Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2767

sts cloudwatch secret should accept the secret format from credential requests

    XMLWordPrintable

Details

    • False
    • None
    • False
    • NEW
    • OBSDA-59 - CloudWatch log forwarding add-on needs to support STS installations
    • VERIFIED
    • 2
    • Log Collection - Sprint 221, Log Collection - Sprint 222

    Description

      Current format accepted, per LOG-1977:

      apiVersion: v1
      kind: Secret
      metadata:
        namespace: openshift-logging 
        name: my-secret-name
      stringData:
        role_arn: arn:aws:iam::123456789012:role/my-role_with-permissions  
      
      

       

      We will update to utilize the secret format from the "using manual mode with STS" docs.   https://docs.openshift.com/container-platform/4.7/authentication/managing_cloud_provider_credentials/cco-mode-sts.html     

      apiVersion: v1
      kind: Secret
      metadata:
        namespace: openshift-logging 
        name: my-secret-name
      stringData:
        credentials: |-
          [default]
          role_name: arn:aws:iam::123456789012:role/my-role_with-permissions
          web_identity_token_file: /var/run/secrets/openshift/serviceaccount/token   

       


      As an additional note, the current solution will also accept a secret created by `oc create secret --from-literal` command:

      oc create secret generic cw-sts-secret -n openshift-logging --from-literal=role_arn=arn:aws:iam::123456789012:role/my-role_with-permissions

      Will create a secret in the following accepted format: 

      kind: Secret
      apiVersion: v1
      metadata:
        name: cw-sts-secret
        namespace: openshift-logging
      data:
        role_arn: >-
          YXJuOmF3czppYW06OjI2OTczEXAMPLEjpyb2xlL2NhaGFydG1hLTA2MjfoofNoaWZ0LWxvZ2dpbmctcm9sZS1mb3Itc3Rz 

      Acceptance Criteria

      • "credentials" key must also be a valid secret key, with the arn encoded and correctly formatted within the string.   This matches what is created via a Credential Request

      Attachments

        Issue Links

          Activity

            People

              cahartma@redhat.com Casey Hartman
              cahartma@redhat.com Casey Hartman
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: