a server with support is GA'd.

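Because the credential secret is now optional, a VerticaDB spec with no secret will quietly fall back to IAM, and which IAM path it lands on (a ServiceAccount-bound IRSA role, or the role shared by every pod on the EC2 node) depends on the ServiceAccount's annotations. The following is an added pre-apply check, not code from this PR or the operator; the field names `spec.communal.credentialSecret`, `spec.communal.path` and `serviceAccountName`, and the sample manifests, are assumptions constructed for the example.

```python
"""Classify how a VerticaDB pod will authenticate to S3 communal storage.

Constructed example. Field names below are assumptions about the manifest,
not taken from the PR. The IRSA annotation key is the one EKS uses to bind an
IAM role to a ServiceAccount.
"""
from urllib.parse import urlparse

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"


def classify_auth(vdb_spec, service_accounts):
    """Return (mode, detail) for the credential path the pod would end up using.

    mode: 'secret' | 'irsa' | 'instance-role' | 'n/a' (path is not s3://).
    service_accounts: ServiceAccount name -> metadata.annotations dict.
    """
    communal = vdb_spec.get("communal", {})
    scheme = urlparse(communal.get("path", "")).scheme
    if scheme != "s3":
        return "n/a", f"path scheme {scheme!r} is outside this AWS check"
    secret = communal.get("credentialSecret")
    if secret:
        return "secret", f"credentials read from Secret {secret!r}"
    sa_name = vdb_spec.get("serviceAccountName", "default")  # assumed field
    role = service_accounts.get(sa_name, {}).get(IRSA_ANNOTATION)
    if role:
        return "irsa", f"ServiceAccount {sa_name!r} is bound to {role}"
    # No secret and no IRSA binding: the pod inherits the EC2 instance role,
    # which every other pod scheduled on that node can use as well.
    return "instance-role", (
        f"ServiceAccount {sa_name!r} lacks {IRSA_ANNOTATION}; pod will use the node role")


def findings(vdb_spec, service_accounts):
    """Warnings a reviewer would want to see before applying the spec."""
    mode, detail = classify_auth(vdb_spec, service_accounts)
    out = []
    if mode == "instance-role":
        out.append(f"WARN: {detail} (prefer IRSA or a dedicated Secret)")
    if mode in ("irsa", "instance-role") and \
            vdb_spec.get("serviceAccountName", "default") == "default":
        out.append("WARN: IAM access granted through the namespace 'default' ServiceAccount")
    return out


if __name__ == "__main__":
    # Constructed inputs: a spec with no credential secret, and one annotated SA.
    sas = {"vertica-sa": {IRSA_ANNOTATION: "arn:aws:iam::111122223333:role/example-role"}}
    for spec in ({"communal": {"path": "s3://bucket/db"}},
                 {"communal": {"path": "s3://bucket/db"}, "serviceAccountName": "vertica-sa"}):
        print(classify_auth(spec, sas), findings(spec, sas))
```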
@spilchen spilchen self-assigned this Oct 13, 2022
@spilchen spilchen merged commit b2c3525 into vertica:main Oct 13, 2022
@spilchen spilchen deleted the drop-auth branch October 13, 2022 19:25