feat(fluent-operator): add custom fluent-bit serviceAccountAnnotations parameter #414

Closed
wants to merge 4 commits into from


sharkeyl
Contributor

@sharkeyl sharkeyl commented Aug 25, 2023

We're deploying the fluent-operator, and corresponding FluentBit resource, on an AWS EKS cluster. As we are using IAM Roles for Service Accounts, we need the ability to add the below annotation to the service account to provide the fluent-bit Pods with access to push to our log sink:

metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/fluent-bit-role

Without this, we see the following error messages in the fluent-bit Pods:

[2023/08/25 12:41:41] [error] [aws_credentials] STS assume role request failed
[2023/08/25 12:41:41] [ warn] [aws_credentials] No cached credentials are available and a credential refresh is already in progress. The current co-routine will retry.

With the changes in this PR, the service account is correctly annotated to enable the Pods to assume the AWS IAM role.

I wasn't sure whether:

  • The chart version should be bumped in the PR or whether this is automated.
  • These changes need to be made to the fluent/fluent-operator chart first.

Please let me know if there are any changes required.

To reproduce

You'll need an AWS IAM role with a trust relationship that the fluent-bit Pods can assume via IRSA.

I've installed the Helm chart from the local chart directory, i.e. helm-charts/charts/fluent-operator, using the following command:

helm upgrade --install --namespace kube-system fluent-operator . --values local-values.yaml

Where the local-values.yaml file contains:

namespaceOverride: kube-system
containerRuntime: containerd
operator:
  disableComponentControllers: fluentd
fluentbit:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::781632261136:role/dev-aws-for-fluent-bit-access
fluentd:
  crdsEnable: false
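
The annotation only works if the role's trust relationship accepts the Pod's identity, and that trust policy is where the role gets scoped to one ServiceAccount. The check below is an added example, not code from this PR or from the fluent-operator project; the OIDC issuer ID, the ServiceAccount name `fluent-bit` and both sample policies are constructed assumptions.

```python
# Constructed values (assumptions, not from the PR): the OIDC issuer ID and the
# ServiceAccount name "fluent-bit". kube-system is the namespace the PR uses.
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDCID"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + OIDC
EXPECTED_SUB = "system:serviceaccount:kube-system:fluent-bit"

def _as_list(v):
    return [] if v is None else v if isinstance(v, list) else [v]

def check_irsa_trust(policy, oidc=OIDC, expected_sub=EXPECTED_SUB):
    """Return findings for an IAM trust policy dict; empty list means scoped."""
    findings = []
    web = [s for s in _as_list(policy.get("Statement"))
           if s.get("Effect") == "Allow"
           and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action"))]
    if not web:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    for s in web:
        principal = s.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not any(f.endswith(":oidc-provider/" + oidc) for f in federated):
            findings.append("principal is not the cluster OIDC provider")
        cond = s.get("Condition", {})
        equals = cond.get("StringEquals", {})
        # The sub claim must be pinned exactly; a StringLike wildcard is not a pin.
        if expected_sub not in _as_list(equals.get(oidc + ":sub")):
            loose = [v for v in _as_list(cond.get("StringLike", {}).get(oidc + ":sub")) if "*" in v]
            findings.append("sub matched by wildcard: " + ", ".join(loose) if loose
                            else "sub not pinned to " + expected_sub)
        if "sts.amazonaws.com" not in _as_list(equals.get(oidc + ":aud")):
            findings.append("aud not pinned to sts.amazonaws.com")
    return findings

def _policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": PROVIDER_ARN}, "Condition": condition}]}

# Constructed trust policies: one pinned to a single ServiceAccount, one that
# lets any ServiceAccount in the cluster assume the role.
SCOPED = _policy({"StringEquals": {OIDC + ":sub": EXPECTED_SUB,
                                   OIDC + ":aud": "sts.amazonaws.com"}})
LOOSE = _policy({"StringLike": {OIDC + ":sub": "system:serviceaccount:*:*"}})

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED), ("loose", LOOSE)):
        print(name, check_irsa_trust(pol) or "ok")
```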

@benjaminhuo
Member

For PRs of the fluent operator chart, we recommend submitting to https://github.com/fluent/fluent-operator/tree/master/charts first; we'll sync each fluent operator release chart here in this repo.

@sharkeyl
Contributor Author

sharkeyl commented Sep 4, 2023

Thanks @benjaminhuo, I've raised a PR to that repo here: fluent/fluent-operator#898

@benjaminhuo
Member

@sharkeyl Can this be closed because fluent-operator v2.5.0 is merged now?

@sharkeyl
Contributor Author

Apologies for not closing earlier - I didn't spot your comment. Closing.

@sharkeyl sharkeyl closed this Oct 12, 2023