Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sonobuoy: re-set the assume role credentials if it expires #892

Merged
merged 1 commit into from Mar 18, 2024
Merged

sonobuoy: re-set the assume role credentials if it expires #892

merged 1 commit into from Mar 18, 2024

Conversation

gthao313
Copy link
Member

@gthao313 gthao313 commented Mar 18, 2024
edited

Description of changes:
We use IAM Role chaining on ephemeral testing infrastructure. Role chaining limits AWS CLI or AWS API role session to a maximum of one hour. When we assume the k8s new account role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails. Testsys sonobuoy agent needs more than one hour, so we need to refresh the credential when the client asks us to provide credentials

Testing done:

x86-64-aws-k8s-124-conformance                             Test                       passed                                        354                       0                     6619   34b6993c                  2024-03-18T05:13:55Z
x86-64-aws-k8s-124-ipv6-test                             Test                       passed                                           1                        0                        0   34b6993c                  2024-03-18T06:42:51Z
 x86-64-aws-k8s-124-test                                  Test                       passed                                           1                        0                        0   34b6993c                  2024-03-18T06:42:51Z

x86-64-aws-k8s-128-conformance                             Test                       passed                                        384                       0                     7009   34b6993c                  2024-03-18T05:26:33Z
x86-64-aws-k8s-128-test                                    Test                       passed                                          1                       0                        0   34b6993c                  2024-03-18T05:29:00Z
x86-64-aws-k8s-128-nvidia-conformance                      Test                       passed                                        384                       0                     7009   34b6993c                  2024-03-18T06:34:18Z
x86-64-aws-k8s-128-nvidia-test                             Test                       passed                                          2                       0                        0   34b6993c                  2024-03-18T06:37:27Z

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@gthao313 gthao313 marked this pull request as ready for review March 18, 2024 05:43
@gthao313 gthao313 requested review from webern and rpkelly March 18, 2024 16:38
@gthao313
sonobuoy: re-set the assume role credentials if it expires
2a84be3 
We use IAM Role chaining on ephemeral testing infrastructure. Role chaining
limits AWS CLI or AWS API role session to a maximum of one hour. When we assume
the k8s new account role using role chaining and provide a DurationSeconds parameter
value greater than one hour, the operation fails. Testsys sonobuoy agent
needs more than one hour, so we need to refresh the credential
frequently.
@gthao313
Copy link
Member Author

Increase the frequency of credential refresh by reducing refresh loops from 110 to 50.

@gthao313 gthao313 merged commit c778fb6 into bottlerocket-os:develop Mar 18, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rpkelly rpkelly rpkelly approved these changes

@webern webern webern approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@gthao313 @rpkelly @webern