feat(artifacts): support ephemeral credentials for S3. Fixes #5446 #12467
Conversation
Please see the comments made, generally looks good though
@keymon Still waiting on the argo/pkg PR which you already commented on. There's no point me making the changes requested until that one has been merged in 😞
@isubasinghe I've updated the PR, would appreciate a review when you have time, thank you!
@isubasinghe Sorry to ping again, but would be good if you could review the changes here. The PR has been sitting around for ages and I'd like to avoid having to address merge conflicts in the code gen again.
Yes, please, add support for this as it blocks some local development and unit testing.
argoproj/pkg#596 has been merged and this is ready to merge!
@hittingray will re-review this tomorrow.
@isubasinghe I've rebased it on latest.
Edit: Seems like just pushing another commit to trigger it fixed it, so flakey test it is.
@hittingray Don't stress about the windows tests, they are broken and are not required for merging.
@isubasinghe No worries then. It's ready for your review otherwise then :)
Just some minor changes
@agilgur5 can you review the documentation for me, you are a bit more knowledgeable there about conventions.
Docs review in-line below as requested.
Note that this page has yet to be fully re-written to match the style guide, so some of the style you copied from here is actually non-conformant. A more recent example to copy from is #13376
There's still a few more sections I need to think about the edits for, but the in-line comments cover 80-90% (enough to iterate on)
@hittingray could you please make the suggested changes?
This looks much better, thanks for improving the docs greatly!
I left a few more comments on things that were missed, as well as the remaining sections I hadn't covered
!!! Note "Temporary"
    IAM role credentials are temporary, so you must refresh them periodically via an external mechanism.
    Argo will not refresh them for you.
Argo will not refresh them for you.
I had suggested removing this before as it is redundant with the above sentence.
We can leave it in if you feel strongly about it, but you hadn't commented there, so not sure if leaving this in is intentional.
I'm ok to remove it. Just wanted to make it clear, but I guess the first sentence is already pretty clear.
Yea "external mechanism" == "not Argo". The most explicit way would be to recommend some tooling, but I actually don't know of any that do this out of the box
Yeh, I don't know off the top of my head. For the access grants, we wrote our own admission controller which retrieves the credentials and injects them at workflow creation time, but it's not open source (for now).
@agilgur5 Thanks for the reviews and sorry for all the back-and-forth! Fixed up again with your suggestions.
…ixes argoproj#5446 (argoproj#5446) Signed-off-by: Raymond Chow <[email protected]>
No worries, iteration is progress and progress is good!
Docs LGTM ✅
Thanks @hittingray for your dedication to getting this PR in over a long time period and pushing through all the iteration and upstream changes! ❤️
@isubasinghe you didn't approve this before, so this is now blocked on your previous change request
LGTM
I did a partial backport/cherry-pick of the docs changes to existing features here to
Fixes #5446
Motivation
We would like to use the new S3 access grants feature, which uses only temporary credentials. The aforementioned issue addresses temporary credentials in general (prior to recently though, this would have only been for IAM role).
Modifications
Firstly, some changes needed to be made in the Argo common `pkg` repo: argoproj/pkg#596. I am still waiting for these changes to be reviewed and therefore still have the forked dependency in my `go.mod`. This is quite a small set of changes, as support for temporary credentials was already added to the AWS client in general previously.
Inside the Argo Workflows repo, I have made changes to how the S3 artifact driver is initialised, which mainly includes looking for the session token and using it if applicable. There is also a change on the workflow pod side to fetch the relevant secret if applicable.
Verification
I have written a couple of unit tests to verify the driver and workflow creation behaviour. There was no test for creation of the driver, so I took the liberty of writing a small test to ensure the behaviour of specifically the changes I made. For the changes in `s3.go`, the `s3client` struct is not exported from `argoproj/pkg`, so it made testing the changes I made impossible. I feel the changes made in this file are fairly small anyway.
I have also tested the changes by attempting to write into an S3 bucket in a workflow, using both IAM role and S3 access grant credentials. The behaviour is as expected; and when the credentials are invalid, or expired, an appropriate error message is returned.