Task, Resolution: Done
Sprints: RHOAM Sprint 32, API CCS Sprint 34 (3Scale), API CCS Sprint 35 (3Scale), API CCS Sprint 36 (3Scale), API CCS Sprint 37 (3Scale), API CCS Sprint 38 (3Scale), API CCS Sprint 39 (3Scale), API CCS Sprint 40 (3Scale), API CCS Sprint 42 (3Scale), API CCS Sprint 43 (3Scale), API CCS Sprint 44 (3Scale)
Currently, when the system storage type is set to s3, the operator reads a secret (referenced in the APIManager CR) and passes all the info to the system pods via env vars:

```
FILE_UPLOAD_STORAGE=s3   # notify system that s3 storage is wanted
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_BUCKET
AWS_REGION
AWS_PROTOCOL
AWS_HOSTNAME
AWS_PATH_STYLE
```
This is all the AWS CLI needs to access the AWS S3 endpoints with long-lived credentials.
With the new support for STS authentication (AWS Security Token Service, which issues short-term, limited-privilege credentials), the secret generated by the Cloud Credential Operator tooling looks like this:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: 3scale-dev-eng-system-assets-cloud-credentials
  namespace: 3scale-sts-rael
type: Opaque
stringData:
  credentials: |-
    [default]
    role_arn = arn:aws:iam::12345:role/dev-eng-ocp4-sts-3scale-sts-rael-system-aws-creds
    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
```
ApiManager CR - STS flag will be added
An `sts` boolean flag will be added to the APIManager CR so the operator can tell whether the cluster uses STS or IAM credentials.
Example for an STS cluster:

```yaml
apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager-sample
  namespace: 3scale-test
spec:
  system:
    fileStorage:
      simpleStorageService:
        configurationSecretRef:
          name: s3-credentials
        sts: true
  wildcardDomain: <wildcardDomain>
```
Secret types and keys
The proposal is to support both IAM and STS credential secrets in the APIManager CR at `spec.system.fileStorage.simpleStorageService.configurationSecretRef`:

```yaml
apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager-s3-sample
spec:
  wildcardDomain: <desired-domain>
  system:
    fileStorage:
      simpleStorageService:
        configurationSecretRef:
          name: <configuration-secret-name> # Support for both IAM and STS secret format
```
The IAM AWS secret keeps the format used until now; no changes:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: aws-auth
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: 1234567
  AWS_SECRET_ACCESS_KEY: 987654321
  AWS_BUCKET: mybucket.example.com
  AWS_REGION: eu-west-1
```
The STS AWS secret would have the following format (not all fields are shown; all available fields, required or optional, will be documented):

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: s3-credentials
  namespace: redhat-rhoam-3scale
type: Opaque
data:                                   # values under data must be base64-encoded
  AWS_ROLE_ARN: <role>
  AWS_WEB_IDENTITY_TOKEN_FILE: <token_path>
  AWS_BUCKET: <bucket_name>
  AWS_REGION: <region>
```

Summary of keys for each secret type:
| Secret key | IAM | STS | Required |
|---|---|---|---|
| AWS_ACCESS_KEY_ID | | | |
| AWS_SECRET_ACCESS_KEY | | | |
| AWS_ROLE_ARN | | | |
| AWS_WEB_IDENTITY_TOKEN_FILE | | | |
| AWS_BUCKET | | | |
| AWS_REGION | | | |
| AWS_HOSTNAME | | | |
| AWS_PROTOCOL | | | |
| AWS_PATH_STYLE | | | |
SystemApp Environment Variables
The 3scale operator will pass the following env vars depending on the type of the S3 secret:

| Env var | IAM | STS |
|---|---|---|
| FILE_UPLOAD_STORAGE | | |
| AWS_ACCESS_KEY_ID | | |
| AWS_SECRET_ACCESS_KEY | | |
| AWS_ROLE_ARN | | |
| AWS_WEB_IDENTITY_TOKEN_FILE | | |
| AWS_BUCKET | | |
| AWS_REGION | | |
| AWS_HOSTNAME | | |
| AWS_PROTOCOL | | |
| AWS_PATH_STYLE | | |
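The two sections above (secret keys per type, and the env vars the operator derives from them) can be exercised in a small Go program. This is an added example written for this page, not code from the 3scale operator; it models the secret as a plain `map[string]string` instead of a Kubernetes `Secret` object so it runs offline, and the choice of which keys are mandatory (`AWS_BUCKET` and `AWS_REGION` always, plus the two IAM or the two STS keys) is an assumption that follows the example secrets in the ticket, not the documented contract. The security-relevant behaviour it shows is that a secret mixing static keys with STS keys is rejected outright, and that an STS pod only ever receives STS-related variables.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// S3AuthType is the credential type detected from the keys present in the
// configuration secret referenced by the APIManager CR.
type S3AuthType string

const (
	S3AuthUnknown S3AuthType = ""
	S3AuthIAM     S3AuthType = "IAM" // long-lived access key id + secret access key
	S3AuthSTS     S3AuthType = "STS" // role ARN + projected web identity token file
)

// Key sets. Which keys are mandatory is an assumption of this example (it
// follows the example secrets in the ticket), not the documented contract.
var (
	commonRequired = []string{"AWS_BUCKET", "AWS_REGION"}
	commonOptional = []string{"AWS_HOSTNAME", "AWS_PROTOCOL", "AWS_PATH_STYLE"}
	iamKeys        = []string{"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
	stsKeys        = []string{"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"}
)

// hasAny reports whether at least one of keys has a non-empty value.
func hasAny(secret map[string]string, keys []string) bool {
	for _, k := range keys {
		if strings.TrimSpace(secret[k]) != "" {
			return true
		}
	}
	return false
}

// missing returns the keys that are absent or empty, in the order given.
func missing(secret map[string]string, keys []string) []string {
	var out []string
	for _, k := range keys {
		if strings.TrimSpace(secret[k]) == "" {
			out = append(out, k)
		}
	}
	return out
}

// DetectS3AuthType classifies the secret by its keys. A secret carrying both
// static keys and STS keys is rejected instead of silently picking one, so a
// long-lived key never ends up in a pod that was meant to run with STS.
func DetectS3AuthType(secret map[string]string) (S3AuthType, error) {
	iam, sts := hasAny(secret, iamKeys), hasAny(secret, stsKeys)
	switch {
	case iam && sts:
		return S3AuthUnknown, errors.New("secret mixes IAM and STS keys; use exactly one credential type")
	case iam:
		return S3AuthIAM, nil
	case sts:
		return S3AuthSTS, nil
	}
	return S3AuthUnknown, errors.New("secret has neither IAM nor STS credential keys")
}

// SystemEnv builds the env vars handed to the system pods for the detected
// type. Only keys belonging to that type (plus the shared optional ones) are copied.
func SystemEnv(secret map[string]string) (map[string]string, error) {
	t, err := DetectS3AuthType(secret)
	if err != nil {
		return nil, err
	}
	required := append([]string{}, commonRequired...)
	if t == S3AuthIAM {
		required = append(required, iamKeys...)
	} else {
		required = append(required, stsKeys...)
	}
	if m := missing(secret, required); len(m) > 0 {
		return nil, fmt.Errorf("%s secret is missing required keys: %s", t, strings.Join(m, ", "))
	}
	// The SDK reads the token from the projected volume's mount path, so the
	// path must be absolute; a relative path would only fail later, at runtime.
	if t == S3AuthSTS && !path.IsAbs(secret["AWS_WEB_IDENTITY_TOKEN_FILE"]) {
		return nil, fmt.Errorf("AWS_WEB_IDENTITY_TOKEN_FILE must be an absolute path, got %q", secret["AWS_WEB_IDENTITY_TOKEN_FILE"])
	}
	env := map[string]string{"FILE_UPLOAD_STORAGE": "s3"} // tells system that S3 storage is wanted
	for _, k := range append(required, commonOptional...) {
		if v := strings.TrimSpace(secret[k]); v != "" {
			env[k] = v
		}
	}
	return env, nil
}

func main() {
	// Constructed sample STS secret mirroring the shape in the ticket (placeholder values).
	sts := map[string]string{
		"AWS_ROLE_ARN":                "arn:aws:iam::12345:role/example-role",
		"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/openshift/serviceaccount/token",
		"AWS_BUCKET":                  "mybucket.example.com",
		"AWS_REGION":                  "eu-west-1",
	}
	env, err := SystemEnv(sts)
	fmt.Printf("env=%v err=%v\n", env, err)
}
```

In the real operator the same classification would run in the reconciler before the system Deployment/DeploymentConfig is rendered, and a rejected secret should surface as a CR status condition rather than a pod that crashes on first S3 call.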
Dev notes:
- The operator will add a projected volume to the system pods to request the bound service account token.

```yaml
kind: Pod
apiVersion: v1
metadata:
  name: aws-cli
  namespace: 3scale-sts-rael
spec:
  containers:
    - name: bla
      image: <aws-cli-image>   # placeholder; the image was omitted in the original note
      volumeMounts:
        - name: bound-sa-token
          readOnly: true
          mountPath: /var/run/secrets/openshift/serviceaccount
  volumes:
    - name: bound-sa-token
      projected:
        defaultMode: 420
        sources:
          - serviceAccountToken:
              audience: openshift
              expirationSeconds: 3600
              path: token
```
Maybe, instead of `/var/run/secrets/openshift/serviceaccount`, to avoid clashes, we can use:

```yaml
volumeMounts:
  - mountPath: "/var/run/secrets/eks.amazonaws.com/serviceaccount/"
    name: aws-token
volumes:
  - name: aws-token
    projected:
      sources:
        - serviceAccountToken:
            audience: "sts.amazonaws.com"
            expirationSeconds: 86400
            path: token
```
The doc should have reference to STS configured cluster pre-requisite:
- https://docs.openshift.com/container-platform/4.11/authentication/managing_cloud_provider_credentials/cco-mode-sts.html
- https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts.md
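The two projected-volume variants above differ in the `audience` they request (`openshift` versus `sts.amazonaws.com`), and AWS STS only accepts a web identity token whose `aud` matches an audience registered on the IAM OIDC identity provider. As an added example for this page (not code from the ticket, the operator, or the referenced docs), the following Go program decodes the payload of a projected token and checks audience, subject and expiry, which is a quick way to validate a volume definition during development. It does not verify the signature; the kube-apiserver signs the token and STS verifies it against the issuer's published JWKS, so this is a configuration sanity check, not authentication. The service account name in `main` is a placeholder, and `MakeSampleToken` exists only so the example runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims are the payload fields of a projected service account token that
// this check looks at; in a JWT, aud may be a single string or an array.
type claims struct {
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
	Sub string          `json:"sub"`
}

// audiences normalises the aud claim to a slice.
func (c claims) audiences() ([]string, error) {
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(c.Aud, &many); err != nil {
		return nil, errors.New("aud claim is neither a string nor an array")
	}
	return many, nil
}

// CheckProjectedToken decodes a projected service account token's payload and
// checks that it carries the audience the IAM OIDC provider trusts, is bound to
// the expected service account, and has not expired at time now. The signature
// is deliberately not verified here (see the lead-in above).
func CheckProjectedToken(token, wantAud, wantSub string, now time.Time) error {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload is not base64url: %w", err)
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("payload is not JSON: %w", err)
	}
	auds, err := c.audiences()
	if err != nil {
		return err
	}
	found := false
	for _, a := range auds {
		found = found || a == wantAud
	}
	if !found {
		return fmt.Errorf("token aud %v does not include %q: serviceAccountToken.audience in the projected volume must match the IAM OIDC provider's audience", auds, wantAud)
	}
	if c.Sub != wantSub {
		return fmt.Errorf("token sub %q, expected %q", c.Sub, wantSub)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token expired: kubelet rotates projected tokens, so re-read the file instead of caching its contents")
	}
	return nil
}

// MakeSampleToken builds an unsigned JWT (alg "none") with the given claims so
// this example can run offline. Real tokens are minted by the kube-apiserver;
// an unsigned token is never accepted by AWS STS.
func MakeSampleToken(aud []string, sub string, exp time.Time) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "none", "typ": "JWT"}
	body := map[string]interface{}{"aud": aud, "sub": sub, "exp": exp.Unix()}
	return enc(header) + "." + enc(body) + "."
}

func main() {
	// Constructed values: the service account name is a placeholder.
	now := time.Now()
	sub := "system:serviceaccount:3scale-sts-rael:placeholder-system-sa"
	tok := MakeSampleToken([]string{"openshift"}, sub, now.Add(time.Hour))
	fmt.Println("audience openshift:", CheckProjectedToken(tok, "openshift", sub, now))
	fmt.Println("audience sts.amazonaws.com:", CheckProjectedToken(tok, "sts.amazonaws.com", sub, now))
}
```

Against a live pod the same check would be run on the contents of the mounted `token` file; the expiry branch is the reminder that the SDK (or anything else reading the file) must re-read it on each credential refresh rather than keep the first value it saw.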
TESTS
Please see the attached file validation_help.txt.
Issue links:
- blocks: MGDAPI-4715 RHOAM 3scale native STS support (Dev Complete)
- is caused by: THREESCALE-7132 Add support for STS authentication for S3 bucket used in 3Scale (Closed)