pipelines
Bump minio client version to support `assume-web-identity-role` for AWS
What steps did you take:
AWS added the IAM For Service Account feature, and AWS users don't have to inject AWS credentials as env variables.
This requires us to use a higher AWS SDK version which supports assume-web-identity-role.
In this case, we need to add a new resolver for the minio client.
Here are the minio js and golang versions.
- https://github.com/kubeflow/pipelines/blob/a92d52242524309a3e684f46d7f7bb570495362d/frontend/server/package.json#L13
- https://github.com/kubeflow/pipelines/blob/master/go.mod#L50
The minimum version to support this issue is:
- https://github.com/minio/minio-go/releases/tag/v6.0.45
- The minio-js side doesn't seem to support this yet.
/kind feature /area frontend /area backend
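What an assume-web-identity-role resolver does under IRSA, as an added example that is not code from Kubeflow Pipelines, minio-go or minio-js: it reads the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables that EKS injects into the pod and exchanges the projected token at STS for temporary credentials, so no static keys sit in env variables or secrets. The function name `ResolveWebIdentity`, the session name `kfp-artifact-client` and the endpoint parameter are assumptions for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// Credentials are the temporary keys STS issues for the pod's IAM role.
type Credentials struct{ AccessKeyId, SecretAccessKey, SessionToken, Expiration string }

// ResolveWebIdentity (hypothetical name) takes the STS endpoint as a parameter for offline tests.
func ResolveWebIdentity(stsEndpoint string) (Credentials, error) {
	roleARN, tokenFile := os.Getenv("AWS_ROLE_ARN"), os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if roleARN == "" || tokenFile == "" {
		return Credentials{}, fmt.Errorf("IRSA not configured: AWS_ROLE_ARN or AWS_WEB_IDENTITY_TOKEN_FILE unset")
	}
	token, err := os.ReadFile(tokenFile) // read on every call: the kubelet rotates this file
	if err != nil {
		return Credentials{}, err
	}
	resp, err := http.PostForm(stsEndpoint, url.Values{
		"Action":           {"AssumeRoleWithWebIdentity"},
		"Version":          {"2011-06-15"},
		"RoleArn":          {roleARN},
		"RoleSessionName":  {"kfp-artifact-client"}, // assumed session name
		"WebIdentityToken": {string(token)},
	})
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Credentials{}, fmt.Errorf("STS rejected the web identity token: %s", resp.Status)
	}
	var out struct {
		Creds Credentials `xml:"AssumeRoleWithWebIdentityResult>Credentials"`
	}
	if err := xml.NewDecoder(resp.Body).Decode(&out); err != nil || out.Creds.AccessKeyId == "" {
		return Credentials{}, fmt.Errorf("no usable credentials in STS response (decode error: %v)", err)
	}
	return out.Creds, nil
}

func main() {
	c, err := ResolveWebIdentity("https://sts.amazonaws.com/")
	fmt.Println(c.AccessKeyId, c.Expiration, err) // print only non-secret fields
}
```

The returned credentials expire, so a client built on this has to call the resolver again before `Expiration` rather than caching the keys for the life of the process.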
We also need to bump the argo workflow version to make sure the Argo sidecar uses the right SDK to persist artifacts to S3.
To be clear, this is different from assuming instance profiles via kube2iam / kiam.
On the Argo side, Argo tracks the awssdk upgrade in this issue: https://github.com/argoproj/argo/issues/1774. This has been included in https://github.com/argoproj/argo/releases/tag/v2.5.0. We need at least this version in KFP.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it.
/reopen
@Jeffwan: Reopened this issue.
/assign
@PatrickXYS the minio-go module is still at 6.0.14, and we would like to use IRSA on EKS. Is there a way this could be bumped up to 6.0.45 or latest? Thanks
Also, any plans to do the same for minio-js?
/assign @surajkota
Suraj will be working on AWS part
/unassign
/unassign
Hi, please reconsider adding support for this. In the meantime the minio-js client also got support for IRSA: https://github.com/minio/minio-js/pull/960. I don't think it's already part of a release, but hopefully the JS parts of Kubeflow can be updated as well somewhere soon. Thanks!
@LEDfan yes, we are waiting for minio-js release 7.0.27 so that we can enable this feature.
Minio-js 7.0.27 was released (https://github.com/minio/minio-js/tree/7.0.27) with assume role support.
@Jeffwan @surajkota @PatrickXYS any plans here?
Yes, we do.
We had started on this and updated minio-go in #7946 but this is not sufficient for the UI to work. For the UI to work, we need minio-js support. Minio-js is also available but the corresponding typescript bindings are not. We have paused on this right now also to investigate user experience. Some of the service accounts are in Kubeflow namespace and some are in user profile namespace. Currently, the ml-pipeline-minio-artifact secret is copied to user namespace so using secrets works.
@rrrkharse feel free to post the latest on this, if I missed something
Closing this issue. Looks like the PR is closed and it covered what this issue asked as feature.
/close
@rimolive: Closing this issue.