samson
EKS
Documentation about the Kubernetes plugin mentions connecting to EKS clusters. I naively tried using the kubeconfig you get from EKS and adding it to Samson, but I just got an error.
So my question is just: how do I get Samson to talk to an EKS cluster?
What is the error?
Try `kubectl get pods` or similar with the config file to make sure it actually works.
The config works fine for me, I'm using the cluster already for some things.
The error in Samson is just "can't connect to api server" or something like that.
Here is an example config. As you can see, it uses exec and uses the aws cli to fetch a token:
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xxxx
    server: https://xxxx.sk1.eu-west-1.eks.amazonaws.com
  name: arn:aws:eks:eu-west-1:123:cluster/foo
contexts:
- context:
    cluster: arn:aws:eks:eu-west-1:123:cluster/foo
    user: arn:aws:eks:eu-west-1:123:cluster/foo
  name: foo
current-context: foo
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-1:123:cluster/foo
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-1
      - eks
      - get-token
      - --cluster-name
      - foo
      command: aws
      env: null
```
Yeah, Samson does not support that syntax ... as per https://github.com/abonas/kubeclient/issues/397 (kubeclient is what Samson uses to talk to Kubernetes) "use the --token option and also --api-server" ... I guess that means generate a token and put that into the config ... but that will break after 12h I think (when the token expires), so some code like https://github.com/abonas/kubeclient/pull/404/files might help ... but I don't have the time/EKS cluster to tinker with that ... PR welcome if you get it working, otherwise try and see if EKS offers any other auth mechanism.
Ye, I figured it wouldn't just work as is. Just wanted to make sure. A quick workaround is to put a proxy in front of EKS that does the auth and have Samson call the proxy. I have that working, but it's not a long-term solution. Will see if I try to make a PR for this. Thx for the input!
@thrawny Would you mind explaining what you ended up doing? I'm in a similar position to yours.
You set up a proxy that calls EKS and then Samson calls the proxy. In my specific case I made a simple golang app. It would just proxy requests to EKS including auth headers and so on. Don't expose the proxy externally! When I made it I was hoping it would be a temporary thing but as many things go, it ended up being temporarily permanent.
@thrawny That sounds neat. Is that something you would be willing to open source? It sounds like something that has potential other use-cases as well 🚀
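The proxy workaround described in this thread, as an added example (it is not thrawny's proxy and not part of Samson): a loopback-only reverse proxy that replaces the caller's `Authorization` header with a token from `aws eks get-token` and refetches it before expiry. The name `newProxy`, port 8001, and supplying the cluster CA through `SSL_CERT_FILE` are assumptions; the host and cluster name are the placeholders from the kubeconfig above.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os/exec"
	"sync"
	"time"
)

// newProxy forwards to api with a bearer token parsed from fetch's ExecCredential JSON,
// refetching one minute before expiry and replacing any caller-supplied Authorization header.
func newProxy(api *url.URL, fetch func() ([]byte, error)) http.Handler {
	var mu sync.Mutex
	var cred struct {
		Status struct{ Token string; ExpirationTimestamp time.Time }
	}
	rp := httputil.NewSingleHostReverseProxy(api)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		var err error
		if time.Until(cred.Status.ExpirationTimestamp) < time.Minute {
			var raw []byte
			if raw, err = fetch(); err == nil {
				err = json.Unmarshal(raw, &cred)
			}
		}
		tok := cred.Status.Token
		mu.Unlock()
		if err != nil || tok == "" {
			http.Error(w, "cannot obtain cluster token", http.StatusBadGateway)
			return
		}
		r.Host = api.Host // NewSingleHostReverseProxy does not rewrite Host
		r.Header.Set("Authorization", "Bearer "+tok)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Assumption: SSL_CERT_FILE points at the decoded certificate-authority-data PEM.
	api := &url.URL{Scheme: "https", Host: "xxxx.sk1.eu-west-1.eks.amazonaws.com"}
	awsCLI := func() ([]byte, error) {
		return exec.Command("aws", "--region", "eu-west-1", "eks", "get-token", "--cluster-name", "foo").Output()
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8001", newProxy(api, awsCLI))) // loopback only
}
```

Anything that can reach the listener acts with the proxy's cluster identity, so the bind address and the RBAC permissions of the IAM identity behind `aws` are the two controls that matter here.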