[dev-v2.8] [rancher-logging] Backport PR #2646, logging account service annotation
Issue:
Backport of https://github.com/rancher/charts/pull/2646 for Rancher 2.8
Problem
To avoid usage of long-lived credentials or EC2 Instance Profiles and to narrow down the granted permissions, it's best practice for AWS customers to use IAM Roles for Service Accounts (IRSA). In kube-logging and the plugin fluent-plugin-cloudwatch-logs this is in general supported but requires an appropriate serviceAccount annotation in the Logging resource. Every logging resource has its own service account and therefore requires individual annotations. Adding them after deploying rancher-logging is possible but more complicated and risks being changed or overridden by the next Helm run.
Solution
Package patch version bumped based on https://github.com/rancher/charts/tree/dev-v2.9?tab=readme-ov-file#versioning-charts
I added a new value loggingServiceAccountAnnotations to add annotations based on the logging resource, usage:

```yaml
## Syntax ##
# <logging-name>:
#   <key>: <value>
#
## Example ##
#
# root:
#   eks.amazonaws.com/role-arn: <RoleARN>
#
## Result - added to the Logging resource ##
#
# spec:
#   fluentd:
#     serviceAccount:
#       metadata:
#         annotations:
#           eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-iam-role
#
```
My use case is limited to Amazon EKS, so I only added logic for the root and eks loggings to use the values configured via loggingServiceAccountAnnotations. This can of course be extended if required.
Testing
Engineering Testing
Manual Testing
Done as part of https://github.com/rancher/charts/pull/2646
Automated Testing
QA Testing Considerations
Regressions Considerations
Backporting considerations
Validation steps
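The mapping the PR describes (a per-Logging-name map of annotations in values becoming `spec.fluentd.serviceAccount.metadata.annotations` on the rendered Logging resource) can be modelled outside Helm, which also makes it easy to audit rendered manifests for a Logging whose fluentd service account never received its role-arn annotation and would therefore fall back to whatever credentials the node provides. The following is an added example, not code from the rancher-logging chart or from the PR: it assumes the chart only annotates the `root` and `eks` Logging resources as the description says, uses the `logging.banzaicloud.io/v1beta1` API group of the kube-logging operator, and the sample values and the role-ARN pattern used by the audit are constructed for illustration.

```python
"""Added example (not the rancher-logging chart's own code): model how a
loggingServiceAccountAnnotations value maps onto the Logging resources the
chart renders, and audit rendered Logging manifests for the IRSA annotation."""
import re

# Logging resources the PR wires up; assumption: these are the only ones
# the chart renders with service-account annotations.
ANNOTATED_LOGGINGS = ("root", "eks")

# Annotation key the EKS pod identity webhook reads. The ARN shape below is an
# assumption used only by the audit, not something the chart validates.
ROLE_ARN_KEY = "eks.amazonaws.com/role-arn"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def render_logging(name: str, values: dict) -> dict:
    """Return a minimal Logging resource for `name`, applying any annotations
    configured under values['loggingServiceAccountAnnotations'][name]."""
    resource = {
        "apiVersion": "logging.banzaicloud.io/v1beta1",
        "kind": "Logging",
        "metadata": {"name": name},
        "spec": {"fluentd": {}},
    }
    annotations = values.get("loggingServiceAccountAnnotations", {}).get(name)
    if annotations:
        # Same nesting the PR shows under "Result - added to the Logging resource".
        resource["spec"]["fluentd"]["serviceAccount"] = {
            "metadata": {"annotations": dict(annotations)}
        }
    return resource


def render_all(values: dict) -> list:
    """Render the root and eks Logging resources from a values mapping."""
    return [render_logging(name, values) for name in ANNOTATED_LOGGINGS]


def audit_irsa(resources: list) -> list:
    """Return (name, reason) findings for Logging resources whose fluentd
    service account has no well-formed role-arn annotation."""
    findings = []
    for resource in resources:
        name = resource["metadata"]["name"]
        annotations = (
            resource.get("spec", {})
            .get("fluentd", {})
            .get("serviceAccount", {})
            .get("metadata", {})
            .get("annotations", {})
        )
        arn = annotations.get(ROLE_ARN_KEY)
        if arn is None:
            findings.append((name, "missing role-arn annotation"))
        elif not ROLE_ARN_RE.match(arn):
            findings.append((name, f"malformed role ARN: {arn}"))
    return findings


# Constructed sample values: root gets a role, eks is deliberately left out
# so the audit has something to report.
SAMPLE_VALUES = {
    "loggingServiceAccountAnnotations": {
        "root": {ROLE_ARN_KEY: "arn:aws:iam::123456789012:role/my-iam-role"},
    }
}

if __name__ == "__main__":
    rendered = render_all(SAMPLE_VALUES)
    for finding in audit_irsa(rendered):
        print("FINDING:", *finding)
```

Running the module prints one finding for the `eks` Logging, which is the situation the PR's per-resource annotation map is meant to make explicit: every Logging that should use IRSA needs its own entry, and a resource without one keeps running with the node's credentials rather than a scoped role.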
- Ensure all container images have repository and tag on the same level, so that all container images are included in rancher-images.txt, which is used by airgap customers. Ex:
  ```yaml
  longhorn-controller:
    repository: rancher/hardened-sriov-cni
    tag: v2.6.3-build20230913
  ```
- Add a 👍 (thumbs up) reaction to this comment once done. CI won't pass without this reaction to the github-action bot's latest validation comment.
- Approve the PR to run the CI check.
@joshmeranda backport of the rancher-logging PR for logging sa annotation support as discussed by mail. My understanding of https://github.com/rancher/charts/tree/dev-v2.9?tab=readme-ov-file#versioning-charts is that the patch version has to be bumped as part of it. The rest is a cherry-pick from https://github.com/rancher/charts/pull/2646. Looking forward to your feedback.
@kevinayres FYI
@nicholasSUSE thanks for approving, is anything else required from me to merge the PR?
I see that https://github.com/rancher/charts/pull/3731 causes a conflict now. Taking a look into the related issue https://github.com/rancher/rancher/issues/44727, I wonder if that means I should backport on top of rancher-logging-103.1.0-rc1+up4.4.0 instead?
@joshmeranda I see you worked on the related PR, tagging you for feedback.
Is anything blocking this merge? Can we have action please? Thanks
@nicholasSUSE - error is "Error: The latest validation comment by github-actions[bot] does not have the required thumbs-up reaction!". Is there something you need from Dominic or can this be merged? It's been dormant a while now. Thank you.