Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OCI: OKE Workload Identity support #64

Merged
merged 4 commits into from
Aug 4, 2023

Conversation

fredtibbitts
Copy link
Contributor

@fredtibbitts fredtibbitts commented Jul 18, 2023

  • I added CHANGELOG entry for this change.
  • Change is not relevant to the end user.

Changes

This PR adds OKE Workload Identity support to the Oracle OCI provider. OKE Workload Identities allow finer-grained access to Oracle OCI resources from OKE workloads. For example, access to object storage buckets can be granted to specific Kubernetes service accounts.

For more information on OKE Workload Identities, see https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm.

Verification

I tested this on an OKE 1.25 cluster, using the following provider configuration:

type: OCI
config:
  provider: oke-workload-identity
  bucket: test-metrics
  region: us-ashburn-1

Store Gateway logs:

ts=2023-07-14T14:44:08.460451209Z caller=factory.go:53 level=info msg="loading bucket configuration"
ts=2023-07-14T14:44:08.460611943Z caller=oci.go:298 level=info msg="creating OCI client" provider=oke-workload-identity
ts=2023-07-14T14:44:09.130805658Z caller=oci.go:342 level=info msg="getting namespace, it might take some time"
ts=2023-07-14T14:44:09.158909901Z caller=inmemory.go:179 level=info msg="created in-memory index cache" maxItemSizeBytes=131072000 maxSizeBytes=262144000 maxItems=maxInt
ts=2023-07-14T14:44:09.159349452Z caller=options.go:26 level=info protocol=gRPC msg="disabled TLS, key and cert must be set to enable"
ts=2023-07-14T14:44:09.160666635Z caller=store.go:519 level=info msg="starting store node"
ts=2023-07-14T14:44:09.160753249Z caller=store.go:418 level=info msg="initializing bucket store"
ts=2023-07-14T14:44:09.160779117Z caller=intrumentation.go:75 level=info msg="changing probe status" status=healthy
ts=2023-07-14T14:44:09.160931807Z caller=http.go:73 level=info service=http/server component=store msg="listening for requests and metrics" address=0.0.0.0:10902
ts=2023-07-14T14:44:09.161264036Z caller=tls_config.go:232 level=info service=http/server component=store msg="Listening on" address=[::]:10902
ts=2023-07-14T14:44:09.161296697Z caller=tls_config.go:235 level=info service=http/server component=store msg="TLS is disabled." http2=false address=[::]:10902
ts=2023-07-14T14:44:12.3997303Z caller=fetcher.go:487 level=info component=block.BaseFetcher msg="successfully synchronized block metadata" duration=3.238864397s duration_ms=3238 cached=60 returned=60 partial=0
ts=2023-07-14T14:44:12.405696227Z caller=bucket.go:675 level=info msg="loaded new block" elapsed=5.885986ms id=01GY0ZYEF7BSH2T9CA2CENQFMR
ts=2023-07-14T14:44:12.41375283Z caller=bucket.go:675 level=info msg="loaded new block" elapsed=13.913072ms id=01GWPY41MT07Y24JKR6V7KX5JC
ts=2023-07-14T14:44:12.414783951Z caller=bucket.go:675 level=info msg="loaded new block" elapsed=14.87897ms id=01GYB2NKBBKX7AZFAGM4P0JMDS
ts=2023-07-14T14:44:12.415185079Z caller=bucket.go:675 level=info msg="loaded new block" elapsed=15.247208ms id=01GY0S2Q7842P2CZ622C5RRYSD
...
ts=2023-07-14T14:44:12.482042943Z caller=bucket.go:675 level=info msg="loaded new block" elapsed=9.046365ms id=01GWP9GVWXF3S5HK07BA8JNGY4
ts=2023-07-14T14:44:12.482189391Z caller=store.go:435 level=info msg="bucket store ready" init_duration=3.321341715s
ts=2023-07-14T14:44:12.482303246Z caller=intrumentation.go:56 level=info msg="changing probe status" status=ready
ts=2023-07-14T14:44:12.482383327Z caller=grpc.go:131 level=info service=gRPC/server component=store msg="listening for serving gRPC" address=0.0.0.0:10901
ts=2023-07-14T14:44:15.252777046Z caller=fetcher.go:487 level=info component=block.BaseFetcher msg="successfully synchronized block metadata" duration=2.770562208s duration_ms=2770 cached=60 returned=60 partial=0

Copy link
Member

@kakkoyun kakkoyun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

I needs a rebase though

if err := config.validateConfig(); err != nil {
return nil, errors.Wrapf(err, "invalid oci configurations")
}
configurationProvider = common.NewRawConfigurationProvider(config.Tenancy, config.User, config.Region,
config.Fingerprint, config.PrivateKey, &config.Passphrase)
case okeWorkloadIdentityConfigProvider:
if err := os.Setenv(auth.ResourcePrincipalVersionEnvVar, auth.ResourcePrincipalVersion2_2); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even though it makes me feel weird to set environment variables to configure the configuration provider, as far as I can understand from glancing at the SDK code, this is the only way :/

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed

@fredtibbitts fredtibbitts force-pushed the oke-workload-identity branch from 6edc991 to 9927596 Compare July 21, 2023 16:57
@fredtibbitts
Copy link
Contributor Author

@kakkoyun I have rebased. Thanks for the review.

Signed-off-by: Fred Tibbitts <fred.tibbitts@oracle.com>
Signed-off-by: Fred Tibbitts <fred.tibbitts@oracle.com>
Signed-off-by: Fred Tibbitts <fred.tibbitts@oracle.com>
Signed-off-by: Fred Tibbitts <fred.tibbitts@oracle.com>
@fredtibbitts fredtibbitts force-pushed the oke-workload-identity branch from 9927596 to fbccb22 Compare July 31, 2023 21:48
@fredtibbitts
Copy link
Contributor Author

@kakkoyun any chance you could merge this please? Thanks in advance.

@kakkoyun kakkoyun merged commit d016428 into thanos-io:main Aug 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants