Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EKS #3702

Open
thrawny opened this issue Jan 9, 2020 · 8 comments
Open

EKS #3702

thrawny opened this issue Jan 9, 2020 · 8 comments

Comments

@thrawny
Copy link

thrawny commented Jan 9, 2020

Documentation about the kubernetes plugin mentions connecting to EKS clusters. I naively tried using the kubeconfig you get using EKS and adding to samson, but I just got an error.

So my question is just; How to solve getting samson to talk to an EKS cluster?
@grosser
Copy link
Contributor

grosser commented Jan 9, 2020

what is the error ?

@grosser
Copy link
Contributor

grosser commented Jan 9, 2020

try kubectl get pods or similar with the config file to make sure it actually works

@thrawny
Copy link
Author

thrawny commented Jan 10, 2020

the config works fine for me, i'm using the cluster already for some things

the error in samson is just "can't connect to api server" or something like that

here is an example config, as you can see it uses exec and uses the aws cli to fetch a token

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xxxx
    server: https://xxxx.sk1.eu-west-1.eks.amazonaws.com
  name: arn:aws:eks:eu-west-1:123:cluster/foo
contexts:
- context:
    cluster: arn:aws:eks:eu-west-1:123:cluster/foo
    user: arn:aws:eks:eu-west-1:123:cluster/foo
  name: foo
current-context: foo
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-1:123:cluster/foo
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-1
      - eks
      - get-token
      - --cluster-name
      - foo
      command: aws
      env: null

@grosser
Copy link
Contributor

grosser commented Jan 10, 2020

yeah samson does not support that syntax ...
as per ManageIQ/kubeclient#397 (kubeclient is what samson uses to talk to kubernetes)
"use the --token option and also --api-server" ... I guess that means generate a token and put that into the config ... but that will break after 12h I think (when the token expires)
so some code like https://github.com/abonas/kubeclient/pull/404/files might help ... but I don't have the time/eks-cluster to tinker with that ... PR welcome if you get it working, otherwise try and see if eks offer any other auth mechanism

@thrawny
Copy link
Author

thrawny commented Jan 11, 2020

Ye I figured it wouldn't just work as is. Just wanted to make sure. A quick workaround is to put a proxy in front of EKS that does the auth and have samson call the proxy. I have that working, but it's not a long term solution. Will see if I try to make a PR for this. Thx for the input!

@jandragsbaek
Copy link

@thrawny Would you mind explainng what you ended up doing? I'm in a similar position to yours.

@thrawny
Copy link
Author

thrawny commented Apr 22, 2021

You setup a proxy that calls eks and then samson calls the proxy. In my specific case I made a simple golang app. It would just proxy requests to eks including auth headers and so on. Don't expose the proxy externally! When I made it I was hoping it would be a temporary thing but as many things go, it ended up being temporarily permanent.

@jandragsbaek
Copy link

@thrawny That sounds neat. Is that something you would be willing to open source? It sounds like something that has potential other use-cases as well 🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@grosser @jandragsbaek @thrawny