Add support for EKS Pod Identity #416

Open
wants to merge 7 commits into main
Conversation

@tongshen-stephanie tongshen-stephanie commented Jan 8, 2025

Issue #, if available: Closes #300

Description of changes:
Introduce an optional parameter usePodIdentity to support EKS Pod Identity

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@tongshen-stephanie tongshen-stephanie requested a review from a team as a code owner January 8, 2025 17:53
@tongshen-stephanie tongshen-stephanie changed the title Add support for Pod Idenity Add support for EKS Pod Identity Jan 8, 2025
codecov-commenter commented Jan 8, 2025

Codecov Report

Attention: Patch coverage is 77.41935% with 35 lines in your changes missing coverage. Please review.

Project coverage is 53.67%. Comparing base (be94dd0) to head (c3ca813).

Files with missing lines Patch % Lines
auth/auth.go 76.64% 26 Missing and 6 partials ⚠️
server/server.go 83.33% 1 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #416      +/-   ##
==========================================
+ Coverage   49.67%   53.67%   +3.99%     
==========================================
  Files           9        9              
  Lines         781      911     +130     
==========================================
+ Hits          388      489     +101     
- Misses        383      404      +21     
- Partials       10       18       +8     


README.md (resolved, outdated)
auth/auth.go (resolved, outdated)
auth/auth.go
return nil, err
}
credProvider := NewIRSACredentialProvider(p.stsClient, *roleArn, p.region)
config, err = credProvider.GetAWSConfig(fetcher)
Contributor

		config, err = credProvider.GetAWSConfig(fetcher)
		if err != nil {
			return nil, err
		}

is common to both blocks of the if statement, so it can be extracted.

Author

Made the change in commit c3ca813.

}
}

func (p *PodIdentityCredentialProvider) GetAWSConfig(fetcher *authTokenFetcher) (*aws.Config, error) {
Contributor

Can we move the two credential providers to their own files in a subfolder?

Author (@tongshen-stephanie) Jan 16, 2025

Do you mean creating a separate folder/package similar to auth? I didn't do it because moving the credential providers to a new folder would also require moving authTokenFetcher at the same time (otherwise it causes a circular dependency, since the credential provider and auth try to import each other). auth is pretty much empty after moving out those two big pieces.

return podIdentityAgentEndpointIPv4
}()

var podIdentityAgentEndpoint = defaultPodIdentityAgentEndpoint
Contributor

Is defaultPodIdentityAgentEndpoint used anywhere else? If not you can remove the extra assignment.

return nil, roleErr
}
credProvider := NewIRSACredentialProvider(p.stsClient, *roleArn, p.region)
config, err = credProvider.GetAWSConfig(fetcher)
Contributor

I think you missed config, err = credProvider.GetAWSConfig(fetcher)

config, err = credProvider.GetAWSConfig(fetcher)

} else {
roleArn, roleErr := p.getRoleARN()
Contributor

This check should be the responsibility of the IRSA credential provider, let's move it to that provider's implementation in its constructor.

Development
Pod Identity Association support