Cut release that includes update to aws-sdk-go dependency in support of IRSA #3756
Comments
This would be a huge win, having to use an IAM user to access S3 storage at the moment, dealing with key rotation etc, is a pain in the ass.
@milosgajdos Maybe you could give a timeline on this?
Posting #3809 as this is relevant as well.
Hi @milosgajdos - do you or the team have any update on this?
No immediate plans for this.
Any chance we can get this prioritized? Right now, it's impossible to use S3 storage while following current best practices for IAM. This is going to be a stumbling block for most people trying to use S3 with a newly deployed cluster going forward. If not, at least some mention in the docs that IRSA is not supported would be a real improvement. You can follow the docs exactly right now and if you're depending on IRSA things will just fail. Debugging AWS IAM issues is never fun!
My best recommendation is to look into using the
@milosgajdos this doesn't help where we're waiting on it for other projects, like Harbor. Harbor only follows tagged releases. It's also not really great from a perspective of running production workloads, I can't think of many people who'd be happy tagging on What's the reasoning for not releasing this fix?
I think I explained it in the last I can't speak on behalf of
Perhaps we could take the momentum on this issue and redirect it to getting the Harbor maintainers to pin the base of the
It's not like they're getting more frequent updates by sticking to official releases for
I think one of the upstream maintainers is also a Harbor maintainer cc: @wy65701436
Closing, addressed in the latest release: https://github.com/distribution/distribution/releases/tag/v3.0.0-alpha.1
IRSA support by upgrading aws-sdk-go dependency

The version (v1.15.11) of the aws-sdk-go included in the latest tag of this repository (v2.8.1), is four years old and lacks the functionality required to facilitate IAM Role for Service Accounts (IRSA), which is now the preferred method of retrieving temporary credentials for AWS API calls in a Kubernetes context. There was some discussion in reference to doing this on the PR for v2.8.0, but that seems to have died out.

We performed some testing using the edge tag as recommended to rebuild the photon-registry image used by goharbor with a much newer version of aws-sdk-go included in the registry binary, and were successful in leveraging the IRSA resources we have in place to use S3 as a backend for Harbor, whereas prior to the rebuild (i.e. using v2.8.1 of this repository to build the harbor-photon image) we would get errors like this.

In a nutshell, we can confirm that IRSA will work for any project that currently relies on this project for registry, which would be a huge win for a lot of people currently struggling to use S3 for blob storage with registry via IRSA.
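
A preflight check for the failure mode this issue describes, as an added example that is not part of the original issue or the project's code: it flags a pod that has the IRSA variables injected but runs a binary built against an aws-sdk-go v1 too old to use them. The function names, status strings and sample values are hypothetical, and the 1.23.13 minimum is an assumption taken from the AWS EKS documentation, not from this thread.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: 1.23.13 is the minimum aws-sdk-go v1 release AWS documents for
// IRSA (EKS user guide); the issue itself does not state a minimum.
var minIRSA = [3]int{1, 23, 13}

// sdkSupportsIRSA compares a version such as "v1.15.11" against minIRSA.
func sdkSupportsIRSA(v string) (bool, error) {
	var got [3]int
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if _, err := fmt.Sscanf(v, "%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return false, fmt.Errorf("unparseable version %q: %w", v, err)
	}
	for i := range got {
		if got[i] != minIRSA[i] {
			return got[i] > minIRSA[i], nil
		}
	}
	return true, nil
}

// Diagnose returns "ok", "sdk-too-old", "no-irsa-env" or "bad-version".
func Diagnose(sdkVersion string, env map[string]string) string {
	// The EKS pod identity webhook injects both variables into annotated pods.
	injected := env["AWS_ROLE_ARN"] != "" && env["AWS_WEB_IDENTITY_TOKEN_FILE"] != ""
	supported, err := sdkSupportsIRSA(sdkVersion)
	switch {
	case err != nil:
		return "bad-version"
	case !injected:
		return "no-irsa-env" // service account not annotated, or pod not mutated
	case !supported:
		return "sdk-too-old" // variables present, but an SDK this old does not read them
	}
	return "ok"
}

func main() {
	env := map[string]string{ // constructed sample values
		"AWS_ROLE_ARN":                "arn:aws:iam::111122223333:role/example-registry",
		"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
	}
	fmt.Println("v1.15.11:", Diagnose("v1.15.11", env))
	fmt.Println("v1.44.0: ", Diagnose("v1.44.0", env))
}
```

In a real pod, build the map from os.Environ() and take the SDK version from the go.mod or vendor manifest of the tag the image was built from.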