Switch to IRSAv2/pod identity #64
Conversation
| } | ||
| annotations : try(var.use_irsa_v1 ? { | ||
| "eks.amazonaws.com/role-arn" : module.cluster_autoscaler_irsa_role[0].iam_role_arn | ||
| } : null) |
There was a problem hiding this comment.
@Luay-Sol I am not sure about the syntax but AFAIK the try function takes 2 arguments. I can see that you have made the first one but which one is the fallback expression? Am I missing anything here?
There was a problem hiding this comment.
not real, here's the definition of try:
try evaluates all of its argument expressions in turn and returns the result of the first one that does not produce any errors.
And below an example:
There was a problem hiding this comment.
So one expression with a result will work
There was a problem hiding this comment.
I see. However, if there is only one expression (so there is no fallback), can we not just use the expression?
There was a problem hiding this comment.
@Luay-Sol While testing existing cluster migration to use pod identity, I found an issue. We need to address that while creating the cluster as well. Can you please take a look 🙏
| source = "terraform-aws-modules/eks-pod-identity/aws" | ||
| version = "1.2.1" | ||
|
|
||
| name = "${var.cluster_name}-ca" |
There was a problem hiding this comment.
We need to also set use_name_prefix to false because by default it uses prefix to create all resources and the prefix is having length limit of 37. Hence, the deployment will fail for long datacenter name. I found the issue when I was testing the pod identity migration for existing cluster.
| source = "terraform-aws-modules/eks-pod-identity/aws" | ||
| version = "1.2.1" | ||
|
|
||
| name = "${var.cluster_name}-lbc" |
There was a problem hiding this comment.
Same comment as before to use use_name_prefix
| source = "terraform-aws-modules/eks-pod-identity/aws" | ||
| version = "1.2.1" | ||
|
|
||
| name = "${var.cluster_name}-ebs-csi" |
There was a problem hiding this comment.
Same comment as before to use use_name_prefix
| source = "terraform-aws-modules/eks-pod-identity/aws" | ||
| version = "1.2.1" | ||
|
|
||
| name = "${var.cluster_name}-vpc-cni" |
There was a problem hiding this comment.
Same comment as before to use use_name_prefix
| @@ -335,7 +260,7 @@ resource "aws_eks_addon" "csi-driver" { | |||
| resource "aws_eks_addon" "vpc-cni" { | |||
| cluster_name = aws_eks_cluster.cluster.name | |||
| addon_name = "vpc-cni" | |||
| service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn | |||
| service_account_role_arn = var.use_irsa_v1 ? module.vpc_cni_irsa_role.iam_role_arn : null | |||
There was a problem hiding this comment.
@Luay-Sol I recommend to also add addon_version argument here, otherwise it will use default version for the EKS cluster version.
The pod identity does not work if the vpc-cni version is earlier than 1.15.5-eksbuild.1. If we don't set the addon_version explicitly here, the default version for 1.27 for example, is v1.15.1-eksbuild.1 which is earlier than the required version.
There was a problem hiding this comment.
@nagsubhrajitt do you think it is required here. Considering 1.27 it is going to be out of regular support in couple day from now (July 24).
Another consideration is this project is supposed to be used for cluster creation of latest version of k8s/eks. So I don't see a situation or a reason for supporting older versions.
Reason I am on the fence about add-ons version hard coding: it is going to be challenging for us (as maintainers) for this project as well as for the users.
| } | ||
|
|
||
| ################################################################################ | ||
| # IRSA v1 |
There was a problem hiding this comment.
This header should say v2
| @@ -70,3 +70,15 @@ variable "use_random_suffix_in_node_group_name" { | |||
| type = bool | |||
| default = true | |||
| } | |||
|
|
|||
| variable "use_irsa_v1" { | |||
There was a problem hiding this comment.
Would this be better as an 'enum' instead of two booleans?
What type of PR is this?
What this PR does / why we need it:
This pull request encompasses the migration from AWS IAM Roles for Service Accounts (IRSA) to the new IRSAv2, also known as Pod Identity for Amazon EKS. The migration involves the installation of the
eks-pod-identity-agentaddon and updating several critical components to utilize Pod Identity instead of the traditional IRSA module.Changes
eks-pod-identity-agentAddon: Added theeks-pod-identity-agentto our EKS clusters to enable the use of Pod Identity, which provides a more secure and flexible mechanism for associating AWS IAM roles with Kubernetes service accounts.